Updated Rules to Use OriginalFileName

2022-05-12 23:27:48 +01:00
parent 9878233c05
commit d8a3ca6919
26 changed files with 171 additions and 107 deletions
@@ -7,16 +7,19 @@ references:
    - https://redcanary.com/threat-detection-report/threats/qbot/
 author: frack113
 date: 2022/02/13
+modified: 2022/05/12
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: \esentutl.exe
+    selection_img:
+        - Image|endswith: '\esentutl.exe'
+        - OriginalFileName: 'esentutl.exe'
+    selection_cli:
        CommandLine|contains|all:
            - '/r '
            - '\Windows\WebCache'
-    condition: selection
+    condition: all of selection*
 falsepositives:
    - Legitimate use
 level: medium
@@ -4,16 +4,19 @@ status: experimental
 description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe 
 author: frack113
 date: 2022/04/08
+modified: 2022/05/12
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\VaultCmd.exe'
+    selection_img:
+        - Image|endswith: '\VaultCmd.exe'
+        - OriginalFileName|contains: 'VAULTCMD.EXE'
+    selection_cli:
        CommandLine|contains: '/listcreds:'
-    condition: selection
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: medium
@@ -7,15 +7,17 @@ references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/17
  - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
 date: 2020/05/02
-modified: 2021/11/27
+modified: 2022/05/15
 logsource:
  category: process_creation
  product: windows
 detection:
-  selection:
-    Image|endswith: '\rundll32.exe'
+  selection_img:
+    - Image|endswith: '\rundll32.exe'
+    - OriginalFileName|contains: 'RUNDLL32.EXE'
+  selection_cli:
    CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
-  condition: selection
+  condition: all of selection*
 falsepositives:
  - Unknown
 level: medium
@@ -9,12 +9,14 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
+modified: 2022/05/12
 logsource:
    category: process_creation
    product: windows
 detection:
    where_exe:
-        Image|endswith: '\where.exe'
+        - Image|endswith: '\where.exe'
+        - OriginalFileName|contains: 'where.exe'
    where_opt:
        CommandLine|contains:
            - 'Bookmarks'
@@ -7,13 +7,14 @@ references:
  - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
  - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 date: 2018/08/13
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
  selection:
-    Image|endswith: '\whoami.exe'
+    - Image|endswith: '\whoami.exe'
+    - OriginalFileName|contains: 'whoami.exe'
  condition: selection
 falsepositives:
  - Admin activity
@@ -7,7 +7,7 @@ references:
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth
 date: 2021/08/12
-modified: 2021/08/26
+modified: 2021/05/12
 tags:
    - attack.discovery
    - attack.t1033
@@ -17,9 +17,10 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith: '\whoami.exe'
+        - Image|endswith: '\whoami.exe'
+        - OriginalFileName|contains: 'whoami.exe'
    filter1:
-        ParentImage|endswith: 
+        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    filter2:
@@ -7,18 +7,20 @@ references:
  - https://twitter.com/bohops/status/994405551751815170
  - https://redcanary.com/blog/lateral-movement-winrm-wmi/
 date: 2020/10/07
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
-  selection:
-    Image|endswith: '\cscript.exe'
+  selection_img:
+    - Image|endswith: '\cscript.exe'
+    - OriginalFileName|contains: 'cscript.exe'
+  selection_cli:
    CommandLine|contains|all:
      - 'winrm'
      - 'invoke Create wmicimv2/Win32_'
      - '-r:http'
-  condition: selection
+  condition: all of selection*
 falsepositives:
  - Legitimate use for administartive purposes. Unlikely

@@ -8,13 +8,14 @@ references:
  - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
  - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
 date: 2019/01/16
-modified: 2022/01/07
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
  selection:
-    Image|endswith: '\wmic.exe'
+    - Image|endswith: '\wmic.exe'
+    - OriginalFileName|contains: 'wmic.exe'
  selection2:
    CommandLine|contains|all:
      - 'process'
