From a66ba61712588a1b4aa85ea9bb1e045984b75515 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 27 Sep 2022 10:27:21 +0200 Subject: [PATCH 01/12] Fix small typos --- rules/windows/file_event/file_event_win_ripzip_attack.yml | 4 ++-- .../proc_creation_win_process_dump_rundll32_comsvcs.yml | 4 ++-- .../process_creation/proc_creation_win_susp_sharpview.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml index 7f71a7886..a7b422a4c 100644 --- a/rules/windows/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 author: Greg (rule) date: 2022/07/21 -modified: 2022/07/25 +modified: 2022/09/27 tags: - attack.t1547 - attack.persistence @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk - TargetFileName|contains|all: + TargetFilename|contains|all: - '\Microsoft\Windows\Start Menu\Programs\Startup' - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}' Image|endswith: '\explorer.exe' diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml index 4143a47ad..eafc641e8 100644 --- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml 
@@ -14,7 +14,7 @@ references: - https://twitter.com/Wietze/status/1542107456507203586 author: Florian Roth, Modexp, Nasreddine Bencherchali (update) date: 2020/02/18 -modified: 2022/08/04 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.credential_access @@ -33,7 +33,7 @@ detection: CommandLine|contains|all: - 'comsvcs' - 'full' - Commandline|contains: + CommandLine|contains: - '24 ' - '#24' - '#+24' diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index daae592e1..87b842f9a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -8,7 +8,7 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview date: 2021/12/10 -modified: 2022/09/13 +modified: 2022/09/27 logsource: category: process_creation product: windows @@ -16,7 +16,7 @@ detection: selection: - OriginalFileName: SharpView.exe - Image|endswith: '\SharpView.exe' - - Commandline|contains: + - CommandLine|contains: - Get-DomainGPOUserLocalGroupMapping - Find-GPOLocation - Get-DomainGPOComputerLocalGroupMapping From 43d12249a0f034661e1c22a76c715ad40b85563d Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 27 Sep 2022 12:13:16 +0200 Subject: [PATCH 02/12] Renamed create remote thread rules --- ...n_cactustorch.yml => create_remote_thread_win_cactustorch.yml} | 0 ...> create_remote_thread_win_cobaltstrike_process_injection.yml} | 0 ...d_loadlibrary.yml => create_remote_thread_win_loadlibrary.yml} | 0 ...s.yml => create_remote_thread_win_password_dumper_keepass.yml} | 0 ...ass.yml => create_remote_thread_win_password_dumper_lsass.yml} | 0 ...yml => create_remote_thread_win_powershell_code_injection.yml} | 0 ....yml => create_remote_thread_win_susp_powershell_rundll32.yml} | 0 ...yml => create_remote_thread_win_susp_remote_thread_source.yml} | 0 ...yml => create_remote_thread_win_susp_remote_thread_target.yml} | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/create_remote_thread/{sysmon_cactustorch.yml => create_remote_thread_win_cactustorch.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_cobaltstrike_process_injection.yml => create_remote_thread_win_cobaltstrike_process_injection.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_createremotethread_loadlibrary.yml => create_remote_thread_win_loadlibrary.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_password_dumper_keepass.yml => create_remote_thread_win_password_dumper_keepass.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_password_dumper_lsass.yml => create_remote_thread_win_password_dumper_lsass.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_powershell_code_injection.yml => create_remote_thread_win_powershell_code_injection.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_susp_powershell_rundll32.yml => create_remote_thread_win_susp_powershell_rundll32.yml} (100%) rename rules/windows/create_remote_thread/{sysmon_susp_remote_thread_source.yml => create_remote_thread_win_susp_remote_thread_source.yml} 
(100%) rename rules/windows/create_remote_thread/{sysmon_susp_remote_thread_target.yml => create_remote_thread_win_susp_remote_thread_target.yml} (100%) diff --git a/rules/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_cactustorch.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml diff --git a/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml diff --git a/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml 
diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml similarity index 100% rename from rules/windows/create_remote_thread/sysmon_susp_remote_thread_target.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml From e987c669d012f3a6994ef7d2cec33cd30192a8bc Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 09:50:56 +0200 Subject: [PATCH 03/12] Updates --- ...win_lolbins_with_wmiprvse_parent_process.yml | 2 +- ...oc_creation_win_rundll32_parent_explorer.yml | 1 + .../proc_creation_win_susp_winrar_dmp.yml | 2 +- ..._wab_execution_from_non_default_location.yml | 10 +++++++--- .../proc_creation_win_wab_unusual_parents.yml | 17 ++++++++++++----- ...oc_creation_win_weak_or_abused_passwords.yml | 3 +++ 6 files changed, 25 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index 658c9c1ad..d7e302321 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml @@ -29,5 +29,5 @@ detection: ParentImage|endswith: '\wbem\WmiPrvSE.exe' condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 9d73005a8..86a5ee3f5 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E status: experimental references: - https://redcanary.com/blog/raspberry-robin/ + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ date: 2022/05/21 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml index 7fa86299a..dc6c839b6 100644 
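Review bot: The `modified` field of proc_creation_win_rundll32_parent_explorer.yml is not updated although its reference list changes — the visible header still carries only `date: 2022/05/21`, while the wab rules in the same commit get `modified: 2022/09/27`. Sigma consumers key on `modified` to pick up changed rules, so add `modified: 2022/09/28` directly after the `date:` line. The rule's detection block is outside the hunk.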
--- a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml @@ -20,7 +20,7 @@ detection: CommandLine|contains: '.dmp' condition: selection and dumpfile falsepositives: - - Legitimate use of WinRAR with a command line in which .dmp appears incidentally + - Legitimate use of WinRAR with a command line in which .dmp appears accidentally level: high tags: - attack.collection diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml index 601a65f63..1a188d5a9 100644 --- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml +++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml @@ -1,12 +1,14 @@ title: Wab Execution From Non Default Location id: 395907ee-96e5-4666-af2e-2ca91688e151 status: experimental -description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity +description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -15,7 +17,9 @@ logsource: product: windows detection: selection: - Image|endswith: '\wab.exe' + Image|endswith: + - '\wab.exe' + - '\wabmig.exe' filter: Image|startswith: - 'C:\Windows\WinSxS\' 
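Review bot: The title `Wab Execution From Non Default Location` is left unchanged while the selection now also matches `\wabmig.exe`; the sibling rule in this commit is retitled `Wab/Wabmig Unusual Parent Or Child Processes`, so for consistency use `title: Wab/Wabmig Execution From Non Default Location`. The new `'\wabmig.exe'` entry also lacks the `# (Microsoft Address Book Import Tool)` comment the sibling rule carries. The `filter` list continues past the end of this hunk.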
@@ -23,5 +27,5 @@ detection: - 'C:\Program Files (x86)\Windows Mail\' condition: selection and not filter falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml index ad84a9698..f5720ce04 100644 --- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml @@ -1,12 +1,14 @@ -title: Wab.Exe Unusual Parent Or Child Processes +title: Wab/Wabmig Unusual Parent Or Child Processes id: 63d1ccc0-2a43-4f4b-9289-361b308991ff status: experimental -description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity +description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -20,10 +22,15 @@ detection: - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe - Image|endswith: '\wab.exe' + Image|endswith: + - '\wab.exe' + - '\wabmig.exe' # (Microsoft Address Book Import Tool) selection_child: - ParentImage|endswith: '\wab.exe' + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy + ParentImage|endswith: + - '\wab.exe' + - '\wabmig.exe' # (Microsoft Address Book Import Tool) condition: 1 of selection_* falsepositives: - - Unlikely + - Unknown level: high 
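Review bot: `selection_child` fires on every child of wab.exe/wabmig.exe with no constraint on `Image`, so at `level: high` any legitimate child (if the Contacts/Address Book tools ever spawn helpers on their own — not confirmable from here) becomes a high-severity alert; the in-line comment already concedes this. Either add the follow-on processes actually reported for Bumblebee in the references as `Image|endswith:` under `selection_child`, or split that branch into its own rule at a lower level. The unquoted `\WmiPrvSE.exe`, `\svchost.exe`, `\dllhost.exe` scalars sit next to quoted ones; quoting them consistently avoids backslash surprises in other YAML tooling.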
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml index 0afe7b43e..0068a7f2c 100644 --- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml @@ -4,8 +4,10 @@ status: experimental description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali date: 2022/09/14 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.execution @@ -19,6 +21,7 @@ detection: - 'Asd123.aaaa' - 'password123' - '123456789' + - 'P@ssw0rd!' condition: selection falsepositives: - Legitimate usage of the passwords by users via commandline (should be discouraged) From d262ea2df8f44a5096ce614c7deb565d94d89cdd Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 09:51:13 +0200 Subject: [PATCH 04/12] New rules --- .../create_remote_thread_win_bumblebee.yml | 27 +++++++++++++++++ .../proc_creation_win_copy_dmp_from_share.yml | 25 ++++++++++++++++ ...on_win_imaging_devices_unusual_parents.yml | 29 ++++++++++++++++++ .../proc_creation_win_susp_7zip_dmp.yml | 30 +++++++++++++++++++ 4 files changed, 111 insertions(+) create mode 100644 rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml create mode 100644 rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml create mode 100644 rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml new file mode 100644 index 000000000..47999251e --- /dev/null +++ b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml @@ -0,0 +1,27 @@ +title: Bumblebee Remote Thread Creation +id: 994cac2b-92c2-44bf-8853-14f6ca39fbda +status: experimental +description: Detects remote thread injection events based on action seen used by bumblebee +author: Nasreddine Bencherchali +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +date: 2022/09/27 +logsource: + product: windows + category: create_remote_thread +detection: + selection: + SourceImage|endswith: + - '\wabmig.exe' + - '\wab.exe' + - '\ImagingDevices.exe' + TargetImage|endswith: '\rundll32.exe' + condition: selection +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.011 + - attack.t1059.001 +falsepositives: + - Unknown +level: high 
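Review bot: The `attack.t1059.001` (PowerShell) tag is not supported by the rule logic — the selection only pairs wab/wabmig/ImagingDevices as `SourceImage` with rundll32 as `TargetImage`, nothing PowerShell-related. Remote thread creation into another process is Process Injection, so replace it with `- attack.t1055` (plus `- attack.privilege_escalation` if you keep the tactic/technique pairing used elsewhere in the repo), keeping `attack.t1218.011` only if the rundll32 target is meant to be the point. The description ("based on action seen used by bumblebee") does not say why these three source images were chosen; one sentence naming them and the referenced case would help tuning.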
diff --git a/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml new file mode 100644 index 000000000..0277d4b14 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml @@ -0,0 +1,25 @@ +title: Copy DMP Files From Share +id: 044ba588-dff4-4918-9808-3f95e8160606 +status: experimental +description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Example: copy \\\\\\lsass.dmp C:\Users\lsass.dmp + - ' /c ' + - '.dmp' + - 'copy ' + - ' \\\\' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access diff --git a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml new file mode 100644 index 000000000..b2e89c510 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml 
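Review bot: The selection only matches a `cmd /c copy` form — `' /c '` and `'copy '` are both required — so `xcopy`, `robocopy`, PowerShell `Copy-Item`, or an interactive `copy` pulling a `.dmp` from a share is not covered; and since `contains|all` is order-independent, `' \\\\'` anywhere in the arguments also matches `copy C:\x.dmp \\server\share\` (the exfil direction), which is fine but should be stated in the description. The example comment `# Example: copy \\\\\\lsass.dmp C:\Users\lsass.dmp` is malformed; write it as a real UNC path, e.g. `# Example: cmd /c copy \\server\share\lsass.dmp C:\Users\lsass.dmp`. Given the referenced case is an LSASS dump, `attack.t1003.001` alongside `attack.credential_access` would make the technique explicit.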
@@ -0,0 +1,29 @@ +title: ImagingDevices Unusual Parent Or Child Processes +id: f11f2808-adb4-46c0-802a-8660db50fa99 +status: experimental +description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: + # Add more if known + - \WmiPrvSE.exe + - \svchost.exe + - \dllhost.exe + Image|endswith: '\ImagingDevices.exe' + selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy + ParentImage|endswith: '\ImagingDevices.exe' + condition: 1 of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml new file mode 100644 index 000000000..26285572d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml 
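Review bot: The description mislabels the binary and names a second one the rule does not match — it calls ImagingDevices.exe "(Windows Contacts)" and mentions Wabmig.exe, but the selection only covers `\ImagingDevices.exe` (Wabmig is handled by proc_creation_win_wab_unusual_parents.yml in this series). Suggested wording: `description: Detects unusual parent or children of the ImagingDevices.exe (Windows Imaging Devices) process as seen being used with bumblebee activity` — verify the product name before committing it. As in the wab rule, `selection_child` has no `Image` constraint, so every child of ImagingDevices.exe is a high-level hit; add the children reported in the reference if the high level is to hold. Only tactic tags are listed; add the technique the reference supports.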
@@ -0,0 +1,30 @@ +title: Winrar Compressing Dump Files +id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 +related: + - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc + type: derived +status: experimental +description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali +date: 2022/09/27 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' + - Description|contains: '7-Zip' + dumpfile: + CommandLine|contains: '.dmp' + condition: selection and dumpfile +falsepositives: + - Legitimate use of 7-Zip with a command line in which .dmp appears accidentally +level: high +tags: + - attack.collection + - attack.t1560.001 From e3b32652403ba4a4b412dfa1898835a28c4e2399 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 10:48:30 +0200 Subject: [PATCH 05/12] Update image_load_side_load_from_non_system_location.yml --- .../image_load_side_load_from_non_system_location.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 53f7ec255..1213ebb0b 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/27 +modified: 2022/09/28 tags: - attack.defense_evasion - attack.persistence 
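Review bot: The title is copy-pasted from the WinRAR rule — `title: Winrar Compressing Dump Files` — while the selection matches 7z.exe/7zr.exe/7za.exe and `Description|contains: '7-Zip'`; change it to `title: 7Zip Compressing Dump Files`. The GUI front-ends of the same product (`7zG.exe`, `7zFM.exe`, as I recall — verify against the distribution) are only caught through the `Description` branch, so listing them under `Image|endswith` keeps the rule working where PE metadata is not logged. The `related` entry presumably points at the WinRAR rule; a `# WinRAR variant` comment next to it saves the next maintainer a lookup.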
@@ -423,7 +423,9 @@ detection: filter_azure: ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' filter_dell: - Image: 'C:\Windows\System32\backgroundTaskHost.exe' + Image|startswith: + - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + - 'C:\Windows\System32\backgroundTaskHost.exe' ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' condition: selection and not 1 of filter_* falsepositives: From df6c167b177ec5326b7cc975e989a039f0807f07 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 10:48:51 +0200 Subject: [PATCH 06/12] New Rules --- ...s_query_remote_access_software_domains.yml | 12 +++++--- ...oc_creation_win_renamed_netsupport_rat.yml | 25 +++++++++++++++++ .../proc_creation_win_renamed_rurat.yml | 28 +++++++++++++++++++ .../proc_creation_win_screenconnect.yml | 2 +- ..._win_susp_netsupport_rat_exec_location.yml | 28 +++++++++++++++++++ ..._creation_win_susp_rurat_exec_location.yml | 27 ++++++++++++++++++ 6 files changed, 117 insertions(+), 5 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_rurat.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml index 742ec1d9a..3fb6d2b0c 100644 --- a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml +++ b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml 
@@ -9,15 +9,17 @@ related: type: obsoletes status: experimental description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution + - https://redcanary.com/blog/misbehaving-rats/ author: frack113 date: 2022/07/11 +modified: 2022/09/19 logsource: product: windows category: dns_query 
@@ -27,9 +29,11 @@ detection: - '.getgo.com' - '.logmein.com' - '.ammyy.com' + - '.netsupportsoftware.com' # For NetSupport Manager RAT + - 'remoteutilities.com' # Usage of Remote Utilities RAT condition: selection falsepositives: - - Unknown + - FP may be caused in legitimate usage of the softwares mentioned above level: medium tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml new file mode 100644 index 000000000..4ad3dd467 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -0,0 +1,25 @@ +title: Execution of Renamed NetSupport RAT +id: 0afbd410-de03-4078-8491-f132303cb67d +status: experimental +description: Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Product|contains: 'NetSupport Remote Control' + - OriginalFileName|contains: 'client32.exe' + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + filter: + Image|endswith: '\client32.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml new file mode 100644 index 000000000..0325c15f3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml 
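Review bot: `'remoteutilities.com'` is the only list entry without a leading dot, so unlike `.ammyy.com` or `.netsupportsoftware.com` it matches the apex domain and any domain ending in that string (a look-alike such as `myremoteutilities.com`), whereas the dotted entries conversely miss bare apex lookups. If the bare form is deliberate (the product contacting the apex host), say so in the comment; otherwise use `'.remoteutilities.com'` for consistency and decide once whether the whole list should cover apex queries. The new `falsepositives` text reads awkwardly; `- Legitimate usage of the remote access software listed above` is clearer.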
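Review bot: The `Product|contains: 'NetSupport Remote Control'` branch fires for any binary carrying that product string that is not named client32.exe — if NetSupport ships other executables with the same `Product` value (manager or installer components, which I cannot confirm from here), every legitimate launch of them becomes a hit; the two Imphash branches have the same exposure, since imphashes collide across binaries built from the same import set. Establish the rename explicitly, e.g. require `OriginalFileName|contains: 'client32.exe'` in combination with the metadata clauses rather than listing each as a stand-alone alternative, and keep the imphash as a separate lower-confidence selection. A short comment stating where `a9d50692e95b79723f3e76fcf70d023e` was taken from (the reference, presumably) would make it reviewable later.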
@@ -0,0 +1,28 @@ +title: Execution of Renamed Remote Utilities RAT (RURAT) +id: 9ef27c24-4903-4192-881a-3adde7ff92a5 +status: experimental +description: Detects execution of renamed Remote Utilities (RURAT) via Imphash, Product and OriginalFileName strings +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + Product: 'Remote Utilities' + filter: + Image|endswith: + - '\rutserv.exe' + - '\rfusclient.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.collection + - attack.command_and_control + - attack.discovery + - attack.s0592 diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_screenconnect.yml index 515f45653..f0d31afec 100644 --- a/rules/windows/process_creation/proc_creation_win_screenconnect.yml +++ b/rules/windows/process_creation/proc_creation_win_screenconnect.yml @@ -19,7 +19,7 @@ detection: - Company: 'ScreenConnect Software' condition: selection falsepositives: - - Legitimate use + - Legitimate usage of the tool level: medium tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml new file mode 100644 index 000000000..5ee17263d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml 
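Review bot: `Product: 'Remote Utilities'` is the only selection clause and the filter exempts just rutserv.exe and rfusclient.exe — if the vendor's viewer or installer binaries carry the same `Product` string (likely, but not confirmable from here), every legitimate run of them is reported as a "renamed" RAT. Either extend the filter with the other vendor executables after checking their version info, or add an `OriginalFileName` clause so the rule only fires when the original name is `rutserv.exe`/`rfusclient.exe` and the on-disk name differs, mirroring the NetSupport rule in this commit. An exact `Product:` match also misses any suffixed product name; `Product|startswith: 'Remote Utilities'` is safer if the vendor uses more than one string.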
@@ -0,0 +1,28 @@ +title: Execution of NetSupport RAT From Unusual Location +id: 37e8d358-6408-4853-82f4-98333fca7014 +status: experimental +description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files') +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\client32.exe' + - Product|contains: 'NetSupport Remote Control' + - OriginalFileName|contains: 'client32.exe' + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + filter: + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml new file mode 100644 index 000000000..464f1000f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml 
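Review bot: The filter exempts everything under `C:\Program Files\` and `C:\Program Files (x86)\`, so an intruder with admin rights who drops client32.exe into any folder there evades the rule; if NetSupport has a fixed default install path (e.g. `C:\Program Files (x86)\NetSupport\NetSupport Manager\` — verify), narrow the prefix to it, as the RURAT sibling rule in this commit does with `C:\Program Files\Remote Utilities`. The `Image|endswith: '\client32.exe'` branch also fires on any unrelated binary that happens to be named client32.exe outside Program Files, which is worth a line under `falsepositives`. The description has two typos: `unusual` and `outside`.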
@@ -0,0 +1,27 @@ +title: Execution of Remote Utilities RAT (RURAT) From Unusual Location +id: e01fa958-6893-41d4-ae03-182477c5e77d +status: experimental +description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files') +author: Nasreddine Bencherchali +references: + - https://redcanary.com/blog/misbehaving-rats/ +date: 2022/09/19 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\rutserv.exe' + - '\rfusclient.exe' + - Product: 'Remote Utilities' + filter: + Image|startswith: + - 'C:\Program Files\Remote Utilities' + - 'C:\Program Files (x86)\Remote Utilities' + condition: selection and not filter +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion From b71644d0c8a2af165be1b77390268de98a760a02 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 28 Sep 2022 11:52:07 +0200 Subject: [PATCH 07/12] New rules + small mitre update --- ...vent_win_anydesk_writing_susp_binaries.yml | 26 +++++++++++++++++++ ...ion_win_anydesk_piped_password_via_cli.yml | 26 +++++++++++++++++++ ...oc_creation_win_anydesk_silent_install.yml | 3 ++- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml create mode 100644 rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml diff --git a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml new file mode 100644 index 000000000..dd301c10d --- /dev/null +++ b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml 
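Review bot: Remote Utilities is, as far as I recall, also distributed as a portable "agent" build that runs from user directories without installation — if so, every legitimate use of it fires at medium level from a user-writable path, and `falsepositives: - Unknown` should record that case. The `C:\Program Files\Remote Utilities` prefix has no trailing backslash, which is fine if vendor folder names vary (`Remote Utilities - Host`, etc.), but a comment stating that intention prevents someone "fixing" it later. The `Product: 'Remote Utilities'` branch carries the same breadth concern as the renamed-RURAT rule: other vendor binaries with that product string running outside the install folder will match.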
@@ -0,0 +1,26 @@
+title: Suspicious Binary Writes Via AnyDesk
+id: 2d367498-5112-4ae5-a06a-96e7bc33a211
+status: experimental
+description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
+author: Nasreddine Bencherchali
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+date: 2022/09/28
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\anydesk.exe'
+        TargetFilename|endswith:
+            - '.dll'
+            - '.exe'
+    filter_dlls:
+        TargetFilename|endswith: '\gcapi.dll'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
new file mode 100644
index 000000000..0fcd497d4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
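Review bot: The `filter_dlls` exclusion matches `\gcapi.dll` under any directory, which is broader than the description's claim that only the legitimate Chrome-related DLL is expected; if the path AnyDesk normally writes it to is known, constraining `TargetFilename` to that location would keep the exclusion tight (I can't tell the expected path from the rule itself). The description should read `writing binary files` rather than `writing binaries files`, and `(See reference section for more details)` can simply be `(see the Red Canary reference)`. Since the selection already covers both `.dll` and `.exe`, a short comment above `filter_dlls` such as `# gcapi.dll is the one DLL AnyDesk legitimately drops` would explain the single exclusion to the next maintainer.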
@@ -0,0 +1,26 @@
+title: AnyDesk Inline Piped Password
+id: b1377339-fda6-477a-b455-ac0923f9ec2c
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/09/28
+description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
+            - '/c'
+            - 'echo '
+            - ' --set-password'
+    condition: selection
+falsepositives:
+    - Legitimate piping of the password to anydesk
+    - Some FP could occure with similar tools that uses the same command line '--set-password'
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
index 4cf3b46ed..56babca75 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml
@@ -8,13 +8,14 @@ references:
     - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
     - https://support.anydesk.com/Automatic_Deployment
 tags:
+    - attack.command_and_control
     - attack.t1219
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
         - '--install'
         - '--start-with-win'
         - '--silent'
From ea253821104dc79acb4494be12c47b9e0e625804 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 28 Sep 2022 13:26:23 +0200
Subject: [PATCH 08/12] increased level
---
 .../file_event/file_event_win_anydesk_writing_susp_binaries.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
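Review bot: The `CommandLine|contains|all` list carries no process or product anchor, so any command line containing `/c`, `echo ` and ` --set-password` fires regardless of which program is being configured, which the second `falsepositives` entry already concedes; with `level` raised to high by a later patch in this series, it is worth deciding explicitly whether to add `- 'anydesk'` to the list (narrower, but tied to the binary name) or to keep the generic form and document that trade-off in a comment. The `falsepositives` text has two grammar slips, `occure` → `occur` and `tools that uses` → `tools that use`. The example comment embeds a sample secret value; a neutral placeholder such as `echo <password> |` reads more clearly and avoids anyone mistaking it for a real credential.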
diff --git a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml
index dd301c10d..aaaac6289 100644
--- a/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml
+++ b/rules/windows/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -20,7 +20,7 @@ detection:
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
-level: medium
+level: high
 tags:
     - attack.command_and_control
     - attack.t1219
From 5ee44a69922ee3603b96d8c41802a5d702ff6181 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 28 Sep 2022 13:27:23 +0200
Subject: [PATCH 09/12] increased level
---
 .../proc_creation_win_anydesk_piped_password_via_cli.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
index 0fcd497d4..c27c46d22 100644
--- a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml
@@ -20,7 +20,7 @@ detection:
 falsepositives:
     - Legitimate piping of the password to anydesk
     - Some FP could occure with similar tools that uses the same command line '--set-password'
-level: medium
+level: high
 tags:
     - attack.command_and_control
     - attack.t1219
From 5391a5cab4a209312f44bda326a29988eb2ef0cd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 28 Sep 2022 13:28:53 +0200
Subject: [PATCH 10/12] changed casing, increased level
---
 .../proc_creation_win_renamed_netsupport_rat.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 4ad3dd467..e3bb4105a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -14,12 +14,12 @@ detection:
         - Product|contains: 'NetSupport Remote Control'
         - OriginalFileName|contains: 'client32.exe'
         - Imphash: a9d50692e95b79723f3e76fcf70d023e
-        - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
+        - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
     filter:
         Image|endswith: '\client32.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown
-level: medium
+level: high
 tags:
     - attack.defense_evasion
From 69b31b19b1bdf3b67b1a2a1c2647e609c752f258 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 28 Sep 2022 13:37:36 +0200
Subject: [PATCH 11/12] Update rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
Co-authored-by: Florian Roth
---
 .../process_creation/proc_creation_win_renamed_rurat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index 0325c15f3..67108fb20 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -1,7 +1,7 @@
 title: Execution of Renamed Remote Utilities RAT (RURAT)
 id: 9ef27c24-4903-4192-881a-3adde7ff92a5
 status: experimental
-description: Detects execution of renamed Remote Utilities (RURAT) via Imphash, Product and OriginalFileName strings
+description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
 author: Nasreddine Bencherchali
 references:
     - https://redcanary.com/blog/misbehaving-rats/
From 4a5dcf8586ddef9a9f60a2bddce59dbc322fc51d Mon Sep 17 00:00:00 2001
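Review bot: Uppercasing only the `Hashes|contains` value while the `Imphash:` entry two lines above keeps `a9d50692…` in lowercase leaves the same hash in two casings inside one rule; Sigma string matching is case-insensitive by default, so the change is cosmetic, and it should either be applied to both entries or explained with a comment such as `# Hashes form mirrors the IMPHASH= casing emitted by the log source` (I can't confirm the source's casing from the hunk). The NetSupport unusual-location rule added earlier in this series keeps the lowercase form for the identical value, so the two rules now disagree. The `selection` list this hunk edits starts above the hunk, so the other selectors are not visible here.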
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 28 Sep 2022 13:37:42 +0200
Subject: [PATCH 12/12] Update rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
Co-authored-by: Florian Roth
---
 .../process_creation/proc_creation_win_susp_7zip_dmp.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
index 26285572d..0079f9ca3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml
@@ -1,4 +1,4 @@
-title: Winrar Compressing Dump Files
+title: 7Zip Compressing Dump Files
 id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
 related:
     - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc