diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 50ebcec54..c6fba1fd6 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -6,7 +6,7 @@ status: experimental
 references:
     - https://twitter.com/SBousseaden/status/1483810148602814466
 date: 2022/01/20
-modified: 2022/10/31
+modified: 2022/11/07
 tags:
     - attack.execution
 logsource:
@@ -79,7 +79,10 @@ detection:
             - 12
         ValidatedPolicy: 1
     filter_gac:
-        FileNameBuffer|endswith: '\stdole.dll'
+        # If other DLLs show up from this process. Filter the path containing this string `\Windows\assembly\GAC\`
+        FileNameBuffer|endswith:
+            - '\stdole.dll'
+            - '\msdatasrc.dll'
         ProcessNameBuffer|endswith: '\mscorsvw.exe'
         ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
         RequestedPolicy: 8
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index f3915298f..bbbc5cf51 100755
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
 date: 2020/05/26
-modified: 2022/10/28
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1036.005
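Review bot: The new comment on `filter_gac` talks about filtering on the path `\Windows\assembly\GAC\`, but the filter still keys on the file name via `FileNameBuffer|endswith`, so a `msdatasrc.dll` (or `stdole.dll`) loaded by mscorsvw.exe from any directory is excluded, not only the GAC copy the comment has in mind. If the location is what makes these loads benign, express that directly with `FileNameBuffer|contains: '\Windows\assembly\GAC\'` in the filter (in addition to, or instead of, the growing name list), which also stops the list needing a new entry per DLL. The `ProcessNameBuffer` and `RequestedPolicy` constraints keep the filter reasonably narrow, but a same-named DLL planted outside the GAC is exactly the case a name-only exclusion would hide; the EventID selection this filter applies to is outside the hunk, so I cannot check how broad the match is.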
@@ -14,78 +14,78 @@ logsource:
 detection:
     selection:
         TargetFilename|endswith:
-            - '\svchost.exe'
-            - '\rundll32.exe'
-            - '\services.exe'
-            - '\powershell.exe'
-            - '\pwsh.exe'
-            - '\regsvr32.exe'
-            - '\spoolsv.exe'
-            - '\lsass.exe'
-            - '\smss.exe'
-            - '\csrss.exe'
-            - '\conhost.exe'
-            - '\wininit.exe'
-            - '\lsm.exe'
-            - '\winlogon.exe'
-            - '\explorer.exe'
-            - '\taskhost.exe'
-            - '\Taskmgr.exe'
-            - '\sihost.exe'
-            - '\RuntimeBroker.exe'
-            - '\smartscreen.exe'
-            - '\dllhost.exe'
-            - '\audiodg.exe'
-            - '\wlanext.exe'
             - '\AtBroker.exe'
+            - '\audiodg.exe'
+            - '\backgroundTaskHost.exe'
             - '\bcdedit.exe'
             - '\bitsadmin.exe'
+            - '\cmdl32.exe'
+            - '\cmstp.exe'
+            - '\conhost.exe'
+            - '\csrss.exe'
+            - '\dasHost.exe'
+            - '\dfrgui.exe'
+            - '\dllhost.exe'
+            - '\dwm.exe'
+            - '\eventcreate.exe'
+            - '\eventvwr.exe'
+            - '\explorer.exe'
+            - '\extrac32.exe'
+            - '\fontdrvhost.exe'
             - '\ipconfig.exe'
-            - '\LsaIso.exe'
-            - '\LogonUI.exe'
+            - '\iscsicli.exe'
+            - '\iscsicpl.exe'
             - '\logman.exe'
+            - '\LogonUI.exe'
+            - '\LsaIso.exe'
+            - '\lsass.exe'
+            - '\lsm.exe'
+            - '\msiexec.exe'
             - '\msinfo32.exe'
             - '\mstsc.exe'
-            - '\msiexec.exe'
             - '\nbtstat.exe'
-            - '\regini.exe'
-            - '\TiWorker.exe'
-            - '\WmiPrvSE.exe'
-            - '\WUDFHost.exe'
-            - '\taskhostw.exe'
-            - '\dasHost.exe'
-            - '\wslhost.exe'
-            - '\fontdrvhost.exe'
-            - '\dwm.exe'
-            - '\backgroundTaskHost.exe'
-            - '\SystemSettingsBroker.exe'
             - '\odbcconf.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regini.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\RuntimeBroker.exe'
             - '\schtasks.exe'
-            - '\SearchProtocolHost.exe'
-            - '\SearchIndexer.exe'
             - '\SearchFilterHost.exe'
-            - '\SecurityHealthSystray.exe'
+            - '\SearchIndexer.exe'
+            - '\SearchProtocolHost.exe'
             - '\SecurityHealthService.exe'
+            - '\SecurityHealthSystray.exe'
+            - '\services.exe'
             - '\ShellAppRuntime.exe'
+            - '\sihost.exe'
+            - '\smartscreen.exe'
+            - '\smss.exe'
+            - '\spoolsv.exe'
+            - '\svchost.exe'
+            - '\SystemSettingsBroker.exe'
+            - '\taskhost.exe'
+            - '\taskhostw.exe'
+            - '\Taskmgr.exe'
+            - '\TiWorker.exe'
             - '\vssadmin.exe'
             - '\w32tm.exe'
             - '\WerFault.exe'
             - '\WerFaultSecure.exe'
             - '\wermgr.exe'
             - '\wevtutil.exe'
+            - '\wininit.exe'
+            - '\winlogon.exe'
             - '\winrshost.exe'
-            - '\wlrmdr.exe'
             - '\WinRTNetMUAHostServer.exe'
+            - '\wlanext.exe'
+            - '\wlrmdr.exe'
+            - '\WmiPrvSE.exe'
+            - '\wslhost.exe'
             - '\WSReset.exe'
+            - '\WUDFHost.exe'
             - '\WWAHost.exe'
-            - '\iscsicpl.exe'
-            - '\iscsicli.exe'
-            - '\extrac32.exe'
-            - '\eventvwr.exe'
-            - '\eventcreate.exe'
-            - '\dfrgui.exe'
-            - '\cmdl32.exe'
-            - '\cmstp.exe'
     filter1:
         TargetFilename|startswith:
             - 'C:\Windows\System32\'
@@ -95,6 +95,7 @@ detection:
         Image|endswith:
             - '\Windows\System32\dism.exe'
             - '\TiWorker.exe'
+            - '\bcdedit.exe'
     filter2:
         TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
         Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index 9fe5b68f7..b59852995 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -3,8 +3,10 @@ id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
 related:
     - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
       type: derived
+    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
+      type: similar
 status: experimental
-description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
+description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
 references:
     - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
     - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
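Review bot: The new `- '\bcdedit.exe'` entry under `Image|endswith` is a bare file name, while the sibling `dism.exe` entry is anchored to `\Windows\System32\dism.exe`; since `\bcdedit.exe` is also one of the names this rule hunts in `TargetFilename|endswith`, a renamed binary called bcdedit.exe living outside the system folders would have any further system-named files it drops excluded by this very filter. Anchor it like dism: `- '\Windows\System32\bcdedit.exe'` (add the `\SysWOW64\` form if that path is ever observed). The filter block that owns this `Image|endswith` starts before the hunk, so I cannot see whether it is also constrained on `TargetFilename`; if it is not, the pre-existing `\TiWorker.exe` entry has the same weakness and the same fix applies.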
@@ -13,7 +15,7 @@ references:
     - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali, frack113
 date: 2022/06/19
-modified: 2022/07/28
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1036.007
@@ -25,7 +27,7 @@ detection:
         TargetFilename|endswith:
             - '.zip'
             - '.rar'
-            - '.lnk'
+            #- '.lnk' # legitimate links can happen just anywhere
             - '.iso'
             - '.exe'
         TargetFilename|contains:
@@ -36,15 +38,16 @@ detection:
             - '.ppt.'
             - '.pptx.'
             - '.jpg.'
+            - '.pdf.'
     selection_exe:
         TargetFilename|endswith:
             - '.zip.exe'
             - '.rar.exe'
-    filter:
-        TargetFilename|contains:
-            - '\AppData\Roaming\Microsoft\Office\Recent\'
-            - '\AppData\Roaming\Microsoft\Windows\Recent\'
-    condition: 1 of selection_* and not filter
+    #filter:
+    #    TargetFilename|contains:
+    #        - '\AppData\Roaming\Microsoft\Office\Recent\'
+    #        - '\AppData\Roaming\Microsoft\Windows\Recent\'
+    condition: 1 of selection_*
 falsepositives:
     - Unlikely
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
new file mode 100644
index 000000000..5f407aeec
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
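Review bot: The `filter` block is commented out rather than deleted, leaving four lines of dead YAML inside `detection`, and nothing records why it is gone; presumably the two Recent folders only ever produced `.lnk` hits, which is why dropping `.lnk` from `TargetFilename|endswith` makes the exclusion redundant, but a later editor has no way to know that and may re-enable it, which would silently suppress `.zip`/`.iso`/`.exe` drops under those paths. Remove the four commented lines and put the reason on the `.lnk` entry instead, e.g. `#- '.lnk' # moved to 3215aa19-f060-4332-86d5-5602511f3ca8 together with the Recent-folder filter`. The added `'.pdf.'` term is fine, but `falsepositives: Unlikely` at `level: high` should be re-checked now that the filter is gone, since `contains '.pdf.'` combined with `endswith '.zip'` also matches archive names such as `scan.pdf.zip`.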
@@ -0,0 +1,41 @@
+title: Suspicious LNK Double Extension Files
+id: 3215aa19-f060-4332-86d5-5602511f3ca8
+related:
+    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
+      type: derived
+status: experimental
+description: Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
+references:
+    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
+    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
+    - https://twitter.com/malwrhunterteam/status/1235135745611960321
+    - https://twitter.com/luc4m/status/1073181154126254080
+author: Nasreddine Bencherchali, frack113
+date: 2022/11/07
+tags:
+    - attack.defense_evasion
+    - attack.t1036.007
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '.lnk'
+        TargetFilename|contains:
+            - '.doc.'
+            - '.docx.'
+            - '.xls.'
+            - '.xlsx.'
+            - '.ppt.'
+            - '.pptx.'
+            - '.jpg.'
+            - '.pdf.'
+    filter:
+        TargetFilename|contains:
+            - '\AppData\Roaming\Microsoft\Office\Recent\'
+            - '\AppData\Roaming\Microsoft\Windows\Recent\'
+    condition: selection and not filter
+falsepositives:
+    - Users creating a shortcut on e.g. desktop
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
index 8f983590c..d0f1b7646 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml
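Review bot: The new rule documents neither why the two Recent folders are excluded nor how the stated false positive relates to the logic; a comment above `filter` such as `# Windows Explorer and Office record every opened document as <name>.<ext>.lnk in these folders` (to be confirmed on a host) would make the exclusion auditable. Note that the `falsepositives` entry is not reflected in the detection: a user-created shortcut is, as far as I know, named `<name>.<ext> - Shortcut.lnk`, which does not contain `.docx.`, so either that entry is overstated or the naming assumption should be written down; if shortcuts really do match, `level: medium` on a `contains` with no `Image` constraint is generous. The `related` entry here declares `derived` from b4926b47 while that rule now lists this one as `similar`; pick one relation type for the pair.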
@@ -7,7 +7,7 @@ references:
     - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth
 date: 2021/07/27
-modified: 2022/09/20
+modified: 2022/11/07
 tags:
     - attack.execution
     - attack.t1059
@@ -15,31 +15,31 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection_normal_1:
         CommandLine|contains: '\cmd.exe /C whoami'
         ParentImage|startswith: 'C:\Temp'
-    selection2:
+    selection_normal_2:
         CommandLine|contains:
             - 'cmd.exe /c echo'
             - '> \\\\.\\pipe'
             - '\whoami.exe'
         ParentImage|endswith: '\dllhost.exe'
-    selection3:
+    selection_normal_3:
         Image|endswith: '\cmd.exe'
         ParentImage|endswith: '\runonce.exe'
         ParentCommandLine|endswith: '\runonce.exe'
-    selection_special1:
+    selection_special_conhost:
         CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
         ParentCommandLine|contains:
             - '/C whoami'
             - 'cmd.exe /C echo'
             - ' > \\\\.\\pipe'
-    filter_special1:
-        # Internet Download Manager - Chrome Extension
+    filter_internet_download_manager:
+        # Internet Download Manager - Chrome Extension (Remove this filter if you don't use this extension)
         ParentCommandLine|contains:
             - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
             - 'chrome-extension://'
-    condition: 1 of selection* and (selection_special1 and not filter_special1)
+    condition: 1 of selection_normal_* or (selection_special_conhost and not filter_internet_download_manager)
 falsepositives:
     - Other programs that cause these patterns (please report)
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_calc.yml b/rules/windows/process_creation/proc_creation_win_susp_calc.yml
index 1d6c29b00..2666e7c5d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_calc.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_calc.yml
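Review bot: The rewritten `condition` turns the `and` between the three plain selections and the conhost pattern into an `or`, so `selection_normal_1`..`_3` now alert on their own where before they could only fire together with the conhost match; that is almost certainly the intended fix, but it makes three selections that effectively never alerted live at `level: high` with no note explaining the change. Add a comment above `condition` such as `# each selection_normal_* is a standalone indicator; only the conhost pattern needs the IDM exclusion` and re-validate `selection_normal_2`, whose `CommandLine|contains` list is OR'ed, so any dllhost.exe child whose command line merely contains `\whoami.exe` or `cmd.exe /c echo` matches. `ParentImage|startswith: 'C:\Temp'` in `selection_normal_1` is pre-existing but also matches `C:\Temporary...` and similar prefixes; `'C:\Temp\'` would be tighter.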
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth
 date: 2019/02/09
-modified: 2022/08/04
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -14,15 +14,16 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        - CommandLine|contains: '\calc.exe '
-        - Image|endswith: '\calc.exe'
-    filter:
+    selection_1:
+        CommandLine|contains: '\calc.exe '
+    selection_2:
+        Image|endswith: '\calc.exe'
+    filter_2:
         Image|startswith:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
             - 'C:\Windows\WinSxS\'
-    condition: selection and not filter
+    condition: selection_1 or ( selection_2 and not filter_2 )
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml
index 7e2192179..fae60156f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/mattifestation/status/1326228491302563846
 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
 date: 2019/02/22
-modified: 2021/12/01
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1140
@@ -22,7 +22,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image|endswith: '\mshta.exe'
         CommandLine|contains:
             - 'vbscript'
@@ -34,8 +34,8 @@ detection:
             - '.doc'
             - '.zip'
             - '.dll'
-            - '.exe'
-    condition: selection1
+            # - '.exe'
+    condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
index 38853b98f..e1b1d23e4 100644
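Review bot: Splitting `selection` changes behaviour, not only layout: `selection_1` (`CommandLine|contains: '\calc.exe '`) is no longer subject to the system-path exclusion, so a command line that merely mentions `\calc.exe ` from any image, including `C:\Windows\System32\calc.exe` launched with arguments, now alerts at `level: high`, whereas before both matches were gated by `filter`. If that widening is deliberate, say so on the selection, e.g. `# calc.exe takes no arguments, so any invocation with a trailing argument is suspicious regardless of path; only the bare image match is path-filtered` (the no-arguments premise is an assumption to confirm). Only `modified` was bumped; nothing in the hunk records that the rule got broader.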
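Review bot: Commenting out `- '.exe'` is the right call, but the reason should be written down or the line deleted, because someone will otherwise re-enable it: the command line of an mshta launch normally contains the image path ending in `mshta.exe`, so the `'.exe'` contains-term matched essentially every execution and made the rest of the list irrelevant. Replace the bare `# - '.exe'` with `# '.exe' removed: it matched the mshta.exe image path in the command line and fired on every launch`. The `CommandLine|contains` list continues above the hunk, so I cannot check whether any other term (anything matching `mshta` or a `\Windows\` path fragment) has the same self-matching problem.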
--- a/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
@@ -8,7 +8,7 @@ references:
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth
 date: 2021/07/17
-modified: 2022/07/14
+modified: 2022/11/07
 tags:
     - attack.execution
     - attack.t1106
@@ -33,7 +33,7 @@ detection:
             - 'C:\Users\Public'
             # Suspicious Execution Locations
     filter3:
-        Image|contains:
+        Image|startswith:
             - 'C:\Windows\System32'
             - 'C:\Windows\SysWOW64'
     # Suspicious extensions
@@ -44,7 +44,7 @@ detection:
         CommandLine|endswith:
             - 'mshta.exe'
             - 'mshta'
-    condition: selection_base and ( selection1 or selection2 ) or ( selection_base and not filter3 ) or ( selection_base and not filter4 )
+    condition: ( selection_base and ( selection1 or selection2 ) ) or ( selection_base and not 1 of filter* )
 falsepositives:
     - Unknown
 level: high
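Review bot: `Image|startswith` is tighter than `contains`, but the values carry no trailing backslash, so `'C:\Windows\System32'` also matches an image under `C:\Windows\System32Foo\` or any other directory that merely begins with that prefix; write them as `- 'C:\Windows\System32\'` and `- 'C:\Windows\SysWOW64\'`. If Windows installed on a drive other than `C:` matters in your fleet, `Image|contains: '\Windows\System32\'` (anchored by the leading backslash) would keep the filter working there too. A comment naming what the filter is, e.g. `# filter3: mshta binary in its legitimate system locations`, would help since the numeric names say nothing.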
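Review bot: `not 1 of filter*` means neither filter may match, so the second branch now requires mshta to run from outside the system folders and with arguments, whereas the old `( not filter3 ) or ( not filter4 )` fired when either held. A bare launch of an mshta copy from a user-writable path is therefore no longer caught by this branch unless `selection2`'s location strings happen to match the command line, so confirm the narrowing is intended (the old form fired on every mshta with arguments, which is likely why it was changed). Record the intent next to the condition, e.g. `# branch 2: non-system mshta binary invoked with arguments; suspicious paths/extensions are covered by selection1/selection2`, and consider naming the filters (`filter_system_path`, `filter_no_args`) so the condition reads without cross-referencing.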