@@ -6,17 +6,19 @@ author: 'oscd.community, Zach Stanford @svch0st'
 references:
  - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 date: 2020/10/05
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
-  selection:
-    Image|endswith: '\wsl.exe'
+  selection_img:
+    - Image|endswith: '\wsl.exe'
+    - OriginalFileName|contains: 'wsl.exe'
+  selection_cli:
    CommandLine|contains:
      - ' -e '
      - ' --exec '
-  condition: selection
+  condition: all of selection*
 falsepositives:
  - Automation and orchestration scripts may use this method execute scripts etc
 level: medium
@@ -6,7 +6,7 @@ references:
    - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
-modified: 2021/11/18
+modified: 2022/05/12
 tags:
    - attack.command_and_control
    - attack.execution
@@ -16,17 +16,19 @@ logsource:
    product: windows
    category: process_creation
 detection:
-    selection:
+    selection_cli:
        CommandLine|contains|all:
            - '/UpdateDeploymentProvider'
            - '/RunHandlerComServer'
            - '.dll'
-        Image|endswith: '\wuauclt.exe'
+    selection_img:
+        - Image|endswith: '\wuauclt.exe'
+        - OriginalFileName|contains: 'wuauclt.exe'
    filter:
        CommandLine|contains:
            - ' /ClassId '
            - ' wuaueng.dll '
-    condition: selection and not filter
+    condition: all of selection* and not filter
 falsepositives:
    - Unknown
 level: high
@@ -6,14 +6,17 @@ author: Florian Roth
 references:
    - https://redcanary.com/blog/blackbyte-ransomware/
 date: 2022/02/26
+modified: 2022/05/12
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\Wuauclt.exe'
-        CommandLine|endswith: '\Wuauclt.exe' 
-    condition: selection
+    selection_img:
+        - Image|endswith: '\Wuauclt.exe'
+        - OriginalFileName|contains: 'Wuauclt.exe'
+    selection_cli:
+        CommandLine|endswith: '\Wuauclt.exe'
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
@@ -9,14 +9,17 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
 author: frack113
 date: 2021/12/12
+modified: 2022/05/12
 logsource:
    product: windows
    category: process_creation
 detection:
-    test_5:
-        Image|endswith: '\wmic.exe'
+    selection_img:
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName|contains: 'wmic.exe'
+    selection_cli:
        CommandLine|contains: ' group'
-    condition: test_5
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: low
@@ -7,17 +7,19 @@ references:
  - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
-  selection:
-    Image|endswith: '\cmstp.exe'
+  selection_img:
+    - Image|endswith: '\cmstp.exe'
+    - OriginalFileName|contains: 'CMSTP.EXE'
+  selection_cli:
    CommandLine|contains:
      - '/s'
      - '/au'
-  condition: selection
+  condition: all of selection*
 fields:
  - ComputerName
  - User
@@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
 references:
  - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
@@ -14,7 +14,7 @@ detection:
  selection:
    ParentImage|endswith: '\wsreset.exe'
  filter:
-    Image|endswith: '\conhost.exe'
+    OriginalFileName|contains: 'CONHOST.EXE'
  condition: selection and not filter
 falsepositives:
  - Unknown
@@ -7,12 +7,14 @@ references:
  - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
  - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
 date: 2021/12/20
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
  sc:
-    Image|endswith: '\sc.exe'
+    - Image|endswith: '\sc.exe'
+    - OriginalFileName|contains: 'sc.exe'
  cli:
    CommandLine|contains|all:
      - 'sdset'
@@ -8,7 +8,7 @@ tags:
    - attack.t1059
 author: behops, Bhabesh Raj
 date: 2021/10/08
-modified: 2021/10/10
+modified: 2022/05/12
 references:
    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 fields:
@@ -24,13 +24,13 @@ logsource:
 detection:
    selection:
        ParentImage|endswith: '\vmtoolsd.exe'
-        Image|endswith:
-            - '\cmd.exe'
-            - '\powershell.exe'
-            - '\rundll32.exe'
-            - '\regsvr32.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
+        OriginalFileName|contains:
+            - 'Cmd.Exe'
