diff --git a/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml similarity index 100% rename from rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml rename to rules/windows/dns_query/dns_query_dns_hybridconnectionmgr_servicebus.yml diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml similarity index 77% rename from rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml rename to rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml index 76de527b8..c1f908588 100644 --- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,10 +1,10 @@ -action: global title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum +id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S date: 2021/07/16 -modified: 2021/08/06 +modified: 2021/09/09 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ @@ -15,11 +15,6 @@ tags: - attack.t1566 - attack.t1203 # - threat_group.Sourgum -falsepositives: - - Unlikely -level: critical ---- -id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef logsource: product: windows category: file_event 
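Review bot: After this split, the new file and registry_event_cve_2021_31979_cve_2021_33771_exploits.yml carry the identical `title:` and `description:`, so alerts from the two rules can no longer be told apart by name; the same applies to the three Pingback Backdoor files, the two Wmiprvse Wbemcomn DLL Hijack files and the two Abusing Windows Telemetry For Persistence files in this commit. Suggest suffixing each title with what it watches, e.g. `title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum - File Event`, and letting each description name its own artefact (here the WimBootConfigurations.ini drops; in the registry rule the CLSID InprocServer32 values pointing at IMJPUEXP.DLL). If the repository's rule tests check for duplicate titles, the rename would also be needed for them to pass.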
@@ -37,16 +32,6 @@ detection: - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini' - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini' condition: selection ---- -id: 32b5db62-cb5f-4266-9639-0fa48376ac00 -logsource: - product: windows - category: registry_event -detection: - selection: - TargetObject|contains: - - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32' - - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32' - keywords: - - IMJPUEXP.DLL - condition: selection and keywords +falsepositives: + - Unlikely +level: critical \ No newline at end of file diff --git a/rules/windows/file_event/file_event_pingback_backdoor.yml b/rules/windows/file_event/file_event_pingback_backdoor.yml new file mode 100644 index 000000000..5b9417ab3 --- /dev/null +++ b/rules/windows/file_event/file_event_pingback_backdoor.yml @@ -0,0 +1,24 @@ +title: Pingback Backdoor +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +modified: 2021/09/09 +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: updata.exe + TargetFilename: 'C:\Windows\oci.dll' + condition: selection +falsepositives: + - Very unlikely +level: high \ No newline at end of file diff --git a/rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml new file mode 100644 index 000000000..07e01fa6a --- /dev/null +++ b/rules/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml 
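Review bot: The moved file now ends at `level: critical` with "No newline at end of file", which the same commit fixes for process_creation_abusing_windows_telemetry_for_persistence.yml but leaves in place here and in file_event_pingback_backdoor.yml, file_event_wmiprvse_wbemcomn_dll_hijack.yml, image_load_pingback_backdoor.yml, process_creation_pingback_backdoor.yml, registry_event_abusing_windows_telemetry_for_persistence.yml and registry_event_cve_2021_31979_cve_2021_33771_exploits.yml. A trailing newline keeps future diffs to the last line clean and satisfies yamllint's new-line-at-end-of-file check.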
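Review bot: `Image|endswith: updata.exe` has no leading path separator, so any image whose name merely ends in `updata.exe` (e.g. `fooupdata.exe`) also matches, and the value is the only unquoted string in the selection; `Image|endswith: '\updata.exe'` matches the intended file name exactly and is consistent with `'\wmiprvse.exe'` in image_load_wmiprvse_wbemcomn_dll_hijack.yml. The same applies to `Image|endswith: 'msdtc.exe'` in image_load_pingback_backdoor.yml, which should be `'\msdtc.exe'`. Given the exact `TargetFilename` this is a precision rather than a coverage issue, but it is cheap to tighten now that the rule lives on its own.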
@@ -0,0 +1,25 @@ +title: Wmiprvse Wbemcomn DLL Hijack +id: 614a7e17-5643-4d89-b6fe-f9df1a79641c +description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +status: experimental +date: 2020/10/12 +modified: 2021/09/09 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.execution + - attack.t1047 + - attack.lateral_movement + - attack.t1021.002 +references: + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html +logsource: + product: windows + category: file_event +detection: + selection: + Image: System + TargetFilename|endswith: '\wbem\wbemcomn.dll' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml new file mode 100644 index 000000000..fd9ed05c8 --- /dev/null +++ b/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -0,0 +1,24 @@ +title: Pingback Backdoor +id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +modified: 2021/09/09 +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: 'msdtc.exe' + ImageLoaded: 'C:\Windows\oci.dll' + condition: selection +falsepositives: + - Very unlikely +level: high \ No newline at end of file 
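Review bot: `Image: System` is what links this file write to the "over the network" scenario in the description, but nothing in the rule says so, and a reader may take an exact match on `System` for a mistake. As far as I know, writes arriving over SMB are performed by the kernel process (PID 4), which Sysmon records with Image `System`; a comment above the selection such as `# remote (SMB) writes are performed by the kernel, logged by Sysmon as Image 'System'` would capture that rationale. The key order here (`status` after `description`, `author` after `date`, `references` after `tags`) also differs from the other new files in this commit, which place `status` and `author` before `date` and `references` before `tags`.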
diff --git a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml similarity index 75% rename from rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml rename to rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 8b47fd5ae..5eeb2e833 100644 --- a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,9 +1,9 @@ -action: global title: Wmiprvse Wbemcomn DLL Hijack +id: 7707a579-e0d8-4886-a853-ce47e4575aaa description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. status: experimental date: 2020/10/12 -modified: 2021/06/10 +modified: 2021/09/09 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -12,21 +12,6 @@ tags: - attack.t1021.002 references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -falsepositives: - - Unknown -level: critical ---- -id: 614a7e17-5643-4d89-b6fe-f9df1a79641c -logsource: - product: windows - category: file_event -detection: - selection: - Image: System - TargetFilename|endswith: '\wbem\wbemcomn.dll' - condition: selection ---- -id: 7707a579-e0d8-4886-a853-ce47e4575aaa logsource: product: windows category: image_load @@ -35,3 +20,6 @@ detection: Image|endswith: '\wmiprvse.exe' ImageLoaded|endswith: '\wbem\wbemcomn.dll' condition: selection +falsepositives: + - Unknown +level: critical 
diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml similarity index 70% rename from rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml rename to rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml index 470b8f102..eeb517332 100644 --- a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml @@ -1,5 +1,5 @@ -action: global title: Abusing Windows Telemetry For Persistence +id: f548a603-c9f2-4c89-b511-b089f7e94549 status: experimental description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. references: 
@@ -11,32 +11,19 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/07/15 +modified: 2021/09/09 fields: - EventID - CommandLine - TargetObject - Details -falsepositives: - - none -level: high ---- -id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 -logsource: - product: windows - category: registry_event -detection: - selection: - TargetObject|contains: - - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\ - Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' - condition: selection ---- -id: f548a603-c9f2-4c89-b511-b089f7e94549 logsource: product: windows category: process_creation detection: selection: CommandLine|re: '(?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft Compatibility Appraiser.*' - condition: selection \ No newline at end of file + condition: selection +falsepositives: + - none +level: high diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/process_creation/process_creation_pingback_backdoor.yml similarity index 61% rename from rules/windows/sysmon/sysmon_pingback_backdoor.yml rename to rules/windows/process_creation/process_creation_pingback_backdoor.yml index a800c432c..bb111e313 100644 --- a/rules/windows/sysmon/sysmon_pingback_backdoor.yml +++ b/rules/windows/process_creation/process_creation_pingback_backdoor.yml 
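Review bot: The `fields:` list kept in this process_creation rule still carries `TargetObject` and `Details`, which are registry-event fields belonging to the half that was split out into registry_event_abusing_windows_telemetry_for_persistence.yml; they will never be present on a process_creation event. Trimming it to `fields:` / `  - CommandLine` (keeping `EventID` if the backend expects it) makes the rule self-consistent. The registry counterpart has the mirror problem, listing `CommandLine`.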
@@ -1,40 +1,16 @@ -action: global title: Pingback Backdoor +id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report author: Bhabesh Raj date: 2021/05/05 -falsepositives: - - Very unlikely -level: high +modified: 2021/09/09 references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 tags: - attack.persistence - attack.t1574.001 ---- -id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 -logsource: - product: windows - category: file_event -detection: - selection: - Image|endswith: updata.exe - TargetFilename: 'C:\Windows\oci.dll' - condition: selection ---- -id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b -logsource: - product: windows - category: image_load -detection: - selection: - Image|endswith: 'msdtc.exe' - ImageLoaded: 'C:\Windows\oci.dll' - condition: selection ---- -id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 logsource: product: windows category: process_creation @@ -47,3 +23,6 @@ detection: - 'start' - 'auto' condition: selection +falsepositives: + - Very unlikely +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml new file mode 100644 index 000000000..459fc1536 --- /dev/null +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml 
@@ -0,0 +1,30 @@ +title: Abusing Windows Telemetry For Persistence +id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 +status: experimental +description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. +references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 + - attack.t1053 +author: Sreeman +date: 2020/09/29 +modified: 2021/09/09 +fields: + - EventID + - CommandLine + - TargetObject + - Details +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' + condition: selection +falsepositives: + - none +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml new file mode 100644 index 000000000..1126237c2 --- /dev/null +++ b/rules/windows/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml 
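Review bot: The `Details|re` pattern `'.*(.sh|.exe|.dll|...)$'` leaves the dots unescaped, so `.sh` matches any character followed by `sh` (a value ending in `push` or `cash` fires), and unlike the `CommandLine|re` in the process_creation counterpart it has no `(?i)`, so a `.EXE` value is missed; `Details|re: '(?i).*\.(sh|exe|dll|bin|bat|cmd|js|ps|vb|jar|hta|msi|vbs)$'` fixes both. The `TargetObject` value also changed from the removed `HKEY_LOCAL_MACHINE\SOFTWARE\...` list item to the scalar `'HKLM\SOFTWARE\...'`, which is a detection-logic change beyond the file split; it matches the hive naming Sysmon uses for registry events as far as I know, but it deserves a mention in the commit message. Finally, `fields:` here lists `CommandLine`, which does not occur on a registry_event.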
@@ -0,0 +1,31 @@ +title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum +id: 32b5db62-cb5f-4266-9639-0fa48376ac00 +status: experimental +description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +author: Sittikorn S +date: 2021/07/16 +modified: 2021/09/09 +references: + - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ + - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ + - https://nvd.nist.gov/vuln/detail/cve-2021-33771 + - https://nvd.nist.gov/vuln/detail/cve-2021-31979 +tags: + - attack.credential_access + - attack.t1566 + - attack.t1203 + # - threat_group.Sourgum +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: + - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32' + - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32' + keywords: + - IMJPUEXP.DLL + condition: selection and keywords +falsepositives: + - Unlikely +level: critical \ No newline at end of file