Merge branch 'master' into rule-devel

2022-03-07 15:38:58 +01:00
parent 0d083039ab 91ab32aa48
commit c93fd80482
8 changed files with 144 additions and 26 deletions
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/09/18
+modified: 2022/03/06
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -21,7 +21,11 @@ logsource:
 detection:
    selection:
        EventID: 4697 
-        ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+        ServiceFileName|contains|all:
+            - 'rundll32.exe'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+            - 'powershell'
    condition: selection
 falsepositives:
    - Unknown
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/03/06
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
@@ -21,7 +21,16 @@ logsource:
 detection:
    selection:
        EventID: 4697
-        ServiceFileName|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+        ServiceFileName|contains|all:
+            - '&&'
+            - 'rundll32'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+        ServiceFileName|contains:
+            - value
+            - invoke
+            - comspec
+            - iex
    condition: selection
 falsepositives:
    - Unknown
@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/11/30
+modified: 2022/03/06
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 falsepositives:
    - unknown
 level: medium
@@ -22,5 +17,16 @@ detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
-        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    condition: selection
+        ImagePath|contains|all:
+            - 'new-object'
+            - 'text.encoding]::ascii'
+            - 'readtoend'
+        ImagePath|contains:    
+            - ':system.io.compression.deflatestream'
+            - 'system.io.streamreader'
+    condition: selection
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/11/30
+modified: 2022/03/06
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -19,8 +19,14 @@ detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
-        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+        ImagePath|contains|all:
+            - 'set'
+            - '&&'
+            - 'mshta'
+            - 'vbscript:createobject'
+            - '.run'
+            - '(window.close)'
    condition: selection
 falsepositives:
    - Unknown
-level: high
+level: high
@@ -4,10 +4,7 @@ status: experimental
 description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
 author: Sreeman
 date: 2020/04/17
-modified: 2021/07/07
-tags:
-    - attack.defense_evasion
-    - attack.t1036
+modified: 2022/03/06
 logsource:
    product: windows
    category: process_creation
@@ -15,8 +12,12 @@ detection:
    selection:
        Image: hxtsr.exe
    filter:
-        CurrentDirectory|re: '(?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe'
+        CurrentDirectory|startswith: 'C:\program files\windowsapps\microsoft.windowscommunicationsapps_'
+        CurrentDirectory|endswith: '\hxtsr.exe'
    condition: selection and not filter
 falsepositives:
    - unknown
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1036
@@ -0,0 +1,25 @@
+title: Suspicious OfflineScannerShell.exe Execution From Another Folder
+id: 02b18447-ea83-4b1b-8805-714a8a34546a
+status: experimental
+description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory 
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
+author: frack113
+date: 2022/03/06
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    lolbas:
+        Image|endswith: '\OfflineScannerShell.exe'
+    filter_correct:
+        CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
+    filter_missing: 
+        CurrentDirectory: null
+    condition: lolbas and not 1 of filter_*
+falsepositives:
+    - unknown
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1218 
@@ -0,0 +1,23 @@
+title: Suspicious Replace.exe Execution
+id: 9292293b-8496-4715-9db6-37028dcda4b3
+status: experimental
+description: Replace.exe is used to replace file with another file
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Replace/
+author: frack113
+date: 2022/03/06
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    lolbas:
+        CommandLine|contains|all: 
+            - 'replace '
+            - '/A'
+    condition: lolbas 
+falsepositives:
+    - unknown
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1105
@@ -10,18 +10,62 @@ tags:
    - attack.t1574.011
 author: Sreeman
 date: 2020/09/29
-modified: 2021/08/10
+modified: 2022/03/06
 logsource:
    category: process_creation
    product: windows
 detection:
    selection_cmdline_1:
-        CommandLine|re: '(?i)sc config.*binpath=.*'
+        CommandLine|contains|all:
+            - 'sc '
+            - 'config '
+            - 'binpath='
    selection_cmdline_2: 
-        CommandLine|re: '(?i)sc failure.*command=.*'
+        CommandLine|contains|all:
+            - 'sc '
+            - 'failure'
+            - 'command='
    selection_cmdline_3:
-        CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin$|\.bat|\.cmd|\.js|\.msh$|\.reg$|\.scr|\.ps|\.vb|\.jar|\.pl).*'
-    condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+        CommandLine|contains|all:
+            - 'reg '
+            - 'add '
+            - 'FailureCommand'
+        CommandLine|contains:
+            - '.sh'
+            - '.exe'
+            - '.dll'
+            - '.bin$'
+            - '.bat'
+            - '.cmd'
+            - '.js'
+            - '.msh$'
+            - '.reg$'
+            - '.scr'
+            - '.ps'
+            - '.vb'
+            - '.jar'
+            - '.pl'
+    selection_cmdline_4:
+        CommandLine|contains|all:
+            - 'reg '
+            - 'add '
+            - 'ImagePath'
+        CommandLine|contains:
+            - '.sh'
+            - '.exe'
+            - '.dll'
+            - '.bin$'
+            - '.bat'
+            - '.cmd'
+            - '.js'
+            - '.msh$'
+            - '.reg$'
+            - '.scr'
+            - '.ps'
+            - '.vb'
+            - '.jar'
+            - '.pl'
+    condition: 1 of selection_cmdline_*
 falsepositives:
    - unknown
 level: medium