diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml
new file mode 100644
index 000000000..47999251e
--- /dev/null
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml
@@ -0,0 +1,27 @@
+title: Bumblebee Remote Thread Creation
+id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
+status: experimental
+description: Detects remote thread injection events based on action seen used by bumblebee
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+date: 2022/09/27
+logsource:
+ product: windows
+ category: create_remote_thread
+detection:
+ selection:
+ SourceImage|endswith:
+ - '\wabmig.exe'
+ - '\wab.exe'
+ - '\ImagingDevices.exe'
+ TargetImage|endswith: '\rundll32.exe'
+ condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218.011
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_cactustorch.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml
diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml
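Review bot: The `attack.t1059.001` tag does not match what the rule detects: nothing in the selection involves PowerShell, it pairs a `SourceImage` of wabmig/wab/ImagingDevices with a `TargetImage` of rundll32.exe on a create_remote_thread event. Consider replacing it with `attack.t1055` (process injection), which is the technique a remote thread creation actually evidences, and keeping `attack.t1218.011` for the rundll32 target. The description is also vague about what "action" means; something like `description: Detects remote thread creation from wab.exe, wabmig.exe or ImagingDevices.exe into rundll32.exe, as seen in Bumblebee activity` tells the analyst what fired.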
diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml
diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml
diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml
diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml
similarity index 100%
rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml
diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
index 742ec1d9a..3fb6d2b0c 100644
--- a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
+++ b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
@@ -9,15 +9,17 @@ related:
 type: obsoletes
 status: experimental
 description: |
- An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
- These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
+ - https://redcanary.com/blog/misbehaving-rats/
 author: frack113
 date: 2022/07/11
+modified: 2022/09/19
 logsource:
 product: windows
 category: dns_query
@@ -27,9 +29,11 @@ detection:
 - '.getgo.com'
 - '.logmein.com'
 - '.ammyy.com'
+ - '.netsupportsoftware.com' # For NetSupport Manager RAT
+ - 'remoteutilities.com' # Usage of Remote Utilities RAT
 condition: selection
 falsepositives:
- - Unknown
+ - FP may be caused in legitimate usage of the softwares mentioned above
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml
new file mode 100644
index 000000000..aaaac6289
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -0,0 +1,26 @@
+title: Suspicious Binary Writes Via AnyDesk
+id: 2d367498-5112-4ae5-a06a-96e7bc33a211
+status: experimental
+description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
+author: Nasreddine Bencherchali
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/28
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\anydesk.exe'
+ TargetFilename|endswith:
+ - '.dll'
+ - '.exe'
+ filter_dlls:
+ TargetFilename|endswith: '\gcapi.dll'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml
index 78039d23b..a7b422a4c 100644
--- a/rules/windows/file_event/file_event_win_ripzip_attack.yml
+++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml
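Review bot: The new entry `'remoteutilities.com'` is the only domain in the list without a leading dot, while every neighbour (`'.getgo.com'`, `'.netsupportsoftware.com'`, …) is written as a suffix; the field and modifier this list belongs to sit above the hunk, so I cannot tell whether the bare form is deliberate. With an endswith-style match the dotless value also matches unrelated names such as `fooremoteutilities.com`, whereas with the dot the apex domain itself is missed, so either add the dot for consistency or leave a comment explaining why this entry differs. The false-positive text would read better as `- Legitimate usage of the remote access software listed above`.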
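Review bot: The description has a grammar slip, `writing binaries files` should be `writing binary files`, and it leaves out the rule's main blind spot: the selection keys on `Image|endswith: '\anydesk.exe'` alone, so a renamed AnyDesk binary (the scenario the renamed-RAT rules elsewhere in this commit address) is not covered. As far as I know the file_event log source does not expose PE header fields such as Product or OriginalFileName, so this cannot be tightened in the selection; it is worth stating in the description, e.g. appending `Note: the rule relies on the executable name, renamed AnyDesk binaries are not covered.`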
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
 date: 2022/07/21
-modified: 2022/07/25
+modified: 2022/09/27
 tags:
 - attack.t1547
 - attack.persistence
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 53f7ec255..1213ebb0b 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -8,7 +8,7 @@ references:
 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
 date: 2022/08/14
-modified: 2022/09/27
+modified: 2022/09/28
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -423,7 +423,9 @@ detection:
 filter_azure:
 ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
 filter_dell:
- Image: 'C:\Windows\System32\backgroundTaskHost.exe'
+ Image|startswith:
+ - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ - 'C:\Windows\System32\backgroundTaskHost.exe'
 ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
 condition: selection and not 1 of filter_*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
new file mode 100644
index 000000000..c27c46d22
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
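Review bot: The `filter_dell` change replaces the exact `Image:` match for backgroundTaskHost.exe with `Image|startswith`, which is looser than before: any image whose path merely begins with `C:\Windows\System32\backgroundTaskHost.exe` is now excluded from the side-loading detection, not only that file. Because the condition is already `selection and not 1 of filter_*`, the two cases can be kept as separate filters so the exact match survives; the enclosing detection block starts well above the hunk. Proposed split, with the rest of the detection unchanged:
```yaml
    filter_dell_bth:
        Image: 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_dell_app:
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    # … unchanged: condition: selection and not 1 of filter_* …
```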
@@ -0,0 +1,26 @@
+title: AnyDesk Inline Piped Password
+id: b1377339-fda6-477a-b455-ac0923f9ec2c
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/09/28
+description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
+ - '/c'
+ - 'echo '
+ - ' --set-password'
+ condition: selection
+falsepositives:
+ - Legitimate piping of the password to anydesk
+ - Some FP could occure with similar tools that uses the same command line '--set-password'
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
index 4cf3b46ed..56babca75 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
@@ -8,13 +8,14 @@ references:
 - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
 - https://support.anydesk.com/Automatic_Deployment
 tags:
+ - attack.command_and_control
 - attack.t1219
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '--install'
 - '--start-with-win'
 - '--silent'
diff --git a/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml
new file mode 100644
index 000000000..0277d4b14
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml
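Review bot: The `'/c'` value in `CommandLine|contains|all` is very loose, it matches any command line that contains those two characters (a `/config` switch, a URL path), so the "via CMD" part of the description is not actually enforced and the whole detection rests on `' --set-password'`. The sibling `proc_creation_win_copy_dmp_from_share.yml` in this commit uses `' /c '` with surrounding spaces; doing the same here, or adding `Image|endswith: '\cmd.exe'` to the selection, would make the rule match its description. Two typos in the second falsepositives entry: `occure` → `occur` and `that uses` → `that use`.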
@@ -0,0 +1,25 @@
+title: Copy DMP Files From Share
+id: 044ba588-dff4-4918-9808-3f95e8160606
+status: experimental
+description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share
+references:
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ # Example: copy \\\\\\lsass.dmp C:\Users\lsass.dmp
+ - ' /c '
+ - '.dmp'
+ - 'copy '
+ - ' \\\\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.credential_access
diff --git a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml
new file mode 100644
index 000000000..b2e89c510
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml
@@ -0,0 +1,29 @@
+title: ImagingDevices Unusual Parent Or Child Processes
+id: f11f2808-adb4-46c0-802a-8660db50fa99
+status: experimental
+description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+references:
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith:
+ # Add more if known
+ - \WmiPrvSE.exe
+ - \svchost.exe
+ - \dllhost.exe
+ Image|endswith: '\ImagingDevices.exe'
+ selection_child:
+ # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+ ParentImage|endswith: '\ImagingDevices.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
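Review bot: The example comment `# Example: copy \\\\\\lsass.dmp C:\Users\lsass.dmp` is hard to read: six backslashes do not correspond to a real UNC path and the host and share names are missing, so a constructed example with placeholders such as `# Example: copy \\<host>\<share>\lsass.dmp C:\Users\lsass.dmp` would serve maintainers better. A short comment on the `' \\\\'` value explaining that the doubled escaping is presumably meant to match a literal `\\` share prefix would also help, since that escaping is the easiest thing to break when the list is edited. The tags carry only the tactic; if LSASS dumps are the intended case, as the example suggests, `attack.t1003.001` is the matching technique tag.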
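Review bot: The description does not match the detection: it labels ImagingDevices.exe as "Windows Contacts" (that is wab.exe's label, apparently carried over from the wab rule) and says the rule covers Wabmig.exe, but both selections reference only `'\ImagingDevices.exe'`; Wabmig.exe is handled by `proc_creation_win_wab_unusual_parents.yml` in this same commit. Suggest `description: Detects unusual parent or child processes of ImagingDevices.exe as seen being used with bumblebee activity`. Since the structure mirrors the wab rule, a `related:` entry pointing at it (`- id: 63d1ccc0-2a43-4f4b-9289-361b308991ff` with `type: similar`) would make the pair discoverable.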
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
index 658c9c1ad..d7e302321 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
@@ -29,5 +29,5 @@ detection:
 ParentImage|endswith: '\wbem\WmiPrvSE.exe'
 condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
new file mode 100644
index 000000000..e3bb4105a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -0,0 +1,25 @@
+title: Execution of Renamed NetSupport RAT
+id: 0afbd410-de03-4078-8491-f132303cb67d
+status: experimental
+description: Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings
+author: Nasreddine Bencherchali
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Product|contains: 'NetSupport Remote Control'
+ - OriginalFileName|contains: 'client32.exe'
+ - Imphash: a9d50692e95b79723f3e76fcf70d023e
+ - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
+ filter:
+ Image|endswith: '\client32.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
new file mode 100644
index 000000000..67108fb20
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
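Review bot: This rule and `proc_creation_win_susp_netsupport_rat_exec_location.yml` (id `37e8d358-6408-4853-82f4-98333fca7014`, later in this commit) share the same Product/OriginalFileName/Imphash selection but are not cross-referenced; a `related:` block with `- id: 37e8d358-6408-4853-82f4-98333fca7014` and `type: similar` on each side would make the pair discoverable, and the same applies to the two RURAT rules (`9ef27c24-4903-4192-881a-3adde7ff92a5` and `e01fa958-6893-41d4-ae03-182477c5e77d`). Minor inconsistency: the `Hashes|contains: IMPHASH=…` value is upper-case here and lower-case in the exec-location rule; Sigma matching is case-insensitive so it is harmless, but one spelling is easier to grep for. The tags carry only `attack.defense_evasion`; the renaming the title describes maps to `attack.t1036` (masquerading).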
@@ -0,0 +1,28 @@
+title: Execution of Renamed Remote Utilities RAT (RURAT)
+id: 9ef27c24-4903-4192-881a-3adde7ff92a5
+status: experimental
+description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
+author: Nasreddine Bencherchali
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Product: 'Remote Utilities'
+ filter:
+ Image|endswith:
+ - '\rutserv.exe'
+ - '\rfusclient.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.collection
+ - attack.command_and_control
+ - attack.discovery
+ - attack.s0592
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 9d73005a8..86a5ee3f5 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E
 status: experimental
 references:
 - https://redcanary.com/blog/raspberry-robin/
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
 date: 2022/05/21
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_screenconnect.yml
index 515f45653..f0d31afec 100644
--- a/rules/windows/process_creation/proc_creation_win_screenconnect.yml
+++ b/rules/windows/process_creation/proc_creation_win_screenconnect.yml
@@ -19,7 +19,7 @@ detection:
 - Company: 'ScreenConnect Software'
 condition: selection
 falsepositives:
- - Legitimate use
+ - Legitimate usage of the tool
 level: medium
 tags:
 - attack.command_and_control
diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
new file mode 100644
index 000000000..0079f9ca3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
@@ -0,0 +1,30 @@
+title: 7Zip Compressing Dump Files
+id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
+related:
+ - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
+ type: derived
+status: experimental
+description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration
+references:
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith:
+ - '\7z.exe'
+ - '\7zr.exe'
+ - '\7za.exe'
+ - Description|contains: '7-Zip'
+ dumpfile:
+ CommandLine|contains: '.dmp'
+ condition: selection and dumpfile
+falsepositives:
+ - Legitimate use of 7-Zip with a command line in which .dmp appears accidentally
+level: high
+tags:
+ - attack.collection
+ - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml
new file mode 100644
index 000000000..5ee17263d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml
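Review bot: The `Image|endswith` list covers 7z.exe, 7zr.exe and 7za.exe but not the GUI front-end 7zG.exe, so a dump file compressed through the graphical program is caught only by the `Description|contains: '7-Zip'` alternative, which depends on the log source populating PE description fields. Adding `- '\7zG.exe'` to the list removes that dependency. The `related` entry declares the rule as derived from `1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc`, presumably the WinRAR dump rule touched later in this commit; a short comment naming it next to the id would save the reader a lookup.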
@@ -0,0 +1,28 @@
+title: Execution of NetSupport RAT From Unusual Location
+id: 37e8d358-6408-4853-82f4-98333fca7014
+status: experimental
+description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files')
+author: Nasreddine Bencherchali
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\client32.exe'
+ - Product|contains: 'NetSupport Remote Control'
+ - OriginalFileName|contains: 'client32.exe'
+ - Imphash: a9d50692e95b79723f3e76fcf70d023e
+ - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
+ filter:
+ Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml
new file mode 100644
index 000000000..464f1000f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml
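Review bot: The first selection alternative `- Image|endswith: '\client32.exe'` fires for any process named client32.exe outside Program Files regardless of PE metadata, so the rule is broader than its title suggests; the description should say that any client32.exe is in scope, not only NetSupport's. The filter also whitelists the whole of `C:\Program Files\` and `C:\Program Files (x86)\`, whereas the RURAT counterpart `proc_creation_win_susp_rurat_exec_location.yml` narrows its exclusion to the vendor directory, which is the stronger pattern if NetSupport's default install path is known. Two typos in the description, `unsual` → `unusual` and `outisde` → `outside`, are repeated in the RURAT rule's description.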
@@ -0,0 +1,27 @@
+title: Execution of Remote Utilities RAT (RURAT) From Unusual Location
+id: e01fa958-6893-41d4-ae03-182477c5e77d
+status: experimental
+description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files')
+author: Nasreddine Bencherchali
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/19
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith:
+ - '\rutserv.exe'
+ - '\rfusclient.exe'
+ - Product: 'Remote Utilities'
+ filter:
+ Image|startswith:
+ - 'C:\Program Files\Remote Utilities'
+ - 'C:\Program Files (x86)\Remote Utilities'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
index 7fa86299a..dc6c839b6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
@@ -20,7 +20,7 @@ detection:
 CommandLine|contains: '.dmp'
 condition: selection and dumpfile
 falsepositives:
- - Legitimate use of WinRAR with a command line in which .dmp appears incidentally
+ - Legitimate use of WinRAR with a command line in which .dmp appears accidentally
 level: high
 tags:
 - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
index 601a65f63..1a188d5a9 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -1,12 +1,14 @@
 title: Wab Execution From Non Default Location
 id: 395907ee-96e5-4666-af2e-2ca91688e151
 status: experimental
-description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
 references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -15,7 +17,9 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: '\wab.exe'
+ Image|endswith:
+ - '\wab.exe'
+ - '\wabmig.exe'
 filter:
 Image|startswith:
 - 'C:\Windows\WinSxS\'
@@ -23,5 +27,5 @@ detection:
 - 'C:\Program Files (x86)\Windows Mail\'
 condition: selection and not filter
 falsepositives:
- - Unlikely
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
index ad84a9698..f5720ce04 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
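Review bot: The selection now includes `'\wabmig.exe'`, but the `filter` list it is paired with was written for wab.exe and is only partly visible across the second and third hunks (`C:\Windows\WinSxS\`, `C:\Program Files (x86)\Windows Mail\`); if wabmig.exe is installed under a prefix not in that list, every legitimate execution of it becomes a high-level hit. Please confirm wabmig.exe's default location against the filter and record the check in a comment, e.g. `# wabmig.exe ships alongside wab.exe, so the same location filter applies` if that turns out to be the case.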
@@ -1,12 +1,14 @@
-title: Wab.Exe Unusual Parent Or Child Processes
+title: Wab/Wabmig Unusual Parent Or Child Processes
 id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
 status: experimental
-description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
 references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -20,10 +22,15 @@ detection:
 - \WmiPrvSE.exe
 - \svchost.exe
 - \dllhost.exe
- Image|endswith: '\wab.exe'
+ Image|endswith:
+ - '\wab.exe'
+ - '\wabmig.exe' # (Microsoft Address Book Import Tool)
 selection_child:
- ParentImage|endswith: '\wab.exe'
+ # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+ ParentImage|endswith:
+ - '\wab.exe'
+ - '\wabmig.exe' # (Microsoft Address Book Import Tool)
 condition: 1 of selection_*
 falsepositives:
- - Unlikely
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
index 0afe7b43e..0068a7f2c 100644
--- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
@@ -4,8 +4,10 @@ status: experimental
 description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/09/14
+modified: 2022/09/27
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -19,6 +21,7 @@ detection:
 - 'Asd123.aaaa'
 - 'password123'
 - '123456789'
+ - 'P@ssw0rd!'
 condition: selection
 falsepositives:
 - Legitimate usage of the passwords by users via commandline (should be discouraged)