From 344eb713c5a8e5defc98ee9010cdbc25872adb52 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 21 May 2020 09:39:57 +0200
Subject: [PATCH 1/2] rule: Greenbug campaign

---
 .../win_apt_greenbug_may20.yml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 rules/windows/process_creation/win_apt_greenbug_may20.yml

diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
new file mode 100644
index 000000000..bf327a181
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -0,0 +1,46 @@
+title: Greenbug Campaign Indicators
+id: 3711eee4-a808-4849-8a14-faf733da3612
+status: experimental
+description: Detects tools and process executions as observed in a Greenbug campaign in May 2020
+references:
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
+author: Florian Roth
+date: 2020/05/20
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains|all:
+            - 'bitsadmin /transfer'
+            - 'CSIDL_APPDATA'
+    selection2:
+        CommandLine|contains|all:
+            - 'PowerShell.exe'
+            - '-ExecutionPolicy Bypass'
+            - 'CSIDL_SYSTEM_DRIVE'
+    selection3:
+        CommandLine|contains:
+            - '\msf.ps1'
+            - '8989 -e cmd.exe'
+            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
+            - '-nop -w hidden -c $k=new-object'
+            - '[Net.CredentialCache]::DefaultCredentials;IEX '
+            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
+            - '-noninteractive -executionpolicy bypass whoami'
+            - '-noninteractive -executionpolicy bypass netstat -a'
+            - 'L3NlcnZlc' # base64 encoded '/server='
+    selection4:
+        Image|endswith:
+            - '\adobe\Adobe.exe'
+            - '\oracle\local.exe'
+            - '\revshell.exe'
+            - 'infopagesbackup\ncat.exe'
+            - 'CSIDL_SYSTEM\cmd.exe'
+            - '\programdata\oracle\java.exe'
+            - 'CSIDL_COMMON_APPDATA\comms\comms.exe'
+            - '\Programdata\VMware\Vmware.exe'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

From 9a3b6c1c7712279691e0c177a7d8e282fca8847b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 21 May 2020 09:44:11 +0200
Subject: [PATCH 2/2] docs: added MITRE ATT&CK group tag

---
 rules/windows/process_creation/win_apt_greenbug_may20.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index bf327a181..765f79a4b 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
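Review bot: selection1, selection2 and two entries of selection4 match the literal tokens `CSIDL_APPDATA`, `CSIDL_SYSTEM_DRIVE`, `CSIDL_SYSTEM\cmd.exe` and `CSIDL_COMMON_APPDATA\comms\comms.exe`, which are the placeholder names the referenced Symantec write-up uses for standard Windows folders; process-creation telemetry carries expanded paths, so as written those selections can never fire. Resolve them to fragments that actually occur in CommandLine/Image, e.g. `- '\AppData\Roaming\'` in place of `'CSIDL_APPDATA'` and `- '\ProgramData\comms\comms.exe'` in place of the comms entry. Drop `'CSIDL_SYSTEM\cmd.exe'` rather than translating it, since its expansion is the system cmd.exe and under `condition: 1 of them` at `level: critical` it would alert on every cmd.exe launch; `'CSIDL_SYSTEM_DRIVE'` likewise needs the concrete path from the report or selection2 should be removed, because `PowerShell.exe` plus `-ExecutionPolicy Bypass` alone is far too generic for a critical alert. A smaller point on selection3: `'L3NlcnZlc'` is the base64 of `/server=` only when the string starts at a 3-byte boundary; the other two alignments (`9zZXJ2ZXI9`, `vc2VydmVyP`) are not matched, so either add them as entries or extend the comment to say the match is alignment-dependent.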
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -6,6 +6,8 @@ references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
 author: Florian Roth
 date: 2020/05/20
+tags:
+    - attack.g0049
 logsource:
     category: process_creation
     product: windows
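Review bot: Only the group id `attack.g0049` is tagged, so the rule cannot be indexed by technique or tactic even though its selections visibly cover BITS transfers (`bitsadmin /transfer`) and PowerShell launched with `-ExecutionPolicy Bypass`. Adding `    - attack.t1197` and `    - attack.t1059.001` beneath the group tag, together with the tactic tags the repository pairs them with (`attack.defense_evasion`, `attack.execution`), would make the rule consistent with the other ATT&CK-tagged rules and let coverage tooling pick it up.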