Merge pull request #3535 from nasbench/nasbench-rule-devel

New rules + update
2022-09-29 11:01:29 +02:00
parent 5533d7367f 4a5dcf8586
commit a888ecb8b8
30 changed files with 312 additions and 19 deletions
@@ -0,0 +1,27 @@
+title: Bumblebee Remote Thread Creation
+id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
+status: experimental
+description: Detects remote thread injection events based on action seen used by bumblebee
+author: Nasreddine Bencherchali
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+date: 2022/09/27
+logsource:
+    product: windows
+    category: create_remote_thread
+detection:
+    selection:
+        SourceImage|endswith:
+            - '\wabmig.exe'
+            - '\wab.exe'
+            - '\ImagingDevices.exe'
+        TargetImage|endswith: '\rundll32.exe'
+    condition: selection
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218.011
+    - attack.t1059.001
+falsepositives:
+    - Unknown
+level: high
@@ -9,15 +9,17 @@ related:
      type: obsoletes
 status: experimental
 description: |
-  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
+    - https://redcanary.com/blog/misbehaving-rats/
 author: frack113
 date: 2022/07/11
+modified: 2022/09/19
 logsource:
    product: windows
    category: dns_query
@@ -27,9 +29,11 @@ detection:
            - '.getgo.com'
            - '.logmein.com'
            - '.ammyy.com'
+            - '.netsupportsoftware.com' # For NetSupport Manager RAT
+            - 'remoteutilities.com' # Usage of Remote Utilities RAT
    condition: selection
 falsepositives:
-    - Unknown
+    - FP may be caused in legitimate usage of the softwares mentioned above
 level: medium
 tags:
    - attack.command_and_control
@@ -0,0 +1,26 @@
+title: Suspicious Binary Writes Via AnyDesk
+id: 2d367498-5112-4ae5-a06a-96e7bc33a211
+status: experimental
+description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
+author: Nasreddine Bencherchali
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/28
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\anydesk.exe'
+        TargetFilename|endswith:
+            - '.dll'
+            - '.exe'
+    filter_dlls:
+        TargetFilename|endswith: '\gcapi.dll'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.command_and_control
+    - attack.t1219
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
 date: 2022/07/21
-modified: 2022/07/25
+modified: 2022/09/27
 tags:
    - attack.t1547
    - attack.persistence
@@ -8,7 +8,7 @@ references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
 date: 2022/08/14
-modified: 2022/09/27
+modified: 2022/09/28
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -423,7 +423,9 @@ detection:
    filter_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_dell:
-        Image: 'C:\Windows\System32\backgroundTaskHost.exe'
+        Image|startswith:
+            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    condition: selection and not 1 of filter_*
 falsepositives:
@@ -0,0 +1,26 @@
+title: AnyDesk Inline Piped Password
+id: b1377339-fda6-477a-b455-ac0923f9ec2c
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/09/28
+description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
+            - '/c'
+            - 'echo '
+            - ' --set-password'
+    condition: selection
+falsepositives:
+    - Legitimate piping of the password to anydesk
+    - Some FP could occure with similar tools that uses the same command line '--set-password'
+level: high
+tags:
+    - attack.command_and_control
+    - attack.t1219
@@ -8,13 +8,14 @@ references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
 tags:
+    - attack.command_and_control
    - attack.t1219
 logsource:
    category: process_creation
    product: windows
 detection:
    selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
@@ -0,0 +1,25 @@
+title: Copy DMP Files From Share
+id: 044ba588-dff4-4918-9808-3f95e8160606
+status: experimental
+description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            # Example: copy \\<host>\\<folder>\\lsass.dmp C:\Users\lsass.dmp
+            - ' /c '
+            - '.dmp'
+            - 'copy '
+            - ' \\\\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.credential_access
@@ -0,0 +1,29 @@
+title: ImagingDevices Unusual Parent Or Child Processes
+id: f11f2808-adb4-46c0-802a-8660db50fa99
+status: experimental
+description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith:
+            # Add more if known
+            - \WmiPrvSE.exe
+            - \svchost.exe
+            - \dllhost.exe
+        Image|endswith: '\ImagingDevices.exe'
+    selection_child:
+        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+        ParentImage|endswith: '\ImagingDevices.exe'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -29,5 +29,5 @@ detection:
        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
@@ -0,0 +1,25 @@
+title: Execution of Renamed NetSupport RAT
+id: 0afbd410-de03-4078-8491-f132303cb67d
+status: experimental
+description: Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings
+author: Nasreddine Bencherchali
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Product|contains: 'NetSupport Remote Control'
+        - OriginalFileName|contains: 'client32.exe'
+        - Imphash: a9d50692e95b79723f3e76fcf70d023e
+        - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
+    filter:
