From a2ca199e7d0e0063bccdbf5732b428aaf2bedb28 Mon Sep 17 00:00:00 2001
From: Trent Liffick
Date: Wed, 3 Jun 2020 17:38:03 -0400
Subject: [PATCH] added rules for Lazaurs and hhsgov

---
 .../win_apt_lazarus_session_highjack.yml | 27 +++++++++++++++++++
 .../process_creation/win_susp_findstr_lnk.yml | 27 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
 create mode 100644 rules/windows/process_creation/win_susp_findstr_lnk.yml

diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
new file mode 100644
index 000000000..a9fc5185d
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -0,0 +1,27 @@
+title: Lazarus Session Highjacker
+id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
+description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
+status: experimental
+references:
+    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+author: Trent Liffick (@tliffick)
+date: 2020/06/03
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\mstdc.exe'
+            - '*\gpvc.exe'
+    filter:
+        Image:
+            - 'C:\Windows\System32\\*'
+            - 'C:\Windows\SysWOW64\\*'
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml
new file mode 100644
index 000000000..07fb7d3bf
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml
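Review bot: The `filter` stanza that excludes `C:\Windows\System32\\*` and `C:\Windows\SysWOW64\\*` appears to weaken the rule rather than cut noise, because neither `mstdc.exe` nor `gpvc.exe` is, as far as I know, a binary Windows ships under those names (mstdc.exe reads as a look-alike of the legitimate mstsc.exe), so the only events it suppresses are a copy planted in a system directory by an actor who already has write access there. If a legitimate location for these names is known, state it in the `description` so the exclusion is reviewable; otherwise `condition: selection` with the filter removed is the stronger rule. The filter also hard-codes the `C:` drive letter, so on a host whose system drive differs the exclusion never applies, which is worth a one-line comment above `filter:` if it is intentional. The spelling `Highjacker` in the title (and `highjack` in the file name) is non-standard; `Hijacker` is the usual form.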
@@ -0,0 +1,27 @@
+title: Findstr Launching .lnk File
+id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
+description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
+status: experimental
+references:
+    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
+tags:
+    - attack.execution
+    - attack.t1202
+    - attack.1034
+author: Trent Liffick
+date: 2020/05/01
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\findstr.exe'
+        CommandLine: '*.lnk'
+    condition: selection
+fields:
+    - Image
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - unknown
+level: medium
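Review bot: The tag `attack.1034` in the `tags` list is malformed — technique tags in this rule set carry a `t` prefix, as `attack.t1202` two lines above does, so as written it will not resolve in tag validation or ATT&CK mapping; it should read `- attack.t1034` if Path Interception is the intended technique, or be dropped if it is not. The `CommandLine: '*.lnk'` selection matches only command lines that end in `.lnk`, so an invocation where the path is quoted or followed by further switches would presumably be missed; `CommandLine: '*.lnk*'` is the more robust match if the added noise is acceptable, and either way the chosen scope deserves a short comment. `author: Trent Liffick` also differs from `Trent Liffick (@tliffick)` in the sibling rule of this commit; one form should be used in both.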