From c01ec60e7dfabcc74889792336b1cba374a12dda Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 11:03:08 +0800 Subject: [PATCH 1/3] Update win_mal_service_installs.yml - Add new service Add new malicious service (javamtsup) by APT29 and add reference links. --- rules/windows/builtin/win_mal_service_installs.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 5e9adf31e..af2c247a2 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -1,9 +1,13 @@ title: Malicious Service Installations id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a -description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity +description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 modified: 2021/05/27 +references: + - https://awakesecurity.com/blog/threat-hunting-for-paexec/ + - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html + - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf tags: - attack.persistence - attack.privilege_escalation @@ -25,6 +29,8 @@ detection: ServiceName: 'mssecsvc2.0' malsvc_persistence: ServiceFileName|contains: 'net user' + malsvc_apt29: + ServiceName: 'javamtsup' condition: selection and 1 of malsvc_* falsepositives: - Penetration testing From a0407cf47717cb15ed01f0d840fd166c3bf73791 Mon Sep 17 00:00:00 2001 
From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 12:11:32 +0800 Subject: [PATCH 2/3] Update win_mal_service_installs.yml - Add new Event ID Added event ID 4697, which is equivalent to existing event ID 7045. --- rules/windows/builtin/win_mal_service_installs.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index af2c247a2..61d264cde 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -22,7 +22,9 @@ logsource: service: system detection: selection: - EventID: 7045 + EventID: + - 4697 + - 7045 malsvc_paexec: ServiceFileName|contains: '\PAExec' malsvc_wannacry: From aab65361da05987eba4cb310bd5579ddf0f909c6 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 00:50:23 -0700 Subject: [PATCH 3/3] Update rules/windows/builtin/win_mal_service_installs.yml Add modified date. Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/windows/builtin/win_mal_service_installs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 61d264cde..491926aee 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -3,7 +3,7 @@ id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2021/05/27 +modified: 2021/07/06 references: - https://awakesecurity.com/blog/threat-hunting-for-paexec/ - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
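Review bot: In the first hunk of PATCH 1/3 (`@@ -1,9 +1,13 @@`) the `modified` field stays at `2021/05/27` although the hunk rewrites the description and adds three references; Sigma rules bump `modified` on every content change, so it should carry the date of this edit (PATCH 3/3 does exactly that, which suggests squashing the series into one commit). A smaller point: the new references are not tied to the indicators they support. The PAExec and WannaCry links are self-explanatory, but the F-Secure CosmicDuke PDF is the one the commit message's APT29 attribution of `javamtsup` rests on, so a trailing YAML comment on that entry (for example `# CosmicDuke: javamtsup service`) would let a maintainer map each reference to its `malsvc_*` selection.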
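Review bot: In the second hunk of PATCH 1/3 (`@@ -25,6 +29,8 @@`) the new `malsvc_apt29` selection keys only on the exact `ServiceName: 'javamtsup'`, while the neighbouring selections key on `ServiceFileName|contains`; a bare service-name match is the weakest form of this indicator, so if the referenced report also gives the binary path for the service, add it as a separate `malsvc_*` selection rather than a second key under `malsvc_apt29` (two keys in one selection are ANDed and would narrow the match, whereas `1 of malsvc_*` fires on either). The selection name is also inconsistent with `malsvc_paexec` and `malsvc_wannacry`, which name the tool or family rather than the actor; `malsvc_javamtsup` or `malsvc_cosmicduke` would read more clearly and would not go stale if attribution changes.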
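Review bot: In the PATCH 2/3 hunk (`@@ -22,7 +22,9 @@`) adding `4697` under the existing `logsource: service: system` will not match anything: 7045 is written by the Service Control Manager to the System channel, but 4697 ("A service was installed in the system") is a Security-channel audit event, and the `service: system` logsource is mapped to the System channel by the backends. The two IDs need separate logsource blocks, which in Sigma means a second rule (for example a `service: security` counterpart of this file) that reuses the same `malsvc_*` selections, since 4697 does expose the same `ServiceName` and `ServiceFileName` field names. The commit message calls the two events equivalent; that holds for the field names but not for the channel, and 4697 is only produced when the "Audit Security System Extension" subcategory is enabled, which is worth stating in the rule's description so analysts know why it may never fire in an environment without that audit policy.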