Merge pull request #4355 from nasbench/new-rules-13-07-23

feat: new rules and updates
2023-07-24 14:58:49 +02:00
parent 366aefca83 e1d07780b3
commit d79fdf6f51
27 changed files with 653 additions and 81 deletions
@@ -58,3 +58,4 @@ a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*
 0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*
 e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
+ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe
@@ -6,27 +6,27 @@ references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
 date: 2023/01/02
+modified: 2023/07/13
 tags:
    - attack.defense_evasion
    - attack.t1562.002
 logsource:
    category: file_event
    product: windows
-    definition: 'Requirements: The ".evtx" exntesion should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
+    definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
 detection:
    selection:
        TargetFilename|endswith: '.evtx'
-    filter_path:
+    filter_main_path:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
-    filter_baseimage:
+    filter_main_baseimage:
        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
-    filter_img:
+    filter_main_generic_img:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\system32\dllhost.exe'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
-    - Admin activity
-    - Backup activity
-level: medium
+    - Administrator or backup activity
+level: high
@@ -28,9 +28,6 @@ detection:
            - '\Sam.save'   # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam'  # C# version of HiveNightmare
    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
    - Files that accidentally contain these strings
 level: high
@@ -0,0 +1,31 @@
+title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
+related:
+    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+      type: derived
+status: experimental
+description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
+references:
+    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        - Image|contains:
+            - ':\RECYCLERS.BIN\'
+            - ':\RECYCLER.BIN\'
+            - ':\RECYCLE.BIN\'
+        - TargetFilename|contains:
+            - ':\RECYCLERS.BIN\'
+            - ':\RECYCLER.BIN\'
+            - ':\RECYCLE.BIN\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,47 @@
+title: Abusable DLL Potential Sideloading From Suspicious Location
+id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
+status: experimental
+description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
+references:
+    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
+    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/07/11
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection_dll:
+        ImageLoaded|endswith:
+            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
+            - '\coreclr.dll'
+            - '\facesdk.dll'
+            - '\HPCustPartUI.dll'
+            - '\libcef.dll'
+            - '\ZIPDLL.dll'
+    selection_folders_1:
+        ImageLoaded|contains:
+            - ':\Perflogs\'
+            - ':\Users\Public\'
+            - '\Temporary Internet'
+            - '\Windows\Temp\'
+    selection_folders_2:
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Favorites\'
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Favourites\'
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Contacts\'
+        - ImageLoaded|contains|all:
+            - ':\Users\'
+            - '\Pictures\'
+    condition: selection_dll and 1 of selection_folders_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,31 @@
+title: Potential CCleanerDU.DLL Sideloading
+id: 1fbc0671-5596-4e17-8682-f020a0b995dc
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerDU.dll"
+references:
+    - https://lab52.io/blog/2344-2/
+author: X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\CCleanerDU.dll'
+    filter_main_path:
+        Image|startswith:
+            - 'C:\Program Files\CCleaner\'
+            - 'C:\Program Files (x86)\CCleaner\'
+        Image|endswith:
+            - '\CCleaner.exe'
+            - '\CCleaner64.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
@@ -0,0 +1,29 @@
+title: Potential CCleanerReactivator.DLL Sideloading
+id: 3735d5ac-d770-4da0-99ff-156b180bc600
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+references:
+    - https://lab52.io/blog/2344-2/
+author: X__Junior
+date: 2023/07/13
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\CCleanerReactivator.dll'
+    filter_main_path:
+        Image|startswith:
+            - 'C:\Program Files\CCleaner\'
+            - 'C:\Program Files (x86)\CCleaner\'
+        Image|endswith: '\CCleanerReactivator.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
@@ -6,9 +6,9 @@ references:
    - https://content.fireeye.com/apt-41/rpt-apt41
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
-author: Sorina Ionescu
+author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022/08/17
-modified: 2023/04/18
+modified: 2023/07/20
 tags:
    - attack.command_and_control
    - attack.t1102
@@ -22,24 +22,48 @@ detection:
        DestinationHostname|endswith:
            - '.cloudflare.com'
