diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml b/deprecated/windows/proc_creation_win_regsvr32_anomalies.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml rename to deprecated/windows/proc_creation_win_regsvr32_anomalies.yml index 0eaa0c49d..07c879e3e 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml +++ b/deprecated/windows/proc_creation_win_regsvr32_anomalies.yml @@ -1,13 +1,13 @@ title: Regsvr32 Anomaly id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d -status: experimental +status: deprecated description: Detects various anomalies in relation to regsvr32.exe references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton date: 2019/01/16 -modified: 2023/02/26 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.010 @@ -83,4 +83,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: high +level: high \ No newline at end of file diff --git a/rules-emerging-threats/2023/Malware/Qakbot/README.md b/rules-emerging-threats/2023/Malware/Qakbot/README.md new file mode 100644 index 000000000..2e50a2b2e --- /dev/null +++ b/rules-emerging-threats/2023/Malware/Qakbot/README.md 
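Review bot: The second hunk (`@@ -83,4 +83,4 @@`) changes no content and only drops the trailing newline after `level: high`, as the `\ No newline at end of file` marker shows; the renamed file should keep a final newline (yamllint `new-line-at-end-of-file`). In the first hunk the rule is marked `status: deprecated` but carries no pointer to its successors, while several new or renamed regsvr32 rules in this commit declare `type: obsoletes` towards `8e2b24c9-4add-46a0-b4bb-0057b4e6187d`, so the relationship is only discoverable from the other side. Unless the project convention is to leave deprecated rules untouched, a comment above `status:` such as `# Deprecated in favour of the split regsvr32 rules that reference this id with "type: obsoletes"` would help.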
@@ -0,0 +1,17 @@ +# Qakbot + +## Summary + +QBot is a modular information stealer also known as Qakbot, Quakbot, Oakboat or Pinkslipbot. + +You can find more information on the threat in the following articles: + +- [Qakbot - malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot) +- [Qakbot- pr0xylife](https://github.com/pr0xylife/Qakbot/) + +## Rules + +- [Qakbot Regsvr32 Calc Pattern](./proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml) +- [Potential Qakbot Rundll32 Execution](./proc_creation_win_malware_qakbot_rundll32_execution.yml) +- [Qakbot Rundll32 Exports Execution](./proc_creation_win_malware_qakbot_rundll32_exports.yml) +- [Qakbot Rundll32 Fake DLL Extension Execution](./proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml) diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml new file mode 100644 index 000000000..db12b2f38 --- /dev/null +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml @@ -0,0 +1,25 @@ +title: Qakbot Regsvr32 Calc Pattern +id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 +status: experimental +description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot +references: + - https://github.com/pr0xylife/Qakbot/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/26 +tags: + - attack.defense_evasion + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection: + Image|endswith: '\regsvr32.exe' + CommandLine|contains: + - ' /s' + - ' -s' + CommandLine|endswith: ' calc' + condition: selection +falsepositives: + - Unlikely +level: high 
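Review bot: `selection` identifies the binary only through `Image|endswith: '\regsvr32.exe'`, whereas the other regsvr32 rules in this commit (e.g. `proc_creation_win_regsvr32_http_ip_pattern.yml`, `proc_creation_win_regsvr32_susp_exec_path_1.yml`) pair the image check with `OriginalFileName: 'REGSVR32.EXE'` in a `selection_img` alternative, so a renamed copy of the binary is covered there but not here. Splitting the selection the same way keeps the rule set consistent and changes nothing on the command-line side. The description also mentions only the `/s` flag although the selection matches `-s` as well; `the "/s" (or "-s") flag` would keep it accurate.
```yaml
detection:
  selection_img:
    - Image|endswith: '\regsvr32.exe'
    - OriginalFileName: 'REGSVR32.EXE'
  selection_cli:
    CommandLine|contains:
      - ' /s'
      - ' -s'
    CommandLine|endswith: ' calc'
  condition: all of selection_*
```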
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml new file mode 100644 index 000000000..e0e080a06 --- /dev/null +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml @@ -0,0 +1,38 @@ +title: Potential Qakbot Rundll32 Execution +id: cf879ffb-793a-4753-9a14-bc8f37cc90df +status: experimental +description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. +references: + - https://github.com/pr0xylife/Qakbot/ +author: X__Junior (Nextron Systems) +date: 2023/05/24 +tags: + - attack.defense_evasion + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection_paths: + ParentImage|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware + - '\cmd.exe' + - '\cscript.exe' + - '\curl.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + Image|endswith: '\rundll32.exe' + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware + - ':\ProgramData\' + - ':\Users\Public\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + selection_extension: + CommandLine|contains: '.dll' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml new file mode 100644 index 000000000..e7d8113fa --- /dev/null +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml 
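Review bot: `selection_extension` (`CommandLine|contains: '.dll'`) is the only thing separating this rule from `proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml` in the same commit, which reuses the identical parent/image/path selection and negates the same `.dll` test; taken together the two rules fire on every rundll32 launched by the listed parents from the listed paths, the only difference being the level (high here, critical there). If that split is intended, a comment on `selection_extension` saying so would help, e.g. `# Note: The ".dll" case is kept separate from the "fake DLL extension" rule so the two can carry different levels`. Given that `cmd.exe` or `powershell.exe` launching rundll32 on a DLL under `\AppData\Local\Temp\` or `:\ProgramData\` also occurs with installers and updaters, `falsepositives: Unlikely` may be optimistic; this is an inference rather than something the hunk shows.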
@@ -0,0 +1,64 @@ +title: Qakbot Rundll32 Exports Execution +id: 339ed3d6-5490-46d0-96a7-8abe33078f58 +status: experimental +description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. +references: + - https://github.com/pr0xylife/Qakbot/ +author: X__Junior (Nextron Systems) +date: 2023/05/24 +tags: + - attack.defense_evasion + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection_paths: + ParentImage|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware + - '\cmd.exe' + - '\cscript.exe' + - '\curl.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + Image|endswith: '\rundll32.exe' + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware + - ':\ProgramData\' + - ':\Users\Public\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + selection_exports: + CommandLine|endswith: + # Note: Only add additional exports seen used by Qakbot + - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report + - 'bind' + - 'DrawThemeIcon' + - 'GG10' + - 'GL70' + - 'jhbvygftr' + - 'kjhbhkjvydrt' + - 'LS88' + - 'Motd' + - 'N115' + - 'Nikn' + - 'print' + - 'qqqb' + - 'qqqq' + - 'RS32' + - 'Test' + - 'Time' + - 'Updt' + - 'vips' + - 'Wind' + - 'WW50' + - 'X555' + - 'XL55' + - 'xlAutoOpen' + - 'XS88' + condition: all of selection_* +falsepositives: + - Unlikely +level: critical diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml new file mode 100644 index 000000000..74957c3ab --- /dev/null +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml 
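Review bot: Several entries in `selection_exports` are short, common words (`'bind'`, `'print'`, `'Test'`, `'Time'`, `'Wind'`) and `CommandLine|endswith` is case-insensitive in Sigma, so any command line from the listed parents and paths that merely ends in one of these words is matched — an export such as `SelfTest` or `RunTime` would hit `'Test'`/`'Time'`. If the referenced samples show a delimiter before the export name, anchoring the short entries on it (e.g. `',Test'`) would cut collisions; I cannot confirm the delimiter from the hunk, so please verify against the samples first. Since the list is explicitly meant to track observed exports, a per-entry source comment like the one on `'aslr'` would also make later pruning safer.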
@@ -0,0 +1,38 @@ +title: Qakbot Rundll32 Fake DLL Extension Execution +id: bfd34392-c591-4009-b938-9fd985a28b85 +status: experimental +description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. +references: + - https://github.com/pr0xylife/Qakbot/ +author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/24 +tags: + - attack.defense_evasion + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware + - '\cmd.exe' + - '\cscript.exe' + - '\curl.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + Image|endswith: '\rundll32.exe' + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware + - ':\ProgramData\' + - ':\Users\Public\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + filter_main_extension: + CommandLine|contains: '.dll' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml new file mode 100644 index 000000000..1fb2caf8c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml 
@@ -0,0 +1,30 @@ +title: Potential Register_App.Vbs LOLScript Abuse +id: 28c8f68b-098d-45af-8d43-8089f3e35403 +status: experimental +description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution. +references: + - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 + - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs +author: Austin Songer @austinsonger +date: 2021/11/05 +modified: 2022/07/07 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\cscript.exe' + - '\wscript.exe' + - OriginalFileName: + - 'cscript.exe' + - 'wscript.exe' + selection_cli: + CommandLine|contains: '.vbs -register ' # register_app.vbs + condition: all of selection* +falsepositives: + - Other VB scripts that leverage the same starting command line flags +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml index 1c55829fc..8ec5dee90 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml @@ -8,6 +8,7 @@ references: - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/22 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.008 
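Review bot: The rule keeps `id: 28c8f68b-098d-45af-8d43-8089f3e35403` from the deleted `proc_creation_win_regsvr32_registration_via_cscript.yml` but its title, description, detection and false-positive text are all new, while `modified: 2022/07/07` is carried over unchanged; the other edited rules in this commit bump `modified` to `2023/05/26`, so this one should read `modified: 2023/05/26` as well. The `selection_img` alternative on `Image|endswith` / `OriginalFileName` is a good pattern and matches the regsvr32 rules added here.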
@@ -22,6 +23,7 @@ detection: # Note: Add more suspicious locations CommandLine|contains: - ':\PerfLogs\' + - ':\ProgramData\' - ':\Temp\' - ':\Users\Public\' - ':\Windows\Registration\CRMLog' diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml index f09267f9e..21edd2608 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml @@ -1,12 +1,12 @@ -title: Regsvr32 Flags Anomaly +title: Potential Regsvr32 Commandline Flag Anomaly id: b236190c-1c61-41e9-84b3-3fe03f6d76b0 status: test -description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time +description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon. references: - https://twitter.com/sbousseaden/status/1282441816986484737?s=12 author: Florian Roth (Nextron Systems) date: 2019/07/13 -modified: 2021/11/27 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.010 @@ -16,13 +16,14 @@ logsource: detection: selection: Image|endswith: '\regsvr32.exe' - CommandLine|contains: ' /i:' - filter: - CommandLine|contains: ' /n ' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine + CommandLine|contains: + - ' /i:' + - ' -i:' + filter_main_flag: + CommandLine|contains: + - ' /n ' + - ' -n ' + condition: selection and not 1 of filter_main_* falsepositives: - - Unknown -level: high + - Administrator typo might cause some false positives +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml new file mode 100644 index 000000000..d07d11d61 --- /dev/null 
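Review bot: Adding `':\ProgramData\'` to the `CommandLine|contains` list puts a directory that a great deal of legitimate software writes to on the same footing as `:\PerfLogs\` and `:\Windows\Registration\CRMLog`; the surrounding `# Note: Add more suspicious locations` comment gives no guidance on how "suspicious" was judged, so a short justification would help reviewers weigh future additions, e.g. `# ":\ProgramData\" is also used by legitimate installers; keep only if the FP rate stays acceptable`. The same addition is made to `Details|contains` in `registry_set_odbc_driver_registered_susp.yml` at the end of this diff, and the same remark applies there. Whether the level of either rule still fits after the addition cannot be judged from the hunk, since `level` is outside it.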
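Review bot: `filter_main_flag` matches `' /n '` and `' -n '` only with a trailing space, so a command line in which `/n` (or `-n`) is the final token is not filtered and the rule fires although both flags are present, which is exactly the combination it is meant to exclude. Adding a second filter on `CommandLine|endswith` closes that gap, and the `not 1 of filter_main_*` condition already picks it up. The new `falsepositives` entry `Administrator typo might cause some false positives` would read better as `Administrator typos might cause some false positives`.
```yaml
  # … unchanged: selection and filter_main_flag …
  filter_main_flag_end:
    CommandLine|endswith:
      - ' /n'
      - ' -n'
  condition: selection and not 1 of filter_main_*
```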
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml @@ -0,0 +1,63 @@ +title: Potentially Suspicious Regsvr32 HTTP IP Pattern +id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 +status: experimental +description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. +references: + - https://twitter.com/mrd0x/status/1461041276514623491 + - https://twitter.com/tccontre18/status/1480950986650832903 + - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ +author: Florian Roth (Nextron Systems) +date: 2022/01/11 +modified: 2023/05/24 +tags: + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\regsvr32.exe' + - OriginalFileName: 'REGSVR32.EXE' + selection_ip: + CommandLine|contains: + - ' /i:http://1' + - ' /i:http://2' + - ' /i:http://3' + - ' /i:http://4' + - ' /i:http://5' + - ' /i:http://6' + - ' /i:http://7' + - ' /i:http://8' + - ' /i:http://9' + - ' /i:https://1' + - ' /i:https://2' + - ' /i:https://3' + - ' /i:https://4' + - ' /i:https://5' + - ' /i:https://6' + - ' /i:https://7' + - ' /i:https://8' + - ' /i:https://9' + - ' -i:http://1' + - ' -i:http://2' + - ' -i:http://3' + - ' -i:http://4' + - ' -i:http://5' + - ' -i:http://6' + - ' -i:http://7' + - ' -i:http://8' + - ' -i:http://9' + - ' -i:https://1' + - ' -i:https://2' + - ' -i:https://3' + - ' -i:https://4' + - ' -i:https://5' + - ' -i:https://6' + - ' -i:https://7' + - ' -i:https://8' + - ' -i:https://9' + condition: all of selection_* +falsepositives: + - FQDNs that start with a number such as "7-Zip" +level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml deleted file mode 100644 index 715d87889..000000000 
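Review bot: The 36 entries of `selection_ip` are the product of three hand-maintained dimensions (`/i:` vs `-i:`, `http://` vs `https://`, leading digit 1-9) and nothing in the hunk says why the digit is the discriminator, so a future maintainer has to reverse-engineer the intent before touching the list. A comment above `CommandLine|contains:` such as `# A digit right after the scheme marks an IP literal; FQDNs starting with a digit (e.g. "7-Zip") are the known collision` would record it next to the data. The file keeps `id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8` from the deleted `proc_creation_win_regsvr32_http_pattern.yml` but no longer requires `' /s'` and `' /u'`; the description could state that the rule now matches regardless of the other flags. `modified: 2023/05/24` also differs from the `2023/05/26` used elsewhere in this commit and presumably should be aligned.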
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml +++ /dev/null @@ -1,45 +0,0 @@ -title: Suspicious Regsvr32 HTTP IP Pattern -id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 -status: experimental -description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN -references: - - https://twitter.com/mrd0x/status/1461041276514623491c19-ps - - https://twitter.com/tccontre18/status/1480950986650832903 -author: Florian Roth (Nextron Systems) -date: 2022/01/11 -modified: 2023/01/11 -tags: - - attack.defense_evasion - - attack.t1218.010 -logsource: - category: process_creation - product: windows -detection: - selection_flags: - CommandLine|contains|all: - - ' /s' - - ' /u' - selection_ip: - CommandLine|contains: - - ' /i:http://1' - - ' /i:http://2' - - ' /i:http://3' - - ' /i:http://4' - - ' /i:http://5' - - ' /i:http://6' - - ' /i:http://7' - - ' /i:http://8' - - ' /i:http://9' - - ' /i:https://1' - - ' /i:https://2' - - ' /i:https://3' - - ' /i:https://4' - - ' /i:https://5' - - ' /i:https://6' - - ' /i:https://7' - - ' /i:https://8' - - ' /i:https://9' - condition: all of selection_* -falsepositives: - - FQDNs that start with a number -level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml new file mode 100644 index 000000000..4f27725b4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml 
@@ -0,0 +1,36 @@ +title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern +id: 867356ee-9352-41c9-a8f2-1be690d78216 +related: + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes +status: experimental +description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. +references: + - https://twitter.com/mrd0x/status/1461041276514623491 + - https://twitter.com/tccontre18/status/1480950986650832903 + - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ +author: Florian Roth (Nextron Systems) +date: 2023/05/24 +modified: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\regsvr32.exe' + - OriginalFileName: 'REGSVR32.EXE' + selection_flag: + CommandLine|contains: + - ' /i' + - ' -i' + selection_protocol: + CommandLine|contains: + - 'ftp' + - 'http' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml deleted file mode 100644 index 32603fb9a..000000000 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml +++ /dev/null 
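Review bot: `selection_protocol` matches the bare substrings `'ftp'` and `'http'` anywhere in the command line, and `selection_flag` likewise matches `' /i'` / `' -i'` as prefixes, so a DLL path containing those letters (for instance a path under a directory named `httpd` or a file called `ftpclient.dll`) satisfies the rule without any remote address being involved. Anchoring on the scheme delimiter, `- 'ftp://'`, `- 'http://'`, `- 'https://'`, keeps the intended coverage while removing these collisions; if the looser match is deliberate, a comment saying so would stop it from being tightened later. `falsepositives: Unknown` could then name the remaining case of local paths that legitimately embed a URL.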
@@ -1,38 +0,0 @@ -title: Regsvr32 Command Line Without DLL -id: 50919691-7302-437f-8e10-1fe088afa145 -status: test -description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line -references: - - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ -author: Florian Roth (Nextron Systems) -date: 2019/07/17 -modified: 2022/12/25 -tags: - - attack.defense_evasion - - attack.t1574 - - attack.execution -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\regsvr32.exe' - filter: - CommandLine|contains: - - '.dll' - - '.ocx' - - '.cpl' - - '.ax' - - '.bav' - - '.ppl' - filter_null1_for_4688: - CommandLine: null - filter_null2_for_4688: - CommandLine: '' - condition: selection and not filter and not filter_null1_for_4688 and not filter_null2_for_4688 -falsepositives: - - Unknown -fields: - - CommandLine - - ParentCommandLine -level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml deleted file mode 100644 index 0fca27e47..000000000 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -title: Suspicious Registration via cscript.exe -id: 28c8f68b-098d-45af-8d43-8089f3e35403 -status: experimental -description: Detects when the registration of a VSS/VDS Provider as a COM+ application. -references: - - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 - - https://ss64.com/vb/cscript.html -author: Austin Songer @austinsonger -date: 2021/11/05 -modified: 2022/07/07 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection1: - Image|endswith: '\cscript.exe' - CommandLine|contains: '-register' - selection2: - CommandLine|contains: - - '\Windows Kits\10\bin\10.0.22000.0\x64' - - '\Windows Kits\10\bin\10.0.19041.0\x64' - - '\Windows Kits\10\bin\10.0.17763.0\x64' - condition: all of selection* -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml deleted file mode 100644 index a8ad65c94..000000000 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Regsvr32 Spawning Explorer -id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca -status: experimental -description: Detects "regsvr32.exe" spawning "explorer.exe", which is very uncommon. -references: - - https://redcanary.com/blog/intelligence-insights-april-2022/ - - https://www.echotrail.io/insights/search/regsvr32.exe -author: elhoim -date: 2022/05/05 -modified: 2022/07/28 -tags: - - attack.defense_evasion - - attack.t1218.010 -logsource: - category: process_creation - product: windows -detection: - selection: - ParentImage|endswith: '\regsvr32.exe' - Image|endswith: '\explorer.exe' - condition: selection -falsepositives: - - Unknown -level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml new file mode 100644 index 000000000..b2d1a88fc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml @@ -0,0 +1,45 @@ +title: Potentially Suspicious Child Process Of Regsvr32 +id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca +related: + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes +status: experimental +description: Detects potentially suspicious child processes of "regsvr32.exe". +references: + - https://redcanary.com/blog/intelligence-insights-april-2022/ + - https://www.echotrail.io/insights/search/regsvr32.exe + - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo +author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2022/05/05 +modified: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\regsvr32.exe' + Image|endswith: + - '\calc.exe' + - '\cscript.exe' + - '\explorer.exe' + - '\mshta.exe' + - '\net.exe' + - '\net1.exe' + - '\nltest.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\reg.exe' + - '\schtasks.exe' + - '\werfault.exe' + - '\wscript.exe' + filter_main_werfault: + Image|endswith: '\werfault.exe' + CommandLine|contains: ' -u -p ' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely, but can rarely occur. Apply additional filters accordingly. +level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml new file mode 100644 index 000000000..f34176956 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml 
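Review bot: `filter_main_werfault` exempts `werfault.exe` children whose command line contains `' -u -p '` but nothing records why, and since `'\werfault.exe'` also sits in `selection`, a reader has to infer that the filter is meant to drop the Windows Error Reporting launch that follows a crash of regsvr32 itself while keeping other werfault children in scope. A comment above the filter, `# Drop the WER crash handler Windows spawns when regsvr32 itself crashes ("werfault.exe -u -p <pid> -s <event>"); other werfault children stay in scope`, would document that. I am inferring the purpose from the flags, so please confirm it matches the author's intent.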
@@ -0,0 +1,34 @@ +title: Regsvr32 Execution From Potential Suspicious Location +id: 9525dc73-0327-438c-8c04-13c0e037e9da +related: + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes +status: experimental +description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. +references: + - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html + - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\regsvr32.exe' + - OriginalFileName: 'REGSVR32.EXE' + selection_cli: + CommandLine|contains: + - ':\ProgramData\' + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + condition: all of selection_* +falsepositives: + - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml new file mode 100644 index 000000000..fe7c15019 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml 
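Review bot: `':\Temp\'` in `selection_cli` also appears in `selection_path_1` of `proc_creation_win_regsvr32_susp_exec_path_2.yml` added by this commit (that hunk continues onto the next physical line), so a `regsvr32` run on `C:\Temp\x.dll` raises both this medium alert and that rule's high one for the same event. Dropping `':\Temp\'` here, or adding `# Note: Also covered at level high by proc_creation_win_regsvr32_susp_exec_path_2.yml` if the overlap is intentional, avoids unexplained duplicate alerting. The remaining entries (`:\ProgramData\`, `:\Users\Public\`, `:\Windows\Temp\`, the `\AppData\` paths) are excluded or absent in the sibling rule's path handling, so they do not overlap.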
@@ -0,0 +1,63 @@ +title: Regsvr32 Execution From Highly Suspicious Location +id: 327ff235-94eb-4f06-b9de-aaee571324be +status: experimental +description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations +references: + - Internal Research +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\regsvr32.exe' + - OriginalFileName: 'REGSVR32.EXE' + selection_path_1: + CommandLine|contains: + - ':\PerfLogs\' + - ':\Temp\' + - '\Windows\Registration\CRMLog' + - '\Windows\System32\com\dmp\' + - '\Windows\System32\FxsTmp\' + - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\' + - '\Windows\System32\spool\drivers\color\' + - '\Windows\System32\spool\PRINTERS\' + - '\Windows\System32\spool\SERVERS\' + - '\Windows\System32\Tasks_Migrated\' + - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\' + - '\Windows\SysWOW64\com\dmp\' + - '\Windows\SysWOW64\FxsTmp\' + - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\' + - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\' + - '\Windows\Tasks\' + - '\Windows\Tracing\' + selection_path_2: + CommandLine|contains: + # This is to avoid collisions with CLI starting with "C:\" + - ' "C:\' + - ' C:\' + - " 'C:\\" + - 'D:\' + selection_exclude_known_dirs: + CommandLine|contains: + # Note: add additional locations that are related to third party applications + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\ProgramData\' + - 'C:\Users\' + # Note: The space added here are to avoid collisions with the "regsvr32" binary full path + - ' C:\Windows\' + - ' "C:\Windows\' + - " 'C:\\Windows\\" + filter_main_empty: + CommandLine: '' + filter_main_null: + CommandLine: null + condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_* 
+falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml similarity index 67% rename from rules/windows/process_creation/proc_creation_win_regsvr32_image.yml rename to rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml index 55a4ab29e..851256ec4 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml @@ -1,17 +1,17 @@ -title: Suspicious Regsvr32 Execution With Image Extension +title: Regsvr32 DLL Execution With Suspicious File Extension id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e related: - - id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec - type: similar + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects the execution of REGSVR32.exe with DLL files masquerading as image files +description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files references: - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://guides.lib.umich.edu/c.php?g=282942&p=1885348 -author: frack113 +author: Florian Roth (Nextron Systems), frack113 date: 2021/11/29 -modified: 2022/10/31 +modified: 2023/05/24 tags: - attack.defense_evasion - attack.t1218.010 @@ -21,12 +21,15 @@ logsource: detection: selection_img: - Image|endswith: '\regsvr32.exe' - - OriginalFileName: '\REGSVR32.EXE' + - OriginalFileName: 'REGSVR32.EXE' selection_cli: CommandLine|endswith: # Add more image extensions + # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3 + - '.bin' - '.bmp' - '.cr2' + - '.dat' - '.eps' - '.gif' - '.ico' 
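Review bot: `selection_path_2` lists `'D:\'` as a drive prefix but `selection_exclude_known_dirs` only exempts `C:\Program Files (x86)\`, `C:\Program Files\`, `C:\ProgramData\`, `C:\Users\` and `C:\Windows\`, so a DLL under `D:\Program Files\` or `D:\Users\` is scored `high` while the same path on `C:` is excluded; either the exclusions need `D:` counterparts or the `'D:\'` entry deserves a comment explaining why a second drive is treated as inherently suspicious. The `'D:\'` entry also lacks the leading-space and quote variants used for `C:\` (`' "C:\'`, `' C:\'`, `" 'C:\\"`), which the comment above them says exist to avoid matching the regsvr32 binary's own path; presumably `D:\` was left bare because regsvr32 does not live there, but stating that in the comment would help. The enclosing hunk starts on the previous physical line.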
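Review bot: The context comment `# Add more image extensions` above `CommandLine|endswith:` is now stale: the first hunk retitles the rule `Regsvr32 DLL Execution With Suspicious File Extension` and reworded the description to `masquerading as other files`, and this hunk adds `.bin` and `.dat` (with `.temp`, `.tmp`, `.rtf`, `.txt` following in the next hunk), none of which are image formats. Changing it to `# Note: Add more extensions commonly used to disguise DLLs (images, temp files, documents, ...)` keeps the comment aligned with the rule's new scope. The `OriginalFileName` fix from `'\REGSVR32.EXE'` to `'REGSVR32.EXE'` is a real correction — the PE original file name carries no path, so the old value could never match.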
@@ -37,9 +40,13 @@ detection: - '.png' - '.raw' - '.sr2' + - '.temp' - '.tif' - '.tiff' + - '.tmp' + - '.rtf' + - '.txt' condition: all of selection_* falsepositives: - - Unknown + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml new file mode 100644 index 000000000..d0d5927f0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml @@ -0,0 +1,37 @@ +title: Scripting/CommandLine Process Spawned Regsvr32 +id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22 +related: + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes +status: experimental +description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. +references: + - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html + - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1218.010 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell_ise.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + Image|endswith: '\regsvr32.exe' + filter_main_rpcproxy: + ParentImage: C:\Windows\System32\cmd.exe + CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll' + condition: selection and not 1 of filter_main_* +falsepositives: + - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary + - Some legitimate Windows services +level: medium # Can be reduced to low if you experience a ton of FP 
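Review bot: `'.rtf'` is inserted after `'.tmp'`, which breaks the alphabetical order the rest of the list keeps (`.png`, `.raw`, `.sr2`, `.temp`, `.tif`, `.tiff`, `.tmp`, `.txt`); moving it between `'.raw'` and `'.sr2'` keeps the list diff-friendly. With `.tmp` and `.temp` now in the list, changing `falsepositives` from `Unknown` to `Unlikely` may be optimistic — some installers extract DLLs to temporary files and register them — but that is an inference rather than something the hunk shows; if the author has data supporting it, a short note under `falsepositives` would help.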
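Review bot: In `filter_main_rpcproxy` the value `ParentImage: C:\Windows\System32\cmd.exe` is the only unquoted path in the rule (and in the rest of this commit); it parses as a plain scalar, but for consistency with every other path literal it should read `ParentImage: 'C:\Windows\System32\cmd.exe'`. The filter also hard-codes the `C:` drive while the selections elsewhere in this commit use drive-agnostic `:\...` prefixes; if the system drive can differ in the target environment, `ParentImage|endswith: ':\Windows\System32\cmd.exe'` would be the safer form. The first `falsepositives` entry `Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary` is garbled; `Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts often launch "regsvr32" legitimately. Apply additional filters and exclusions as necessary` says what was meant.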
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml new file mode 100644 index 000000000..bae2dcf8f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml @@ -0,0 +1,39 @@ +title: Regsvr32 DLL Execution With Uncommon Extension +id: 50919691-7302-437f-8e10-1fe088afa145 +status: test +description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. +references: + - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ +author: Florian Roth (Nextron Systems) +date: 2019/07/17 +modified: 2023/05/24 +tags: + - attack.defense_evasion + - attack.t1574 + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\regsvr32.exe' + - OriginalFileName: 'REGSVR32.EXE' + filter_main_legit_ext: + CommandLine|contains: + # Note: For better accuracy you might not want to use contains + - '.ax' + - '.cpl' + - '.dll' # Covers ".dll.mui" + - '.ocx' + filter_optional_pascal: + CommandLine|contains: '.ppl' + filter_optional_avg: + CommandLine|contains: '.bav' + filter_main_null_4688: + CommandLine: null + filter_main_empty_4688: + CommandLine: '' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Other legitimate extensions currently not in the list either from third party or specific Windows components. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml index b6f57f9e8..748ff8520 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml 
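Review bot: The filter names `filter_optional_pascal` (`'.ppl'`) and `filter_optional_avg` (`'.bav'`) hint at the origin of those two extensions but neither carries a comment, so the next maintainer cannot tell which product ships DLLs with these extensions or whether the filters can be dropped. A one-line source comment per filter, e.g. `# ".ppl" is registered by <product — TODO confirm>`, would keep the rationale next to the data. The `# Note: For better accuracy you might not want to use contains` remark on `filter_main_legit_ext` is useful, but since `.dll` is deliberately kept as `contains` to cover `.dll.mui`, saying which entries it applies to (`.ax`, `.cpl`, `.ocx`) would make it actionable.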
@@ -5,6 +5,8 @@ description: Detects potential SquiblyTwo attack technique with possible renamed references: - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html - https://twitter.com/mattifestation/status/986280382042595328 # Deleted + - https://atomicredteam.io/defense-evasion/T1220/ + - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ author: Markus Neis, Florian Roth date: 2019/01/16 modified: 2023/02/15 diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml index f255eaa09..a9ed69849 100644 --- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml @@ -6,6 +6,7 @@ references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/23 +modified: 2023/05/26 tags: - attack.persistence - attack.t1003 @@ -21,6 +22,7 @@ detection: - '\Setup' Details|contains: - ':\PerfLogs\' + - ':\ProgramData\' - ':\Temp\' - ':\Users\Public\' - ':\Windows\Registration\CRMLog'