From 2e438a5312fd0d636f3cad5e20151c46c967747b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:16:17 +0200
Subject: [PATCH 1/2] Add file_event_win_iphlpapi_dll_sideloading

---
 ...ile_event_win_iphlpapi_dll_sideloading.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml

diff --git a/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml
new file mode 100644
index 000000000..658c067f2
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml
@@ -0,0 +1,27 @@
+title: Malicious DLL File Dropped in the Teams or OneDrive Folder
+id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
+status: experimental
+description: |
+ Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
+ Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded
+references:
+ - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
+author: frack113
+date: 2022/08/12
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - 'iphlpapi.dll'
+ - '\AppData\Local\Microsoft'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.002

From dd4a32e50f2910a3dd98718d4d40b577d9f92f3a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:25:49 +0200
Subject: [PATCH 2/2] Add Ref

---
 rules/windows/file_rename/file_rename_win_ransomware.yml | 1 +
 1 file changed, 1 insertion(+)
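Review bot: The selection is broader than the title: `TargetFilename|contains|all` with `'\AppData\Local\Microsoft'` matches an `iphlpapi.dll` written anywhere under that directory, not only the Teams or OneDrive folders, and `contains` on `'iphlpapi.dll'` also matches longer names such as an `iphlpapi.dll.mui`. Pinning the file name with `endswith` and listing the two application folders the title names would make the rule match what it claims to detect (below); if the wider match is intentional, the title and description should say so instead. The first description line is also cut off — `Detects creation of a malicious DLL file in the location where the OneDrive or Team applications` has no verb — and should read something like `Detects creation of a malicious DLL file in the folder where the OneDrive or Teams application is installed`. The curly quotes around iphlpapi.dll in the second description line should be plain ASCII quotes to match the rest of the rule set.
```yaml
detection:
    selection:
        TargetFilename|endswith: '\iphlpapi.dll'
        TargetFilename|contains:
            - '\AppData\Local\Microsoft\Teams\'
            - '\AppData\Local\Microsoft\OneDrive\'
    condition: selection
# … unchanged: title, id, status, description, references, author, date, logsource, falsepositives, level, tags …
```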
diff --git a/rules/windows/file_rename/file_rename_win_ransomware.yml b/rules/windows/file_rename/file_rename_win_ransomware.yml
index 6a245c7f7..6af06ac6f 100644
--- a/rules/windows/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file_rename/file_rename_win_ransomware.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects possible ransomware adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky" etc.
 references:
 - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
+ - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
 date: 2022/07/16
 tags: