Merge PR #4406 from @nasbench - Multiple Updates & Additions

new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process new: CVE-2023-40477 Potential Exploitation - .REV File Creation new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI new: LOL-Binary Copied From System Directory new: LSASS Dump Keyword In CommandLine new: Old TLS1.0/TLS1.1 Protocol Version Enabled new: Potentially Suspicious Child Process Of WinRAR.EXE new: VMMap Signed Dbghelp.DLL Potential Sideloading update: 7Zip Compressing Dump Files - Reduce level update: LOLBIN Execution From Abnormal Drive update: LSASS Memory Dump File Creation - Deprecated update: Potential Browser Data Stealing - Increase coverage with more browsers update: Potentially Suspicious Compression Tool Parameters update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations update: Suspicious Child Process Of Manage Engine ServiceDesk update: Suspicious Copy From or To System Directory - Add new folder "WinSxS" update: VMMap Unsigned Dbghelp.DLL Potential Sideloading update: Winrar Execution in Non-Standard Folder update: Wscript Execution from Non C Drive - Deprecated --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-07 11:42:15 +02:00
parent ffcb5855f5
commit bdffe3a7fe
37 changed files with 598 additions and 160 deletions
@@ -1,12 +1,12 @@
 title: LSASS Memory Dump File Creation
 id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
-status: test
+status: deprecated
 description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
 references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/22
-modified: 2022/10/09
+modified: 2023/08/29
 tags:
    - attack.credential_access
    - attack.t1003.001
@@ -1,12 +1,13 @@
 title: Wscript Execution from Non C Drive
 id: 5b80cf53-3a46-4adc-960b-05ec19348d74
-status: experimental
+status: deprecated
 description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.
 references:
    - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt
    - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/
 author: Aaron Herman
 date: 2022/10/01
+modified: 2023/08/29
 tags:
    - attack.execution
    - attack.t1059
@@ -0,0 +1,28 @@
+title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
+id: e4556676-fc5c-4e95-8c39-5ef27791541f
+related:
+    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+      type: similar
+status: experimental
+description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
+references:
+    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/30
+tags:
+    - attack.execution
+    - cve.2023.38331
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\WinRAR.exe'
+        TargetFilename|contains: '\AppData\Local\Temp\Rar$'
+        TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,42 @@
+title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
+id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+related:
+    - id: e4556676-fc5c-4e95-8c39-5ef27791541f
+      type: similar
+status: experimental
+description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+references:
+    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
+date: 2023/08/30
+tags:
+    - detection.emerging_threats
+    - attack.execution
+    - attack.t1203
+    - cve.2023.38331
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\WinRAR.exe'
+    selection_folder:
+        CommandLine|contains: '\AppData\Local\Temp\Rar$'
+    selection_double_ext:
+        CommandLine|re: '\.[a-zA-Z0-9]{1,4} \.'
+    selection_binaries:
+        # Note: add additional binaries that the attacker might use
+        - Image|endswith:
+            - '\cmd.exe'
+            - '\wscript.exe'
+        - OriginalFileName:
+            - 'Cmd.Exe'
+            - 'cscript.exe'
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+            - 'wscript.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,27 @@
+title: CVE-2023-40477 Potential Exploitation - .REV File Creation
+id: c3bd6c55-d495-4c34-918e-e03e8828c074
+status: experimental
+description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
+references:
+    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
+    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
+    - https://www.rarlab.com/vuln_rev3_names.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.execution
+    - cve.2023.40477
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\explorer.exe' # When extracted via context menu
+            - '\WinRAR.exe'
+        TargetFilename|endswith: '.rev'
+    condition: selection
+falsepositives:
+    - Legitimate extraction of multipart or recovery volumes ZIP files
+level: low
@@ -0,0 +1,34 @@
+title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
+id: e5a29b54-6fe7-4258-8a23-82960e31231a
+status: experimental
+description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
+references:
+    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
+    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
+    - https://www.rarlab.com/vuln_rev3_names.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.execution
+    - cve.2023.40477
+    - detection.emerging_threats
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Provider_Name: 'Application Error'
+        EventID: 1000
+        AppName: 'WinRAR.exe'
+    filter_main_fixed_version:
+        # TODO: fix this when the "lt" modifier is implemented for software versions
+        AppVersion|startswith:
+            - '6.23.'
+            - '6.24.'
+            - '6.25.'
+            - '6.26.'
+            - '7.'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate crash for reasons other than exploitation of the vulnerability
+level: medium
@@ -0,0 +1,26 @@
+title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
+id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
+status: experimental
+description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
+references:
+    - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
+    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.defense_evasion
+    - attack.t1218.011
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|endswith:
+            - '\1.dll, DllRegisterServer' # In case of full path exec
+            - ' 1.dll, DllRegisterServer' # In case of direct exec
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -1,12 +1,12 @@
-title: Suspicious Compression Tool Parameters
+title: Potentially Suspicious Compression Tool Parameters
 id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
 status: test
-description: Detects suspicious command line arguments of common data compression tools
+description: Detects potentially suspicious command line arguments of common data compression tools
 references:
    - https://twitter.com/SBousseaden/status/1184067445612535811
 author: Florian Roth (Nextron Systems), Samir Bousseaden
 date: 2019/10/15
-modified: 2021/11/27
+modified: 2023/08/29
 tags:
    - attack.collection
    - attack.t1560.001
@@ -26,9 +26,11 @@ detection:
            - ' -sdel'
            - ' -dw'
            - ' -hp'
-    falsepositive:
-        ParentImage|startswith: 'C:\Program'
-    condition: selection and not falsepositive
+    filter_main_generic:
+        ParentImage|contains:
+            - ':\Program Files\'
+            - ':\Program Files (x86)\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
-level: high
+level: medium
@@ -3,8 +3,10 @@ id: a5a2d357-1ab8-4675-a967-ef9990a59391
 related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsoletes
+    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
+      type: obsoletes
 status: experimental
-description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
+description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
 references:
    - https://www.google.com/search?q=procdump+lsass
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
@@ -22,7 +24,7 @@ logsource:
    product: windows
    category: file_event
 detection:
-    selection1:
+    selection_1:
        TargetFilename|endswith:
            - '\lsass.dmp'
            - '\lsass.zip'
@@ -30,22 +32,22 @@ detection:
            - '\Andrew.dmp'
            - '\Coredump.dmp'
            - '\NotLSASS.zip'  # https://github.com/CCob/MirrorDump
-    selection2:
+    selection_2:
        TargetFilename|contains:
            - '\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
            - '\lsassdump'
            - '\lsassdmp'
-    selection3:
+    selection_3:
        TargetFilename|contains|all:
            - '\lsass'
            - '.dmp'
-    selection4:
+    selection_4:
        TargetFilename|contains: 'SQLDmpr'
        TargetFilename|endswith: '.mdmp'
-    selection5:
+    selection_5:
        TargetFilename|startswith: 'nanodump'
        TargetFilename|endswith: '.dmp'
-    condition: 1 of selection*
+    condition: 1 of selection_*
 falsepositives:
    - Unknown
 level: high
@@ -0,0 +1,31 @@
+title: VMMap Signed Dbghelp.DLL Potential Sideloading
+id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
+related:
+    - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
+      type: similar
+status: experimental
+description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
+references:
+    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/05
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|contains: 'C:\Debuggers\dbghelp.dll'
+        Image|endswith:
+            - '\vmmap.exe'
+            - '\vmmap64.exe'
+        Signed: 'true'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -1,11 +1,15 @@
-title: VMMap Dbghelp.DLL Potential Sideloading
+title: VMMap Unsigned Dbghelp.DLL Potential Sideloading
 id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
+related:
+    - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
+      type: similar
 status: experimental
-description: Detects potential DLL sideloading of dbghelp.dll by the Sysinternals VMMap.
+description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
 references:
    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/28
+modified: 2023/09/05
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -4,12 +4,12 @@ related:
    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
      type: derived
 status: experimental
-description: Detects a suspicious 7zip execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration
+description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
 references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
-modified: 2023/03/10
+modified: 2023/08/31
 tags:
    - attack.collection
    - attack.t1560.001
@@ -32,5 +32,6 @@ detection:
            - '.dump'
    condition: all of selection_*
 falsepositives:
-    - Unknown
-level: high
+    - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
+    - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
+level: medium
@@ -1,14 +1,14 @@
-title: Manage Engine Java Suspicious Sub Process
+title: Suspicious Child Process Of Manage Engine ServiceDesk
 id: cea2b7ea-792b-405f-95a1-b903ea06458f
 status: experimental
-description: Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process
+description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
 references:
    - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
    - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
    - https://blog.viettelcybersecurity.com/saml-show-stopper/
 author: Florian Roth (Nextron Systems)
 date: 2023/01/18
-modified: 2023/01/21
+modified: 2023/08/29
 tags:
    - attack.command_and_control
    - attack.t1102
@@ -21,41 +21,40 @@ detection:
            - '\ManageEngine\ServiceDesk\'
            - '\java.exe'
        Image|endswith:
-            - '\powershell.exe'
-            - '\sh.exe'
-            - '\bash.exe'
-            - '\pwsh.exe'
-            - '\schtasks.exe'
-            - '\certutil.exe'
-            - '\whoami.exe'  # Often used in POCs
-            - '\bitsadmin.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
-            - '\scrcons.exe'
-            # - '\regsvr32.exe'
-            # - '\hh.exe'
-            - '\wmic.exe'
-            - '\mshta.exe'
-            # - '\rundll32.exe'
-            - '\forfiles.exe'
-            # - '\scriptrunner.exe'
-            - '\mftrace.exe'
            - '\AppVLP.exe'
+            - '\bash.exe'
+            - '\bitsadmin.exe'
+            - '\calc.exe'
+            - '\certutil.exe'
+            - '\cscript.exe'
            - '\curl.exe'
-            - '\notepad.exe'  # Often used in POCs
-            - '\systeminfo.exe'
+            - '\forfiles.exe'
+            - '\mftrace.exe'
+            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
-            - '\reg.exe'
+            - '\notepad.exe'  # Often used in POCs
+            - '\powershell.exe'
+            - '\pwsh.exe'
            - '\query.exe'
-    filter_net:
+            - '\reg.exe'
+            - '\schtasks.exe'
+            - '\scrcons.exe'
+            - '\sh.exe'
+            - '\systeminfo.exe'
+            - '\whoami.exe'  # Often used in POCs
+            - '\wmic.exe'
+            - '\wscript.exe'
+            # - '\hh.exe'
+            # - '\regsvr32.exe'
+            # - '\rundll32.exe'
+            # - '\scriptrunner.exe'
+    filter_main_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' stop'
-    condition: selection and not 1 of filter_*
-fields:
-    - CommandLine
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Legitimate sub processes started by Manage Engine ServiceDesk Pro
 level: high
@@ -18,8 +18,8 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith: '\Windows\System32\lsass.exe'
        ParentImage|endswith: '\Windows\System32\lsass.exe'
+        Image|endswith: '\Windows\System32\lsass.exe'
    condition: selection
 falsepositives:
    - Unknown
@@ -0,0 +1,31 @@
+title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
+id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
+related:
+    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
+      type: similar
+status: experimental
+description: |
+    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+references:
+    - https://twitter.com/M_haggis/status/1699056847154725107
+    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
+    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/05
+tags:
+    - attack.execution
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
+            - 'http'
+            - ' 0'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -1,12 +1,13 @@
-title: Suspicious Rundll32 Without Any CommandLine Params
+title: Rundll32 Execution Without CommandLine Parameters
 id: 1775e15e-b61b-4d14-a1a3-80981298085a
 status: experimental
 description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
 references:
    - https://www.cobaltstrike.com/help-opsec
+    - https://twitter.com/ber_m1ng/status/1397948048135778309
 author: Florian Roth (Nextron Systems)
 date: 2021/05/27
-modified: 2022/10/06
+modified: 2023/08/31
 tags:
    - attack.defense_evasion
    - attack.t1202
@@ -15,17 +16,15 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine|endswith: '\rundll32.exe'
-    filter1:
-        ParentImage|endswith: '\svchost.exe'
+        CommandLine|endswith:
+            - '\rundll32.exe'
+            - '\rundll32.exe"'
+            - '\rundll32'
    filter2:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not 1 of filter*
-fields:
-    - ParentImage
-    - ParentCommandLine
 falsepositives:
    - Possible but rare
 level: high
@@ -1,31 +1,28 @@
-title: Rundll32 With Suspicious Parent Process
+title: Rundll32 Spawned Via Explorer.EXE
 id: 1723e720-616d-4ddc-ab02-f7e3685a4713
 status: experimental
-description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. 