+            - 'PowerShell.EXE'
+            - 'RUNDLL32.EXE'
+            - 'REGSVR32.EXE'
+            - 'wscript.exe'
+            - 'cscript.exe'
    filter:
        CommandLine|contains:
            - '\VMware\VMware Tools\poweron-vm-default.bat'
@@ -27,50 +27,62 @@ detection:
            - '\caddy.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
-        ParentImage|endswith: 
+        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
-        ParentImage|contains: 
+        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
-        ParentImage|endswith: 
+        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
-        CommandLine|contains: 
+        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    susp_net_utility:
-        Image|endswith:
-            - '\net.exe'
-            - '\net1.exe'
+        OriginalFileName|contains:
+            - 'net.exe'
+            - 'net1.exe'
        CommandLine|contains:
            - ' user '
            - ' use '
            - ' group '
    susp_ping_utility:
-        Image|endswith: '\ping.exe'
+        OriginalFileName|contains: 'ping.exe'
        CommandLine|contains: ' -n '
    susp_change_dir:
        CommandLine|contains:
            - '&cd&echo'  # china chopper web shell
            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
    susp_wmic_utility:
-        Image|endswith: '\wmic.exe'
-        CommandLine|contains: ' /node:' 
+        OriginalFileName|contains: 'wmic.exe'
+        CommandLine|contains: ' /node:'
    susp_misc_discovery_binaries:
-        Image|endswith:
+        - Image|endswith:
            - '\whoami.exe'
            - '\systeminfo.exe'
            - '\quser.exe'
-            - '\ipconfig.exe' 
-            - '\pathping.exe' 
-            - '\tracert.exe' 
-            - '\netstat.exe' 
-            - '\schtasks.exe' 
-            - '\vssadmin.exe' 
-            - '\wevtutil.exe' 
-            - '\tasklist.exe' 
+            - '\ipconfig.exe'
+            - '\pathping.exe'
+            - '\tracert.exe'
+            - '\netstat.exe'
+            - '\schtasks.exe'
+            - '\vssadmin.exe'
+            - '\wevtutil.exe'
+            - '\tasklist.exe'
+        - OriginalFileName|contains:
+            - 'whoami.exe'
+            - 'sysinfo.exe'
+            - 'quser.exe'
+            - 'ipconfig.exe'
+            - 'pathping.exe'
+            - 'tracert.exe'
+            - 'netstat.exe'
+            - 'schtasks.exe'
+            - 'VSSADMIN.EXE'
+            - 'wevtutil.exe'
+            - 'tasklist.exe'
    susp_misc_discovery_commands:
        CommandLine|contains:
            - ' Test-NetConnection '
@@ -7,6 +7,7 @@ references:
    - https://nsudo.m2team.org/en-us/
 author: Florian Roth
 date: 2022/01/28
+modified: 2022/05/12
 tags:
    - attack.privilege_escalation
    - attack.discovery
@@ -15,10 +16,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
+    selection_user:
        User|contains: 'TrustedInstaller'
-        Image|endswith: '\whoami.exe'
-    condition: selection
+    selection_img:
+        - OriginalFileName|contains: 'whoami.exe'
+        - Image|endswith: '\whoami.exe'
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
@@ -6,21 +6,23 @@ references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 author: Teymur Kheirkhabarov, Florian Roth
 date: 2019/10/23
-modified: 2022/01/28
+modified: 2022/05/12
 tags:
    - attack.privilege_escalation
-    - attack.discovery    
+    - attack.discovery
    - attack.t1033
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
+    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
-        Image|endswith: '\whoami.exe'
-    condition: selection
+    selection_img:
+        - OriginalFileName|contains: 'whoami.exe'
+        - Image|endswith: '\whoami.exe'
+    condition: all of selection*
 falsepositives:
    - Possible name overlap with NT AUHTORITY substring to cover all languages
 level: high
@@ -6,6 +6,7 @@ references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
 author: Florian Roth
 date: 2021/05/05
+modified: 2022/05/12
 tags:
    - attack.privilege_escalation
    - attack.discovery
