Merge pull request #3522 from frack113/redcannary_20220925

Add redcannary rules
2022-09-28 08:45:06 +02:00
parent 46ef664ec6 e583d9fc39
commit ec6d237cd0
3 changed files with 83 additions and 0 deletions
@@ -0,0 +1,27 @@
+title: Use of NetSupport Remote Access Software
+id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
+status: experimental
+description: |
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Description: NetSupport Client Configurator
+        - Product: NetSupport Remote Control
+        - Company: NetSupport Ltd
+        - OriginalFileName: PCICFGUI.EXE
+    condition: selection
+falsepositives:
+    - Legitimate use
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
@@ -0,0 +1,26 @@
+title: Use of UltraViewer Remote Access Software
+id: 88656cec-6c3b-487c-82c0-f73ebb805503
+status: experimental
+description: |
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Product: UltraViewer
+        - Company: DucFabulous Co,ltd
+        - OriginalFileName: UltraViewer_Desktop.exe
+    condition: selection
+falsepositives:
+    - Legitimate use
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
@@ -0,0 +1,30 @@
+title: Use of W32tm as Timer
+id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
+status: experimental
+description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
+    - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_w32tm:
+        - Image|endswith: '\w32tm.exe'
+        - OriginalFileName: 'w32time.dll'
+    selection_cmd:
+        CommandLine|contains|all:
+            - '/stripchart'
+            - '/computer:'
+            - '/period:'
+            - '/dataonly'
+            - '/samples:'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use
+level: high  # because unlikely legitimate use of that flag combination
+tags:
+    - attack.discovery
+    - attack.t1124