Merge PR #4833 from @nasbench - New rules related to Forest Blizzard activity

new: Forest Blizzard APT - Custom Protocol Handler Creation
new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
new: Forest Blizzard APT - File Creation Activity
new: Forest Blizzard APT - JavaScript Constrained File Creation
new: Forest Blizzard APT - Process Creation Activity

rules-emerging-threats/2024/TA/Forest-Blizzard/README.md

@@ -0,0 +1,17 @@
+# Forest Blizzard’s Exploiting CVE-2022-38028
+
+## Summary
+
+Microsoft Threat Intelligence published results of their longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. 
+
+You can find more information on the threat in the following articles:
+
+- [Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials](https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/)
+
+## Rules
+
+- [Forest Blizzard APT - File Creation Activity](./file_event_win_apt_forest_blizzard_activity.yml)
+- [Forest Blizzard APT - JavaScript Constrained File Creation](./file_event_win_apt_forest_blizzard_constrained_js.yml)
+- [Forest Blizzard APT - Process Creation Activity](./proc_creation_win_apt_forest_blizzard_activity.yml)
+- [Forest Blizzard APT - Custom Protocol Handler DLL Registry Set](./registry_set_apt_forest_blizzard_custom_protocol_handler.yml)
+- [Forest Blizzard APT - Custom Protocol Handler Creation](./registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml)

rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml

@@ -0,0 +1,48 @@
+title: Forest Blizzard APT - File Creation Activity
+id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
+status: experimental
+description: |
+    Detects the creation of specific files inside of ProgramData directory.
+    These files were seen being created by Forest Blizzard as described by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_programdata_driver_store:
+        TargetFilename|startswith:
+            - 'C:\ProgramData\Microsoft\v'
+            - 'C:\ProgramData\Adobe\v'
+            - 'C:\ProgramData\Comms\v'
+            - 'C:\ProgramData\Intel\v'
+            - 'C:\ProgramData\Kaspersky Lab\v'
+            - 'C:\ProgramData\Bitdefender\v'
+            - 'C:\ProgramData\ESET\v'
+            - 'C:\ProgramData\NVIDIA\v'
+            - 'C:\ProgramData\UbiSoft\v'
+            - 'C:\ProgramData\Steam\v'
+        TargetFilename|contains:
+            - '\pnms003.inf_'
+            - '\pnms009.inf_'
+    selection_programdata_main:
+        TargetFilename|startswith: 'C:\ProgramData\'
+    selection_programdata_files_1:
+        TargetFilename|endswith:
+            - '.save'
+            - '\doit.bat'
+            - '\execute.bat'
+            - '\servtask.bat'
+        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
+    selection_programdata_files_2:
+        TargetFilename|contains: '\wayzgoose'
+        TargetFilename|endswith: '.dll'
+    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml

@@ -0,0 +1,24 @@
+title: Forest Blizzard APT - JavaScript Constrained File Creation
+id: ec7c4e9b-9bc9-47c7-a32f-b53b598da642
+status: experimental
+description: |
+    Detects the creation of JavaScript files inside of the DriverStore directory.
+    Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|startswith: 'C:\Windows\System32\DriverStore\FileRepository\'
+        TargetFilename|endswith: '\.js'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium

rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml

@@ -0,0 +1,47 @@
+title: Forest Blizzard APT - Process Creation Activity
+id: 07db928c-8632-488e-ac7d-3db847489175
+status: experimental
+description: |
+    Detects the execution of specific processes and command line combination.
+    These were seen being created by Forest Blizzard as described by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_hashes:
+        Hashes|contains:
+            - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
+            - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
+    selection_schtasks_create:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - 'Create'
+            - '/RU'
+            - 'SYSTEM'
+            - '\Microsoft\Windows\WinSrv'
+        CommandLine|contains:
+            - 'servtask.bat'
+            - 'execute.bat'
+            - 'doit.bat'
+    selection_schtasks_delete:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - 'Delete'
+            - '/F '
+            - '\Microsoft\Windows\WinSrv'
+    selection_powershell:
+        CommandLine|contains:
+            - 'Get-ChildItem'
+            - '.save'
+            - 'Compress-Archive -DestinationPath C:\ProgramData\'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml

@@ -0,0 +1,24 @@
+title: Forest Blizzard APT - Custom Protocol Handler Creation
+id: 5cdeb555-65de-4767-99fe-e26807465148
+status: experimental
+description: |
+    Detects the setting of a custom protocol handler with the name "rogue".
+    Seen being created by Forest Blizzard APT as reported by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.persistence
+    - attack.t1547.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\PROTOCOLS\\Handler\rogue\CLSID'
+        Details: '{026CC6D7-34B2-33D5-B551-CA31EB6CE345}'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml

@@ -0,0 +1,24 @@
+title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
+id: d807056b-0e00-4cec-b7f8-b8b7518e382b
+status: experimental
+description: |
+    Detects the setting of the DLL that handles the custom protocol handler.
+    Seen being created by Forest Blizzard APT as reported by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.persistence
+    - attack.t1547.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
+        Details|endswith: '.dll'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high