rules for APT32

2019-08-28 10:12:01 +07:00
parent fe8f040863
commit 8b6bd45b0b
11 changed files with 295 additions and 0 deletions
@@ -0,0 +1,24 @@
+title: Detect compress process using for data exfiltration
+description: Detects data compressing behaviour
+author: Lep - VuNX
+date: 2019/7/10
+tags:
+
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*Compress-Archive*'
+            - 'rar*'
+            - 'zip*'
+            - 'gzip*'
+    selection2:
+        Image: C:\Users\Public\7za.exe
+    condition: selection1 or selection2
+falsepositives:
+    - Real compressed
+level: critical
@@ -0,0 +1,39 @@
+title: Microsoft Office Persistence
+status: experimental
+description: Detect some kinds of persistence techniques using Office Startup
+author: Lep
+references:
+  - https://attack.mitre.org/techniques/T1137/
+  - https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+date: 2019/08/20
+tags:
+  - attack.persistence
+  - attack.t1137
+  - attack.g0050
+logsource:
+  service: sysmon
+  product: windows
+detection:
+  template_macro:
+    EventID: 11
+    TargetFilename: 
+      - '*\AppData\Roaming\Microsoft\Templates\Normal.dotm'
+      - '*\AppData\Roaming\Microsoft\Excel*'
+  office_test:
+    EventID: 13
+    TargetObject: 'HKCU\Software\Microsoft\Office test\Special\Perf*'
+  enable_macros:
+    EventID: 13
+    TargetObject: 
+      - 'HKCU\Software\Microsoft\Office\*\Outlook*'
+      - 'HKCU\Software\Microsoft\Office\*\Excel\Options*'
+  addins:
+    EventID: 13
+    TargetObject: 
+      - 'HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\*'
+      - 'HKCU\Software\Microsoft\Office\*\PowerPoint\AddIns'
+      - 'HKCU\Software\Microsoft\Office\*\Addins\<AddInName>'
+  condition: template_macro or office_test or addins or enable_macros
+falsepositives:
+    - Office usage
+level: low
@@ -0,0 +1,32 @@
+title: File Permissions Modification
+status: experimental
+description: Detect File Permissions modification
+author: Lep
+references:
+  - https://attack.mitre.org/techniques/T1222/  
+date: 2019/08/21
+tags:
+  - attack.defense_evasion
+  - attack.t1222
+  - attack.g0050
+logsource:
+  service: sysmon
+  product: windows
+detection:
+  window:
+    - Image_lc: 
+      - '*cacls.exe'
+      - '*takeown.exe'
+      - '*icacls.exe'
+      - '*attrib.exe'
+    - CommandLine_lc: '*Set-Acl*'
+# Use for unix, change log sources
+  unix:
+    CommandLine_lc:
+      - '*chmod*'
+      - '*chowm*'  
+      - '*chattr*'
+  condition: window or unix
+falsepositives:
+    - Uninstall programs,..
