diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
new file mode 100644
index 000000000..cb06e1d0f
--- /dev/null
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
@@ -0,0 +1,62 @@
+title: Exchange Exploitation Used by HAFNIUM
+id: 67bce556-312f-4c81-9162-c3c9ff2599b2
+status: experimental
+description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
+references:
+ - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+author: Florian Roth
+date: 2021/03/03
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/themes/resources/'
+ selection2:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/'
+ c-useragent:
+ - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
+ - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
+ - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
+ - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
+ - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
+ - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
+ - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
+ - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
+ - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
+ selection3:
+ c-uri|contains: '/ecp/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'ExchangeServicesClient/0.0.0.0'
+ - 'python-requests/2.19.1'
+ - 'python-requests/2.25.1'
+ selection4:
+ c-uri|contains:
+ - '/aspnet_client/'
+ - '/owa/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'antSword/v2.1'
+ - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
+ - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
+ selection5:
+ c-uri|contains:
+ - '/owa/auth/Current/'
+ - '/ecp/default.flt'
+ - '/ecp/main.css'
+ cs-method: 'POST'
+ selection6:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/ecp/'
+ - '.js'
+ condition: 1 of them
+falsepositives:
+ - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
+level: high
\ No newline at end of file
diff --git a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
new file mode 100644
index 000000000..952a50f56
--- /dev/null
+++ b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
@@ -0,0 +1,27 @@
+title: CVE-2021-21972 VSphere Exploitation
+id: 179ed852-0f9b-4009-93a7-68475910fd86
+status: experimental
+description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
+author: Bhabesh Raj
+date: 2021/02/24
+references:
+ - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
+ - https://f5.pm/go-59627.html
+ - https://swarm.ptsecurity.com/unauth-rce-vmware
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri:
+ - '/ui/vropspluginui/rest/services/uploadova'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - OVA uploads to your VSphere appliance
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
new file mode 100644
index 000000000..2e18fec75
--- /dev/null
+++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
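Review bot: Under `condition: 1 of them`, selection1 and selection2 never decide anything: selection5 already fires on every POST whose URI contains `/owa/auth/Current/`, which subsumes both of them, so the long user-agent list in selection2 adds maintenance cost without adding coverage. If the UA list is kept as a higher-confidence signal, note that the Googlebot entry is the only one missing its closing parenthesis — `'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)'` — and as an exact-match value it would otherwise only match a client that itself omits the parenthesis. The rule never looks at `sc-status`, so a blocked probe and a successful upload alert at the same `level: high`; that is defensible for an exploitation-attempt rule but deserves a sentence in the description. The new file also ends without a trailing newline.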
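Review bot: `c-uri:` in selection is an exact match on `/ui/vropspluginui/rest/services/uploadova`, so — depending on how the log source populates `c-uri` — a trailing slash or an appended query string would slip past the rule while still reaching the vulnerable endpoint; `c-uri|contains: '/ui/vropspluginui/rest/services/uploadova'` (or `|startswith`) closes that and matches how the other webserver rules in this commit are written. Placing `tags:` after `level:` is also out of step with the rest of the repository's rules; moving it up next to `date:` and `references:` keeps the metadata together.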
@@ -0,0 +1,35 @@
+title: CVE-2021-26858 Exchange Exploitation
+id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |
+ creation of non-standard files on disk by Exchange Server’s Unified Messaging service |
+ which could indicate dropping web shells or other malicious content
+author: Bhabesh Raj
+status: experimental
+level: critical
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+ - attack.t1203
+ - attack.execution
+ - cve.2021-26858
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith: 'UMWorkerProcess.exe'
+ filter:
+ TargetFilename|endswith:
+ - 'CacheCleanup.bin'
+ - '.txt'
+ - '.LOG'
+ - '.cfg'
+ - 'cleanup.bin'
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - TargetFileName
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
new file mode 100644
index 000000000..420288963
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
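Review bot: `Image|endswith: 'UMWorkerProcess.exe'` has no leading backslash, so any image whose file name merely ends in that string also satisfies selection; the webshell-spawn hunk in this same commit writes it as `'\UMWorkerProcess.exe'`, and this rule should match that form. The `description:` is a multi-line plain scalar, so the two `|` characters at the line ends are not block indicators but literal text that ends up inside the description string ("... by looking for | creation ... service | which ..."); either remove them or make the value a real `>-` folded block. Minor: `fields:` lists `TargetFileName` while the detection uses the Sysmon field name `TargetFilename`, which some backends treat as distinct.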
@@ -0,0 +1,28 @@
+title: CVE-2021-26857 Exchange Exploitation
+id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for |
+ abnormal subprocesses spawning by Exchange Server’s Unified Messaging service
+author: Bhabesh Raj
+status: experimental
+level: critical
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+ - attack.t1203
+ - attack.execution
+ - cve.2021-26857
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: 'UMWorkerProcess.exe'
+ filter:
+ Image|endswith:
+ - 'wermgr.exe'
+ - 'WerFault.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index 887677ecc..4a700b6a2 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
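Review bot: The `filter:` excludes children by bare file name (`'wermgr.exe'`, `'WerFault.exe'`) with no path anchor, so a payload dropped as, say, `C:\inetpub\wwwroot\WerFault.exe` and spawned by UMWorkerProcess.exe is silently carved out of a `level: critical` rule; anchor the exclusion to the system copies, e.g. `'\Windows\System32\WerFault.exe'` and `'\Windows\SysWOW64\WerFault.exe'` (likewise for wermgr.exe). `ParentImage|endswith: 'UMWorkerProcess.exe'` should also carry a leading backslash, as the webshell-spawn hunk in this commit does. The first reference is missing the `CVE-` prefix (`cvename.cgi?name=2021-26857`), so the MITRE lookup is unlikely to resolve; the sibling 26858 rule has the correct form.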
@@ -1,33 +1,24 @@
 title: Suspicious Use of Procdump
-id: 5afee48e-67dd-4e03-a783-f74259dcf998
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
+id: 03795938-1387-481b-9f4c-3f6241e604fe
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
 status: experimental
 references:
 - Internal Research
 author: Florian Roth
-date: 2018/10/30
-modified: 2020/11/28
+date: 2021/02/02
 tags:
 - attack.defense_evasion
 - attack.t1036
- - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
- - car.2013-05-009
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- CommandLine|contains: ' -ma '
- selection2:
- CommandLine|contains: ' lsass'
- selection3:
- CommandLine|contains|all:
+ selection:
+ CommandLine|contains:
 - ' -ma '
- - 'ls'
- condition: ( selection1 and selection2 ) or selection3
+ condition: selection
 falsepositives:
- - Unlikely, because no one should dump an lsass process memory
 - Another tool that uses the command line switches of Procdump
-level: high
+ - Legitimate use of procdump by a developer or administrator
+level: medium
diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml
new file mode 100644
index 000000000..299ed2930
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml
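Review bot: The new tag set keeps `attack.t1003.001` (LSASS memory dumping) but drops `attack.credential_access`, while the detection itself no longer mentions lsass at all — it now fires on any command line containing ` -ma `. Either drop `attack.t1003.001` here, since the LSASS-specific logic moved to the new win_susp_procdump_lsass.yml, or keep the technique tag together with its tactic tag as the repository's convention expects. Separately, a bare ` -ma ` substring with no other procdump-specific co-indicator is a weak signal even at `level: medium`; the added falsepositives entry concedes this, but the description still calls it a "special command line parameter" as if it were distinctive, and should be softened to match.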
@@ -0,0 +1,33 @@
+title: Suspicious Use of Procdump on LSASS
+id: 5afee48e-67dd-4e03-a783-f74259dcf998
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
+status: experimental
+references:
+ - Internal Research
+author: Florian Roth
+date: 2018/10/30
+modified: 2021/02/02
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1003 # an old one
+ - car.2013-05-009
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: ' -ma '
+ selection2:
+ CommandLine|contains: ' lsass'
+ selection3:
+ CommandLine|contains|all:
+ - ' -ma '
+ - ' ls'
+ condition: ( selection1 and selection2 ) or selection3
+falsepositives:
+ - Unlikely, because no one should dump an lsass process memory
+ - Another tool that uses the command line switches of Procdump
+level: critical
diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
new file mode 100644
index 000000000..e85f144ea
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
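Review bot: selection2's ` lsass` value requires a space immediately before the name, so a command line that quotes the target — `procdump.exe -ma "lsass.exe" out.dmp` — contains `"lsass` rather than ` lsass` and misses selection2, and selection3's ` ls` term has the same leading-space dependency; `CommandLine|contains: 'lsass'` (or an added `'"lsass'` variant) closes that gap at no false-positive cost given the ` -ma ` conjunction. Selection3's ` ls` is also very loose on its own — ` lsm`, ` lsp`, any path segment starting with ls — and it is only the AND with ` -ma ` that keeps it usable, which deserves a comment on that line such as `# short process-name prefix; only meaningful together with -ma`. Referencing LSASS by PID (`-ma <pid>`) bypasses this rule entirely and is caught only by the broader medium-severity rule in this commit, which is worth stating under `falsepositives:` or in the description so analysts do not treat a miss as absence.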
@@ -0,0 +1,22 @@
+title: Suspicious Rundll32 Invoking Inline VBScript
+id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
+description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - 'Execute'
+ - 'RegRead'
+ - 'window.close'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_rundll32_sys.yml b/rules/windows/process_creation/win_susp_rundll32_sys.yml
new file mode 100644
index 000000000..a59cfd3c2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_sys.yml
@@ -0,0 +1,25 @@
+title: Suspicious Rundll32 Activity Invoking Sys File
+id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
+description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: 'rundll32.exe'
+ selection2:
+ CommandLine|contains:
+ - '.sys,'
+ - '.sys '
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
new file mode 100644
index 000000000..d224ddbf9
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
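Review bot: Requiring the literal `rundll32.exe` inside CommandLine ties the rule to how the binary was typed: `rundll32 vbscript:...` with no extension (resolved through PATH) or a renamed copy of rundll32 both still execute the inline script yet miss this selection. Match the process rather than the string — `Image|endswith: '\rundll32.exe'` and, where the log source has it, `OriginalFileName: 'RUNDLL32.EXE'` — and keep `Execute`/`RegRead`/`window.close` as the CommandLine condition. The rule also has no `tags:` block, unlike its sibling win_susp_rundll32_sys.yml in this commit which carries `attack.defense_evasion` / `attack.t1218.011`; the same pair applies here.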
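Review bot: selection2 only accepts `.sys,` and `.sys ` directly after the file name, so a quoted module path — `rundll32.exe "C:\Windows\Temp\x.sys",Entry`, the normal form whenever the path contains a space — yields `.sys",` and matches neither value; add `- '.sys"'` to the list. As in the inline-VBScript rule, `CommandLine|contains: 'rundll32.exe'` in selection1 is sidestepped by invoking `rundll32` without its extension; `Image|endswith: '\rundll32.exe'` is the more robust anchor and keeps the two rules consistent.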
@@ -0,0 +1,26 @@
+title: Suspicious VBScript UN2452 Pattern
+id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
+description: Detects suspicious inline VBScript keywords as used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Execute'
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ - '\Microsoft\Windows\CurrentVersion'
+ filter:
+ CommandLine|contains:
+ - '\Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 514895549..197567f6a 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -16,6 +16,7 @@ detection:
 - '\nginx.exe'
 - '\php-cgi.exe'
 - '\tomcat.exe'
+ - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
 Image|endswith:
 - '\cmd.exe'
 - '\sh.exe'
diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
new file mode 100644
index 000000000..0104e1bf4
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
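Review bot: The `filter:` discards every command line that references `\Software\Microsoft\Windows\CurrentVersion\Run`, which is an explicit blind spot — an actor who parks the same VBScript under a Run subkey, arguably the more suspicious location, is never alerted on — while `falsepositives:` still reads `Unknown`. If the exclusion exists to suppress a known benign pattern, name it under `falsepositives:` and narrow the filter to that pattern; otherwise drop the filter. The title has a typo (`UN2452` should be `UNC2452`, as the description spells it), and the rule lacks a `tags:` block; `attack.execution` / `attack.t1059.005` fit the inline Visual Basic execution it describes.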
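Review bot: The only hunk touching win_webshell_spawn.yml is the one-line addition at line 16, so the rule's `modified:` date in the header appears not to have been bumped, which the repository's convention expects whenever detection logic changes. Note also the overlap with the new sysmon_cve_2021_26857_msexchange.yml in this commit, which already alerts at `level: critical` on any non-WER child of UMWorkerProcess.exe; a `cmd.exe` child will now fire both rules, which is fine for coverage but should be a deliberate choice rather than an accident of two authors. The list this line joins is headed above the hunk, outside the visible lines.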
@@ -0,0 +1,31 @@
+title: VBScript Payload Stored in Registry
+id: 46490193-1b22-4c29-bdd6-5bf63907216f
+description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+status: experimental
+date: 2021/03/05
+author: Florian Roth
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
+ Details|contains:
+ - 'vbscript'
+ - 'jscript'
+ - 'mshtml'
+ - 'mshtml,'
+ - 'mshtml '
+ - 'RunHTMLApplication'
+ - 'Execute('
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ filter:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
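Review bot: In `Details|contains:` the entries `'mshtml,'` and `'mshtml '` are redundant — a value list under `contains` is an OR, and `'mshtml'` already matches every value the other two could. The `filter:` on `\CurrentVersion\Run` has the same effect as in the process_creation rule from this commit: a script body written into a Run value (`vbscript:`, `CreateObject`, …), a classic fileless persistence technique, is deliberately not alerted on, yet `falsepositives:` says `Unknown`; document the benign case that motivates the exclusion or remove it. Finally, `Details` is only populated on the registry value-set event, so the selection silently depends on that event type being collected; a one-line comment above `Details|contains:` noting that requirement would save the next maintainer from wondering why key-create/delete events never match.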