+        Image|endswith: '\client32.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
@@ -0,0 +1,28 @@
+title: Execution of Renamed Remote Utilities RAT (RURAT)
+id: 9ef27c24-4903-4192-881a-3adde7ff92a5
+status: experimental
+description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
+author: Nasreddine Bencherchali
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Product: 'Remote Utilities'
+    filter:
+        Image|endswith:
+            - '\rutserv.exe'
+            - '\rfusclient.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.collection
+    - attack.command_and_control
+    - attack.discovery
+    - attack.s0592
@@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E
 status: experimental
 references:
    - https://redcanary.com/blog/raspberry-robin/
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
 date: 2022/05/21
 logsource:
@@ -19,7 +19,7 @@ detection:
        - Company: 'ScreenConnect Software'
    condition: selection
 falsepositives:
-    - Legitimate use
+    - Legitimate usage of the tool
 level: medium
 tags:
    - attack.command_and_control
@@ -0,0 +1,30 @@
+title: 7Zip Compressing Dump Files
+id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
+related:
+    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
+      type: derived
+status: experimental
+description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith:
+            - '\7z.exe'
+            - '\7zr.exe'
+            - '\7za.exe'
+        - Description|contains: '7-Zip'
+    dumpfile:
+        CommandLine|contains: '.dmp'
+    condition: selection and dumpfile
+falsepositives:
+    - Legitimate use of 7-Zip with a command line in which .dmp appears accidentally
+level: high
+tags:
+    - attack.collection
+    - attack.t1560.001
@@ -0,0 +1,28 @@
+title: Execution of NetSupport RAT From Unusual Location
+id: 37e8d358-6408-4853-82f4-98333fca7014
+status: experimental
+description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files')
+author: Nasreddine Bencherchali
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\client32.exe'
+        - Product|contains: 'NetSupport Remote Control'
+        - OriginalFileName|contains: 'client32.exe'
+        - Imphash: a9d50692e95b79723f3e76fcf70d023e
+        - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
+    filter:
+        Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
@@ -0,0 +1,27 @@
+title: Execution of Remote Utilities RAT (RURAT) From Unusual Location
+id: e01fa958-6893-41d4-ae03-182477c5e77d
+status: experimental
+description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files')
+author: Nasreddine Bencherchali
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith:
+            - '\rutserv.exe'
+            - '\rfusclient.exe'
+        - Product: 'Remote Utilities'
+    filter:
+        Image|startswith:
+            - 'C:\Program Files\Remote Utilities'
+            - 'C:\Program Files (x86)\Remote Utilities'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
@@ -20,7 +20,7 @@ detection:
        CommandLine|contains: '.dmp'
    condition: selection and dumpfile
 falsepositives:
-    - Legitimate use of WinRAR with a command line in which .dmp appears incidentally
+    - Legitimate use of WinRAR with a command line in which .dmp appears accidentally
 level: high
 tags:
    - attack.collection
@@ -1,12 +1,14 @@
 title: Wab Execution From Non Default Location
 id: 395907ee-96e5-4666-af2e-2ca91688e151
 status: experimental
-description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
 references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
    - attack.defense_evasion
    - attack.execution
@@ -15,7 +17,9 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith: '\wab.exe'
+        Image|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\WinSxS\'
@@ -23,5 +27,5 @@ detection:
            - 'C:\Program Files (x86)\Windows Mail\'
    condition: selection and not filter
 falsepositives:
-    - Unlikely
+    - Unknown
 level: high
@@ -1,12 +1,14 @@
-title: Wab.Exe Unusual Parent Or Child Processes
+title: Wab/Wabmig Unusual Parent Or Child Processes
 id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
 status: experimental
-description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
 references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
    - attack.defense_evasion
    - attack.execution
@@ -20,10 +22,15 @@ detection:
            - \WmiPrvSE.exe
            - \svchost.exe
            - \dllhost.exe
-        Image|endswith: '\wab.exe'
+        Image|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
    selection_child:
-        ParentImage|endswith: '\wab.exe'
+        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+        ParentImage|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
    condition: 1 of selection_*
 falsepositives:
-    - Unlikely
+    - Unknown
 level: high
@@ -4,8 +4,10 @@ status: experimental
 description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
 references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/09/14
+modified: 2022/09/27
 tags:
    - attack.defense_evasion
    - attack.execution
@@ -19,6 +21,7 @@ detection:
            - 'Asd123.aaaa'
            - 'password123'
            - '123456789'
+            - 'P@ssw0rd!'
    condition: selection
 falsepositives:
    - Legitimate usage of the passwords by users via commandline (should be discouraged)