From e987c669d012f3a6994ef7d2cec33cd30192a8bc Mon Sep 17 00:00:00 2001
From: "nasreddine.bencherchali@nextron-systems.com"
 <8741929+nasbench@users.noreply.github.com>
Date: Wed, 28 Sep 2022 09:50:56 +0200
Subject: [PATCH] Updates

---
 ...win_lolbins_with_wmiprvse_parent_process.yml |  2 +-
 ...oc_creation_win_rundll32_parent_explorer.yml |  1 +
 .../proc_creation_win_susp_winrar_dmp.yml       |  2 +-
 ..._wab_execution_from_non_default_location.yml | 10 +++++++---
 .../proc_creation_win_wab_unusual_parents.yml   | 17 ++++++++++++-----
 ...oc_creation_win_weak_or_abused_passwords.yml |  3 +++
 6 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
index 658c9c1ad..d7e302321 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
@@ -29,5 +29,5 @@ detection:
         ParentImage|endswith: '\wbem\WmiPrvSE.exe'
     condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 9d73005a8..86a5ee3f5 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -4,6 +4,7 @@ description: Detects suspicious start of rundll32.exe with a parent process of E
 status: experimental
 references:
     - https://redcanary.com/blog/raspberry-robin/
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
 date: 2022/05/21
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
index 7fa86299a..dc6c839b6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml
@@ -20,7 +20,7 @@ detection:
         CommandLine|contains: '.dmp'
     condition: selection and dumpfile
 falsepositives:
-    - Legitimate use of WinRAR with a command line in which .dmp appears incidentally
+    - Legitimate use of WinRAR with a command line in which .dmp appears accidentally
 level: high
 tags:
     - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
index 601a65f63..1a188d5a9 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -1,12 +1,14 @@
 title: Wab Execution From Non Default Location
 id: 395907ee-96e5-4666-af2e-2ca91688e151
 status: experimental
-description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
 references:
     - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -15,7 +17,9 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\wab.exe'
+        Image|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe'
     filter:
         Image|startswith:
             - 'C:\Windows\WinSxS\'
@@ -23,5 +27,5 @@ detection:
             - 'C:\Program Files (x86)\Windows Mail\'
     condition: selection and not filter
 falsepositives:
-    - Unlikely
+    - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
index ad84a9698..f5720ce04 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
@@ -1,12 +1,14 @@
-title: Wab.Exe Unusual Parent Or Child Processes
+title: Wab/Wabmig Unusual Parent Or Child Processes
 id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
 status: experimental
-description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
 references:
     - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -20,10 +22,15 @@ detection:
             - \WmiPrvSE.exe
             - \svchost.exe
             - \dllhost.exe
-        Image|endswith: '\wab.exe'
+        Image|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
     selection_child:
-        ParentImage|endswith: '\wab.exe'
+        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
+        ParentImage|endswith:
+            - '\wab.exe'
+            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
     condition: 1 of selection_*
 falsepositives:
-    - Unlikely
+    - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
index 0afe7b43e..0068a7f2c 100644
--- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
@@ -4,8 +4,10 @@ status: experimental
 description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
 references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali
 date: 2022/09/14
+modified: 2022/09/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -19,6 +21,7 @@ detection:
             - 'Asd123.aaaa'
             - 'password123'
             - '123456789'
+            - 'P@ssw0rd!'
     condition: selection
 falsepositives:
     - Legitimate usage of the passwords by users via commandline (should be discouraged)