Merge pull request #1556 from frack113/PR_617_V2

Fix all the rules to pass the test

rules/windows/process_creation/win_credential_access_via_password_filter.yml

@@ -0,0 +1,26 @@
+title: Dropping Of Password Filter DLL
+id: b7966f4a-b333-455b-8370-8ca53c229762
+description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+references:
+    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
+    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
+tags:
+    - attack.credential_access
+    - attack.t1174
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmdline:
+        CommandLine|contains|all:
+            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
+            - 'scecli\0*'
+            - 'reg add'
+    condition: selection_cmdline
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml

@@ -0,0 +1,22 @@
+title: Detecting Fake Instances Of Hxtsr.exe
+id: 4e762605-34a8-406d-b72e-c1a089313320
+status: experimental
+description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+author: Sreeman
+date: 2020/04/17
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image: hxtsr.exe
+    filter:
+        FolderPath|re: '(?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe'
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml

@@ -0,0 +1,28 @@
+title: Writing Of Malicious Files To The Fonts Folder
+id: ae9b0bd7-8888-4606-b444-0ed7410cb728
+description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesnt require admin privillege to be written and executed from.
+references:
+    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+date: 2020/21/04
+modified: 2021/06/11
+author: Sreeman
+tags:
+    - attack.t1064
+    - attack.t1211
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.persistence
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection1:
+        CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\Windows\\Fonts\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*'
+    condition: selection1
+fields:
+    - CommandLine
+    - ParentProcess
+    - CommandLine
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml

@@ -0,0 +1,29 @@
+title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
+id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
+status: experimental
+description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
+references:
+    - https://dtm.uk/wuauclt/
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1085
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver'
+    filter:
+        CommandLine|contains:
+            - 'wuaueng.dll'
+            - 'UpdateDeploymentProvider.dll /ClassId'
+    condition: selection and not filter
+falsepositives:
+    - Wuaueng.dll which is a module belonging to Microsoft Wnidows Update.
+fields:
+    - CommandLine
+level: medium

rules/windows/process_creation/win_lolbin_execution_via_winget.yml

@@ -0,0 +1,26 @@
+title: Monitoring Winget For LOLbin Execution
+id: 313d6012-51a0-4d93-8dfc-de8553239e25
+description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
+status: experimental
+references: 
+    - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+author: Sreeman
+date: 2020/21/04
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - '.*(?i)winget install (--m|-m).*'
+    condition: selection
+falsepositives:
+    - Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users.
+fields:
+    - CommandLine
+level: medium

rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml

@@ -0,0 +1,27 @@
+title: Modification Of Existing Services For Persistence
+id: 38879043-7e1e-47a9-8d46-6bec88e201df
+description: Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.
+references:
+    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
+status: experimental
+tags:
+    - attack.persistence
+    - attack.t1031
+    - attack.t1058
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmdline_1:
+        CommandLine|re: '(?i)sc config.*binpath=.*'
+    selection_cmdline_2: 
+        CommandLine|re: '(?i)sc failure.*command=.*'
+    selection_cmdline_3:
+        CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin^|\.bat|\.cmd|\.js|\.msh^|\.reg^|\.scr|\.ps|\.vb|\.jar|\.pl).*'
+    condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml

@@ -0,0 +1,27 @@
+title: Monitoring For Persistence Via BITS
+id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
+description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+references:
+    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
+    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_1:
+        CommandLine|re: '(?i).*bitsadmin.*/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+    selection_2:
+        CommandLine|re: '(?i).*bitsadmin.*/Addfile.*(http|https|ftp|ftps):.*'
+    condition: selection_1 or selection_2
+falsepositives:
+    - None observed yet.
+fields:
+    - CommandLine
+level: medium

rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml

@@ -0,0 +1,27 @@
+title: Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access
+id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
+description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
+status: experimental
+date: 2020/18/02
+modified: 2021/06/11
+author: Sreeman
+tags:
+    - attack.t1015
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine:
+            - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+    condition: selection
+fields:
+    - CommandLine
+    - ParentProcess
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/win_write_protect_for_storage_disabled.yml

@@ -0,0 +1,20 @@
+title: Write Protect For Storage Disabled
+id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
+description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+status: experimental
+author: Sreeman
+date: 2021/06/11
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.t1562
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|re: '(?i).*reg add.*hklm\\system\\currentcontrolset\\control.*(storage|storagedevicepolicies).*write protection.*0.*'
+    condition: selection
+falsepositives:
+    - none observed
+level: medium