From 8b2f23ffbb9c4b976484dbc0e3cad114b34994e5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 8 Apr 2022 16:32:46 +0200
Subject: [PATCH 1/3] fix: possible FP with Veeam software

---
 .../proc_creation_win_susp_base64_cmdline_param.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
index 69e6cf857..c68adbda7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
@@ -13,7 +13,9 @@ detection:
 selection:
 - CommandLine|endswith: '=='
 - CommandLine|contains: '== -'
- condition: selection
+ filter:
+ Image|endswith: '\VeeamAgent.exe'
+ condition: selection and not 1 of filter*
 falsepositives:
 - Legitimate software that uses base64 encoded values in its command line
 level: medium

From c18f246c233ff606d410bd8abc0ba59ee72b744e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 8 Apr 2022 16:33:19 +0200
Subject: [PATCH 2/3] docs: modified date

---
 .../proc_creation_win_susp_base64_cmdline_param.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
index c68adbda7..f6e9e1c00 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
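Review bot: The new `filter` excludes on the bare file name `\VeeamAgent.exe`, so any process carrying that name from any directory is dropped from the rule, and the exclusion is only as strong as that name check. If the vendor's install location is known, anchor the filter to it as well, for example an `Image|endswith` value of `'\<vendor-install-dir>\VeeamAgent.exe'` (placeholder; confirm the real directory before use). The `falsepositives` list in this hunk still only names generic base64 users, so add `- Veeam backup software` to record why the exclusion exists. Also, `1 of filter*` works but relies on the prefix matching the name `filter` itself; the sibling rule later in this series uses the `filter_*` convention, so `filter_veeam:` with `condition: selection and not 1 of filter_*` would keep the two consistent.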
@@ -4,6 +4,7 @@ status: experimental
 description: Detects programs that use base64 encoded values provided via command line, which is often an indicator of obfuscation but could also be used for legitimate purposes (e.g. if certain special characters would mess with the command line interface, enccrypted keys etc.)
 author: Florian Roth
 date: 2022/04/05
+modified: 2022/04/08
 references:
 - https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/d
 logsource:

From ed90f8eefca89c343e04a69e287c4c97a78ba16a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Apr 2022 19:22:28 +0200
Subject: [PATCH 3/3] docs: reworked rule

---
 .../file_access_win_browser_credential_stealing.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
index f0eeca908..b9fb94baa 100644
--- a/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/etw/file_access/file_access_win_browser_credential_stealing.yml
@@ -1,11 +1,14 @@
-title: Browser Credential Stealing
+title: Browser Credential Store Access
 id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
 status: experimental
-description: Steals cookies and credentials from the user
+description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
 references:
 - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
 author: frack113
 date: 2022/04/09
+tags:
+ - attack.t1003
+ - attack.credential_access
 logsource:
 category: file_access
 product: windows
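Review bot: The `attack.t1003` tag added in the third patch's first hunk maps to OS Credential Dumping, while the retitled rule is about access to browser credential stores; the closer ATT&CK mapping is Credentials from Web Browsers, so `- attack.t1555.003` alongside `- attack.credential_access` would describe the behaviour more accurately. The new description should also read `which can be a sign of credential stealing` rather than `the sign`. That description says the rule filters `based on name and location`, but the `detection` block that would carry those name and path filters lies outside this hunk, so that claim could not be checked here.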
@@ -34,9 +37,6 @@ detection:
 TargetFilename|endswith: '\APPDATA\LOCAL\MICROSOFT\WINDOWS\WEBCACHE\WEBCACHEV01.DAT'
 condition: selection and not 1 of filter_*
 falsepositives:
- - Very Probably
 - Antivirus, Anti-Spyware, Anti-Malware Software
+ - Backup software
 level: medium
-tags:
- - attack.t1003
- - attack.credential_access