            - '.githubusercontent.com'
+            - '4shared.com'
+            - 'anonfiles.com'
            - 'cdn.discordapp.com'
+            - 'ddns.net'
+            - 'discord.com/api/webhooks/'
            - 'docs.google.com'
+            - 'drive.google.com'
+            - 'dropbox.com'
+            - 'dropmefiles.com'
            - 'facebook.com'
            - 'feeds.rapidfeeds.com'
            - 'fotolog.com'
+            - 'ghostbin.co/'
+            - 'gist.githubusercontent.com'
+            - 'hastebin.com'
            - 'imgur.com'
            - 'livejournal.com'
+            - 'mediafire.com'
+            - 'mega.nz'
+            - 'onedrive.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
+            - 'privatlab.com'
+            - 'privatlab.net'
+            - 'raw.githubusercontent.com'
            - 'reddit.com'
+            - 'send.exploit.in'
+            - 'sendspace.com'
            - 'steamcommunity.com'
+            - 'storage.googleapis.com'
+            - 't.me'
            - 'technet.microsoft.com'
+            - 'temp.sh'
+            - 'transfer.sh'
            - 'twitter.com'
+            - 'ufile.io'
+            - 'vimeo.com'
+            - 'wetransfer.com'
            - 'youtube.com'
-    filter_main_brave:
-        Image|endswith: '\brave.exe'
+    # Note: Add/Remove browsers that you don't use or those that have custom install locations
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
@@ -52,8 +76,6 @@ detection:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
-    filter_main_maxthon:
-        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
@@ -67,16 +89,8 @@ detection:
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
-    filter_main_opera:
-        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
-    filter_main_seamonkey:
-        Image|endswith: '\seamonkey.exe'
-    filter_main_vivaldi:
-        Image|endswith: '\vivaldi.exe'
-    filter_main_whale:
-        Image|endswith: '\whale.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' #Microsoft Defender executable
@@ -85,6 +99,91 @@ detection:
        Image|endswith: '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
    filter_optional_qlik:
        Image|endswith: '\Engine.exe' #Process from qlik.com app
+    filter_main_brave:
+        Image|endswith: '\brave.exe'
+        Image|startswith: 'C:\Program Files\BraveSoftware\'
+    filter_main_maxthon:
+        Image|contains: '\AppData\Local\Maxthon\'
+        Image|endswith: '\maxthon.exe'
+    filter_main_opera:
+        Image|contains: '\AppData\Local\Programs\Opera\'
+        Image|endswith: '\opera.exe'
+    filter_main_seamonkey:
+        Image|startswith:
+            - 'C:\Program Files\SeaMonkey\'
+            - 'C:\Program Files (x86)\SeaMonkey\'
+        Image|endswith: '\seamonkey.exe'
+    filter_main_vivaldi:
+        Image|contains: '\AppData\Local\Vivaldi\'
+        Image|endswith: '\vivaldi.exe'
+    filter_main_whale:
+        Image|startswith:
+            - 'C:\Program Files\Naver\Naver Whale\'
+            - 'C:\Program Files (x86)\Naver\Naver Whale\'
+        Image|endswith: '\whale.exe'
+    filter_main_tor:
+        Image|contains: '\Tor Browser\'
+    filter_main_whaterfox:
+        Image|startswith:
+            - 'C:\Program Files\Waterfox\'
+            - 'C:\Program Files (x86)\Waterfox\'
+        Image|endswith: '\Waterfox.exe'
+    filter_main_midori:
+        Image|contains: '\AppData\Local\Programs\midori-ng\'
+        Image|endswith: '\Midori Next Generation.exe'
+    filter_main_slimbrowser:
+        Image|startswith:
+            - 'C:\Program Files\SlimBrowser\'
+            - 'C:\Program Files (x86)\SlimBrowser\'
+        Image|endswith: '\slimbrowser.exe'
+    filter_main_flock:
+        Image|contains: '\AppData\Local\Flock\'
+        Image|endswith: '\Flock.exe'
+    filter_main_phoebe:
+        Image|contains: '\AppData\Local\Phoebe\'
+        Image|endswith: '\Phoebe.exe'
+    filter_main_falkon:
+        Image|startswith:
+            - 'C:\Program Files\Falkon\'
+            - 'C:\Program Files (x86)\Falkon\'
+        Image|endswith: '\falkon.exe'
+    filter_main_qtweb:
+        Image|startswith:
+            - 'C:\Program Files (x86)\QtWeb\'
+            - 'C:\Program Files\QtWeb\'
+        Image|endswith: '\QtWeb.exe'
+    filter_main_avant:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Avant Browser\'
+            - 'C:\Program Files\Avant Browser\'
+        Image|endswith: '\avant.exe'
+    filter_main_whatsapp:
+        Image|startswith:
+            - 'C:\Program Files (x86)\WindowsApps\'
+            - 'C:\Program Files\WindowsApps\'
+        Image|endswith: 'WhatsApp.exe'
+    filter_main_telegram:
+        Image|contains: '\AppData\Roaming\Telegram Desktop\'
+        Image|endswith: '\Telegram.exe'
+    filter_main_onedrive:
+        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+        Image|endswith: '\OneDrive.exe'
+    filter_main_dropbox:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Dropbox\Client\'
+            - 'C:\Program Files\Dropbox\Client\'
+        Image|endswith: '\Dropbox.exe'
+    filter_main_mega:
+        Image|contains: '\AppData\Local\MEGAsync\'