+description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
 references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
 date: 2022/05/21
-modified: 2023/02/09
+modified: 2023/08/31
 tags:
    - attack.defense_evasion
 logsource:
    category: process_creation
    product: windows
 detection:
+    selection_parent:
+        ParentImage|endswith: '\explorer.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
-    selection_parent:
-        ParentImage|endswith: '\explorer.exe'
-    filter:
+    filter_main_generic:
        - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
        - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control
-    condition: all of selection_* and not filter
-fields:
-    - Image
-    - ParentImage
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: medium
@@ -1,12 +1,13 @@
-title: Suspicious Windows App Activity
+title: Potentially Suspicious Windows App Activity
 id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
 status: experimental
-description: Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
+description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
 references:
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/12
+modified: 2023/08/31
 tags:
    - attack.defense_evasion
 logsource:
@@ -19,20 +20,29 @@ detection:
    selection_susp_img:
        Image|endswith:
            # You can add more LOLBINs
-            - '\poweshell.exe'
-            - '\pwsh.exe'
-            - '\rundll32.exe'
-            - '\regsvr32.exe'
-            - '\mshta.exe'
+            - '\cmd.exe'
            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
            - '\wscript.exe'
    selection_susp_cli:
-        # You can add more suspicious keywords
+        # You can add more potentially suspicious keywords
        CommandLine|contains:
            - 'cmd /c'
            - 'Invoke-'
            - 'Base64'
-    condition: selection_parent and 1 of selection_susp_*
+    filter_optional_terminal:
+        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
+        ParentImage|endswith: '\WindowsTerminal.exe'
+        # Note: to avoid FP add the default shells and profiles that your WT integrates
+        Image|endswith:
+            - '\powershell.exe'
+            - '\cmd.exe'
+            - '\pwsh.exe'
+    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
 falsepositives:
-    - Unknown
-level: high
+    - Legitimate packages that make use of external binaries such as Windows Terminal
+level: medium
@@ -12,7 +12,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/23
-modified: 2023/01/29
+modified: 2023/08/29
 tags:
    - attack.credential_access
    - attack.t1555.003
@@ -38,10 +38,31 @@ detection:
            - 'robocopy.exe'
    selection_path:
        CommandLine|contains:
-            - '\Opera Software\Opera Stable\'
-            - '\Mozilla\Firefox\Profiles'
-            - '\Microsoft\Edge\User Data\'
+            - '\Amigo\User Data'
+            - '\BraveSoftware\Brave-Browser\User Data'
+            - '\CentBrowser\User Data'
+            - '\Chromium\User Data'
+            - '\CocCoc\Browser\User Data'
+            - '\Comodo\Dragon\User Data'
+            - '\Elements Browser\User Data'
+            - '\Epic Privacy Browser\User Data'
+            - '\Google\Chrome Beta\User Data'
+            - '\Google\Chrome SxS\User Data'
            - '\Google\Chrome\User Data\'
+            - '\Kometa\User Data'
+            - '\Maxthon5\Users'
+            - '\Microsoft\Edge\User Data'
+            - '\Mozilla\Firefox\Profiles'
+            - '\Nichrome\User Data'
+            - '\Opera Software\Opera GX Stable\'
+            - '\Opera Software\Opera Neon\User Data'
+            - '\Opera Software\Opera Stable\'
+            - '\Orbitum\User Data'
+            - '\QIP Surf\User Data'
+            - '\Sputnik\User Data'
+            - '\Torch\User Data'
+            - '\uCozMedia\Uran\User Data'
+            - '\Vivaldi\User Data'
    condition: all of selection_*
 falsepositives:
    - Unknown
@@ -56,9 +56,6 @@ detection:
            - '$'
        - CommandLine|contains: '\Sysvol\'
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
    - Administrative scripts
 level: high
@@ -1,18 +1,19 @@
-title: Suspicious Copy From or To System32
+title: Suspicious Copy From or To System Directory
 id: fff9d2b7-e11c-4a69-93d3-40ef66189767
 related:
    - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
      type: derived
 status: test
 description: |
-    Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.
