Merge pull request #872 from Neo23x0/rule-devel

Rule devel

rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml

@@ -0,0 +1,23 @@
+title: RedMimicry Winnti Playbook Dropped File
+id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+    - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains:
+            - gthread-3.6.dll
+            - sigcmm-2.4.dll
+            - \Windows\Temp\tmp.bat
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_redmimicry_winnti_proc.yml

@@ -0,0 +1,27 @@
+title: RedMimicry Winnti Playbook Execute
+id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+    - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1106
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|contains:
+            - rundll32.exe
+            - cmd.exe
+        CommandLine|contains:
+            - gthread-3.6.dll
+            - \Windows\Temp\tmp.bat
+            - sigcmm-2.4.dll
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_susp_explorer_break_proctree.yml

@@ -0,0 +1,23 @@
+title: Explorer Root Flag Process Tree Break
+id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
+description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
+status: experimental
+references:
+    - https://twitter.com/CyberRaiju/status/1273597319322058752
+    - https://twitter.com/bohops/status/1276357235954909188?s=12
+author: Florian Roth
+date: 2019/06/29
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all: 
+            - 'explorer.exe'
+            - ' /root,'
+    condition: selection
+falsepositives:
+    - Unknown how many legitimate software products use that method
+level: medium

rules/windows/process_creation/win_susp_rar_flags.yml

@@ -0,0 +1,24 @@
+title: Rar with Password or Compression Level 
+id: faa48cae-6b25-4f00-a094-08947fef582f
+status: experimental
+description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. 
+references:
+    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
+author: '@ROxPinTeddy'
+date: 2020/05/12
+tags:
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+       CommandLine|contains:
+               - ' -hp'
+               - ' -m'
+    condition: selection
+falsepositives:
+    - Legitimate use of Winrar command line version
+    - Other command line tools, that use these flags
+level: medium

rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml

@@ -0,0 +1,20 @@
+title: RedMimicry Winnti Playbook Registry Manipulation
+id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+    - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/registry_event/sysmon_susp_service_installed.yml

@@ -14,7 +14,6 @@ logsource:
     product: windows
 detection:
     selection_1:
-        
         TargetObject:
             - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
             - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'

rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml

@@ -14,7 +14,6 @@ logsource:
     definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
     selection_registry:
-        
         TargetObject: 
             - '*\Keyboard Layout\Preload\*'
             - '*\Keyboard Layout\Substitutes\*'

rules/windows/sysmon/sysmon_redmimicry_winnti_inject.yml

@@ -0,0 +1,22 @@
+title: RedMimicry Winnti Playbook Inject
+id: 51c1c141-efef-4686-88d6-50b8da6d5562
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+    - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 8
+        SourceImage|contains: rundll32.exe
+        TargetImage|contains: svchost.exe
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

tests/test_rules.py

@@ -106,6 +106,7 @@ class TestRules(unittest.TestCase):
              "t1102",
              "t1103",
              "t1105",
+             "t1106",
              "t1107",
              "t1110",
              "t1112",