From f5c503a13df967d98c481f5cccd6f937803b8349 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 25 May 2023 02:12:44 +0200
Subject: [PATCH 1/8] feat: add qakbot related rules
---
 .../2023/Malware/Qakbot/README.md | 16 +++++
 ..._win_malware_qakbot_rundll32_execution.yml | 38 +++++++++++
 ...on_win_malware_qakbot_rundll32_exports.yml | 63 +++++++++++++++++++
 ...are_qakbot_rundll32_fake_dll_execution.yml | 38 +++++++++++
 4 files changed, 155 insertions(+)
 create mode 100644 rules-emerging-threats/2023/Malware/Qakbot/README.md
 create mode 100644 rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
 create mode 100644 rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
 create mode 100644 rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/README.md b/rules-emerging-threats/2023/Malware/Qakbot/README.md
new file mode 100644
index 000000000..0d7a57e2c
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Qakbot/README.md
@@ -0,0 +1,16 @@
+# Qakbot
+
+## Summary
+
+QBot is a modular information stealer also known as Qakbot or Pinkslipbot.
+
+You can find more information on the threat in the following articles:
+
+- [Qakbot - malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot)
+- [Qakbot- pr0xylife](https://github.com/pr0xylife/Qakbot/)
+
+## Rules
+
+- [Potential Qakbot Rundll32 Execution](./proc_creation_win_malware_qakbot_rundll32_execution.yml)
+- [Qakbot Rundll32 Exports Execution](./proc_creation_win_malware_qakbot_rundll32_exports.yml)
+- [Qakbot Rundll32 Fake DLL Extension Execution](./proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml)
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
new file mode 100644
index 000000000..e0e080a06
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
@@ -0,0 +1,38 @@
+title: Potential Qakbot Rundll32 Execution
+id: cf879ffb-793a-4753-9a14-bc8f37cc90df
+status: experimental
+description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
+references:
+    - https://github.com/pr0xylife/Qakbot/
+author: X__Junior (Nextron Systems)
+date: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_paths:
+        ParentImage|endswith:
+            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\curl.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\wscript.exe'
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
+            - ':\ProgramData\'
+            - ':\Users\Public\'
+            - '\AppData\Local\Temp\'
+            - '\AppData\Roaming\'
+    selection_extension:
+        CommandLine|contains: '.dll'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
new file mode 100644
index 000000000..da966c0fe
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
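Review bot: The `id` on the second line of this rule, `cf879ffb-793a-4753-9a14-bc8f37cc90df`, is reused verbatim by the other two rules created in this commit (the exports rule and the fake-DLL rule in the following hunks), so the repository's rule-ID uniqueness check fails at this commit; each rule needs its own UUID. Patch 3 of this series reassigns the other two IDs, but the commit would be self-consistent if fresh IDs were generated here. The `ParentImage` list omits `\powershell_ise.exe`, which the regsvr32 anomaly rule later in this series lists next to `\powershell.exe`; if that is deliberate per the "only processes seen used by Qakbot" note, no change is needed, otherwise add it.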
@@ -0,0 +1,63 @@
+title: Qakbot Rundll32 Exports Execution
+id: cf879ffb-793a-4753-9a14-bc8f37cc90df
+status: experimental
+description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
+references:
+    - https://github.com/pr0xylife/Qakbot/
+author: X__Junior (Nextron Systems)
+date: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_paths:
+        ParentImage|endswith:
+            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\curl.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\wscript.exe'
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
+            - ':\ProgramData\'
+            - ':\Users\Public\'
+            - '\AppData\Local\Temp\'
+            - '\AppData\Roaming\'
+    selection_exports:
+        CommandLine|endswith:
+            # Note: Only add additional exports seen used by Qakbot
+            - ',aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
+            - ',DrawThemeIcon'
+            - ',GG10'
+            - ',GL70'
+            - ',jhbvygftr'
+            - ',kjhbhkjvydrt'
+            - ',LS88'
+            - ',Motd'
+            - ',N115'
+            - ',Nikn'
+            - ',print'
+            - ',qqqb'
+            - ',qqqq'
+            - ',RS32'
+            - ',Test'
+            - ',Time'
+            - ',Updt'
+            - ',vips'
+            - ',Wind'
+            - ',WW50'
+            - ',X555'
+            - ',XL55'
+            - ',xlAutoOpen'
+            - ',XS88'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
new file mode 100644
index 000000000..01db1cf34
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
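Review bot: The only evidence for the export list is an inline comment on the `',aslr'` entry pointing at a tria.ge report, while `references` holds just the pr0xylife repository and the remaining 23 exports cite nothing. Sigma keeps sources in `references`, so the tria.ge link belongs there, and a comment above the list such as `# Note: Export names taken from the pr0xylife Qakbot IOC collection, see references` (if that is indeed the origin) would let a maintainer verify and prune entries later. Short generic suffixes like `',print'`, `',Test'` and `',Time'` are matched case-insensitively, so this comment is also where to record that the `selection_paths` constraint is what keeps them precise.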
@@ -0,0 +1,38 @@
+title: Qakbot Rundll32 Fake DLL Extension Execution
+id: cf879ffb-793a-4753-9a14-bc8f37cc90df
+status: experimental
+description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
+references:
+    - https://github.com/pr0xylife/Qakbot/
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        ParentImage|endswith:
+            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\curl.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\wscript.exe'
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
+            - ':\ProgramData\'
+            - ':\Users\Public\'
+            - '\AppData\Local\Temp\'
+            - '\AppData\Roaming\'
+    filter_main_extension:
+        CommandLine|contains: '.dll'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: critical
From bf80eace812deb64065d83c8fade1da50ffa61e0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 25 May 2023 02:13:00 +0200
Subject: [PATCH 2/8] feat: first batch update for regsvr32
---
 .../proc_creation_win_regsvr32_anomalies.yml | 64 ++++--------------
 ...oc_creation_win_regsvr32_flags_anomaly.yml | 15 ++---
 ...creation_win_regsvr32_http_ip_pattern.yml} | 11 ++--
 ..._creation_win_regsvr32_network_pattern.yml | 30 +++++++++
 .../proc_creation_win_regsvr32_no_dll.yml | 38 -----------
 ...ation_win_regsvr32_susp_child_process.yml} | 18 ++++--
 ...creation_win_regsvr32_susp_extensions.yml} | 18 ++++--
 ...eation_win_regsvr32_uncommon_extension.yml | 39 +++++++++++
 8 files changed, 116 insertions(+), 117 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_regsvr32_http_pattern.yml => proc_creation_win_regsvr32_http_ip_pattern.yml} (82%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
 rename rules/windows/process_creation/{proc_creation_win_regsvr32_spawn_explorer.yml => proc_creation_win_regsvr32_susp_child_process.yml} (54%)
 rename rules/windows/process_creation/{proc_creation_win_regsvr32_image.yml => proc_creation_win_regsvr32_susp_extensions.yml} (73%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
index 0eaa0c49d..5a1fec453 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
@@ -1,13 +1,13 @@
-title: Regsvr32 Anomaly
+title: Regsvr32 Execution Anomaly
 id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 status: experimental
-description: Detects various anomalies in relation to regsvr32.exe
+description: Detects various anomalies or uncommon execution trees related "regsvr32.exe"
 references:
-    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
 date: 2019/01/16
-modified: 2023/02/26
+modified: 2023/05/24
 tags:
     - attack.defense_evasion
     - attack.t1218.010
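Review bot: The new `description` line reads `related "regsvr32.exe"` and is missing its preposition; suggest `description: Detects various anomalies or uncommon execution trees related to "regsvr32.exe"`. The archived reference URL is a good replacement for the dead blogspot link.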
@@ -19,68 +19,26 @@ logsource:
 detection:
     selection1:
         Image|endswith: '\regsvr32.exe'
-        CommandLine|contains: '\Temp\'
+        CommandLine|contains:
+            - '\Temp\'
+            - '\AppData\Local'
+            - 'C:\Users\Public'
     selection2:
         Image|endswith: '\regsvr32.exe'
         ParentImage|endswith:
+            - '\cmd.exe'
+            - '\mshta.exe'
+            - '\powershell_ise.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
-            - '\powershell_ise.exe'
-    selection3:
-        Image|endswith: '\regsvr32.exe'
-        ParentImage|endswith: '\cmd.exe'
-    selection4a:
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains|all:
-            - '/i:'
-            - 'http'
-        CommandLine|endswith: 'scrobj.dll'
-    selection4b:
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains|all:
-            - '/i:'
-            - 'ftp'
-        CommandLine|endswith: 'scrobj.dll'
-    selection5:
-        Image|endswith:
-            - '\cscript.exe'
-            - '\wscript.exe'
-        ParentImage|endswith: '\regsvr32.exe'
     selection6:
         Image|endswith: '\EXCEL.EXE'
         CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
-    selection7:
-        ParentImage|endswith: '\mshta.exe'
-        Image|endswith: '\regsvr32.exe'
-    selection8:
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains:
-            - '\AppData\Local'
-            - 'C:\Users\Public'
-    selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|endswith:
-            - '.jpg'
-            - '.jpeg'
-            - '.png'
-            - '.gif'
-            - '.bin'
-            - '.tmp'
-            - '.temp'
-            - '.txt'
     filter1:
         CommandLine|contains:
             - '\AppData\Local\Microsoft\Teams'
             - '\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll'
-    filter2:
-        ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe'
-        CommandLine|contains: '\Program Files\Box\Box\Temp\'
-    filter_legitimate:
-        CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll'
     condition: 1 of selection* and not 1 of filter*
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Unknown
 level: high
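Review bot: `filter2` (the Box `streem.exe` parent writing under `\Program Files\Box\Box\Temp\`) and `filter_legitimate` (`/s C:\Windows\System32\RpcProxy\RpcProxy.dll`) are removed, yet `selection1` still matches any command line containing `\Temp\` and `selection2` now also fires on a `\cmd.exe` parent, so the known false positives those two filters suppressed will alert again at level high. If the intent is that the split-out rules (`susp_extensions`, `network_pattern`, `susp_child_process`) absorb this logic, the equivalent filters need to be carried over there; otherwise keep `filter2` and `filter_legitimate` in this rule. Dropping `fields` is consistent with the other rules touched in this commit.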
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
index f09267f9e..e85146025 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
@@ -1,12 +1,12 @@
-title: Regsvr32 Flags Anomaly
+title: Potentially Regsvr32 Commandline Flag Anomaly
 id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
 status: test
-description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
+description: Detects a potential command line flag anomaly related to "regsvr32" in which "/i" flag is used without the "/n" which should be uncommon.
 references:
     - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
 author: Florian Roth (Nextron Systems)
 date: 2019/07/13
-modified: 2021/11/27
+modified: 2023/05/24
 tags:
     - attack.defense_evasion
     - attack.t1218.010
@@ -17,12 +17,9 @@ detection:
     selection:
         Image|endswith: '\regsvr32.exe'
         CommandLine|contains: ' /i:'
-    filter:
+    filter_main_flag:
         CommandLine|contains: ' /n '
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
similarity index 82%
rename from rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index 715d87889..da769056b 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
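Review bot: The new title `Potentially Regsvr32 Commandline Flag Anomaly` uses an adverb where the other retitled rules in this series use `Potential`, and the description is missing its articles; suggest `title: Potential Regsvr32 Command Line Flag Anomaly` and `description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" flag, which should be uncommon.`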
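Review bot: `filter_main_flag` matches `' /n '` with a trailing space, so a command line whose last token is `/n` is not filtered and still alerts even though the `/n` flag is present; `' /n'` with a trailing-space or end-of-line check would be more accurate, and the reason for the current form deserves a comment on that line. The series' later calc-pattern rule matches both `-s` and `/s`, whereas `selection` here only matches `' /i:'`; if the dash spelling is intentionally out of scope, a short `# Note:` above `selection` would save the next reader the question.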
@@ -1,13 +1,14 @@
 title: Suspicious Regsvr32 HTTP IP Pattern
 id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
 status: experimental
-description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN
+description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address and a IP address.
 references:
-    - https://twitter.com/mrd0x/status/1461041276514623491c19-ps
+    - https://twitter.com/mrd0x/status/1461041276514623491
     - https://twitter.com/tccontre18/status/1480950986650832903
+    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/11
-modified: 2023/01/11
+modified: 2023/05/24
 tags:
     - attack.defense_evasion
     - attack.t1218.010
@@ -16,7 +17,7 @@ logsource:
     product: windows
 detection:
     selection_flags:
-        CommandLine|contains|all:
+        CommandLine|contains:
             - ' /s'
             - ' /u'
     selection_ip:
@@ -41,5 +42,5 @@ detection:
             - ' /i:https://9'
     condition: all of selection_*
 falsepositives:
-    - FQDNs that start with a number
+    - FQDNs that start with a number such as "7-Zip"
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
new file mode 100644
index 000000000..4c4706e8c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
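Review bot: The rewritten description says `and a IP address` (should be `an IP address`) and loses the distinction the rule actually encodes, namely an IP literal rather than a FQDN, which is what the `selection_ip` prefixes such as `' /i:https://9'` test for. Suggest `description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address that is an IP address rather than a FQDN.`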
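Review bot: Changing `CommandLine|contains|all` to `CommandLine|contains` on `selection_flags` turns the ` /s` / ` /u` pair from a conjunction into a disjunction, so the rule now fires whenever the very common `/s` silent flag appears together with an IP-style `/i:` argument, while the description still calls this a "flag combination". If the loosening is intended, reword the description accordingly and record the reason in a comment above `selection_flags`; otherwise restore `|all`. The enclosing `detection` block continues outside the hunk.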
@@ -0,0 +1,30 @@
+title:
+id: 867356ee-9352-41c9-a8f2-1be690d78216
+status: experimental
+description: Detects
+references:
+    - https://twitter.com/mrd0x/status/1461041276514623491
+    - https://twitter.com/tccontre18/status/1480950986650832903
+    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
+author: Florian Roth (Nextron Systems)
+date: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.t1218.010
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\regsvr32.exe'
+        - OriginalFileName: 'REGSVR32.EXE'
+    selection_flag:
+        CommandLine|contains: ' /i'
+    selection_protocol:
+        CommandLine|contains:
+            - 'ftp'
+            - 'http'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
deleted file mode 100644
index 32603fb9a..000000000
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Regsvr32 Command Line Without DLL
-id: 50919691-7302-437f-8e10-1fe088afa145
-status: test
-description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line
-references:
-    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth (Nextron Systems)
-date: 2019/07/17
-modified: 2022/12/25
-tags:
-    - attack.defense_evasion
-    - attack.t1574
-    - attack.execution
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\regsvr32.exe'
-    filter:
-        CommandLine|contains:
-            - '.dll'
-            - '.ocx'
-            - '.cpl'
-            - '.ax'
-            - '.bav'
-            - '.ppl'
-    filter_null1_for_4688:
-        CommandLine: null
-    filter_null2_for_4688:
-        CommandLine: ''
-    condition: selection and not filter and not filter_null1_for_4688 and not filter_null2_for_4688
-falsepositives:
-    - Unknown
-fields:
-    - CommandLine
-    - ParentCommandLine
-level: high
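Review bot: `title:` is left empty (an empty plain scalar parses as YAML null) and `description: Detects` is a truncated sentence, so this new rule will fail the repository's schema checks and ships without saying what it detects. Suggest `title: Regsvr32 Execution With Remote Location Keyword` and `description: Detects "regsvr32" executions where the "/i" flag is combined with an "http" or "ftp" keyword in the command line, which may indicate a scriptlet or DLL being loaded from a remote location.` Note that the deprecated anomaly rule's `selection4a`/`selection4b` required `/i:` plus a trailing `scrobj.dll`, whereas `' /i'` and the bare substrings `'ftp'`/`'http'` here also match local paths containing those letters; the medium level fits that breadth, but a comment on `selection_protocol` stating the intended scope would help tuning.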
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
similarity index 54%
rename from rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index a8ad65c94..85d9243bb 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -1,13 +1,13 @@
-title: Regsvr32 Spawning Explorer
+title: Suspicious Child Process Of Regsvr32
 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
 status: experimental
-description: Detects "regsvr32.exe" spawning "explorer.exe", which is very uncommon.
+description: Detects suspicious child processes of "regsvr32.exe".
 references:
     - https://redcanary.com/blog/intelligence-insights-april-2022/
     - https://www.echotrail.io/insights/search/regsvr32.exe
-author: elhoim
+author: elhoim, Florian Roth (Nextron Systems)
 date: 2022/05/05
-modified: 2022/07/28
+modified: 2023/05/24
 tags:
     - attack.defense_evasion
     - attack.t1218.010
@@ -17,8 +17,14 @@ logsource:
 detection:
     selection:
         ParentImage|endswith: '\regsvr32.exe'
-        Image|endswith: '\explorer.exe'
+        Image|endswith:
+            - '\calc.exe'
+            - '\cscript.exe'
+            - '\explorer.exe'
+            - '\mshta.exe'
+            - '\notepad.exe'
+            - '\wscript.exe'
     condition: selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
similarity index 73%
rename from rules/windows/process_creation/proc_creation_win_regsvr32_image.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index 55a4ab29e..a756cc3b1 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml
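Review bot: The five children added to `Image|endswith` (`\calc.exe`, `\cscript.exe`, `\mshta.exe`, `\notepad.exe`, `\wscript.exe`) are not backed by the two references, which cover the original explorer.exe case; `\cscript.exe`/`\wscript.exe` come from the deprecated anomaly rule's `selection5`, and the calc.exe case appears to relate to the Qakbot calc pattern added later in this series, but a reader of this file cannot tell. Add a comment above the list such as `# Note: cscript/wscript moved from the regsvr32 anomaly rule; calc/notepad/mshta seen in Qakbot activity (see references)` with the supporting source appended to `references`.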
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
@@ -1,17 +1,17 @@
-title: Suspicious Regsvr32 Execution With Image Extension
+title: Regsvr32 Execution With Suspicious File Extension
 id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 related:
     - id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
       type: similar
 status: experimental
-description: Detects the execution of REGSVR32.exe with DLL files masquerading as image files
+description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 references:
     - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
     - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
     - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
-author: frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2021/11/29
-modified: 2022/10/31
+modified: 2023/05/24
 tags:
     - attack.defense_evasion
     - attack.t1218.010
@@ -21,12 +21,15 @@ logsource:
 detection:
     selection_img:
         - Image|endswith: '\regsvr32.exe'
-        - OriginalFileName: '\REGSVR32.EXE'
+        - OriginalFileName: 'REGSVR32.EXE'
     selection_cli:
         CommandLine|endswith:
             # Add more image extensions
+            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
+            - '.bin'
             - '.bmp'
             - '.cr2'
+            - '.dat'
             - '.eps'
             - '.gif'
             - '.ico'
@@ -37,9 +40,12 @@ detection:
             - '.png'
             - '.raw'
             - '.sr2'
+            - '.temp'
+            - '.tif'
             - '.tiff'
+            - '.tmp'
+            - '.txt'
     condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
new file mode 100644
index 000000000..3fa164d5d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
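Review bot: The comment `# Add more image extensions` above `CommandLine|endswith` no longer describes the list once `.bin`, `.dat`, `.temp`, `.tmp` and `.txt` are added in this and the following hunk; suggest `# Note: Extensions (image or otherwise) seen used to masquerade DLL files, see references` so the next contributor does not restrict additions to image formats. Fixing `OriginalFileName` from `'\REGSVR32.EXE'` to `'REGSVR32.EXE'` is correct, since that field holds a bare file name and the old value could never match. The `falsepositives` entry in the last hunk changes to `Unlikely` while generic suffixes like `.tmp` and `.dat` are introduced; if the Max_Mal source justifies that, a word in the comment helps, otherwise keep `Unknown`.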
@@ -0,0 +1,39 @@
+title: Regsvr32 DLL Execution With Uncommon Extension
+id: 50919691-7302-437f-8e10-1fe088afa145
+status: test
+description: Detects a "regsvr32" execution where the file doesn't contain a common file extension used.
+references:
+    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems)
+date: 2019/07/17
+modified: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.t1574
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\regsvr32.exe'
+        - OriginalFileName: 'REGSVR32.EXE'
+    filter_main_legit_ext:
+        CommandLine|contains:
+            # Note: For better accuracy you might not want to use contains
+            - '.ax'
+            - '.cpl'
+            - '.dll' # Covers ".dll.mui"
+            - '.ocx'
+    filter_optional_pascal:
+        CommandLine|contains: '.ppl'
+    filter_optional_avg:
+        CommandLine|contains: '.bav'
+    filter_main_null_4688:
+        CommandLine: null
+    filter_main_empty_4688:
+        CommandLine: ''
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Other legit extensions currently not in the list either from third party or specific windows component
+level: medium
From 547b8ffa714be800b3e55f8d03fb777ca3042036 Mon Sep 17 00:00:00 2001
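Review bot: `status: test` is carried over from the deleted `proc_creation_win_regsvr32_no_dll.yml` (same `id`), but the detection was rewritten here (new `OriginalFileName` alternative, filters renamed and split into `filter_main_*`/`filter_optional_*`, level lowered), and every other reworked rule in this commit is `experimental`; suggest `status: experimental` until the new logic has been seen on real data. The description is also hard to parse; suggest `description: Detects a "regsvr32" execution where the command line does not contain one of the file extensions commonly registered with regsvr32.` The comment `# Note: For better accuracy you might not want to use contains` would be more useful if it named the alternative, e.g. `# Note: "contains" is used so ".dll.mui" and trailing flags match; switch to "endswith" if the trailing-flag case is not needed`.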
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 26 May 2023 15:59:30 +0200
Subject: [PATCH 3/8] feat: update more regsvr32
---
 .../proc_creation_win_regsvr32_anomalies.yml | 86 +++++++++++++++++++
 .../2023/Malware/Qakbot/README.md | 1 +
 ...n_malware_qakbot_regsvr32_calc_pattern.yml | 24 ++++++
 ...on_win_malware_qakbot_rundll32_exports.yml | 53 ++++++------
 ...are_qakbot_rundll32_fake_dll_execution.yml | 2 +-
 ...oc_creation_win_lolscript_register_app.yml | 30 +++++++
 ...ation_win_odbcconf_exec_susp_locations.yml | 2 +
 .../proc_creation_win_regsvr32_anomalies.yml | 44 ----------
 ...oc_creation_win_regsvr32_flags_anomaly.yml | 16 ++--
 ..._creation_win_regsvr32_http_ip_pattern.yml | 29 +++++--
 ..._creation_win_regsvr32_network_pattern.yml | 12 ++-
 ..._win_regsvr32_registration_via_cscript.yml | 32 -------
 ...eation_win_regsvr32_susp_child_process.yml | 25 ++++--
 ...creation_win_regsvr32_susp_exec_path_1.yml | 33 +++++++
 ...creation_win_regsvr32_susp_exec_path_2.yml | 51 +++++++++++
 ..._creation_win_regsvr32_susp_extensions.yml | 7 +-
 ...proc_creation_win_regsvr32_susp_parent.yml | 37 ++++++++
 ...eation_win_regsvr32_uncommon_extension.yml | 4 +-
 ...oc_creation_win_wmic_squiblytwo_bypass.yml | 2 +
 ...gistry_set_odbc_driver_registered_susp.yml | 2 +
 20 files changed, 364 insertions(+), 128 deletions(-)
 create mode 100644 deprecated/windows/proc_creation_win_regsvr32_anomalies.yml
 create mode 100644 rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
diff --git a/deprecated/windows/proc_creation_win_regsvr32_anomalies.yml b/deprecated/windows/proc_creation_win_regsvr32_anomalies.yml
new file mode 100644
index 000000000..07c879e3e
--- /dev/null
+++ b/deprecated/windows/proc_creation_win_regsvr32_anomalies.yml
@@ -0,0 +1,86 @@
+title: Regsvr32 Anomaly
+id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+status: deprecated
+description: Detects various anomalies in relation to regsvr32.exe
+references:
+    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
+date: 2019/01/16
+modified: 2023/05/26
+tags:
+    - attack.defense_evasion
+    - attack.t1218.010
+    - car.2019-04-002
+    - car.2019-04-003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|contains: '\Temp\'
+    selection2:
+        Image|endswith: '\regsvr32.exe'
+        ParentImage|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\powershell_ise.exe'
+    selection3:
+        Image|endswith: '\regsvr32.exe'
+        ParentImage|endswith: '\cmd.exe'
+    selection4a:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|contains|all:
+            - '/i:'
+            - 'http'
+        CommandLine|endswith: 'scrobj.dll'
+    selection4b:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|contains|all:
+            - '/i:'
+            - 'ftp'
+        CommandLine|endswith: 'scrobj.dll'
+    selection5:
+        Image|endswith:
+            - '\cscript.exe'
+            - '\wscript.exe'
+        ParentImage|endswith: '\regsvr32.exe'
+    selection6:
+        Image|endswith: '\EXCEL.EXE'
+        CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
+    selection7:
+        ParentImage|endswith: '\mshta.exe'
+        Image|endswith: '\regsvr32.exe'
+    selection8:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|contains:
+            - '\AppData\Local'
+            - 'C:\Users\Public'
+    selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|endswith:
+            - '.jpg'
+            - '.jpeg'
+            - '.png'
+            - '.gif'
+            - '.bin'
+            - '.tmp'
+            - '.temp'
+            - '.txt'
+    filter1:
+        CommandLine|contains:
+            - '\AppData\Local\Microsoft\Teams'
+            - '\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll'
+    filter2:
+        ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe'
+        CommandLine|contains: '\Program Files\Box\Box\Temp\'
+    filter_legitimate:
+        CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll'
+    condition: 1 of selection* and not 1 of filter*
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/README.md b/rules-emerging-threats/2023/Malware/Qakbot/README.md
index 0d7a57e2c..84f42183e 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/README.md
+++ b/rules-emerging-threats/2023/Malware/Qakbot/README.md
@@ -11,6 +11,7 @@ You can find more information on the threat in the following articles:
 
 ## Rules
 
+- [Qakbot Regsvr32 Calc Pattern](./proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml)
 - [Potential Qakbot Rundll32 Execution](./proc_creation_win_malware_qakbot_rundll32_execution.yml)
 - [Qakbot Rundll32 Exports Execution](./proc_creation_win_malware_qakbot_rundll32_exports.yml)
 - [Qakbot Rundll32 Fake DLL Extension Execution](./proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml)
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
new file mode 100644
index 000000000..4ec1aeb0f
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
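Review bot: The deprecated copy is written without a trailing newline (`\ No newline at end of file` after `level: high`), which the repository's YAML linting will flag and which produces a noisy diff on the next touch; add the final newline. The copy also keeps the dead `subt0x10.blogspot.de` reference that patch 2 replaced with the web.archive.org URL in the live rule; since the file is only an archive, that is acceptable, but noting in the description why it was deprecated, e.g. `description: Deprecated in favour of the dedicated regsvr32 rules (susp_extensions, network_pattern, susp_child_process, susp_parent). Detects various anomalies in relation to regsvr32.exe`, would help readers who land here from the rule id.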
@@ -0,0 +1,24 @@
+title: Qakbot Regsvr32 Calc Pattern
+id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
+status: experimental
+description: Detects sepcific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. Which is a behavior seen used often by Qakbot
+references:
+    - https://github.com/pr0xylife/Qakbot/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/26
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|endswith:
+            - ' -s calc'
+            - ' /s calc'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
index da966c0fe..e7d8113fa 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
@@ -1,5 +1,5 @@
 title: Qakbot Rundll32 Exports Execution
-id: cf879ffb-793a-4753-9a14-bc8f37cc90df
+id: 339ed3d6-5490-46d0-96a7-8abe33078f58
 status: experimental
 description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
 references:
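Review bot: The description has a typo (`sepcific`) and a sentence fragment (`Which is a behavior seen used often by Qakbot`); suggest `description: Detects a specific "regsvr32" command line where the "calc" keyword is used in conjunction with the "/s" flag, a pattern frequently seen in Qakbot activity.` Unlike the Qakbot rundll32 rules in this folder, `selection` here has no `ParentImage` or path constraint, so `falsepositives: Unlikely` with `level: high` rests entirely on the ` -s calc` / ` /s calc` suffix; a comment above `CommandLine|endswith` pointing to the pr0xylife sample that shows this exact form would make the confidence traceable.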
@@ -33,31 +33,32 @@ detection:
     selection_exports:
         CommandLine|endswith:
             # Note: Only add additional exports seen used by Qakbot
-            - ',aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
-            - ',DrawThemeIcon'
-            - ',GG10'
-            - ',GL70'
-            - ',jhbvygftr'
-            - ',kjhbhkjvydrt'
-            - ',LS88'
-            - ',Motd'
-            - ',N115'
-            - ',Nikn'
-            - ',print'
-            - ',qqqb'
-            - ',qqqq'
-            - ',RS32'
-            - ',Test'
-            - ',Time'
-            - ',Updt'
-            - ',vips'
-            - ',Wind'
-            - ',WW50'
-            - ',X555'
-            - ',XL55'
-            - ',xlAutoOpen'
-            - ',XS88'
+            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
+            - 'bind'
+            - 'DrawThemeIcon'
+            - 'GG10'
+            - 'GL70'
+            - 'jhbvygftr'
+            - 'kjhbhkjvydrt'
+            - 'LS88'
+            - 'Motd'
+            - 'N115'
+            - 'Nikn'
+            - 'print'
+            - 'qqqb'
+            - 'qqqq'
+            - 'RS32'
+            - 'Test'
+            - 'Time'
+            - 'Updt'
+            - 'vips'
+            - 'Wind'
+            - 'WW50'
+            - 'X555'
+            - 'XL55'
+            - 'xlAutoOpen'
+            - 'XS88'
     condition: all of selection_*
 falsepositives:
     - Unlikely
-level: high
+level: critical
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
index 01db1cf34..74957c3ab 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
@@ -1,5 +1,5 @@
 title: Qakbot Rundll32 Fake DLL Extension Execution
-id: cf879ffb-793a-4753-9a14-bc8f37cc90df
+id: bfd34392-c591-4009-b938-9fd985a28b85
 status: experimental
 description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
 references:
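Review bot: Dropping the leading comma from every `CommandLine|endswith` entry widens suffixes such as `'print'`, `'Test'`, `'Time'`, `'bind'` and `'Wind'` to any command line ending in those letters (Sigma string matching is case-insensitive), and the same hunk raises `level` from high to critical, so the rule becomes both broader and louder at once. `selection_paths` still narrows this to rundll32 under a scripting parent with a user-writable path, but a DLL or argument whose name merely ends in "test" or "time" now produces a critical alert. If the comma was removed because observed samples separate the export differently, say so in the `# Note:` comment above the list so the widening is justified; otherwise keep the comma-anchored forms.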
diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
new file mode 100644
index 000000000..84a92c7cb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -0,0 +1,30 @@
+title: Potential Register_App.Vbs LOLScript Abuse
+id: 28c8f68b-098d-45af-8d43-8089f3e35403
+status: experimental
+description: Detects potential abuse of the "register_app.vbs" script that's part of the windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
+references:
+    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
+    - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
+author: Austin Songer @austinsonger
+date: 2021/11/05
+modified: 2022/07/07
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+            - '\cscript.exe'
+            - '\wscript.exe'
+        - OriginalFileName:
+            - 'cscript.exe'
+            - 'wscript.exe'
+    selection_cli:
+        CommandLine|contains: '.vbs -register ' # register_app.vbs
+    condition: all of selection*
+falsepositives:
+    - Other VB scripts that leverage the same starting command line flags
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
index 1c55829fc..8ec5dee90 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
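Review bot: This file is created new yet carries `date: 2021/11/05` and `modified: 2022/07/07`, which suggests a previously removed rule is being restored; if so, `modified` should be bumped to the commit date and the reason for the restore stated, otherwise the dates should be the creation date only. The `condition: all of selection*` spelling differs from `all of selection_*` used by every other rule in this series, and `selection_cli` matches `'.vbs -register '` while the dash-only form leaves the `/register` spelling of the same switch uncovered; a comment noting that only the dash form was observed (or adding the slash form) would make that intent clear.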
@@ -8,6 +8,7 @@ references: - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/22 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.008 @@ -22,6 +23,7 @@ detection: # Note: Add more suspicious locations CommandLine|contains: - ':\PerfLogs\' + - ':\ProgramData\' - ':\Temp\' - ':\Users\Public\' - ':\Windows\Registration\CRMLog' diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml deleted file mode 100644 index 5a1fec453..000000000 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml +++ /dev/null 
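Review bot: Adding `':\ProgramData\'` to the `CommandLine|contains` list of suspicious odbcconf locations carries a noticeable false-positive cost, because many legitimate installers and agents keep their DLLs under ProgramData; later in this same series the identical path is removed from the "highly suspicious" list of `proc_creation_win_regsvr32_susp_exec_path_2.yml` and the rule that keeps it is lowered to `medium` after FPs were found in testing. Consider whether this rule's `falsepositives` and `level` (both outside the hunk) need the same adjustment, or add an entry like `- Legitimate software installed under ProgramData registering its own ODBC drivers`. The same consideration applies to the identical addition in the `registry_set_odbc_driver_registered_susp.yml` hunk of this commit.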
@@ -1,44 +0,0 @@
-title: Regsvr32 Execution Anomaly
-id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-status: experimental
-description: Detects various anomalies or uncommon execution trees related "regsvr32.exe"
-references:
- - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
-date: 2019/01/16
-modified: 2023/05/24
-tags:
- - attack.defense_evasion
- - attack.t1218.010
- - car.2019-04-002
- - car.2019-04-003
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Image|endswith: '\regsvr32.exe'
- CommandLine|contains:
- - '\Temp\'
- - '\AppData\Local'
- - 'C:\Users\Public'
- selection2:
- Image|endswith: '\regsvr32.exe'
- ParentImage|endswith:
- - '\cmd.exe'
- - '\mshta.exe'
- - '\powershell_ise.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- selection6:
- Image|endswith: '\EXCEL.EXE'
- CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
- filter1:
- CommandLine|contains:
- - '\AppData\Local\Microsoft\Teams'
- - '\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll'
- condition: 1 of selection* and not 1 of filter*
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
index e85146025..21edd2608 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
@@ -1,12 +1,12 @@ -title: Potentially Regsvr32 Commandline Flag Anomaly +title: Potential Regsvr32 Commandline Flag Anomaly id: b236190c-1c61-41e9-84b3-3fe03f6d76b0 status: test -description: Detects a potential command line flag anomaly related to "regsvr32" in which "/i" flag is used without the "/n" which should be uncommon. +description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon. references: - https://twitter.com/sbousseaden/status/1282441816986484737?s=12 author: Florian Roth (Nextron Systems) date: 2019/07/13 -modified: 2023/05/24 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.010 @@ -16,10 +16,14 @@ logsource: detection: selection: Image|endswith: '\regsvr32.exe' - CommandLine|contains: ' /i:' + CommandLine|contains: + - ' /i:' + - ' -i:' filter_main_flag: - CommandLine|contains: ' /n ' + CommandLine|contains: + - ' /n ' + - ' -n ' condition: selection and not 1 of filter_main_* falsepositives: - - Unknown + - Administrator typo might cause some false positives level: medium diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml index da769056b..d07d11d61 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml 
@@ -1,7 +1,7 @@ -title: Suspicious Regsvr32 HTTP IP Pattern +title: Potentially Suspicious Regsvr32 HTTP IP Pattern id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 status: experimental -description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address and a IP address. +description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. references: - https://twitter.com/mrd0x/status/1461041276514623491 - https://twitter.com/tccontre18/status/1480950986650832903 @@ -16,10 +16,9 @@ logsource: category: process_creation product: windows detection: - selection_flags: - CommandLine|contains: - - ' /s' - - ' /u' + selection_img: + - Image|endswith: '\regsvr32.exe' + - OriginalFileName: 'REGSVR32.EXE' selection_ip: CommandLine|contains: - ' /i:http://1' @@ -40,6 +39,24 @@ detection: - ' /i:https://7' - ' /i:https://8' - ' /i:https://9' + - ' -i:http://1' + - ' -i:http://2' + - ' -i:http://3' + - ' -i:http://4' + - ' -i:http://5' + - ' -i:http://6' + - ' -i:http://7' + - ' -i:http://8' + - ' -i:http://9' + - ' -i:https://1' + - ' -i:https://2' + - ' -i:https://3' + - ' -i:https://4' + - ' -i:https://5' + - ' -i:https://6' + - ' -i:https://7' + - ' -i:https://8' + - ' -i:https://9' condition: all of selection_* falsepositives: - FQDNs that start with a number such as "7-Zip" diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml index 4c4706e8c..4f27725b4 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml 
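Review bot: After the second hunk, `selection_img` plus `selection_ip` describes a strict subset of what `proc_creation_win_regsvr32_network_pattern.yml` (edited in this same commit) matches with its identical image selection, its ` /i`/` -i` flag selection and its protocol list, assuming that list contains `http` as its title states, so every hit of this rule also fires the other one. Tiered rules are fine, but the pairing is not recorded anywhere; add `related:` with `- id: 867356ee-9352-41c9-a8f2-1be690d78216` and `type: similar` so maintainers see the overlap when tuning either rule. The `selection_ip` block begins outside the third hunk, so only its tail is visible here.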
@@ -1,13 +1,17 @@ -title: +title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern id: 867356ee-9352-41c9-a8f2-1be690d78216 +related: + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects +description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. references: - https://twitter.com/mrd0x/status/1461041276514623491 - https://twitter.com/tccontre18/status/1480950986650832903 - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ author: Florian Roth (Nextron Systems) date: 2023/05/24 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.010 @@ -19,7 +23,9 @@ detection: - Image|endswith: '\regsvr32.exe' - OriginalFileName: 'REGSVR32.EXE' selection_flag: - CommandLine|contains: ' /i' + CommandLine|contains: + - ' /i' + - ' -i' selection_protocol: CommandLine|contains: - 'ftp' diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml deleted file mode 100644 index 0fca27e47..000000000 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml +++ /dev/null 
@@ -1,32 +0,0 @@
-title: Suspicious Registration via cscript.exe
-id: 28c8f68b-098d-45af-8d43-8089f3e35403
-status: experimental
-description: Detects when the registration of a VSS/VDS Provider as a COM+ application.
-references:
- - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- - https://ss64.com/vb/cscript.html
-author: Austin Songer @austinsonger
-date: 2021/11/05
-modified: 2022/07/07
-tags:
- - attack.defense_evasion
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Image|endswith: '\cscript.exe'
- CommandLine|contains: '-register'
- selection2:
- CommandLine|contains:
- - '\Windows Kits\10\bin\10.0.22000.0\x64'
- - '\Windows Kits\10\bin\10.0.19041.0\x64'
- - '\Windows Kits\10\bin\10.0.17763.0\x64'
- condition: all of selection*
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index 85d9243bb..6afe447bb 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -1,13 +1,17 @@ -title: Suspicious Child Process Of Regsvr32 +title: Potentially Suspicious Child Process Of Regsvr32 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca +related: + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects suspicious child processes of "regsvr32.exe". +description: Detects potentially suspicious child processes of "regsvr32.exe". references: - https://redcanary.com/blog/intelligence-insights-april-2022/ - https://www.echotrail.io/insights/search/regsvr32.exe -author: elhoim, Florian Roth (Nextron Systems) + - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo +author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/05/05 -modified: 2023/05/24 +modified: 2023/05/26 tags: - attack.defense_evasion - attack.t1218.010 @@ -22,9 +26,20 @@ detection: - '\cscript.exe' - '\explorer.exe' - '\mshta.exe' + - '\net.exe' + - '\net1.exe' + - '\nltest.exe' - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\reg.exe' + - '\schtasks.exe' + - '\werfault.exe' - '\wscript.exe' + filter_main_werfault: + Image|endswith: '\werfault.exe' + CommandLine|contains: ' -u -p ' condition: selection falsepositives: - - Unlikely + - Unlikely, but can rarely occur. Apply additional filters accordingly. level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml new file mode 100644 index 000000000..b288c1d02 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml 
@@ -0,0 +1,33 @@
+title: Regsvr32 Execution From Potential Suspicious Location
+id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+related:
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
+status: experimental
+description: Detects execution of regsvr32 where the DLL is located in a potential suspicious location.
+references:
+ - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
+ - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/26
+tags:
+ - attack.defense_evasion
+ - attack.t1218.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\regsvr32.exe'
+ - OriginalFileName: 'REGSVR32.EXE'
+ selection_cli:
+ CommandLine|contains:
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ condition: all of selection_*
+falsepositives:
+ - Some installers might execute "regsvr32" with DLLs located in %TEMP%. Apply additional filters if necessary.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
new file mode 100644
index 000000000..aa4a3b299
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
@@ -0,0 +1,51 @@
+title: Regsvr32 Execution From Highly Suspicious Location
+id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+status: experimental
+description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
+references:
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/26
+tags:
+ - attack.defense_evasion
+ - attack.t1218.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\regsvr32.exe'
+ - OriginalFileName: 'REGSVR32.EXE'
+ selection_cli:
+ CommandLine|contains:
+ - ':\PerfLogs\'
+ - ':\ProgramData\'
+ - ':\Temp\'
+ - '\Windows\Registration\CRMLog'
+ - '\Windows\System32\com\dmp\'
+ - '\Windows\System32\FxsTmp\'
+ - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
+ - '\Windows\System32\spool\drivers\color\'
+ - '\Windows\System32\spool\PRINTERS\'
+ - '\Windows\System32\spool\SERVERS\'
+ - '\Windows\System32\Tasks_Migrated\'
+ - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
+ - '\Windows\SysWOW64\com\dmp\'
+ - '\Windows\SysWOW64\FxsTmp\'
+ - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
+ - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
+ - '\Windows\Tasks\'
+ - '\Windows\Temp\'
+ - '\Windows\Tracing\'
+ filter_main_exclude_known_dirs:
+ CommandLine|contains:
+ # Note: add additional locations that are related to third party applications
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\ProgramData\'
+ - ':\Users\'
+ - ':\Windows\'
+ condition: all of selection_* or (selection_img and not 1 of filter_main_exclude_*)
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index a756cc3b1..851256ec4 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml @@ -1,8 +1,8 @@ -title: Regsvr32 Execution With Suspicious File Extension +title: Regsvr32 DLL Execution With Suspicious File Extension id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e related: - - id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec - type: similar + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files references: @@ -44,6 +44,7 @@ detection: - '.tif' - '.tiff' - '.tmp' + - '.rtf' - '.txt' condition: all of selection_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml new file mode 100644 index 000000000..dbdad5227 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml 
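Review bot: `- '.rtf'` is inserted between `.tmp` and `.txt`, which breaks the alphabetical order the visible part of the extension list keeps (`.tif`, `.tiff`, `.tmp`, `.txt`); move it up so it precedes `- '.tif'`. In the first hunk the existing `related` entry (`4aa6040b-3f28-44e3-a769-9208e5feb5ec`, `type: similar`) is replaced by the `obsoletes` link rather than kept alongside it; `related` is a list, so unless that rule was removed elsewhere both entries can coexist and the `similar` relation should not be dropped silently.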
@@ -0,0 +1,37 @@
+title: Scripting/CommandLine Process Spawned Regsvr32
+id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
+related:
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
+status: experimental
+description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. Spawning a "regsvr32" instance.
+references:
+ - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
+ - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/26
+tags:
+ - attack.defense_evasion
+ - attack.t1218.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\cmd.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\wscript.exe'
+ Image|endswith: '\regsvr32.exe'
+ filter_main_rpcproxy:
+ ParentImage: C:\Windows\System32\cmd.exe
+ CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
+ condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+ - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
+ - Some legitimate Windows services
+level: medium # Can be reduced to low if you experience a ton of FP
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index 3fa164d5d..50e1fa1fd 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
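Review bot: `ParentImage: C:\Windows\System32\cmd.exe` in `filter_main_rpcproxy` is the only unquoted path value in the rule, while every other path is single-quoted (`'\cmd.exe'`, `' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'`); write `ParentImage: 'C:\Windows\System32\cmd.exe'` for consistency with the rest of the file. The first `falsepositives` entry reads awkwardly (`... scripts leverage legitimately often.`); something like `Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts frequently spawn regsvr32. Apply additional filters and exclusions as necessary` says what is meant. The `ParentImage` filter is also exact-match while the selection uses `endswith`, so a comment noting that the RpcProxy exclusion deliberately requires the canonical System32 path would help the next reader.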
@@ -1,7 +1,7 @@ title: Regsvr32 DLL Execution With Uncommon Extension id: 50919691-7302-437f-8e10-1fe088afa145 status: test -description: Detects a "regsvr32" execution where the file doesn't contain a common file extension used. +description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ author: Florian Roth (Nextron Systems) @@ -35,5 +35,5 @@ detection: CommandLine: '' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - - Other legit extensions currently not in the list either from third party or specific windows component + - Other legit extensions currently not in the list either from third party or specific windows components. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml index b6f57f9e8..748ff8520 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml @@ -5,6 +5,8 @@ description: Detects potential SquiblyTwo attack technique with possible renamed references: - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html - https://twitter.com/mattifestation/status/986280382042595328 # Deleted + - https://atomicredteam.io/defense-evasion/T1220/ + - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ author: Markus Neis, Florian Roth date: 2019/01/16 modified: 2023/02/15 diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml index f255eaa09..a9ed69849 100644 --- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml 
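Review bot: The `proc_creation_win_wmic_squiblytwo_bypass.yml` hunk adds two references but leaves `modified: 2023/02/15` (visible as context) untouched, whereas every other edited rule in this commit bumps its date to `2023/05/26`; update it to `modified: 2023/05/26` so the change shows up in the rule's metadata. Reference-only edits are easy to overlook in release notes when the date stays stale. The two preceding `proc_creation_win_regsvr32_uncommon_extension.yml` hunks on this line are wording fixes and need nothing further.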
+++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml @@ -6,6 +6,7 @@ references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/23 +modified: 2023/05/26 tags: - attack.persistence - attack.t1003 @@ -21,6 +22,7 @@ detection: - '\Setup' Details|contains: - ':\PerfLogs\' + - ':\ProgramData\' - ':\Temp\' - ':\Users\Public\' - ':\Windows\Registration\CRMLog' From 00751c4c6d01252686891843dccbae1af50ffe6f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 26 May 2023 16:10:46 +0200 Subject: [PATCH 4/8] fix: issue to pass the tests --- ...c_creation_win_malware_qakbot_regsvr32_calc_pattern.yml | 7 ++++--- .../proc_creation_win_regsvr32_susp_child_process.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_1.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_2.yml | 2 +- .../proc_creation_win_regsvr32_susp_parent.yml | 2 +- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index 4ec1aeb0f..06ca443bd 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml @@ -15,9 +15,10 @@ logsource: detection: selection: Image|endswith: '\regsvr32.exe' - CommandLine|endswith: - - ' -s calc' - - ' /s calc' + CommandLine|contains: + - ' /s' + - ' -s' + CommandLine|endswith: ' calc' condition: selection falsepositives: - Unlikely 
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml index 6afe447bb..b2d1a88fc 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml @@ -39,7 +39,7 @@ detection: filter_main_werfault: Image|endswith: '\werfault.exe' CommandLine|contains: ' -u -p ' - condition: selection + condition: selection and not 1 of filter_main_* falsepositives: - Unlikely, but can rarely occur. Apply additional filters accordingly. level: high diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml index b288c1d02..f8d66650c 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml @@ -1,5 +1,5 @@ title: Regsvr32 Execution From Potential Suspicious Location -id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d +id: 9525dc73-0327-438c-8c04-13c0e037e9da related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index aa4a3b299..4c924d585 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml @@ -1,5 +1,5 @@ title: Regsvr32 Execution From Highly Suspicious Location -id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d +id: 327ff235-94eb-4f06-b9de-aaee571324be status: experimental description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations references: 
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml index dbdad5227..a6cd6f49e 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml @@ -30,7 +30,7 @@ detection: filter_main_rpcproxy: ParentImage: C:\Windows\System32\cmd.exe CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll' - condition: all of selection_* and not 1 of filter_main_* + condition: selection and not 1 of filter_main_* falsepositives: - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary - Some legitimate Windows services From 574c63ea06260742c087c14dbff302e4a164d0ee Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 26 May 2023 16:34:06 +0200 Subject: [PATCH 5/8] fix: fp found in testing --- ...creation_win_regsvr32_susp_exec_path_1.yml | 5 +-- ...creation_win_regsvr32_susp_exec_path_2.yml | 32 +++++++++++++------ 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml index f8d66650c..d8e2551c8 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml @@ -22,6 +22,7 @@ detection: - OriginalFileName: 'REGSVR32.EXE' selection_cli: CommandLine|contains: + - ':\ProgramData\' - ':\Temp\' - ':\Users\Public\' - ':\Windows\Temp\' 
@@ -29,5 +30,5 @@ detection: - '\AppData\Roaming\' condition: all of selection_* falsepositives: - - Some installers might execute "regsvr32" with DLLs located in %TEMP%. Apply additional filters if necessary. -level: high + - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index 4c924d585..581efc05b 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml @@ -16,10 +16,9 @@ detection: selection_img: - Image|endswith: '\regsvr32.exe' - OriginalFileName: 'REGSVR32.EXE' - selection_cli: + selection_path_1: CommandLine|contains: - ':\PerfLogs\' - - ':\ProgramData\' - ':\Temp\' - '\Windows\Registration\CRMLog' - '\Windows\System32\com\dmp\' 
@@ -35,17 +34,30 @@ detection: - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\' - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\' - '\Windows\Tasks\' - - '\Windows\Temp\' - '\Windows\Tracing\' - filter_main_exclude_known_dirs: + selection_path_2: + CommandLine|contains: + # This is to avoid collisions with CLI starting with "C:\" + - ' "C:\' + - ' C:\' + - " 'C:\\" + - 'D:\' + selection_exclude_known_dirs: CommandLine|contains: # Note: add additional locations that are related to third party applications - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\ProgramData\' - - ':\Users\' - - ':\Windows\' - condition: all of selection_* or (selection_img and not 1 of filter_main_exclude_*) + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\ProgramData\' + - 'C:\Users\' + # Note: The space added here are to avoid collisions with the "regsvr32" binary full path + - ' C:\Windows\' + - ' "C:\Windows\' + - " 'C:\\Windows\\" + filter_main_empty: + CommandLine|contains: '' + filter_main_null: + CommandLine|contains: null + condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_ falsepositives: - Unlikely level: high From f8ca220ade6a2a6ffb15bad6f45b3675e9ee194d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 26 May 2023 17:26:50 +0200 Subject: [PATCH 6/8] Update proc_creation_win_regsvr32_susp_exec_path_2.yml --- .../proc_creation_win_regsvr32_susp_exec_path_2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index 581efc05b..0d513aeb7 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml 
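Review bot: `selection_path_2` gives the `C:` drive three delimiter-prefixed variants (`' "C:\'`, `' C:\'`, `" 'C:\\"`) but lists the `D:` drive as a bare `'D:\'`, and `selection_exclude_known_dirs` contains only `C:` paths, so a DLL under `D:\Program Files\...` is reported as a highly suspicious location while the same path on `C:` is excluded, and any other drive letter is not covered at all. Because `'D:\'` has no leading space, it also matches inside the regsvr32 binary path the comment above tries to avoid: on a host whose system drive is `D:`, every `D:\Windows\System32\regsvr32.exe ...` command line satisfies `selection_path_2` and none of the `C:`-only exclusions apply. Either add the mirrored variants (`' "D:\'`, `' D:\'`, `" 'D:\\"`) plus `D:` entries in the exclusion list, or document in a comment that only the `C:` drive is handled. `selection_img` and the head of `selection_path_1` sit outside this hunk.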
@@ -54,9 +54,9 @@ detection: - ' "C:\Windows\' - " 'C:\\Windows\\" filter_main_empty: - CommandLine|contains: '' + CommandLine: '' filter_main_null: - CommandLine|contains: null + CommandLine: null condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_ falsepositives: - Unlikely From 50e0f5854730c9223efdd69b994dfb6f526f1902 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 26 May 2023 18:37:52 +0200 Subject: [PATCH 7/8] Update proc_creation_win_regsvr32_susp_exec_path_2.yml --- .../proc_creation_win_regsvr32_susp_exec_path_2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index 0d513aeb7..fe7c15019 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml @@ -57,7 +57,7 @@ detection: CommandLine: '' filter_main_null: CommandLine: null - condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_ + condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_* falsepositives: - Unlikely level: high From bcc0c9a9e0fb1ddcfe9f8f383b57a83f57315bb5 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 30 May 2023 11:17:52 +0200 Subject: [PATCH 8/8] feat: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- rules-emerging-threats/2023/Malware/Qakbot/README.md | 2 +- .../proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml | 2 +- .../proc_creation_win_lolscript_register_app.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_1.yml | 2 +- .../process_creation/proc_creation_win_regsvr32_susp_parent.yml | 2 +- .../proc_creation_win_regsvr32_uncommon_extension.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules-emerging-threats/2023/Malware/Qakbot/README.md b/rules-emerging-threats/2023/Malware/Qakbot/README.md index 84f42183e..2e50a2b2e 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/README.md +++ b/rules-emerging-threats/2023/Malware/Qakbot/README.md @@ -2,7 +2,7 @@ ## Summary -QBot is a modular information stealer also known as Qakbot or Pinkslipbot. +QBot is a modular information stealer also known as Qakbot, Quakbot, Oakboat or Pinkslipbot. You can find more information on the threat in the following articles: diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index 06ca443bd..db12b2f38 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml 
@@ -1,7 +1,7 @@
 title: Qakbot Regsvr32 Calc Pattern
 id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
 status: experimental
-description: Detects sepcific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. Which is a behavior seen used often by Qakbot
+description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
 references:
 - https://github.com/pr0xylife/Qakbot/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
index 84a92c7cb..1fb2caf8c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -1,7 +1,7 @@
 title: Potential Register_App.Vbs LOLScript Abuse
 id: 28c8f68b-098d-45af-8d43-8089f3e35403
 status: experimental
-description: Detects potential abuse of the "register_app.vbs" script that's part of the windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
+description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
 references:
 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
 - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
index d8e2551c8..f34176956 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
@@ -4,7 +4,7 @@ related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
 status: experimental
-description: Detects execution of regsvr32 where the DLL is located in a potential suspicious location.
+description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
 references:
 - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
index a6cd6f49e..d0d5927f0 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
@@ -4,7 +4,7 @@ related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
 status: experimental
-description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. Spawning a "regsvr32" instance.
+description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
 references:
 - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index 50e1fa1fd..bae2dcf8f 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
@@ -35,5 +35,5 @@ detection:
 CommandLine: ''
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Other legit extensions currently not in the list either from third party or specific windows components.
+ - Other legitimate extensions currently not in the list either from third party or specific Windows components.
 level: medium