diff --git a/.github/ISSUE_TEMPLATE/false_positive_report.yml b/.github/ISSUE_TEMPLATE/false_positive_report.yml
index 9c79fde77..28baa4439 100644
--- a/.github/ISSUE_TEMPLATE/false_positive_report.yml
+++ b/.github/ISSUE_TEMPLATE/false_positive_report.yml
@@ -7,7 +7,7 @@ body:
 label: Rule UUID
 placeholder: "f3be1b1d-eb3c-4ab1-b5e5-81e330fa2cd0"
 description: |
- You can copy the rule id from the `uuid` field in the rule.
+ You can copy the rule id from the `id` field in the rule.
 validations:
 required: true
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
new file mode 100644
index 000000000..1440b16a8
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
@@ -0,0 +1,17 @@
+# MOVEit Transfer Critical Vulnerability (May 2023)
+
+## Summary
+
+Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.
+
+You can find more information on the threat in the following articles:
+
+- [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/)
+- [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
+- [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/)
+- [CRITICAL VULNERABILITY IN PROGRESS MOVEIT TRANSFER: TECHNICAL ANALYSIS AND RECOMMENDATIONS - TrustedSec](https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/)
+- [MOVEit Transfer Critical Vulnerability Rapid Response - Huntress](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)
+
+## Rules
+
+- [Potential MOVEit Transfer Exploitation](./file_event_win_exploit_other_moveit_transfer.yml)
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
new file mode 100644
index 000000000..bc3a079fe
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
@@ -0,0 +1,58 @@
+title: Potential MOVEit Transfer Exploitation
+id: c3b2a774-3152-4989-83c1-7afc48fd1599
+status: experimental
+description: |
+ Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service.
+ Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration.
+references:
+ - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
+ - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
+ - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
+ - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_generic:
+ TargetFilename|contains:
+ - '\MOVEit Transfer\wwwroot\'
+ - '\MOVEitTransfer\wwwroot\'
+ TargetFilename|endswith:
+ - '.7z'
+ - '.bat'
+ - '.dll'
+ - '.exe'
+ - '.ps1'
+ - '.rar'
+ - '.vbe'
+ - '.vbs'
+ - '.zip'
+ selection_known_ioc:
+ TargetFilename|endswith:
+ - '\MOVEit Transfer\wwwroot\human2.aspx'
+ - '\MOVEitTransfer\wwwroot\human2.aspx'
+ selection_compiled_asp:
+ CreationUtcTime|startswith:
+ - '2023-05-26 '
+ - '2023-05-27 '
+ - '2023-05-28 '
+ - '2023-05-29 '
+ - '2023-05-30 '
+ - '2023-05-31 '
+ - '2023-06-01 '
+ - '2023-06-02 '
+ - '2023-06-03 '
+ TargetFilename|contains|all:
+ - '\Windows\Microsoft.net\Framework64\v'
+ - '\Temporary ASP.NET Files\'
+ - 'App_Web_'
+ TargetFilename|endswith: '.dll'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
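Review bot: `selection_compiled_asp` is hard-bound to `CreationUtcTime` values between 2023-05-26 and 2023-06-03, so that branch of `condition: 1 of selection_*` silently stops firing after the window and nothing in the rule says why it exists. Compiled `App_Web_*.dll` files under `Temporary ASP.NET Files` are produced by any ASP.NET recompilation, which is presumably why the date bound is there; a comment should state that and the retirement plan, e.g. `# Note: Time-boxed to the initial exploitation wave; App_Web_*.dll compilation is normal on IIS hosts, so review or retire this selection once the window is stale`. Separately, `selection_generic` matches `.dll` anywhere under `wwwroot\`, which may include assemblies written by a vendor patch or hotfix install, so `falsepositives: Unlikely` looks optimistic and is worth qualifying in the same pass.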
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
new file mode 100644
index 000000000..d4b33ec77
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
@@ -0,0 +1,38 @@
+title: Potential Operation Triangulation C2 Beaconing Activity - DNS
+id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
+related:
+ - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
+ type: similar
+status: experimental
+description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
+references:
+ - https://securelist.com/operation-triangulation/109842/
+ - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.command_and_control
+logsource:
+ category: dns
+detection:
+ selection:
+ query:
+ - 'addatamarket.net'
+ - 'ans7tv.net'
+ - 'anstv.net'
+ - 'backuprabbit.com'
+ - 'businessvideonews.com'
+ - 'cloudsponcer.com'
+ - 'datamarketplace.net'
+ - 'growthtransport.com'
+ - 'mobilegamerstats.com'
+ - 'snoweeanalytics.com'
+ - 'tagclick-cdn.com'
+ - 'topographyupdates.com'
+ - 'unlimitedteacup.com'
+ - 'virtuallaughing.com'
+ - 'web-trackers.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
new file mode 100644
index 000000000..e5cb18a87
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
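Review bot: `query:` with no modifier is an exact match in Sigma, so a lookup for any subdomain of the listed C2 domains will not match this rule, while the proxy sibling it is `related` to (id aa03c712-…) uses `cs-host|contains` and would catch the same host; the two rules therefore do not have the aligned coverage the `type: similar` link implies. Add a second selection with `query|endswith` whose entries carry a leading dot (e.g. `- '.backuprabbit.com'`) and change the condition to `1 of selection_*`; keeping the existing exact-match list alongside avoids the `endswith`-only over-match on unrelated domains that merely share a suffix. A short comment above `query:` noting that it is an apex-only match would also help the next maintainer.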
@@ -0,0 +1,38 @@
+title: Potential Operation Triangulation C2 Beaconing Activity - Proxy
+id: aa03c712-75c6-438b-8d42-de88f2427e09
+related:
+ - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2
+ type: similar
+status: experimental
+description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
+references:
+ - https://securelist.com/operation-triangulation/109842/
+ - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.command_and_control
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-host|contains:
+ - 'addatamarket.net'
+ - 'ans7tv.net'
+ - 'anstv.net'
+ - 'backuprabbit.com'
+ - 'businessvideonews.com'
+ - 'cloudsponcer.com'
+ - 'datamarketplace.net'
+ - 'growthtransport.com'
+ - 'mobilegamerstats.com'
+ - 'snoweeanalytics.com'
+ - 'tagclick-cdn.com'
+ - 'topographyupdates.com'
+ - 'unlimitedteacup.com'
+ - 'virtuallaughing.com'
+ - 'web-trackers.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
new file mode 100644
index 000000000..533c0c4ed
--- /dev/null
+++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
@@ -0,0 +1,27 @@
+title: Potentially Suspicious Shell Script Creation in Profile Folder
+id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
+status: experimental
+description: Detects the creation of shell scripts under the "profile.d" path.
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.persistence
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '/etc/profile.d/'
+ TargetFilename|endswith:
+ - '.csh'
+ - '.sh'
+ condition: selection
+falsepositives:
+ - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+ - Regular file creation during system update or software installation by the package manager
+level: low # Can be increased to a higher level after some tuning
diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
new file mode 100644
index 000000000..facf55864
--- /dev/null
+++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
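Review bot: The first `falsepositives` bullet tells users to tune via `image`, but the rule carries no `Image` field and no `filter_main_*` selection, so the documented tuning has nowhere to land and every consumer has to restructure `condition: selection` themselves. The second bullet (package-manager writes) is the predictable noise source, so an initially narrow filter for the binaries that unpack vendor snippets into `/etc/profile.d/` would give that guidance a home. The image names below are a constructed starting point and depend on the distribution; they should be confirmed against local telemetry before the level is raised as the trailing comment anticipates.

```yaml
detection:
  # … unchanged: selection …
  # Package managers unpack vendor profile.d snippets directly; extend per distribution
  filter_main_pkg_mgr:
    Image|endswith:
      - '/dpkg'
      - '/rpm'
  condition: selection and not 1 of filter_main_*
```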
@@ -0,0 +1,27 @@
+title: Wget Creating Files in Tmp Directory
+id: 35a05c60-9012-49b6-a11f-6bab741c9f74
+status: experimental
+description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '/wget'
+ TargetFilename|startswith:
+ - '/tmp/'
+ - '/var/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate downloads of files in the tmp folder.
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
new file mode 100644
index 000000000..15f24392a
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
@@ -0,0 +1,25 @@
+title: Crontab Enumeration
+id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
+status: experimental
+description: Detects usage of crontab to list the tasks of the user
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1007
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/crontab'
+ CommandLine|contains: ' -l'
+ condition: selection
+falsepositives:
+ - Legitimate use of crontab
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
new file mode 100644
index 000000000..73eaf0076
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
@@ -0,0 +1,33 @@
+title: OS Architecture Discovery Via Grep
+id: d27ab432-2199-483f-a297-03633c05bae6
+status: experimental
+description: |
+ Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_process:
+ Image|endswith: '/grep'
+ selection_architecture:
+ CommandLine|endswith:
+ - 'aarch64'
+ - 'arm'
+ - 'i386'
+ - 'i686'
+ - 'mips'
+ - 'x86_64'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
new file mode 100644
index 000000000..5b618f296
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
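Review bot: `CommandLine|endswith: 'arm'` (and to a lesser degree `'mips'`) matches any grep whose last token merely ends in those letters, such as a command line ending in `alarm` or `farm`, which even at `level: low` will be noisy on Linux fleets. Anchoring the token with a leading space, `- ' arm'` and `- ' mips'`, keeps the `uname -m | grep arm` case the description is after while dropping those substring hits; the other entries (`aarch64`, `i386`, `i686`, `x86_64`) are distinctive enough to leave as they are. `falsepositives: Unknown` could also name build and packaging scripts that grep for architecture strings, since those are the expected benign source.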
@@ -0,0 +1,28 @@
+title: Potential GobRAT File Discovery Via Grep
+id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
+status: experimental
+description: Detects the use of grep to discover specific files created by the GobRAT malware
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/grep'
+ CommandLine|contains:
+ - 'apached'
+ - 'frpc'
+ - 'sshd.sh'
+ - 'zone.arm'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
new file mode 100644
index 000000000..5359bdca9
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
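Review bot: `falsepositives: - Unknown` undersells a known collision for a `level: high` rule: `frpc` is also the binary name of the widely used open-source fast reverse proxy client, so any `grep` mentioning it on hosts that run frp legitimately will fire, and `apached` is a plausible substring of unrelated service or log names. State this in `falsepositives`, e.g. `- Hosts running the open-source frp client (frpc) or services whose names contain the listed strings`, so analysts know what to expect before the level is relied on. If `frpc` is kept, a short comment beside it explaining that the GobRAT reports name that filename would document why the collision is accepted.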
@@ -0,0 +1,27 @@
+title: Suspicious Nohup Execution
+id: 457df417-8b9d-4912-85f3-9dbda39c3645
+related:
+ - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
+ type: derived
+status: experimental
+description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/nohup'
+ CommandLine|contains: '/tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
new file mode 100644
index 000000000..6e1f53c00
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -0,0 +1,21 @@
+title: Potentially Suspicious Execution From Tmp Folder
+id: 312b42b1-bded-4441-8b58-163a3af58775
+status: experimental
+description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|startswith: '/tmp/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
new file mode 100644
index 000000000..64236d73d
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
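Review bot: This rule has no `tags:` key, while every sibling process_creation rule in the commit tags at least `attack.execution`, so it drops out of technique-based navigation; add `tags:` with `- attack.execution` after the `date` line. The file_event rule added in the same commit (id 35a05c60-…) treats `/var/tmp/` as a temp directory as well, but here `Image|startswith: '/tmp/'` covers only `/tmp/`; if that narrowing is deliberate a comment should say so, otherwise `Image|startswith:` can take both `'/tmp/'` and `'/var/tmp/'` so the two rules agree on what "tmp" means.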
@@ -0,0 +1,31 @@
+title: Shell Execution Of Process Located In Tmp Directory
+id: 2fade0b6-7423-4835-9d4f-335b39b83867
+status: experimental
+description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ ParentImage|startswith: '/tmp/'
+ Image|endswith:
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/fish'
+ - '/ksh'
+ - '/sh'
+ - '/zsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
new file mode 100644
index 000000000..71eedc0df
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
@@ -0,0 +1,35 @@
+title: Execution Of Script Located In Potentially Suspicious Directory
+id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
+status: experimental
+description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_img:
+ Image|endswith:
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/fish'
+ - '/ksh'
+ - '/sh'
+ - '/zsh'
+ selection_flag:
+ CommandLine|contains: ' -c '
+ selection_paths:
+ # Note: Add more suspicious paths
+ CommandLine|contains: '/tmp/'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
new file mode 100644
index 000000000..87af0ce34
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
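Review bot: The description says the rule detects scripts located in `/tmp` being executed via a shell, but `selection_flag` requires ` -c ` in the command line and `condition: all of selection_*` makes it mandatory, so the plain form `sh /tmp/script.sh` never matches and only inline `sh -c '... /tmp/ ...'` invocations do. Either narrow the description to the `-c` form, or drop `selection_flag` so the rule becomes `selection_img` plus `selection_paths`; in the latter case the `# Note: Add more suspicious paths` comment should also say that `/tmp/` anywhere in the arguments matches, not only in the script path, since that widens the false-positive surface.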
@@ -0,0 +1,29 @@
+title: Download File To Potentially Suspicious Directory Via Wget
+id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
+status: experimental
+description: Detects the use of wget to download content to a suspicious directory
+references:
+ - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+ - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+ - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+ - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/wget'
+ selection_output:
+ - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
+ - CommandLine|contains: '--output-document'
+ selection_path:
+ CommandLine|contains: '/tmp/'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml
new file mode 100644
index 000000000..d135bed8a
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_smadhook.yml
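Review bot: `selection_output` only recognises `-O`/`--output-document`, but wget also writes into a chosen directory via `-P`/`--directory-prefix`, so a download into the directory the title names can complete without matching this rule. Add the two alternatives to the same OR list, `- CommandLine|re: '\s-P\s'` and `- CommandLine|contains: '--directory-prefix'`, keeping the case-sensitivity rationale of the existing inline comment. Note also that `\s-O\s` requires whitespace on both sides, so the space-less `-O/tmp/...` spelling is not covered; if that is acceptable it is worth a comment, otherwise `\s-O` without the trailing `\s` would close it.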
@@ -0,0 +1,35 @@
+title: Potential SmadHook.DLL Sideloading
+id: 24b6cf51-6122-469e-861a-22974e9c1e5b
+status: experimental
+description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
+references:
+ - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
+ - https://www.qurium.org/alerts/targeted-malware-against-crph/
+author: X__Junior (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ - '\SmadHook32c.dll'
+ - '\SmadHook64c.dll'
+ filter_main_legit_path:
+ Image:
+ - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
+ - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
+ - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
+ - 'C:\Program Files\SMADAV\SmadavProtect64.exe'
+ ImageLoaded|startswith:
+ - 'C:\Program Files (x86)\SMADAV\'
+ - 'C:\Program Files\SMADAV\'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unlikely
+level: high