+level: low
@@ -0,0 +1,18 @@
+title: Service Creation in Registry Detection
+description: Detect Service Creation in Registry
+author: Lep
+date: 2019/08/16
+tags:
+    - attack.execution
+    - attack.t1035
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        Image_lc: '*\services.exe'
+    condition: selection
+falsepositives:
+    - n/a
+level: low
@@ -0,0 +1,26 @@
+title: Suspicious Timestomp
+description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
+status: experimental
+references:
+    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
+    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
+author: Florian Roth
+date: 2019/08/24
+tags:
+    - attack.defense_evasion
+    - attack.t1099
+logsource:
+    product: windows
+detection:
+    windows:
+        CommandLine_lc:
+            - '*Get-ChildItem*'
+            - '*$_.LastAccessTime*'
+            - '*$_.LastWriteTime*'
+            - '*$_.CreationTime*'
+    linux:
+        CommandLine_lc: '*touch*'
+    condition: linux or windows
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,26 @@
+title: Discovery Activity with Command
+status: experimental
+description: Detects discovery activity command
+author: Lep
+date: 2019/09/26
+tags:
+    - attack.discovery
+    - attack.t1018
+    - attack.t1012
+    - attack.t1083
+logsource:
+    product: windows
+detection:
+    selection:
+        CommandLine_lc:
+            - 'dir *'
+            - 'tree *'
+            - 'reg query*'
+            - '*arp.exe*'
+            - 'ipconfig /all'
+            - 'new-psdrive*'
+    timeframe: 15s
+    condition: selection | count() by CommandLine_lc > 4
+falsepositives:
+    - Admin activities
+level: medium
@@ -0,0 +1,29 @@
+title: Microsoft Office Persistence
+status: experimental
+description: Detect File Deletion Technique
+author: Lep
+references:
+  - https://attack.mitre.org/techniques/T1107/
+  - https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+date: 2019/08/20
+tags:
+  - attack.defense_evasion
+  - attack.t1107
+  - attack.g0050
+logsource:
+  service: sysmon
+  product: windows
+detection:
+  sdelete:
+    Image: '*sdelete.exe'
+    CommandLine_lc: '*remove-item*'
+  fsulti:
+    Image: '*fsutil.exe'
+    CommandLine_lc: '*deletejournal*'
+  wbadmin:
+    Image: '*wbadmin.exe'
+    CommandLine_lc: '*delete*'
+  condition: sdelete or fsulti or addins or wbadmin
+falsepositives:
+    - Uninstall programs,..
+level: low
@@ -0,0 +1,29 @@
+title: Modify Existing Service
+description: Detect persistence technique by modifying existing services
+author: Lep
+date: 2019/08/17
+tags:
+    - attack.persistence
+    - attack.t1031
+    - attack.g0050
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    process_creation:
+        EventID: 1
+    sc:
+        Image_lc:
+            -'*\sc.exe'
+        CommandLine_lc: '*config*'
+    reg:
+        Image_lc: 
+            -'*\reg.exe'
+        CommandLine_lc: '*hklm\system\currentcontrolset\services*'
+    registry_edit:
+        EventID: 13
+        TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services*'
+    condition: (process_creation and sc) or (process_creation and reg) or registry_edit
+falsepositives:
+    - Real service edit
+level: low
@@ -0,0 +1,21 @@
+title: Signed Script Proxy Execution
+description: Detect suspicious signed script like PubPrn triggered for validation bypassing
+author: Lep
+date: 2019/08/16
+tags:
+    - attack.execution
+    - attack.t1216
+    - attack.g0050
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage_lc: '*cscript.exe*'
+    selection2:
+        CommandLine_lc: '*pubprn.vbs*'
+    condition: selection or selection2
+falsepositives:
+    - Real PubPrn usage
+level: low
@@ -0,0 +1,30 @@
+title: File Creation Webserver Root Folder
+status: experimental
+description: Detects a suspicious file creation in a web service root folder 
+author: Lep - VuNX
+tags:
+    - attack.persistence
+    - attack.t1100
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        TargetFileName_lc:
+            - '*\wwwroot\\*'
+            - '*\wmpub\\*'
+            - '*\htdocs\\*'
+            - '*inetpub*'
+        EventID:
+            11
+    filter:
+        Image_lc:
+            - '*explorer.exe'
+    blank:
+        Image: null
+    condition: selection and not filter and not blank
+fields:
+    - TargetFileName
+falsepositives:
+    - Deploy new codes
+level: medium
@@ -0,0 +1,21 @@
+title: Trigger Compiled HTML
+status: experimental
+description: This detects compiled HTML triggered by HH
+references: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
+date: 2019/08/14
+author: Lep
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection1:
+    EventID: 1
+    Image_lc: '*\hh.exe'
+  condition: selection1
+falsepositives:
+  - Normal HTML Help File
+tags:
+  - attack.execution
+  - attack.T1223
+  - attack.G0050
+level: high