-    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations
+    Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
+    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
 references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
+    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
 date: 2020/07/03
-modified: 2023/01/31
+modified: 2023/08/29
 tags:
    - attack.defense_evasion
    - attack.t1036.003
@@ -43,10 +44,8 @@ detection:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
-    condition: 1 of selection* and target
-fields:
-    - CommandLine
-    - ParentCommandLine
+            - '\WinSxS'
+    condition: 1 of selection_* and target
 falsepositives:
    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
    - When cmd.exe and xcopy.exe are called directly #  C:\Windows\System32\cmd.exe /c copy file1 file2
@@ -0,0 +1,60 @@
+title: LOL-Binary Copied From System Directory
+id: f5d19838-41b5-476c-98d8-ba8af4929ee2
+related:
+    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
+      type: derived
+status: experimental
+description: |
+    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
+references:
+    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
+    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
+    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/29
+tags:
+    - attack.defense_evasion
+    - attack.t1036.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_tools_cmd:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains: 'copy '
+    selection_tools_pwsh:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        CommandLine|contains:
+            - 'copy-item'
+            - ' copy '
+            - 'cpi '
+            - ' cp '
+    selection_tools_other:
+        - Image|endswith:
+            - '\robocopy.exe'
+            - '\xcopy.exe'
+        - OriginalFileName:
+            - 'robocopy.exe'
+            - 'XCOPY.EXE'
+    selection_target_path:
+        CommandLine|contains:
+            - '\System32'
+            - '\SysWOW64'
+            - '\WinSxS'
+    selection_target_lolbin:
+        CommandLine|contains:
+            # Note: add more binaries to increase coverage
+            - '\bitsadmin.exe'
+            - '\calc.exe'
+            - '\certutil.exe'
+            - '\cmdl32.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+    condition: 1 of selection_tools_* and all of selection_target_*
+falsepositives:
+    - Unknown
+level: high
@@ -66,10 +66,10 @@ detection:
            - 'WriteInt32'
            - 'WriteProcessMemory'
            - 'ZeroFreeGlobalAllocUnicode'
-    filter_mpcmdrun:
+    filter_optional_mpcmdrun:
        Image|endswith: '\MpCmdRun.exe'
        CommandLine|contains: 'GetLoadLibraryWAddress32'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
@@ -1,14 +1,17 @@
-title: LOLBIN From Abnormal Drive
+title: LOLBIN Execution From Abnormal Drive
 id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
+related:
+    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
+      type: similar
 status: test
-description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO.
+description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
 references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.scythe.io/library/threat-emulation-qakbot
    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
-author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
 date: 2022/01/25
-modified: 2023/04/12
+modified: 2023/08/29
 tags:
    - attack.defense_evasion
 logsource:
@@ -16,24 +19,27 @@ logsource:
    product: windows
 detection:
    selection:
+        # Note: add more lolbins for additional coverage
        - Image|endswith:
-            - '\rundll32.exe'
            - '\calc.exe'
-            - '\mshta.exe'
-            - '\cscript.exe'
-            - '\wscript.exe'
-            - '\regsvr32.exe'
-            - '\installutil.exe'
+            - '\certutil.exe'
            - '\cmstp.exe'
+            - '\cscript.exe'
+            - '\installutil.exe'
+            - '\mshta.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
        - OriginalFileName:
-            - 'RUNDLL32.EXE'
            - 'CALC.EXE'
-            - 'MSHTA.EXE'
-            - 'cscript.exe'
-            - 'wscript.exe'
-            - 'REGSVR32.EXE'
-            - 'installutil.exe'
+            - 'CertUtil.exe'
            - 'CMSTP.EXE'
+            - 'cscript.exe'
+            - 'installutil.exe'
+            - 'MSHTA.EXE'
+            - 'REGSVR32.EXE'
+            - 'RUNDLL32.EXE'
+            - 'wscript.exe'
    filter_main_currentdirectory:
        CurrentDirectory|contains: 'C:\'
    filter_main_empty:
@@ -0,0 +1,49 @@
+title: LSASS Dump Keyword In CommandLine
+id: ffa6861c-4461-4f59-8a41-578c39f3f23e
+related:
+    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
+      type: derived
+status: test
+description: |
+    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
+references:
+    - https://github.com/Hackndo/lsassy
+    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
+    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
+    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
+    - https://github.com/helpsystems/nanodump
+    - https://github.com/CCob/MirrorDump
+author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2019/10/24
+modified: 2023/08/29
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - CommandLine|contains:
+            - 'lsass.dmp'
+            - 'lsass.zip'
+            - 'lsass.rar'
+            - 'Andrew.dmp'
+            - 'Coredump.dmp'
+            - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump
+            - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
+            - 'lsassdump'
+            - 'lsassdmp'
+        - CommandLine|contains|all:
+            - 'lsass'
+            - '.dmp'
+        - CommandLine|contains|all:
+            - 'SQLDmpr'
+            - '.mdmp'
+        - CommandLine|contains|all:
+            - 'nanodump'
+            - '.dmp'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
@@ -1,34 +0,0 @@
-title: LSASS Memory Dumping
-id: ffa6861c-4461-4f59-8a41-578c39f3f23e
-status: test
-description: |
-  Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.
