From d1e9f01d2340fb7116d9729c2707f69c0e4efbe1 Mon Sep 17 00:00:00 2001
From: Cian Heasley
Date: Thu, 13 Aug 2020 12:06:48 +0100
Subject: [PATCH 1/6] win_dnscat2_powershell_implementation.yml

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
---
 .../win_dnscat2_powershell_implementation.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/process_creation/win_dnscat2_powershell_implementation.yml

diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
new file mode 100644
index 000000000..54f0cb0d9
--- /dev/null
+++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
@@ -0,0 +1,35 @@
+title: DNSCat2 Powershell Implementation Detection Via Process Creation
+id: b11d75d6-d7c1-11ea-87d0-0242ac130003
+status: experimental
+description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
+author: Cian Heasley
+reference:
+ - https://github.com/lukebaggett/dnscat2-powershell
+ - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
+ - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
+date: 2020/08/08
+tags:
+ - attack.command_and_control
+ - attack.t1071
+ - attack.t1071.004
+ - attack.t1001.003
+ - attack.t1041
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ - '*\powershell.exe'
+ Image|endswith:
+ - '*\nslookup.exe'
+ CommandLine|endswith:
+ - '*\nslookup.exe'
+ condition: selection | count(Image) by ParentImage > 100
+fields:
+ - Image
+ - CommandLine
+ - ParentImage
+falsepositives:
+ - Other powershell scripts that call nslookup.exe
+level: high
From b8b4ab5a2ac7533a4c473df2214514cf69cd91ab Mon Sep 17 00:00:00 2001
From: Cian Heasley
Date: Thu, 13 Aug 2020 12:07:34 +0100
Subject: [PATCH 2/6] win_mouse_lock.yml

In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
---
 win_mouse_lock.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 win_mouse_lock.yml

diff --git a/win_mouse_lock.yml b/win_mouse_lock.yml
new file mode 100644
index 000000000..09d7d7c1d
--- /dev/null
+++ b/win_mouse_lock.yml
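Review bot: `CommandLine|endswith: '*\nslookup.exe'` in the selection only matches an nslookup process started with no arguments, because a command line that carries a query name or server ends with those arguments rather than with the executable path, so this selector is likely to drop the very events the description relies on; `Image|endswith` already pins the binary, so the CommandLine line should be removed. The aggregation `condition: selection | count(Image) by ParentImage > 100` groups on the parent's path string, so every powershell.exe parent collapses into a single bucket and the threshold is tied neither to one script run nor to a time window; grouping on a parent-process identifier such as `ParentProcessId` and adding a `timeframe` would bound the count (the 100 threshold would then need re-tuning). `reference:` is not a Sigma rule key, the list is `references:`; the same key appears in the Mouse Lock rule in patches 2 and 4. Both selector issues survive the restyle in patch 5.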
@@ -0,0 +1,31 @@
+title: Mouse Lock Credential Gathering
+id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
+status: experimental
+description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
+author: Cian Heasley
+reference:
+ - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
+ - https://sourceforge.net/projects/mouselock/
+date: 2020/08/13
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
+logsource:
+ category: process_creation
+detection:
+ selection:
+ Product:|contains:
+ - 'Mouse Lock'
+ Company:|contains:
+ - 'Misc314'
+ CommandLine:|endswith:
+ - 'Mouse Lock_*.exe'
+ condition: selection
+fields:
+ - Product
+ - Company
+ - CommandLine
+falsepositives:
+ - Legitimate uses of Mouse Lock software
+level: medium
From 6fa5a6c93d5a29305b82a7641ac896d4218f3889 Mon Sep 17 00:00:00 2001
From: Cian Heasley
Date: Thu, 13 Aug 2020 12:08:04 +0100
Subject: [PATCH 3/6] Delete win_mouse_lock.yml

---
 win_mouse_lock.yml | 31 -------------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 win_mouse_lock.yml

diff --git a/win_mouse_lock.yml b/win_mouse_lock.yml
deleted file mode 100644
index 09d7d7c1d..000000000
--- a/win_mouse_lock.yml
+++ /dev/null
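Review bot: The selection keys `Product:|contains:`, `Company:|contains:` and `CommandLine:|endswith:` carry a stray colon before the modifier pipe, so the field names become `Product:`, `Company:` and `CommandLine:`, which no backend field mapping resolves; they should read `Product|contains:`, `Company|contains:` and `CommandLine|endswith:`. The same three keys are re-added verbatim in patch 4 and preserved by the restyle in patch 6. `logsource` gives only `category: process_creation` and omits `product: windows`, unlike the DNSCat2 rule in patch 1, although the Product/Company fields and the `.exe` pattern make the rule Windows-only. Patch 2 also creates the file at the repository root, which patch 3 deletes and patch 4 recreates under rules/windows/process_creation; the three commits could be squashed.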
@@ -1,31 +0,0 @@
-title: Mouse Lock Credential Gathering
-id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
-status: experimental
-description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-author: Cian Heasley
-reference:
- - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
- - https://sourceforge.net/projects/mouselock/
-date: 2020/08/13
-tags:
- - attack.credential_access
- - attack.collection
- - attack.t1056.002
-logsource:
- category: process_creation
-detection:
- selection:
- Product:|contains:
- - 'Mouse Lock'
- Company:|contains:
- - 'Misc314'
- CommandLine:|endswith:
- - 'Mouse Lock_*.exe'
- condition: selection
-fields:
- - Product
- - Company
- - CommandLine
-falsepositives:
- - Legitimate uses of Mouse Lock software
-level: medium
From b378b3d62b4fef559b6761b50704c02a874c1b65 Mon Sep 17 00:00:00 2001
From: Cian Heasley
Date: Thu, 13 Aug 2020 12:09:07 +0100
Subject: [PATCH 4/6] win_mouse_lock.yml

In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
---
 .../process_creation/win_mouse_lock.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/windows/process_creation/win_mouse_lock.yml

diff --git a/rules/windows/process_creation/win_mouse_lock.yml b/rules/windows/process_creation/win_mouse_lock.yml
new file mode 100644
index 000000000..09d7d7c1d
--- /dev/null
+++ b/rules/windows/process_creation/win_mouse_lock.yml
@@ -0,0 +1,31 @@
+title: Mouse Lock Credential Gathering
+id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
+status: experimental
+description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
+author: Cian Heasley
+reference:
+ - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
+ - https://sourceforge.net/projects/mouselock/
+date: 2020/08/13
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
+logsource:
+ category: process_creation
+detection:
+ selection:
+ Product:|contains:
+ - 'Mouse Lock'
+ Company:|contains:
+ - 'Misc314'
+ CommandLine:|endswith:
+ - 'Mouse Lock_*.exe'
+ condition: selection
+fields:
+ - Product
+ - Company
+ - CommandLine
+falsepositives:
+ - Legitimate uses of Mouse Lock software
+level: medium
From 6dc8dbb6d890018258b64814de8b48e5fc81c472 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 17 Aug 2020 15:01:52 +0200
Subject: [PATCH 5/6] style: removed lists where unnecessary

---
 .../win_dnscat2_powershell_implementation.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
index 54f0cb0d9..55bbc427e 100644
--- a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
+++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml
@@ -19,12 +19,9 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage|endswith:
- - '*\powershell.exe'
- Image|endswith:
- - '*\nslookup.exe'
- CommandLine|endswith:
- - '*\nslookup.exe'
+ ParentImage|endswith: '*\powershell.exe'
+ Image|endswith: '*\nslookup.exe'
+ CommandLine|endswith: '*\nslookup.exe'
 condition: selection | count(Image) by ParentImage > 100
 fields:
 - Image
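Review bot: The new one-line values keep a leading `*` under the `endswith` modifier (`ParentImage|endswith: '*\powershell.exe'`, `Image|endswith: '*\nslookup.exe'`, `CommandLine|endswith: '*\nslookup.exe'`), which is redundant because `endswith` already prepends the wildcard and leaves a doubled `**` for the backend to collapse; the values should be `'\powershell.exe'` and `'\nslookup.exe'`, matching how other rules in this directory write suffix matches. The `condition` line is inside the hunk; the remainder of the rule lies outside it.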
From 8a02541b0a1fcdfb1ab514e6577be0aa180b1433 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 17 Aug 2020 15:02:16 +0200
Subject: [PATCH 6/6] style: removed lists where unnecessary

---
 rules/windows/process_creation/win_mouse_lock.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/win_mouse_lock.yml b/rules/windows/process_creation/win_mouse_lock.yml
index 09d7d7c1d..9ac5c53a8 100644
--- a/rules/windows/process_creation/win_mouse_lock.yml
+++ b/rules/windows/process_creation/win_mouse_lock.yml
@@ -15,12 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection:
- Product:|contains:
- - 'Mouse Lock'
- Company:|contains:
- - 'Misc314'
- CommandLine:|endswith:
- - 'Mouse Lock_*.exe'
+ Product:|contains: 'Mouse Lock'
+ Company:|contains: 'Misc314'
+ CommandLine:|endswith: 'Mouse Lock_*.exe'
 condition: selection
 fields:
 - Product