From 32e0100af2c99cc5fbd1f3c05a3153f052c7fac6 Mon Sep 17 00:00:00 2001
From: Swachchhanda Poudel
Date: Fri, 11 Aug 2023 15:33:10 +0545
Subject: [PATCH 1/2] Added two new lolbas rules and slight modifications on exisiting rules
---
 .../proc_creation_win_lolbin_ftp.yml | 9 +++---
 .../proc_creation_win_lolbin_susp_msedge.yml | 29 +++++++++++++++++++
 .../proc_creation_win_lolbin_susp_teams.yml | 29 +++++++++++++++++++
 .../registry_set_persistence_office_vsto.yml | 7 +++--
 4 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
index 93f7abf93..fc9086edc 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
@@ -1,12 +1,12 @@
 title: LOLBIN Execution Of The FTP.EXE Binary
 id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
 status: test
-description: Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe
+description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
-author: Victor Sergeev, oscd.community
+author: Victor Sergeev, oscd.community, Swachchhanda Shrawan Poudel
 date: 2020/10/09
-modified: 2022/11/10
+modified: 2023/08/11
 tags:
 - attack.execution
 - attack.t1059
@@ -22,7 +22,8 @@ detection:
 - Image|endswith: '\ftp.exe'
 - OriginalFileName: 'ftp.exe'
 selection_ftp_cli:
- CommandLine|contains: '-s:'
+ - CommandLine|contains: '-s:'
+ - CommandLine|contains: '/s:'
 condition: selection_parent or all of selection_ftp_*
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml
new file mode 100644
index 000000000..91f8b94e7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml
@@ -0,0 +1,29 @@
+title: Indirect Command Execution by Microsoft Edge Browser
+id: d6947e89-2a7f-4c91-bad6-8e5c3b0f78a2
+status: experimental
+description: Detects indirect command execution via Microsoft Edge browser
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/11
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\msedge.exe'
+ - OriginalFileName: 'msedge.exe'
+ selection_cmd:
+ - CommandLine|contains|all:
+ - '--gpu-launcher='
+ - '&&'
+ - ParentCommandLine|contains|all:
+ - '--gpu-launcher='
+ - '&&'
+ condition: selection_img and selection_cmd
+falsepositives:
+ - Unlikely
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml
new file mode 100644
index 000000000..c7d0cd53b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml
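Review bot: In `selection_cmd` the `ParentCommandLine|contains|all` alternative is still ANDed with `selection_img`, so it can only match a process whose own image is msedge.exe and whose parent carried `--gpu-launcher=`, i.e. the browser's own child processes rather than whatever the launcher argument starts; if the intent is to also see the spawned launcher, that alternative would need its own selection keyed on `ParentImage|endswith: '\msedge.exe'` instead of the child's `Image`, which I cannot confirm from the rule text alone. The Teams rule in the following hunk has the identical structure and the same caveat applies there. Both new files also end without a trailing newline (`\ No newline at end of file`), which the repository's YAML linting is likely to flag. Note that the second patch in this series deletes both files as already covered, so this only matters if they are brought back.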
@@ -0,0 +1,29 @@
+title: Indirect Command Execution by Microsoft Teams
+id: 8abf3e61-91a2-4b34-bcc7-728d5fa92e49
+status: experimental
+description: Detects indirect command execution via Microsoft teams
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Teams/
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/11
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\Teams.exe'
+ - OriginalFileName: 'Teams.exe'
+ selection_cmd:
+ - CommandLine|contains|all:
+ - '--gpu-launcher='
+ - '&&'
+ - ParentCommandLine|contains|all:
+ - '--gpu-launcher='
+ - '&&'
+ condition: selection_img and selection_cmd
+falsepositives:
+ - Unlikely
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
index 76bec65c2..cca2e001d 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -5,9 +5,9 @@ description: Detects persistence via Visual Studio Tools for Office (VSTO) add-i
 references:
 - https://twitter.com/_vivami/status/1347925307643355138
 - https://vanmieghem.io/stealth-outlook-persistence/
-author: Bhabesh Raj
+author: Bhabesh Raj, Swachchhanda Shrawan Poudel
 date: 2021/01/10
-modified: 2023/06/28
+modified: 2023/08/11
 tags:
 - attack.t1137.006
 - attack.persistence
@@ -34,6 +34,9 @@ detection:
 - '\integrator.exe'
 - '\OfficeClickToRun.exe'
 - '\winword.exe'
+ filter_teams:
+ Image|endswith:
+ - '\Teams.exe'
 filter_avg:
 Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
 TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
From 0a5d38140d07c916edf688cac6c573090ee88a7d Mon Sep 17 00:00:00 2001
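Review bot: The new `filter_teams` in the `@@ -34,6 +34,9 @@` hunk of registry_set_persistence_office_vsto.yml excludes any process whose image name is `Teams.exe` regardless of where it runs from, so the exclusion is satisfiable by a renamed binary and weakens a persistence rule; anchoring it on the expected install location, roughly `Image|endswith: '\Microsoft\Teams\current\Teams.exe'` (confirm the path against the installer before committing), keeps the noise reduction while narrowing that bypass. The rule's `condition` line is outside this hunk, so it should be verified that it actually references the new filter (for example via `not 1 of filter_*`); otherwise the entry is dead. The second patch's `@@ -35,8 +35,7 @@` hunk of the same file only collapses the value to a scalar and keeps the name-only match, so the same point applies there.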
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 11 Aug 2023 12:55:33 +0200
Subject: [PATCH 2/2] fix: remove already covered rules and fix metadata
---
 .../proc_creation_win_lolbin_ftp.yml | 10 +++----
 .../proc_creation_win_lolbin_susp_msedge.yml | 29 -------------------
 .../proc_creation_win_lolbin_susp_teams.yml | 29 -------------------
 .../registry_set_persistence_office_vsto.yml | 5 ++--
 4 files changed, 6 insertions(+), 67 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml
 delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
index fc9086edc..23af4f593 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
-author: Victor Sergeev, oscd.community, Swachchhanda Shrawan Poudel
+author: Victor Sergeev, oscd.community
 date: 2020/10/09
 modified: 2023/08/11
 tags:
@@ -22,12 +22,10 @@ detection:
 - Image|endswith: '\ftp.exe'
 - OriginalFileName: 'ftp.exe'
 selection_ftp_cli:
- - CommandLine|contains: '-s:'
- - CommandLine|contains: '/s:'
+ CommandLine|contains:
+ - '-s:'
+ - '/s:'
 condition: selection_parent or all of selection_ftp_*
-fields:
- - CommandLine
- - ParentImage
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml
deleted file mode 100644
index 91f8b94e7..000000000
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Indirect Command Execution by Microsoft Edge Browser
-id: d6947e89-2a7f-4c91-bad6-8e5c3b0f78a2
-status: experimental
-description: Detects indirect command execution via Microsoft Edge browser
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
-author: Swachchhanda Shrawan Poudel
-date: 2023/08/11
-tags:
- - attack.defense_evasion
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_img:
- - Image|endswith: '\msedge.exe'
- - OriginalFileName: 'msedge.exe'
- selection_cmd:
- - CommandLine|contains|all:
- - '--gpu-launcher='
- - '&&'
- - ParentCommandLine|contains|all:
- - '--gpu-launcher='
- - '&&'
- condition: selection_img and selection_cmd
-falsepositives:
- - Unlikely
-level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml
deleted file mode 100644
index c7d0cd53b..000000000
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Indirect Command Execution by Microsoft Teams
-id: 8abf3e61-91a2-4b34-bcc7-728d5fa92e49
-status: experimental
-description: Detects indirect command execution via Microsoft teams
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Teams/
-author: Swachchhanda Shrawan Poudel
-date: 2023/08/11
-tags:
- - attack.defense_evasion
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_img:
- - Image|endswith: '\Teams.exe'
- - OriginalFileName: 'Teams.exe'
- selection_cmd:
- - CommandLine|contains|all:
- - '--gpu-launcher='
- - '&&'
- - ParentCommandLine|contains|all:
- - '--gpu-launcher='
- - '&&'
- condition: selection_img and selection_cmd
-falsepositives:
- - Unlikely
-level: high
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
index cca2e001d..bb303830e 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -5,7 +5,7 @@ description: Detects persistence via Visual Studio Tools for Office (VSTO) add-i
 references:
 - https://twitter.com/_vivami/status/1347925307643355138
 - https://vanmieghem.io/stealth-outlook-persistence/
-author: Bhabesh Raj, Swachchhanda Shrawan Poudel
+author: Bhabesh Raj
 date: 2021/01/10
 modified: 2023/08/11
 tags:
@@ -35,8 +35,7 @@ detection:
 - '\OfficeClickToRun.exe'
 - '\winword.exe'
 filter_teams:
- Image|endswith:
- - '\Teams.exe'
+ Image|endswith: '\Teams.exe'
 filter_avg:
 Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
 TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'