From bf80eace812deb64065d83c8fade1da50ffa61e0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 25 May 2023 02:13:00 +0200
Subject: [PATCH] feat: first batch update for regsvr32
---
 .../proc_creation_win_regsvr32_anomalies.yml | 64 ++++-----------------
 ...oc_creation_win_regsvr32_flags_anomaly.yml | 15 ++---
 ...creation_win_regsvr32_http_ip_pattern.yml} | 11 ++--
 ..._creation_win_regsvr32_network_pattern.yml | 30 +++++++++
 .../proc_creation_win_regsvr32_no_dll.yml | 38 -----------
 ...ation_win_regsvr32_susp_child_process.yml} | 18 ++++--
 ...creation_win_regsvr32_susp_extensions.yml} | 18 ++++--
 ...eation_win_regsvr32_uncommon_extension.yml | 39 +++++++++++
 8 files changed, 116 insertions(+), 117 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_regsvr32_http_pattern.yml => proc_creation_win_regsvr32_http_ip_pattern.yml} (82%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
 rename rules/windows/process_creation/{proc_creation_win_regsvr32_spawn_explorer.yml => proc_creation_win_regsvr32_susp_child_process.yml} (54%)
 rename rules/windows/process_creation/{proc_creation_win_regsvr32_image.yml => proc_creation_win_regsvr32_susp_extensions.yml} (73%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
index 0eaa0c49d..5a1fec453 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
@@ -1,13 +1,13 @@
-title: Regsvr32 Anomaly
+title: Regsvr32 Execution Anomaly
 id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 status: experimental
-description: Detects various anomalies in relation to regsvr32.exe
+description: Detects various anomalies or uncommon execution trees related "regsvr32.exe"
 references:
- - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+ - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
 date: 2019/01/16
-modified: 2023/02/26
+modified: 2023/05/24
 tags:
 - attack.defense_evasion
 - attack.t1218.010
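Review bot: The new description line reads `related "regsvr32.exe"` and is missing its preposition, so the sentence does not parse; `description: Detects various anomalies or uncommon execution trees related to "regsvr32.exe"` is the intended wording. The title and reference updates in the same hunk need no further change.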
@@ -19,68 +19,26 @@ logsource:
 detection:
 selection1:
 Image|endswith: '\regsvr32.exe'
- CommandLine|contains: '\Temp\'
+ CommandLine|contains:
+ - '\Temp\'
+ - '\AppData\Local'
+ - 'C:\Users\Public'
 selection2:
 Image|endswith: '\regsvr32.exe'
 ParentImage|endswith:
+ - '\cmd.exe'
+ - '\mshta.exe'
+ - '\powershell_ise.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
- - '\powershell_ise.exe'
- selection3:
- Image|endswith: '\regsvr32.exe'
- ParentImage|endswith: '\cmd.exe'
- selection4a:
- Image|endswith: '\regsvr32.exe'
- CommandLine|contains|all:
- - '/i:'
- - 'http'
- CommandLine|endswith: 'scrobj.dll'
- selection4b:
- Image|endswith: '\regsvr32.exe'
- CommandLine|contains|all:
- - '/i:'
- - 'ftp'
- CommandLine|endswith: 'scrobj.dll'
- selection5:
- Image|endswith:
- - '\cscript.exe'
- - '\wscript.exe'
- ParentImage|endswith: '\regsvr32.exe'
 selection6:
 Image|endswith: '\EXCEL.EXE'
 CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
- selection7:
- ParentImage|endswith: '\mshta.exe'
- Image|endswith: '\regsvr32.exe'
- selection8:
- Image|endswith: '\regsvr32.exe'
- CommandLine|contains:
- - '\AppData\Local'
- - 'C:\Users\Public'
- selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
- Image|endswith: '\regsvr32.exe'
- CommandLine|endswith:
- - '.jpg'
- - '.jpeg'
- - '.png'
- - '.gif'
- - '.bin'
- - '.tmp'
- - '.temp'
- - '.txt'
 filter1:
 CommandLine|contains:
 - '\AppData\Local\Microsoft\Teams'
 - '\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll'
- filter2:
- ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe'
- CommandLine|contains: '\Program Files\Box\Box\Temp\'
- filter_legitimate:
- CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll'
 condition: 1 of selection* and not 1 of filter*
-fields:
- - CommandLine
- - ParentCommandLine
 falsepositives:
 - Unknown
 level: high
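Review bot: `selection1` now fires on any regsvr32 command line containing the bare substring `\AppData\Local` (commonly the parent of per-user application installs) or `\Temp\`, while the only exclusions left in `filter1` are the Teams and WebEx paths; the Box `\Program Files\Box\Box\Temp\` and RpcProxy exclusions that previously covered the `\Temp\` match are absent from the new version, and the rule keeps `level: high` with `falsepositives: - Unknown`. If dropping those exclusions is intentional, the known benign sources should at least be documented, e.g. `- Legitimate software registering components from Temp or the user's AppData folder` under `falsepositives`; otherwise keeping them as `filter_optional_*` entries would let the existing `not 1 of filter*` condition still exclude them without further change. The `detection:` block is fully inside this hunk, so no other context is needed to judge it.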
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
index f09267f9e..e85146025 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
@@ -1,12 +1,12 @@
-title: Regsvr32 Flags Anomaly
+title: Potentially Regsvr32 Commandline Flag Anomaly
 id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
 status: test
-description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
+description: Detects a potential command line flag anomaly related to "regsvr32" in which "/i" flag is used without the "/n" which should be uncommon.
 references:
 - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
 author: Florian Roth (Nextron Systems)
 date: 2019/07/13
-modified: 2021/11/27
+modified: 2023/05/24
 tags:
 - attack.defense_evasion
 - attack.t1218.010
@@ -17,12 +17,9 @@ detection:
 selection:
 Image|endswith: '\regsvr32.exe'
 CommandLine|contains: ' /i:'
- filter:
+ filter_main_flag:
 CommandLine|contains: ' /n '
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
similarity index 82%
rename from rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index 715d87889..da769056b 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
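Review bot: The new title `Potentially Regsvr32 Commandline Flag Anomaly` uses the adverb where the adjective is meant; `title: Potential Regsvr32 Commandline Flag Anomaly` reads correctly. The new description is also hard to parse, and `description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" flag, which should be uncommon.` keeps its meaning.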
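Review bot: `filter_main_flag` in the second hunk still matches `' /n '` with a trailing space, so a command line in which `/n` is the final token is not excluded and the rule alerts although both flags are present; whether regsvr32 accepts the flag after the DLL argument is not shown here, so treat this as a possible rather than confirmed gap. The new `not 1 of filter_main_*` condition already accommodates a second filter, so adding `filter_main_flag_end:` with `CommandLine|endswith: ' /n'` closes it without touching the existing entry.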
@@ -1,13 +1,14 @@
 title: Suspicious Regsvr32 HTTP IP Pattern
 id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
 status: experimental
-description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN
+description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address and a IP address.
 references:
- - https://twitter.com/mrd0x/status/1461041276514623491c19-ps
+ - https://twitter.com/mrd0x/status/1461041276514623491
 - https://twitter.com/tccontre18/status/1480950986650832903
+ - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/11
-modified: 2023/01/11
+modified: 2023/05/24
 tags:
 - attack.defense_evasion
 - attack.t1218.010
@@ -16,7 +17,7 @@ logsource:
 product: windows
 detection:
 selection_flags:
- CommandLine|contains|all:
+ CommandLine|contains:
 - ' /s'
 - ' /u'
 selection_ip:
@@ -41,5 +42,5 @@ detection:
 - ' /i:https://9'
 condition: all of selection_*
 falsepositives:
- - FQDNs that start with a number
+ - FQDNs that start with a number such as "7-Zip"
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
new file mode 100644
index 000000000..4c4706e8c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
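Review bot: The new description ends in `from a remote address and a IP address.`, which is both ungrammatical and redundant; `description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote IP address.` states the same thing. Because the second hunk turns `selection_flags` from `contains|all` into a plain `contains` list, "flag combination" is also slightly misleading now (either ` /s` or ` /u` alone satisfies it), so "command line flags" would describe the new logic better. In the third hunk, `such as "7-Zip"` names a product rather than a domain; presumably the FQDN meant is `7-zip.org`, which is what the entry should quote.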
@@ -0,0 +1,30 @@
+title:
+id: 867356ee-9352-41c9-a8f2-1be690d78216
+status: experimental
+description: Detects
+references:
+ - https://twitter.com/mrd0x/status/1461041276514623491
+ - https://twitter.com/tccontre18/status/1480950986650832903
+ - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
+author: Florian Roth (Nextron Systems)
+date: 2023/05/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\regsvr32.exe'
+ - OriginalFileName: 'REGSVR32.EXE'
+ selection_flag:
+ CommandLine|contains: ' /i'
+ selection_protocol:
+ CommandLine|contains:
+ - 'ftp'
+ - 'http'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
deleted file mode 100644
index 32603fb9a..000000000
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Regsvr32 Command Line Without DLL
-id: 50919691-7302-437f-8e10-1fe088afa145
-status: test
-description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line
-references:
- - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth (Nextron Systems)
-date: 2019/07/17
-modified: 2022/12/25
-tags:
- - attack.defense_evasion
- - attack.t1574
- - attack.execution
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\regsvr32.exe'
- filter:
- CommandLine|contains:
- - '.dll'
- - '.ocx'
- - '.cpl'
- - '.ax'
- - '.bav'
- - '.ppl'
- filter_null1_for_4688:
- CommandLine: null
- filter_null2_for_4688:
- CommandLine: ''
- condition: selection and not filter and not filter_null1_for_4688 and not filter_null2_for_4688
-falsepositives:
- - Unknown
-fields:
- - CommandLine
- - ParentCommandLine
-level: high
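Review bot: `title:` is left empty and `description: Detects` is cut off, so the new rule ships without a name or an explanation of what it covers; an empty `title:` value is null in YAML and will presumably fail the repository's rule validation. Both need to be filled in before merging, e.g. `title: Regsvr32 Execution With Network Protocol In Command Line` and `description: Detects "regsvr32" executions whose "/i" argument references an "http" or "ftp" location, which is uncommon for legitimate component registration.` Note also that `selection_protocol` matches the bare substrings `'ftp'` and `'http'` anywhere in the command line rather than inside the `/i:` argument, so a local DLL path containing those letters (a folder named `httpd`, for instance) satisfies it too; if that breadth is deliberate, say so in `falsepositives` instead of leaving it at `- Unknown`.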
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
similarity index 54%
rename from rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index a8ad65c94..85d9243bb 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -1,13 +1,13 @@
-title: Regsvr32 Spawning Explorer
+title: Suspicious Child Process Of Regsvr32
 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
 status: experimental
-description: Detects "regsvr32.exe" spawning "explorer.exe", which is very uncommon.
+description: Detects suspicious child processes of "regsvr32.exe".
 references:
 - https://redcanary.com/blog/intelligence-insights-april-2022/
 - https://www.echotrail.io/insights/search/regsvr32.exe
-author: elhoim
+author: elhoim, Florian Roth (Nextron Systems)
 date: 2022/05/05
-modified: 2022/07/28
+modified: 2023/05/24
 tags:
 - attack.defense_evasion
 - attack.t1218.010
@@ -17,8 +17,14 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\regsvr32.exe'
- Image|endswith: '\explorer.exe'
+ Image|endswith:
+ - '\calc.exe'
+ - '\cscript.exe'
+ - '\explorer.exe'
+ - '\mshta.exe'
+ - '\notepad.exe'
+ - '\wscript.exe'
 condition: selection
 falsepositives:
- - Unknown
+ - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
similarity index 73%
rename from rules/windows/process_creation/proc_creation_win_regsvr32_image.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index 55a4ab29e..a756cc3b1 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml
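Review bot: The widened `Image|endswith` list in the second hunk absorbs the cscript/wscript child-of-regsvr32 logic that this same commit removes from the anomalies rule (`8e2b24c9-4add-46a0-b4bb-0057b4e6187d`, former `selection5`), but nothing in either file records that the coverage moved, so a reader tuning one rule will not find the other. A `related:` block after `id:` with `- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d` and `type: derived` documents the lineage. The description could likewise name the children it now covers instead of the generic "suspicious child processes", since the list is short and explicit.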
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
@@ -1,17 +1,17 @@
-title: Suspicious Regsvr32 Execution With Image Extension
+title: Regsvr32 Execution With Suspicious File Extension
 id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 related:
 - id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
 type: similar
 status: experimental
-description: Detects the execution of REGSVR32.exe with DLL files masquerading as image files
+description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 references:
 - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
 - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
 - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
-author: frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2021/11/29
-modified: 2022/10/31
+modified: 2023/05/24
 tags:
 - attack.defense_evasion
 - attack.t1218.010
@@ -21,12 +21,15 @@ logsource:
 detection:
 selection_img:
 - Image|endswith: '\regsvr32.exe'
- - OriginalFileName: '\REGSVR32.EXE'
+ - OriginalFileName: 'REGSVR32.EXE'
 selection_cli:
 CommandLine|endswith: # Add more image extensions
+ # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
+ - '.bin'
 - '.bmp'
 - '.cr2'
+ - '.dat'
 - '.eps'
 - '.gif'
 - '.ico'
@@ -37,9 +40,12 @@ detection:
 - '.png'
 - '.raw'
 - '.sr2'
+ - '.temp'
 - '.tif'
 - '.tiff'
+ - '.tmp'
+ - '.txt'
 condition: all of selection_*
 falsepositives:
- - Unknown
+ - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
new file mode 100644
index 000000000..3fa164d5d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
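Review bot: The inline comment `# Add more image extensions` on `CommandLine|endswith:` in the second hunk is now stale: the hunk appends `.bin`, `.dat`, `.temp`, `.tmp` and `.txt`, none of which are image types, and the title was changed to "Suspicious File Extension" for that reason; `# Add more suspicious non-DLL extensions` keeps the comment truthful. The list is cut off after `'.ico'` in this hunk and resumes at `'.png'` in the next, so I cannot see whether `.jpg` and `.jpeg`, which the `selection9` removed from the anomalies rule in this same commit also covered, survive in the unseen middle of the list; please verify, otherwise that coverage is silently lost.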
@@ -0,0 +1,39 @@
+title: Regsvr32 DLL Execution With Uncommon Extension
+id: 50919691-7302-437f-8e10-1fe088afa145
+status: test
+description: Detects a "regsvr32" execution where the file doesn't contain a common file extension used.
+references:
+ - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems)
+date: 2019/07/17
+modified: 2023/05/24
+tags:
+ - attack.defense_evasion
+ - attack.t1574
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\regsvr32.exe'
+ - OriginalFileName: 'REGSVR32.EXE'
+ filter_main_legit_ext:
+ CommandLine|contains:
+ # Note: For better accuracy you might not want to use contains
+ - '.ax'
+ - '.cpl'
+ - '.dll' # Covers ".dll.mui"
+ - '.ocx'
+ filter_optional_pascal:
+ CommandLine|contains: '.ppl'
+ filter_optional_avg:
+ CommandLine|contains: '.bav'
+ filter_main_null_4688:
+ CommandLine: null
+ filter_main_empty_4688:
+ CommandLine: ''
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Other legit extensions currently not in the list either from third party or specific windows component
+level: medium
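Review bot: The description `where the file doesn't contain a common file extension used.` and the falsepositives entry `Other legit extensions currently not in the list either from third party or specific windows component` both read as unfinished sentences; `description: Detects a "regsvr32" execution where the referenced file does not carry one of the extensions commonly registered with it (".dll", ".ocx", ".cpl", ".ax").` and `- Other legitimate extensions currently not in the list, either from third-party software or specific Windows components` say the same thing clearly. The `filter_main_legit_ext` values are matched with `contains`, as the inline note already warns, so the short `'.ax'` token can occur inside unrelated path components and suppress the rule; that is a blind spot rather than a false positive and deserves a sentence of its own in the description. Reusing the id `50919691-7302-437f-8e10-1fe088afa145` and the 2019 `date:` from the deleted no_dll rule reads as an intentional rename, which is fine, but a short commit-message mention would save the next reader from treating the delete/create pair as two unrelated changes.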