From 8cf78fb4e65e7a51f6368c089a7b60feaf37b7e6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 20 Jan 2022 11:08:08 +0100
Subject: [PATCH] rules: advancedrun executions
---
 .../process_creation/win_susp_advancedrun.yml | 28 +++++++++++++++++
 .../win_susp_advancedrun_priv_user.yml | 30 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_advancedrun.yml
 create mode 100644 rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
diff --git a/rules/windows/process_creation/win_susp_advancedrun.yml b/rules/windows/process_creation/win_susp_advancedrun.yml
new file mode 100644
index 000000000..911766159
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_advancedrun.yml
@@ -0,0 +1,28 @@
+title: Suspicious AdvancedRun Execution
+id: d2b749ee-4225-417e-b20e-a8d2193cbb84
+status: experimental
+description: Detects the execution of AdvancedRun utitlity
+references:
+ - https://twitter.com/splinter_code/status/1483815103279603714
+ - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+ - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+author: Florian Roth
+date: 2022/01/20
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith: '\AdvancedRun.exe'
+ - CommandLine|contains|all:
+ - ' /EXEFilename '
+ - ' /Run'
+ - CommandLine|contains|all:
+ - ' /WindowState 0'
+ - ' /RunAs '
+ - ' /CommandLine '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml b/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
new file mode 100644
index 000000000..9401ed7d6
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_advancedrun_priv_user.yml
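Review bot: The `Image|endswith: '\AdvancedRun.exe'` branch of `selection` is the only one that does not depend on specific command-line switches, and it is keyed on the file name alone, so a renamed copy invoked with switches outside the two CommandLine combinations goes undetected; adding `- OriginalFileName: 'AdvancedRun.exe'` as a further alternative in the same list keeps that coverage on telemetry that carries the PE's original name. The description has a typo, `utitlity` → `utility`, which also appears in the description of win_susp_advancedrun_priv_user.yml in the second hunk. Since the tool also has legitimate administrative uses, `falsepositives` would be more useful than `Unknown` as something like `- Legitimate use of AdvancedRun by administrators`. The rule has no `tags` block; the ATT&CK technique references that Sigma rules in this directory conventionally carry are missing here.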
@@ -0,0 +1,30 @@
+title: Suspicious AdvancedRun Runas Priv User
+id: fa00b701-44c6-4679-994d-5a18afa8a707
+status: experimental
+description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller or SYSTEM account
+references:
+ - https://twitter.com/splinter_code/status/1483815103279603714
+ - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
+ - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+author: Florian Roth
+date: 2022/01/20
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - '/EXEFilename'
+ - '/CommandLine'
+ selection_runas:
+ - CommandLine|contains:
+ - ' /RunAs 8 '
+ - ' /RunAs 4 '
+ - CommandLine|endswith:
+ - '/RunAs 8'
+ - '/RunAs 4'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
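Review bot: `selection` uses `CommandLine|contains` with a two-item list, which matches when either `/EXEFilename` or `/CommandLine` is present, whereas the sibling rule in the first hunk requires `/EXEFilename` together with a run switch via `contains|all`; if both arguments are meant to be present here this should read `CommandLine|contains|all:`, and if either is intended a short comment saying so would stop the next reader from "fixing" it. The `/RunAs` values `8` and `4` in `selection_runas` are bare numbers whose meaning is only recoverable from the description, so a comment above them such as `# 4 and 8 are the /RunAs modes for the SYSTEM and TrustedInstaller accounts named in the description` would document the intent where it is matched. The two rules in this commit also use different styles for the same switches (`' /EXEFilename '` with surrounding spaces in the first file, `'/EXEFilename'` without here); picking one convention across both files would make the pair easier to maintain. Since this rule is a narrower variant of the first, a `related` entry pointing at `d2b749ee-4225-417e-b20e-a8d2193cbb84` with `type: similar` would make that link explicit.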