diff --git a/rules/apt/apt_empiremonkey.yml b/rules/apt/apt_empiremonkey.yml
new file mode 100644
index 000000000..b4e15d072
--- /dev/null
+++ b/rules/apt/apt_empiremonkey.yml
@@ -0,0 +1,32 @@
+---
+action: global
+title: Empire Monkey
+description: Detects EmpireMonkey APT reported Activity
+references:
+    - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
+tags:
+    - attack.t1086
+    - attack.execution
+date: 2019/04/02
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Very Unlikely
+level: critical
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cutil:
+        CommandLine:
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Image:
+            - '*\cutil.exe'
+    selection_regsvr32:
+        CommandLine:
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Description:
+            - Microsoft(C) Registerserver
+
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
new file mode 100644
index 000000000..1e4ddc89d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
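Review bot: The `attack.t1086` tag does not match what the rule detects: T1086 is PowerShell, while both selections key on regsvr32 loading scrobj.dll via `/i:%APPDATA%\logs.txt` (the Squiblydoo pattern), which the ATT&CK matrix of this date tracked as T1117 (Regsvr32) under execution and defense evasion, so I would replace the tag with `- attack.t1117` and add `- attack.defense_evasion`. The `Description` value in `selection_regsvr32` should be checked against a real Sysmon event before this ships at `level: critical` — regsvr32.exe normally reports its FileDescription as `Microsoft(C) Register Server` (with a space), and a mismatch would silently disable the only selection that catches a renamed regsvr32 other than cutil.exe. Because that selection depends on the Sysmon-only `Description` field, a one-line note in the rule body such as `# Description field is only populated by Sysmon process creation events` would save the next maintainer a trip to the event schema. The rule also lacks the `status:` field that the two sibling rules in this commit carry.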
@@ -0,0 +1,55 @@
+title: Squirrel Lolbin
+status: experimental
+description: Detects Possible Squirrel Packages Manager as Lolbin
+references:
+    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+tags:
+    - attack.execution
+author: Karneades / Markus Neis
+falsepositives:
+    - 1Clipboard
+    - Beaker Browser
+    - Caret
+    - Collectie
+    - Discord
+    - Figma
+    - Flow
+    - Ghost
+    - GitHub Desktop
+    - GitKraken
+    - Hyper
+    - Insomnia
+    - JIBO
+    - Kap
+    - Kitematic
+    - Now Desktop
+    - Postman
+    - PostmanCanary
+    - Rambox
+    - Simplenote
+    - Skype
+    - Slack
+    - SourceTree
+    - Stride
+    - Svgsus
+    - WebTorrent
+    - WhatsApp
+    - WordPress.com
+    - atom
+    - gitkraken
+    - slack
+    - teams
+level: high
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
+        CommandLine:
+            - '*--processStart*.exe*'
+            - '*–createShortcut*.exe*'
+    condition: selection
+
+
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
new file mode 100644
index 000000000..b233686c5
--- /dev/null
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
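Review bot: The second `CommandLine` pattern, `'*–createShortcut*.exe*'`, contains an en dash (U+2013) instead of two ASCII hyphens, so it will never match the real Squirrel `--createShortcut` switch; it should read `- '*--createShortcut*.exe*'`. The comment on the `Image` line describes a folder-name/binary-name consistency check, but nothing under `detection` implements it — the rule fires on every `*\update.exe` launched with `--processStart`, which is exactly what the 32 listed false positives do legitimately, so `level: high` with no filter will be noisy; either lower the level or add a filter for the known benign install paths. The regex quoted in that comment, `(?P[^\\]*)`, also looks truncated (the named-group name is missing, presumably lost in rendering) and should be re-checked against the linked regex101 example before anyone copies it. Minor: the false-positive list has case-variant duplicates (`GitKraken`/`gitkraken`, `Slack`/`slack`) and the rule has no `date:` field, unlike its siblings in this commit.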
@@ -0,0 +1,29 @@
+title: WMI Spawning Windows PowerShell
+status: experimental
+description: Detects WMI spawning PowerShell
+references:
+    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
+author: Markus Neis / @Karneades
+date: 2019/04/03
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1064
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage:
+            - '*\wmiprvse.exe'
+        Image:
+            - '*\powershell.exe'
+    filter:
+        CommandLine:
+            - '*&*'
+    condition: selection and not filter
+falsepositives:
+    - AppvClient
+    - CCM
+level: high
\ No newline at end of file
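Review bot: The `filter` suppresses any PowerShell command line containing `&`, which is attacker-controlled input: a payload written as `powershell -c "IEX(...)" & exit`, or any use of the `&` call operator, bypasses the rule entirely, so the exclusion should be narrowed to the specific benign invocations it was written for. The `falsepositives` entries name AppvClient and CCM, but the hunk does not show which command lines those produce; a wildcard on their observed script path (or a `ParentCommandLine` match) would keep the suppression without a one-character escape hatch, and the motivation for `'*&*'` deserves a comment either way. The `attack.t1064` tag is Scripting, whereas WMI-initiated execution was tracked as T1047 (Windows Management Instrumentation) at this date, so `- attack.t1047` is the more accurate tag. Only `powershell.exe` is matched; `pwsh.exe` can equally be spawned from wmiprvse.exe and could be added as a second `Image` value.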