+        Image|endswith: 'MEGAsync.exe'
+    filter_main_googledrive:
+        Image|startswith:
+            - 'C:\Program Files\Google\Drive File Stream\'
+            - 'C:\Program Files (x86)\Google\Drive File Stream\'
+        Image|endswith: 'GoogleDriveFS.exe'
+    filter_main_discord:
+            Image|contains: '\AppData\Local\Discord\'
+            Image|endswith: '\Discord.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
@@ -0,0 +1,32 @@
+title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
+id: e2812b49-bae0-4b21-b366-7c142eafcde2
+status: experimental
+description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+references:
+    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+    - attack.defense_evasion
+logsource:
+    category: ps_script
+    product: windows
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection_class:
+        ScriptBlockText|contains: 'Win32_NTEventlogFile'
+    selection_function:
+        ScriptBlockText|contains:
+            - '.BackupEventlog('
+            - '.ChangeSecurityPermissions('
+            - '.ChangeSecurityPermissionsEx('
+            - '.ClearEventLog('
+            - '.Delete('
+            - '.DeleteEx('
+            - '.Rename('
+            - '.TakeOwnerShip('
+            - '.TakeOwnerShipEx('
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administration and backup scripts
+level: medium
@@ -0,0 +1,31 @@
+title: Suspicious Ping/Copy Command Combination
+id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
+status: experimental
+description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.
+references:
+    - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
+    selection_cmd:
+        - Image|endswith: '\cmd.exe'
+        - OriginalFileName: 'Cmd.Exe'
+    selection_cli:
+        CommandLine|contains: # Count
+            - ' -n '
+            - ' /n '
+        CommandLine|contains|all:
+            - 'ping' # Covers "ping" and "ping.exe"
+            - 'copy '
+            - ' /y '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -17,6 +17,7 @@ logsource:
    category: process_creation
    product: windows
 detection:
+    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
    selection_count:
        CommandLine|contains:
@@ -0,0 +1,24 @@
+title: Insecure Transfer Via Curl.EXE
+id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+status: experimental
+description: Detects execution of "curl.exe" with the "--insecure" flag.
+references:
+    - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_cli:
+        - CommandLine|re: '\s-k\s'
+        - CommandLine|contains: '--insecure'
+    condition: all of selection_*
+falsepositives:
+    - Access to badly maintained internal or development systems
+level: medium
@@ -1,4 +1,4 @@
-title: Findstr LSASS
+title: LSASS Process Reconnaissance Via Findstr.EXE
 id: fe63010f-8823-4864-a96b-a7b4a0f7b929
 status: experimental
 description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
@@ -6,6 +6,7 @@ references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
 date: 2022/08/12
+modified: 2023/07/13
 tags:
    - attack.credential_access
    - attack.t1552.006
@@ -20,12 +21,12 @@ detection:
        CommandLine|contains: 'lsass'
    selection_special:
        CommandLine|contains:
-            - ' /i lsass.exe'
            - ' /i "lsass'
-            - 'findstr lsass'
-            - 'findstr.exe lsass'
+            - ' /i lsass.exe'
            - 'findstr "lsass'
+            - 'findstr lsass'
            - 'findstr.exe "lsass'
+            - 'findstr.exe lsass'
    condition: all of selection_findstr_* or selection_special
 falsepositives:
    - Unknown
@@ -1,14 +1,15 @@
-title: Findstr Suspicious ParentCommandLine
+title: Potentially Suspicious Findstr.EXE Execution
 id: ccb5742c-c248-4982-8c5c-5571b9275ad3
-related: 
+related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
 status: experimental
-description: Detects findstring commands with a suspicious ParentCommandLine
+description: Detects execution of "findstr" as a child process of potentially suspicious parent command lines. This is often the case when "findstr" is used to filter out the results of certain reconnaissance commands such as "tasklist" or "ipconfig /all"
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
 author: frack113
 date: 2023/07/06
+modified: 2023/07/13
 tags:
    - attack.discovery
    - attack.t1057
@@ -16,14 +17,15 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_findstr_img:
+    selection_img:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
-    selection_findstr_parent:
-        ParentCommandLine|contains: 'tasklist'
-    filter_optional_httpd:
-        CommandLine|contains: 'httpd.exe'
-    condition: all of selection_findstr_* and not 1 of filter_optional_*
+    selection_parent_cli:
+        ParentCommandLine|contains:
+            # Note: Add additional CLI to increase and enhance coverage
+            - 'ipconfig '
+            - 'tasklist'
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: medium
@@ -3,7 +3,6 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 status: test
 description: Detects the addition of a new rule to the Windows firewall via netsh
