From 8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 24 Apr 2024 10:04:28 +0200
Subject: [PATCH] Merge PR #4833 from @nasbench - New rules related to Forest Blizzard activity

new: Forest Blizzard APT - Custom Protocol Handler Creation
new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
new: Forest Blizzard APT - File Creation Activity
new: Forest Blizzard APT - JavaScript Constrained File Creation
new: Forest Blizzard APT - Process Creation Activity
---
 .../2024/TA/Forest-Blizzard/README.md | 17 +++++++
 ...event_win_apt_forest_blizzard_activity.yml | 48 +++++++++++++++++++
 ...win_apt_forest_blizzard_constrained_js.yml | 24 ++++++++++
 ...ation_win_apt_forest_blizzard_activity.yml | 47 ++++++++++++++++++
 ...orest_blizzard_custom_protocol_handler.yml | 24 ++++++++++
 ...t_blizzard_custom_protocol_handler_dll.yml | 24 ++++++++++
 6 files changed, 184 insertions(+)
 create mode 100644 rules-emerging-threats/2024/TA/Forest-Blizzard/README.md
 create mode 100644 rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
 create mode 100644 rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
 create mode 100644 rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
 create mode 100644 rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
 create mode 100644 rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml

diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/README.md b/rules-emerging-threats/2024/TA/Forest-Blizzard/README.md
new file mode 100644
index 000000000..232fa3c32
--- /dev/null
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/README.md
@@ -0,0 +1,17 @@
+# Forest Blizzard’s Exploiting CVE-2022-38028
+
+## Summary
+
+Microsoft Threat Intelligence published results of their longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
+
+You can find more information on the threat in the following articles:
+
+- [Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials](https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/)
+
+## Rules
+
+- [Forest Blizzard APT - File Creation Activity](./file_event_win_apt_forest_blizzard_activity.yml)
+- [Forest Blizzard APT - JavaScript Constrained File Creation](./file_event_win_apt_forest_blizzard_constrained_js.yml)
+- [Forest Blizzard APT - Process Creation Activity](./proc_creation_win_apt_forest_blizzard_activity.yml)
+- [Forest Blizzard APT - Custom Protocol Handler DLL Registry Set](./registry_set_apt_forest_blizzard_custom_protocol_handler.yml)
+- [Forest Blizzard APT - Custom Protocol Handler Creation](./registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml)
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
new file mode 100644
index 000000000..e74e876fe
--- /dev/null
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
@@ -0,0 +1,48 @@
+title: Forest Blizzard APT - File Creation Activity
+id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
+status: experimental
+description: |
+    Detects the creation of specific files inside of ProgramData directory.
+    These files were seen being created by Forest Blizzard as described by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_programdata_driver_store:
+        TargetFilename|startswith:
+            - 'C:\ProgramData\Microsoft\v'
+            - 'C:\ProgramData\Adobe\v'
+            - 'C:\ProgramData\Comms\v'
+            - 'C:\ProgramData\Intel\v'
+            - 'C:\ProgramData\Kaspersky Lab\v'
+            - 'C:\ProgramData\Bitdefender\v'
+            - 'C:\ProgramData\ESET\v'
+            - 'C:\ProgramData\NVIDIA\v'
+            - 'C:\ProgramData\UbiSoft\v'
+            - 'C:\ProgramData\Steam\v'
+        TargetFilename|contains:
+            - '\pnms003.inf_'
+            - '\pnms009.inf_'
+    selection_programdata_main:
+        TargetFilename|startswith: 'C:\ProgramData\'
+    selection_programdata_files_1:
+        TargetFilename|endswith:
+            - '.save'
+            - '\doit.bat'
+            - '\execute.bat'
+            - '\servtask.bat'
+        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
+    selection_programdata_files_2:
+        TargetFilename|contains: '\wayzgoose'
+        TargetFilename|endswith: '.dll'
+    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
+falsepositives:
+    - Unlikely
+level: high
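Review bot: The ATT&CK tags do not describe what the selections match: `attack.t1562.002` is "Impair Defenses: Disable Windows Event Logging", yet nothing here touches logging — the rule keys on dropped payload artifacts (`.save` archives, the `doit.bat`/`execute.bat`/`servtask.bat` launchers, `wayzgoose*.dll`) that the README in this PR ties to privilege escalation via CVE-2022-38028. Consider `- attack.privilege_escalation` and `- attack.t1068` instead, or at minimum drop the t1562.002 sub-technique. The commented `Hashes` line has two typos and should read `# Uncomment this if you collect hash information in file events`. Also, `.save` anywhere under `C:\ProgramData\` combined with a hard-coded drive letter is fairly generic for a `high` rule that declares false positives "Unlikely"; `TargetFilename|contains: ':\ProgramData\'` in `selection_programdata_main` would be the usual Sigma form and the `.save` entry may deserve a qualifying path component.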
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
new file mode 100644
index 000000000..1e64dedad
--- /dev/null
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
@@ -0,0 +1,24 @@
+title: Forest Blizzard APT - JavaScript Constrained File Creation
+id: ec7c4e9b-9bc9-47c7-a32f-b53b598da642
+status: experimental
+description: |
+    Detects the creation of JavaScript files inside of the DriverStore directory.
+    Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|startswith: 'C:\Windows\System32\DriverStore\FileRepository\'
+        TargetFilename|endswith: '\.js'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
new file mode 100644
index 000000000..048ea757a
--- /dev/null
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
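Review bot: `TargetFilename|endswith: '\.js'` only matches a path whose final component is literally `.js` — in Sigma the backslash here is a path separator, not a regex escape — so a constraints file with a real name under `FileRepository\` would never fire; the line should be `TargetFilename|endswith: '.js'`. The title's "JavaScript Constrained File" should read "JavaScript Constraints File", matching the description. The description says the actor *modifies* an existing constraints file, while `file_event` generally surfaces creations; whether an in-place rewrite produces such an event depends on the tooling, so the description should state which behaviour this rule actually expects to see. As in the sibling rule, `attack.t1562.002` (disabling event logging) does not describe exploiting CVE-2022-38028; `attack.privilege_escalation` / `attack.t1068` fit the described behaviour.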
@@ -0,0 +1,47 @@
+title: Forest Blizzard APT - Process Creation Activity
+id: 07db928c-8632-488e-ac7d-3db847489175
+status: experimental
+description: |
+    Detects the execution of specific processes and command line combination.
+    These were seen being created by Forest Blizzard as described by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_hashes:
+        Hashes|contains:
+            - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
+            - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
+    selection_schtasks_create:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - 'Create'
+            - '/RU'
+            - 'SYSTEM'
+            - '\Microsoft\Windows\WinSrv'
+        CommandLine|contains:
+            - 'servtask.bat'
+            - 'execute.bat'
+            - 'doit.bat'
+    selection_schtasks_delete:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - 'Delete'
+            - '/F '
+            - '\Microsoft\Windows\WinSrv'
+    selection_powershell:
+        CommandLine|contains:
+            - 'Get-ChildItem'
+            - '.save'
+            - 'Compress-Archive -DestinationPath C:\ProgramData\'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
new file mode 100644
index 000000000..07a673e6a
--- /dev/null
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
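Review bot: `selection_powershell` uses a plain `CommandLine|contains` list, which Sigma evaluates as OR, so any command line containing just `Get-ChildItem` or just `.save` satisfies it; with `condition: 1 of selection_*` and `level: high` this will alert on routine PowerShell on every host. The description speaks of a "command line combination", so the modifier should be `CommandLine|contains|all:` for those three entries. Once that is fixed, the single token `'Compress-Archive -DestinationPath C:\ProgramData\'` is still brittle to argument order and quoting; splitting it into `- 'Compress-Archive'` and `- '-DestinationPath C:\ProgramData\'` inside the same `|all` list keeps the intent and tolerates reordering. The `falsepositives` entry should then be revisited — "Unknown" is not a useful statement for a rule at this level.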
@@ -0,0 +1,24 @@
+title: Forest Blizzard APT - Custom Protocol Handler Creation
+id: 5cdeb555-65de-4767-99fe-e26807465148
+status: experimental
+description: |
+    Detects the setting of a custom protocol handler with the name "rogue".
+    Seen being created by Forest Blizzard APT as reported by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.persistence
+    - attack.t1547.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\PROTOCOLS\\Handler\rogue\CLSID'
+        Details: '{026CC6D7-34B2-33D5-B551-CA31EB6CE345}'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
new file mode 100644
index 000000000..d1de35a7a
--- /dev/null
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
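Review bot: The `TargetObject` pattern mixes escaping styles — `'\PROTOCOLS\\Handler\rogue\CLSID'` doubles the backslash before `Handler` while every other separator is single; Sigma treats both as one literal backslash, but it reads like a typo and some backends have historically differed on `\\`, so normalise it to `TargetObject|contains: '\PROTOCOLS\Handler\rogue\CLSID'`. The tag `attack.t1547.001` is "Registry Run Keys / Startup Folder", which is not what registering a pluggable-protocol handler is; the description frames this as part of the tool's execution chain rather than an autorun entry, so the persistence tagging should be re-checked against the referenced report before merge. Separately, the README added in this PR links this file under the "Custom Protocol Handler DLL Registry Set" title and the `_dll.yml` file under "Custom Protocol Handler Creation", the reverse of the `title:` fields in the two rules.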
@@ -0,0 +1,24 @@
+title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
+id: d807056b-0e00-4cec-b7f8-b8b7518e382b
+status: experimental
+description: |
+    Detects the setting of the DLL that handles the custom protocol handler.
+    Seen being created by Forest Blizzard APT as reported by MSFT.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/23
+tags:
+    - attack.persistence
+    - attack.t1547.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
+        Details|endswith: '.dll'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high