-  Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
-references:
-    - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
-    - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
-author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2023/03/06
-tags:
-    - attack.credential_access
-    - attack.t1003.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - 'lsass'
-            - '.dmp'
-    filter:
-        Image|endswith: '\werfault.exe'
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-falsepositives:
-    - Unlikely
-level: high
@@ -4,12 +4,12 @@ related:
    - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
      type: similar
 status: experimental
-description: Detects a suspicious winrar execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration
+description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
 references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/04
-modified: 2023/03/10
+modified: 2023/09/07
 tags:
    - attack.collection
    - attack.t1560.001
@@ -28,5 +28,6 @@ detection:
            - '.dump'
    condition: all of selection_*
 falsepositives:
-    - Legitimate use of WinRAR with a command line in which .dmp appears accidentally
-level: high
+    - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
+    - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
+level: medium
@@ -0,0 +1,45 @@
+title: Potentially Suspicious Child Process Of WinRAR.EXE
+id: 146aace8-9bd6-42ba-be7a-0070d8027b76
+related:
+    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+      type: similar
+status: experimental
+description: Detects potentially suspicious child processes of WinRAR.exe.
+references:
+    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.execution
+    - attack.t1203
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\WinRAR.exe'
+    selection_binaries:
+        # Note: add additional binaries that the attacker might use
+        - Image|endswith:
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+        - OriginalFileName:
+            - 'Cmd.Exe'
+            - 'cscript.exe'
+            - 'mshta.exe'
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+            - 'regsvr32.exe'
+            - 'RUNDLL32.EXE'
+            - 'wscript.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/cyb3rops/status/1460978167628406785
 author: Florian Roth (Nextron Systems), Tigzy
 date: 2021/11/17
-modified: 2022/12/25
+modified: 2023/08/31
 tags:
    - attack.collection
    - attack.t1560.001
@@ -19,12 +19,17 @@ detection:
            - '\rar.exe'
            - '\winrar.exe'
        - Description: 'Command line RAR'
-    filter:
+    filter_main_unrar:
+        # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression
+        Image|endswith: '\UnRAR.exe'
+    filter_main_path:
        Image|contains:
-            - '\WinRAR'
-            - 'C:\Windows\Temp'
-            - '\UnRAR.exe'
-    condition: selection and not filter
+            - ':\Program Files (x86)\WinRAR\'
+            - ':\Program Files\WinRAR\'
+    filter_optional_temp:
+        # Note: in some occasion installers were seen dropping "rar" in TEMP
+        Image|contains: ':\Windows\Temp\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
-level: high
+level: medium
@@ -0,0 +1,31 @@
+title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
+id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
+related:
+    - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
+      type: similar
+status: experimental
+description: |
+    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+references:
+    - https://twitter.com/M_haggis/status/1699056847154725107
+    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
+    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
+author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
+date: 2023/09/05
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
+        TargetObject|endswith:
+            - '\http'
+            - '\https'
+        Details|contains: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,24 @@
+title: Old TLS1.0/TLS1.1 Protocol Version Enabled
+id: 439957a7-ad86-4a8f-9705-a28131c6821b
+status: experimental
+description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
+references:
+    - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/05
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains:
+            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
+            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
+        TargetObject|endswith: '\Enabled'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Legitimate enabling of the old tls versions due to incompatibility
+level: medium