 references:
-    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
 date: 2019/01/29
@@ -11,6 +10,7 @@ modified: 2023/02/10
 tags:
    - attack.defense_evasion
    - attack.t1562.004
+    - attack.s0246
 logsource:
    category: process_creation
    product: windows
@@ -33,5 +33,5 @@ detection:
    condition: all of selection_* and not 1 of filter_*
 falsepositives:
    - Legitimate administration activity
-    - Software installations and removal
+    - Software installations
 level: medium
@@ -0,0 +1,28 @@
+title: Firewall Rule Update Via Netsh.EXE
+id: a70dcb37-3bee-453a-99df-d0c683151be6
+status: test
+description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
+references:
+    - https://ss64.com/nt/netsh.html
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\netsh.exe'
+        - OriginalFileName: 'netsh.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
+            # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
+            - ' firewall '
+            - ' set '
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administration activity
+    - Software installations and removal
+level: medium
@@ -0,0 +1,43 @@
+title: PowerShell Execution With Potential Decryption Capabilities
+id: 434c08ba-8406-4d15-8b24-782cb071a691
+status: experimental
+description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
+references:
+    - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/30
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_cli_dir:
+        CommandLine|contains:
+            - "Get-ChildItem "
+            - "dir "
+            - "gci "
+            - "ls "
+    selection_cli_gc:
+        CommandLine|contains:
+            - "Get-Content "
+            - "gc "
+            - 'cat '
+            - 'type '
+    selection_cli_specific:
+        CommandLine|contains|all:
+            - ' ^| '
+            - '\*.lnk'
+            - '-Recurse'
+            - '-Skip '
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -4,7 +4,7 @@ status: experimental
 description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
 references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: 'pH-T (Nextron Systems), Nasreddine Bencherchali'
+author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/03/15
 modified: 2022/07/28
 tags:
@@ -1,12 +1,14 @@
-title: Scheduled Task Executing Powershell Encoded Payload from Registry
-id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
-status: test
-description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+title: Scheduled Task Executing Payload from Registry
+id: 86588b36-c6d3-465f-9cee-8f9093e07798
+related:
+    - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+      type: derived
+status: experimental
+description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
 references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-date: 2022/02/12
-modified: 2023/02/04
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
 tags:
    - attack.execution
    - attack.persistence
@@ -20,17 +22,23 @@ detection:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
-    selection_cli:
-        CommandLine|contains|all:
-            - '/Create'
-            - 'FromBase64String'
+    selection_cli_create:
+        CommandLine|contains: '/Create'
+    selection_cli_get:
+        CommandLine|contains:
            - 'Get-ItemProperty'
+            - ' gp ' # Alias
+    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
-    condition: all of selection_*
+    filter_main_encoding:
+        CommandLine|contains:
+            - 'FromBase64String'
+            - 'encodedcommand'
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
-    - Unlikely
-level: high
+    - Unknown
+level: medium
@@ -0,0 +1,42 @@
+title: Scheduled Task Executing Encoded Payload from Registry
+id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+status: test
+description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+references:
+    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/02/12
+modified: 2023/02/04
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1053.005
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_cli_create:
+        CommandLine|contains: '/Create'
+    selection_cli_encoding:
+        CommandLine|contains:
+            - 'FromBase64String'
+            - 'encodedcommand'
+    selection_cli_get:
+        CommandLine|contains:
+            - 'Get-ItemProperty'
+            - ' gp ' # Alias
+    selection_cli_hive:
+        CommandLine|contains:
+            - 'HKCU:'
+            - 'HKLM:'
+            - 'registry::'
+            - 'HKEY_'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -10,7 +10,7 @@ references:
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
 author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
 date: 2019/09/26
-modified: 2023/05/31
+modified: 2023/07/13
 tags:
    - attack.defense_evasion
    - attack.t1070.001
@@ -37,8 +37,11 @@ detection:
            - 'Remove-EventLog '
            - 'Limit-EventLog '
            - 'Clear-WinEvent '
-    selection_other_wmic:
-        Image|endswith: '\wmic.exe'
