Merge remote-tracking branch 'upstream/master'

2017-09-09 11:33:18 -04:00
parent b109a1277e bfe8378455
commit e2213347ad
8 changed files with 69 additions and 3 deletions
@@ -19,12 +19,14 @@ detection:
        ServiceFileName: '*\DumpSvc.exe'
    wannacry:
        ServiceName: 'mssecsvc2.0'
+    persistence:
+        ServiceFileName: '* net user *'
    others:
        ServiceName:
            - 'pwdump*'
            - 'gsecdump*'
            - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or others )
+    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
 falsepositives: 
    - Penetration testing
 level: critical
@@ -0,0 +1,20 @@
+title: WMI Persistence
+status: experimental
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
+author: Florian Roth
+reference: https://twitter.com/mattifestation/status/899646620148539397
+logsource:
+    product: windows
+    service: wmi
+detection:
+    selection:
+        EventID: 5861
+    keywords:
+        - 'CommandLineEventConsumer'
+        - 'CommandLineTemplate'
+        - 'Binding EventFilter'
+    condition: selection and 1 of keywords
+falsepositives:
+    - Unknown (data set is too small; further testing needed)
+level: high
+
@@ -23,6 +23,7 @@ detection:
            - '*\sh.exe'
            - '*\bash.exe'
            - '*\scrcons.exe'
+            - '*\regsvr32.exe'  # see https://twitter.com/subTee/status/899283365647458305
            - '*\hh.exe'  # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
    condition: selection
 falsepositives:
@@ -1,4 +1,4 @@
-title: Command Line Executaion with suspicious URL and AppData Strings
+title: Command Line Execution with suspicious URL and AppData Strings
 status: experimental
 description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
 reference:
@@ -2,6 +2,7 @@ title: Regsvr32 Anomaly
 status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth
+reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 logsource:
    product: windows
    service: sysmon
@@ -0,0 +1,18 @@
+title: Suspicious Svchost Process
+status: experimental
+description: Detects a suspicious scvhost process start 
+author: Florian Roth
+date: 2017/08/15
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: '*\svchost.exe'
+    filter:
+        ParentImage: '*\services.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,19 @@
+title: Microsoft Binary Github Communication
+status: experimental
+description: Detects an executable in the Windows folder accessing github.com
+reference: https://twitter.com/M_haggis/status/900741347035889665
+author: Michael Haag (idea), Florian Roth (rule)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 3
+        DestinationHostname: '*.github.com'
+        Image: 'C:\Windows\*'
+    condition: selection
+falsepositives:
+    - 'Unknown'
+    - '@subTee in your network'
+level: high
+
@@ -28,12 +28,17 @@ logsources:
    product: windows
    service: powershell-classic
    conditions:
-      source: 'Windows PowerShell'    
+      source: 'Windows PowerShell'
  windows-powershell:
    product: windows
    service: taskscheduler
    conditions:
      source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
+  windows-wmi:
+    product: windows
+    service: wmi
+    conditions:
+      source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
  windows-dns-server:
    product: windows
    service: dns-server