New rules

rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml

@@ -0,0 +1,27 @@
+title: Bumblebee Remote Thread Creation
+id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
+status: experimental
+description: Detects remote thread injection events based on action seen used by bumblebee
+author: Nasreddine Bencherchali
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+date: 2022/09/27
+logsource:
+    product: windows
+    category: create_remote_thread
+detection:
+    selection:
+        SourceImage|endswith:
+            - '\wabmig.exe'
+            - '\wab.exe'
+            - '\ImagingDevices.exe'
+        TargetImage|endswith: '\rundll32.exe'
+    condition: selection
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218.011
+    - attack.t1059.001
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml

@@ -0,0 +1,25 @@
+title: Copy DMP Files From Share
+id: 044ba588-dff4-4918-9808-3f95e8160606
+status: experimental
+description: Detects usage of the copy command to copy files with the .dmp extensions from a remote share
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            # Example: copy \\<host>\\<folder>\\lsass.dmp C:\Users\lsass.dmp
+            - ' /c '
+            - '.dmp'
+            - 'copy '
+            - ' \\\\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.credential_access

rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml

@@ -0,0 +1,29 @@
+title: ImagingDevices Unusual Parent Or Child Processes
+id: f11f2808-adb4-46c0-802a-8660db50fa99
+status: experimental
+description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith:
+            # Add more if known
+            - \WmiPrvSE.exe
+            - \svchost.exe
+            - \dllhost.exe
+        Image|endswith: '\ImagingDevices.exe'
+    selection_child:
+        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+        ParentImage|endswith: '\ImagingDevices.exe'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml

@@ -0,0 +1,30 @@
+title: Winrar Compressing Dump Files
+id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
+related:
+    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
+      type: derived
+status: experimental
+description: Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration
+references:
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+author: Nasreddine Bencherchali
+date: 2022/09/27
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith:
+            - '\7z.exe'
+            - '\7zr.exe'
+            - '\7za.exe'
+        - Description|contains: '7-Zip'
+    dumpfile:
+        CommandLine|contains: '.dmp'
+    condition: selection and dumpfile
+falsepositives:
+    - Legitimate use of 7-Zip with a command line in which .dmp appears accidentally
+level: high
+tags:
+    - attack.collection
+    - attack.t1560.001