Updates

rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml

@@ -29,5 +29,5 @@ detection:
         ParentImage|endswith: '\wbem\WmiPrvSE.exe'
     condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml

@@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E
 status: experimental
 references:
     - https://redcanary.com/blog/raspberry-robin/
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
 date: 2022/05/21
 logsource:

rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml

@@ -20,7 +20,7 @@ detection:
         CommandLine|contains: '.dmp'
     condition: selection and dumpfile
 falsepositives:
-    - Legitimate use of WinRAR with a command line in which .dmp appears incidentally
+    - Legitimate use of WinRAR with a command line in which .dmp appears accidentally
 level: high
 tags:
     - attack.collection

rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml

@@ -1,12 +1,14 @@
 title: Wab Execution From Non Default Location
 id: 395907ee-96e5-4666-af2e-2ca91688e151
 status: experimental
-description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
 references:
     - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -15,7 +17,9 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\wab.exe'
+        Image|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe'
     filter:
         Image|startswith:
             - 'C:\Windows\WinSxS\'
@@ -23,5 +27,5 @@ detection:
             - 'C:\Program Files (x86)\Windows Mail\'
     condition: selection and not filter
 falsepositives:
-    - Unlikely
+    - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml

@@ -1,12 +1,14 @@
-title: Wab.Exe Unusual Parent Or Child Processes
+title: Wab/Wabmig Unusual Parent Or Child Processes
 id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
 status: experimental
-description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
 references:
     - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -20,10 +22,15 @@ detection:
             - \WmiPrvSE.exe
             - \svchost.exe
             - \dllhost.exe
-        Image|endswith: '\wab.exe'
+        Image|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
     selection_child:
-        ParentImage|endswith: '\wab.exe'
+        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+        ParentImage|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
     condition: 1 of selection_*
 falsepositives:
-    - Unlikely
+    - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml

@@ -4,8 +4,10 @@ status: experimental
 description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
 references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/09/14
+modified: 2022/09/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -19,6 +21,7 @@ detection:
             - 'Asd123.aaaa'
             - 'password123'
             - '123456789'
+            - 'P@ssw0rd!'
     condition: selection
 falsepositives:
     - Legitimate usage of the passwords by users via commandline (should be discouraged)