+    selection_other_wmi:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_msiexec:
        # Example seen during office update/installation:
@@ -0,0 +1,34 @@
+title: Potentially Suspicious Call To Win32_NTEventlogFile Class
+id: caf201a9-c2ce-4a26-9c3a-2b9525413711
+related:
+    - id: e2812b49-bae0-4b21-b366-7c142eafcde2
+      type: similar
+status: experimental
+description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+references:
+    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_class:
+        CommandLine|contains: 'Win32_NTEventlogFile'
+    selection_function:
+        CommandLine|contains:
+            - '.BackupEventlog('
+            - '.ChangeSecurityPermissions('
+            - '.ChangeSecurityPermissionsEx('
+            - '.ClearEventLog('
+            - '.Delete('
+            - '.DeleteEx('
+            - '.Rename('
+            - '.TakeOwnerShip('
+            - '.TakeOwnerShipEx('
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -11,7 +11,7 @@ references:
    - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/06
-modified: 2023/07/05
+modified: 2023/07/20
 tags:
    - attack.defense_evasion
    - attack.t1564.004
@@ -21,33 +21,37 @@ logsource:
 detection:
    selection:
        Image|contains:
-            - '~1.exe'
            - '~1.bat'
+            - '~1.dll'
+            - '~1.exe'
+            - '~1.hta'
+            - '~1.js'
            - '~1.msi'
+            - '~1.ps1'
+            - '~1.tmp'
            - '~1.vbe'
            - '~1.vbs'
-            - '~1.dll'
-            - '~1.ps1'
-            - '~1.js'
-            - '~1.hta'
-            - '~2.exe'
            - '~2.bat'
+            - '~2.dll'
+            - '~2.exe'
+            - '~2.hta'
+            - '~2.js'
            - '~2.msi'
+            - '~2.ps1'
+            - '~2.tmp'
            - '~2.vbe'
            - '~2.vbs'
-            - '~2.dll'
-            - '~2.ps1'
-            - '~2.js'
-            - '~2.hta'
-    filter:
-        - ParentImage: 'C:\Windows\explorer.exe'
-        - ParentImage|endswith:
-            - '\WebEx\WebexHost.exe'
-            - '\thor\thor64.exe'
-            - '-installer.exe'  # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe
-        - Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
-        - Image|contains: '\vcredi'
-    condition: selection and not filter
+    filter_main_generic_parent:
+        ParentImage: 'C:\Windows\explorer.exe'
+    filter_optional_webex:
+        ParentImage|endswith: '\WebEx\WebexHost.exe'
+    filter_optional_thor:
+        ParentImage|endswith: '\thor\thor64.exe'
+    filter_optional_winzip:
+        Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
+    filter_optional_vcred:
+        Image|endswith: '\VCREDI~1.EXE'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Unknown
-level: high
+    - Software Installers
+level: medium
@@ -0,0 +1,27 @@
+title: Suspicious Process Execution From Fake Recycle.Bin Folder
+id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+related:
+    - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
+      type: derived
+status: experimental
+description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+references:
+    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|contains:
+            - ':\RECYCLERS.BIN\'
+            - ':\RECYCLER.BIN\'
+            - ':\RECYCLE.BIN\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -17,7 +17,7 @@ references:
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/09/01
-modified: 2023/03/04
+modified: 2023/07/13
 tags:
    - attack.defense_evasion
    - attack.t1489
@@ -145,6 +145,7 @@ detection:
            - 'MSOLAP$TPSAMA'
            - 'MSOLAPSTPS'
            - 'MSOLAPSTPSAMA'
+            - 'mssecflt'
            - 'MSSQ!I.SPROFXENGAGEMEHT'
            - 'MSSQ0SHAREPOINT'
            - 'MSSQ0SOPHOS'
@@ -174,6 +175,7 @@ detection:
            - 'SAVService'
            - 'ScSecSvc'
            - 'SDRSVC'
+            - 'sense'
            - 'SentinelAgent'
            - 'SentinelHelperService'
            - 'SepMasterService'
@@ -0,0 +1,29 @@
+title: Potential ReflectDebugger Content Execution Via WerFault.EXE
+id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+related:
+    - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+      type: derived
+status: experimental
+description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
+references:
+    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\WerFault.exe'
+        - OriginalFileName: 'WerFault.exe'
+    selection_cli:
+        CommandLine|contains: ' -pr '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,26 @@
+title: Potential WerFault ReflectDebugger Registry Value Abuse
+id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+related:
+    - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+      type: derived
+status: experimental
+description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
+references:
+    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior
+date: 2023/05/18
+tags:
+    - attack.defense_evasion
+    - attack.t1036.003
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: 'SetValue'
+        TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high