Merge pull request #2008 from frack113/master

Split global sysmon rules

rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -1,10 +1,10 @@
-action: global
 title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
 status: experimental
 description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
 author: Sittikorn S
 date: 2021/07/16
-modified: 2021/08/06
+modified: 2021/09/09
 references:
     - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
     - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -15,11 +15,6 @@ tags:
     - attack.t1566
     - attack.t1203
     # - threat_group.Sourgum
-falsepositives:
-    - Unlikely
-level: critical
----
-id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
 logsource:
     product: windows
     category: file_event
@@ -37,16 +32,6 @@ detection:
             - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
             - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
     condition: selection
----
-id: 32b5db62-cb5f-4266-9639-0fa48376ac00
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    selection:
-        TargetObject|contains: 
-            - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32'
-            - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32'
-    keywords:
-        - IMJPUEXP.DLL
-    condition: selection and keywords
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/file_event/file_event_pingback_backdoor.yml

@@ -0,0 +1,24 @@
+title: Pingback Backdoor
+id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
+status: experimental
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2021/09/09
+references:
+    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+tags:
+    - attack.persistence
+    - attack.t1574.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection: 
+        Image|endswith: updata.exe
+        TargetFilename: 'C:\Windows\oci.dll'
+    condition: selection
+falsepositives:
+    - Very unlikely
+level: high

rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml

@@ -0,0 +1,25 @@
+title: Wmiprvse Wbemcomn DLL Hijack
+id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
+status: experimental
+date: 2020/10/12
+modified: 2021/09/09
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+    - attack.execution
+    - attack.t1047
+    - attack.lateral_movement
+    - attack.t1021.002
+references:
+    - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image: System
+        TargetFilename|endswith: '\wbem\wbemcomn.dll'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/image_load/image_load_pingback_backdoor.yml

@@ -0,0 +1,24 @@
+title: Pingback Backdoor
+id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
+status: experimental
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2021/09/09
+references:
+    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+tags:
+    - attack.persistence
+    - attack.t1574.001
+logsource:
+    product: windows
+    category: image_load
+detection:
+    selection:
+        Image|endswith: 'msdtc.exe'
+        ImageLoaded: 'C:\Windows\oci.dll'
+    condition: selection
+falsepositives:
+    - Very unlikely
+level: high

rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml

@@ -1,9 +1,9 @@
-action: global
 title: Wmiprvse Wbemcomn DLL Hijack
+id: 7707a579-e0d8-4886-a853-ce47e4575aaa
 description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
 status: experimental
 date: 2020/10/12
-modified: 2021/06/10
+modified: 2021/09/09
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
@@ -12,21 +12,6 @@ tags:
     - attack.t1021.002
 references:
     - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
-falsepositives:
-    - Unknown
-level: critical
---- 
-id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
-logsource:
-    product: windows
-    category: file_event
-detection:
-    selection:
-        Image: System
-        TargetFilename|endswith: '\wbem\wbemcomn.dll'
-    condition: selection
----
-id: 7707a579-e0d8-4886-a853-ce47e4575aaa
 logsource:
     product: windows
     category: image_load
@@ -35,3 +20,6 @@ detection:
         Image|endswith: '\wmiprvse.exe'
         ImageLoaded|endswith: '\wbem\wbemcomn.dll'
     condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml

@@ -1,5 +1,5 @@
-action: global
 title: Abusing Windows Telemetry For Persistence
+id: f548a603-c9f2-4c89-b511-b089f7e94549
 status: experimental
 description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
 references:
@@ -11,32 +11,19 @@ tags:
     - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2021/07/15
+modified: 2021/09/09
 fields:
     - EventID
     - CommandLine
     - TargetObject
     - Details
-falsepositives:
-    - none
-level: high
----
-id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    selection:
-        TargetObject|contains:
-            - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
-        Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
-    condition: selection
----
-id: f548a603-c9f2-4c89-b511-b089f7e94549
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
         CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft Compatibility Appraiser.*'
-    condition: selection
+    condition: selection
+falsepositives:
+    - none
+level: high

rules/windows/process_creation/process_creation_pingback_backdoor.yml

@@ -1,40 +1,16 @@
-action: global
 title: Pingback Backdoor
+id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
 status: experimental
 description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
 author: Bhabesh Raj
 date: 2021/05/05
-falsepositives:
-    - Very unlikely
-level: high
+modified: 2021/09/09
 references:
     - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
     - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 tags:
     - attack.persistence
     - attack.t1574.001
----
-id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
-logsource:
-    product: windows
-    category: file_event
-detection:
-    selection: 
-        Image|endswith: updata.exe
-        TargetFilename: 'C:\Windows\oci.dll'
-    condition: selection
----
-id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
-logsource:
-    product: windows
-    category: image_load
-detection:
-    selection:
-        Image|endswith: 'msdtc.exe'
-        ImageLoaded: 'C:\Windows\oci.dll'
-    condition: selection
----
-id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
 logsource:
     product: windows
     category: process_creation
@@ -47,3 +23,6 @@ detection:
             - 'start'
             - 'auto'
     condition: selection
+falsepositives:
+    - Very unlikely
+level: high

rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml

@@ -0,0 +1,30 @@
+title: Abusing Windows Telemetry For Persistence
+id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+status: experimental
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
+references:
+    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1112
+    - attack.t1053
+author: Sreeman
+date: 2020/09/29
+modified: 2021/09/09
+fields:
+    - EventID
+    - CommandLine
+    - TargetObject
+    - Details
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
+        Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
+    condition: selection
+falsepositives:
+    - none
+level: high

rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -0,0 +1,31 @@
+title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+id: 32b5db62-cb5f-4266-9639-0fa48376ac00
+status: experimental
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+author: Sittikorn S
+date: 2021/07/16
+modified: 2021/09/09
+references:
+    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-33771
+    - https://nvd.nist.gov/vuln/detail/cve-2021-31979
+tags:
+    - attack.credential_access
+    - attack.t1566
+    - attack.t1203
+    # - threat_group.Sourgum
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains: 
+            - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32'
+            - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32'
+    keywords:
+        - IMJPUEXP.DLL
+    condition: selection and keywords
+falsepositives:
+    - Unlikely
+level: critical