diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index f3915298f..bbbc5cf51 100755
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
 date: 2020/05/26
-modified: 2022/10/28
+modified: 2022/11/07
 tags:
 - attack.defense_evasion
 - attack.t1036.005
@@ -14,78 +14,78 @@ logsource:
 detection:
 selection:
 TargetFilename|endswith:
- - '\svchost.exe'
- - '\rundll32.exe'
- - '\services.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- - '\regsvr32.exe'
- - '\spoolsv.exe'
- - '\lsass.exe'
- - '\smss.exe'
- - '\csrss.exe'
- - '\conhost.exe'
- - '\wininit.exe'
- - '\lsm.exe'
- - '\winlogon.exe'
- - '\explorer.exe'
- - '\taskhost.exe'
- - '\Taskmgr.exe'
- - '\sihost.exe'
- - '\RuntimeBroker.exe'
- - '\smartscreen.exe'
- - '\dllhost.exe'
- - '\audiodg.exe'
- - '\wlanext.exe'
 - '\AtBroker.exe'
+ - '\audiodg.exe'
+ - '\backgroundTaskHost.exe'
 - '\bcdedit.exe'
 - '\bitsadmin.exe'
+ - '\cmdl32.exe'
+ - '\cmstp.exe'
+ - '\conhost.exe'
+ - '\csrss.exe'
+ - '\dasHost.exe'
+ - '\dfrgui.exe'
+ - '\dllhost.exe'
+ - '\dwm.exe'
+ - '\eventcreate.exe'
+ - '\eventvwr.exe'
+ - '\explorer.exe'
+ - '\extrac32.exe'
+ - '\fontdrvhost.exe'
 - '\ipconfig.exe'
- - '\LsaIso.exe'
- - '\LogonUI.exe'
+ - '\iscsicli.exe'
+ - '\iscsicpl.exe'
 - '\logman.exe'
+ - '\LogonUI.exe'
+ - '\LsaIso.exe'
+ - '\lsass.exe'
+ - '\lsm.exe'
+ - '\msiexec.exe'
 - '\msinfo32.exe'
 - '\mstsc.exe'
- - '\msiexec.exe'
 - '\nbtstat.exe'
- - '\regini.exe'
- - '\TiWorker.exe'
- - '\WmiPrvSE.exe'
- - '\WUDFHost.exe'
- - '\taskhostw.exe'
- - '\dasHost.exe'
- - '\wslhost.exe'
- - '\fontdrvhost.exe'
- - '\dwm.exe'
- - '\backgroundTaskHost.exe'
- - '\SystemSettingsBroker.exe'
 - '\odbcconf.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regini.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\RuntimeBroker.exe'
 - '\schtasks.exe'
- - '\SearchProtocolHost.exe'
- - '\SearchIndexer.exe'
 - '\SearchFilterHost.exe'
- - '\SecurityHealthSystray.exe'
+ - '\SearchIndexer.exe'
+ - '\SearchProtocolHost.exe'
 - '\SecurityHealthService.exe'
+ - '\SecurityHealthSystray.exe'
+ - '\services.exe'
 - '\ShellAppRuntime.exe'
+ - '\sihost.exe'
+ - '\smartscreen.exe'
+ - '\smss.exe'
+ - '\spoolsv.exe'
+ - '\svchost.exe'
+ - '\SystemSettingsBroker.exe'
+ - '\taskhost.exe'
+ - '\taskhostw.exe'
+ - '\Taskmgr.exe'
+ - '\TiWorker.exe'
 - '\vssadmin.exe'
 - '\w32tm.exe'
 - '\WerFault.exe'
 - '\WerFaultSecure.exe'
 - '\wermgr.exe'
 - '\wevtutil.exe'
+ - '\wininit.exe'
+ - '\winlogon.exe'
 - '\winrshost.exe'
- - '\wlrmdr.exe'
 - '\WinRTNetMUAHostServer.exe'
+ - '\wlanext.exe'
+ - '\wlrmdr.exe'
+ - '\WmiPrvSE.exe'
+ - '\wslhost.exe'
 - '\WSReset.exe'
+ - '\WUDFHost.exe'
 - '\WWAHost.exe'
- - '\iscsicpl.exe'
- - '\iscsicli.exe'
- - '\extrac32.exe'
- - '\eventvwr.exe'
- - '\eventcreate.exe'
- - '\dfrgui.exe'
- - '\cmdl32.exe'
- - '\cmstp.exe'
 filter1:
 TargetFilename|startswith:
 - 'C:\Windows\System32\'
@@ -95,6 +95,7 @@ detection:
 Image|endswith:
 - '\Windows\System32\dism.exe'
 - '\TiWorker.exe'
+ - '\bcdedit.exe'
 filter2:
 TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
 Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index 9fe5b68f7..b59852995 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -3,8 +3,10 @@ id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
 related:
 - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
 type: derived
+ - id: 3215aa19-f060-4332-86d5-5602511f3ca8
+ type: similar
 status: experimental
-description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
+description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
 references:
 - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
 - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
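Review bot: The new `'\bcdedit.exe'` entry is an unanchored `Image|endswith`, so a binary named bcdedit.exe dropped anywhere on disk — the very masquerading this rule exists to catch — is exempted as a trusted writer, whereas the sibling dism entry is pinned to `'\Windows\System32\dism.exe'`. I would anchor it the same way, `- '\Windows\System32\bcdedit.exe'` (and `'\Windows\SysWOW64\bcdedit.exe'` if 32-bit hosts matter), and add a one-line comment naming the legitimate case that motivated the exclusion, since it is not evident from the rule why bcdedit.exe would create executables with system process names. The existing `'\TiWorker.exe'` line has the same weakness, though it predates this change. The filter this list belongs to starts outside the hunk, so its name and the condition that references it are not visible here.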
@@ -13,7 +15,7 @@ references:
 - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali, frack113
 date: 2022/06/19
-modified: 2022/07/28
+modified: 2022/11/07
 tags:
 - attack.defense_evasion
 - attack.t1036.007
@@ -25,7 +27,7 @@ detection:
 TargetFilename|endswith:
 - '.zip'
 - '.rar'
- - '.lnk'
+ #- '.lnk' # legitimate links can happen just anywhere
 - '.iso'
 - '.exe'
 TargetFilename|contains:
@@ -36,15 +38,16 @@ detection:
 - '.ppt.'
 - '.pptx.'
 - '.jpg.'
+ - '.pdf.'
 selection_exe:
 TargetFilename|endswith:
 - '.zip.exe'
 - '.rar.exe'
- filter:
- TargetFilename|contains:
- - '\AppData\Roaming\Microsoft\Office\Recent\'
- - '\AppData\Roaming\Microsoft\Windows\Recent\'
- condition: 1 of selection_* and not filter
+ #filter:
+ # TargetFilename|contains:
+ # - '\AppData\Roaming\Microsoft\Office\Recent\'
+ # - '\AppData\Roaming\Microsoft\Windows\Recent\'
+ condition: 1 of selection_*
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
new file mode 100644
index 000000000..5f407aeec
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
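Review bot: The `#filter:` block is commented-out configuration left inside the rule body; with the `.lnk` case moved out, the Recent-folder exclusion serves no purpose here, and commented YAML in a detection rule tends to drift and get silently re-enabled. Delete those four lines and leave a single pointer next to `condition: 1 of selection_*`, e.g. `# .lnk double extensions (with the Recent-folder exclusion) are handled by 3215aa19-f060-4332-86d5-5602511f3ca8`. The `#- '.lnk' # legitimate links can happen just anywhere` line in the previous hunk is the same pattern and would be better served by that one pointer comment than by a disabled list entry.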
@@ -0,0 +1,41 @@
+title: Suspicious LNK Double Extension Files
+id: 3215aa19-f060-4332-86d5-5602511f3ca8
+related:
+ - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
+ type: derived
+status: experimental
+description: Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
+references:
+ - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
+ - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+ - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
+ - https://twitter.com/malwrhunterteam/status/1235135745611960321
+ - https://twitter.com/luc4m/status/1073181154126254080
+author: Nasreddine Bencherchali, frack113
+date: 2022/11/07
+tags:
+ - attack.defense_evasion
+ - attack.t1036.007
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '.lnk'
+ TargetFilename|contains:
+ - '.doc.'
+ - '.docx.'
+ - '.xls.'
+ - '.xlsx.'
+ - '.ppt.'
+ - '.pptx.'
+ - '.jpg.'
+ - '.pdf.'
+ filter:
+ TargetFilename|contains:
+ - '\AppData\Roaming\Microsoft\Office\Recent\'
+ - '\AppData\Roaming\Microsoft\Windows\Recent\'
+ condition: selection and not filter
+falsepositives:
+ - Users creating a shortcut on e.g. desktop
+level: medium
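Review bot: The `filter` exempts any LNK whose path contains `\AppData\Roaming\Microsoft\Windows\Recent\` or `\AppData\Roaming\Microsoft\Office\Recent\`, and both folders are writable by the same user context a dropper runs in, so `invoice.pdf.lnk` staged there never reaches `condition: selection and not filter`; that is an acceptable trade-off for the shortcuts created when a user opens a document, but the rule should state it. If telemetry confirms which images create those shortcuts (presumably explorer.exe and the Office binaries — verify before pinning), adding an `Image|endswith` clause to `filter` would close the gap; otherwise document the blind spot in `description`, e.g. `# NOTE: LNKs written under the user's Recent folders are excluded and are not covered by this rule`. On coverage, `'.doc.'` does not match `.docm.`, and `.xlsm.`, `.pptm.`, `.txt.`, `.rtf.` and `.png.` lures are absent from `TargetFilename|contains`, so consider whether the list should be extended to match the decoy types the referenced reports describe.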