@@ -14,10 +15,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\whoami.exe'
+    selection_img:
+        - Image|endswith: '\whoami.exe'
+        - OriginalFileName|contains: 'whoami.exe'
+    selection_cli:
        CommandLine|contains: '/priv'
-    condition: selection
+    condition: all of selection*
 falsepositives:
    - Administrative activity (rare lookups on current privileges)
 level: high
@@ -6,19 +6,21 @@ author: Olaf Hartong
 references:
  - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
 date: 2019/05/22
-modified: 2021/11/27
+modified: 2022/05/12
 logsource:
  category: process_creation
  product: windows
 detection:
-  selection:
+  selection_img:
    Image|endswith: '\schtasks.exe'
+    OriginalFileName|contains: 'schtasks.exe'
+  selection_cli:
    CommandLine|contains|all:
      - '/change'
      - '/TN'
      - '/RU'
      - '/RP'
-  condition: selection
+  condition: all of selection*
 falsepositives:
  - Unknown
 level: high
@@ -7,19 +7,21 @@ references:
    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
 author: Markus Neis / @Karneades
 date: 2019/04/03
-modified: 2021/02/24
+modified: 2022/05/12
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
+    selection_parent:
        ParentImage|endswith: '\wmiprvse.exe'
-        Image|endswith: '\powershell.exe'
+    selection_img:
+        - Image|endswith: '\powershell.exe'
+        - OriginalFileName|contains: 'PowerShell.EXE'
    filter_null1:
        CommandLine: 'null'
    filter_null2:  # some backends need the null value in a separate expression
        CommandLine: null
-    condition: selection and not filter_null1 and not filter_null2
+    condition: all of selection* and not filter_null1 and not filter_null2
 falsepositives:
    - AppvClient
    - CCM
@@ -7,20 +7,23 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 date: 2022/01/01
+modified: 2022/05/12
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: \WMIC.exe
-        CommandLine|contains: 
-            - process 
+    selection_img:
+        - Image|endswith: \WMIC.exe
+        - OriginalFileName|contains: 'wmic.exe'
+    selection_cli:
+        CommandLine|contains:
+            - process
            - qfe
    filter:
        CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` 
            - call
-            - create 
-    condition: selection and not filter
+            - create
+    condition: all of selection* and not filter
 falsepositives:
    - Unknown
 level: medium
@@ -7,21 +7,24 @@ references:
    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 date: 2022/03/13
+modified: 2022/05/12
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: \WMIC.exe
+    selection_img:
+        - Image|endswith: \WMIC.exe
+        - OriginalFileName|contains: 'wmic.exe'
+    selection_cli:
        CommandLine|contains|all:
            - '/node:'
            - process
            - call
-            - create 
-    condition: selection
+            - create
+    condition: all of selection*
 falsepositives:
    - Unknown
-level: medium 
+level: medium
 tags:
    - attack.execution
    - attack.t1047
@@ -7,6 +7,7 @@ description: |
  A common feedback message is that "No instance(s) Available" if the service queried is not running.
  A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable
 author: frack113
+modified: 2022/05/12
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
@@ -15,12 +16,14 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: \WMIC.exe
+    selection_img:
+        - Image|endswith: \WMIC.exe
+        - OriginalFileName|contains: 'wmic.exe'
+    selection_cli:
        CommandLine|contains|all:
            - '/node:'
-            - service 
-    condition: selection
+            - service
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: medium
@@ -10,10 +10,12 @@ logsource:
  category: process_creation
  product: windows
 detection:
-  selection:
-    Image|endswith: \WMIC.exe
+  selection_img:
+    - Image|endswith: \WMIC.exe
+    - OriginalFileName|contains: 'wmic.exe'
+  selection_cli:
    CommandLine|contains: call uninstall
-  condition: selection
+  condition: all of selection*
 falsepositives:
  - Unknown
 level: medium