From 9b0189b5f7ea0004614cbb3a80674bab5199a538 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 25 Sep 2022 16:14:21 +0200
Subject: [PATCH 1/3] Add redcannary rules
---
 .../proc_creation_win_netsupport.yml | 27 +++++++++++++++++
 .../proc_creation_win_ultraviewer.yml | 26 ++++++++++++++++
 .../proc_creation_win_w32tm.yml | 30 +++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_netsupport.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_ultraviewer.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_w32tm.yml
diff --git a/rules/windows/process_creation/proc_creation_win_netsupport.yml b/rules/windows/process_creation/proc_creation_win_netsupport.yml
new file mode 100644
index 000000000..d9d99094f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_netsupport.yml
@@ -0,0 +1,27 @@
+title: Use of NetSupport Remote Access Software
+id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
+status: experimental
+description: |
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Description: NetSupport Client Configurator
+        - Product: NetSupport Remote Control
+        - Company: NetSupport Ltd
+        - OriginalFileName: PCICFGUI.EXE
+    condition: selection
+falsepositives:
+    - Legitimate use
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_ultraviewer.yml b/rules/windows/process_creation/proc_creation_win_ultraviewer.yml
new file mode 100644
index 000000000..f3781c979
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ultraviewer.yml
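Review bot: The `description` block is the generic MITRE T1219 text and names Team Viewer, Go2Assist, LogMein and AmmyyAdmin, none of which this rule matches; the same text is reused unchanged in the UltraViewer hunk. An analyst triaging a hit needs to know what was actually matched, so the description should say that the rule identifies NetSupport components through PE version-information fields, e.g. `description: Detects execution of NetSupport remote control components by their PE version information (Description, Product, Company, OriginalFileName)`. It is also worth recording, in the description or a comment above `selection`, that Description/Product/Company/OriginalFileName come from the binary's version resource and are only present in telemetry that exposes it (Sysmon event 1 does, Windows Security 4688 does not), so the rule is silent on 4688-only data. The `falsepositives` entry `Legitimate use` could be made actionable, e.g. `- Legitimate use by IT support staff`.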
@@ -0,0 +1,26 @@
+title: Use of UltraViewer Remote Access Software
+id: 88656cec-6c3b-487c-82c0-f73ebb805503
+status: experimental
+description: |
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Product: UltraViewer
+        - Company: DucFabulous Co,ltd
+        - OriginalFileName: UltraViewer_Desktop.exe
+    condition: selection
+falsepositives:
+    - Legitimate use
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
new file mode 100644
index 000000000..82bcbcc13
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
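Review bot: `Company: DucFabulous Co,ltd` in `selection` is an exact match on a vendor string with embedded punctuation, and such strings tend to vary between builds of the same product (`Co., Ltd`, `Co,ltd`, with or without a trailing period); a substring match on the distinctive token is more robust, e.g. `- Company|contains: DucFabulous`. If the exact form is kept, quoting it as `'DucFabulous Co,ltd'` makes the comma visibly part of the value and matches the quoting style the w32tm rule in this series uses. Presumably the value was copied from the referenced atomic test; confirming it against the binary's version resource would settle which spelling to expect.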
@@ -0,0 +1,30 @@
+title: Use of W32tm as Timer
+id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
+status: experimental
+description: When configured with suitable command line arguments,w32tm can act as a delay mechanism
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
+    - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
+author: frack113
+date: 2022/09/25
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_w32tm:
+        - Image|endswith: '\w32tm.exe'
+        - OriginalFileName: 'w32time.dll'
+    selection_cmd:
+        CommandLine|contains|all:
+            - '/stripchart'
+            - '/computer:'
+            - '/period:'
+            - '/dataonly'
+            - '/samples:'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use
+level: medium
+tags:
+    - attack.discovery
+    - attack.t1124
From 58b7c910dc423ce3a8f0b6f4d8fedd237e957364 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 27 Sep 2022 23:50:35 +0200
Subject: [PATCH 2/3] Update proc_creation_win_w32tm.yml
---
 rules/windows/process_creation/proc_creation_win_w32tm.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
index 82bcbcc13..55c1d2255 100644
--- a/rules/windows/process_creation/proc_creation_win_w32tm.yml
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
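Review bot: `OriginalFileName: 'w32time.dll'` under `selection_w32tm` reads like a typo for a `.exe` name; if w32tm.exe's version resource really does report that value, a one-line comment above it would stop the next maintainer from "fixing" it, e.g. `# w32tm.exe's version resource carries w32time.dll as OriginalFilename; not a typo`. `CommandLine|contains|all` ties the match to all five switches appearing together, and the description does not say which of them constitute the delay behaviour the title refers to; spelling that out in `description` (the referenced atomic and BlackBerry article should support it) documents whether the strict conjunction is deliberate. The `tags` map the rule to T1124 (system time discovery) while the described use is a time delay; if the delay is the intent, `attack.defense_evasion` with `attack.t1497.003` looks like the closer mapping, to be confirmed against the referenced atomic before adding.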
@@ -1,7 +1,7 @@
 title: Use of W32tm as Timer
 id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
 status: experimental
-description: When configured with suitable command line arguments,w32tm can act as a delay mechanism
+description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
     - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
From e583d9fc39b6597bddec70c36d9bbc6c2ff66e70 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 27 Sep 2022 23:52:22 +0200
Subject: [PATCH 3/3] Update proc_creation_win_w32tm.yml
---
 rules/windows/process_creation/proc_creation_win_w32tm.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
index 55c1d2255..f3881508c 100644
--- a/rules/windows/process_creation/proc_creation_win_w32tm.yml
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
@@ -24,7 +24,7 @@ detection:
     condition: all of selection_*
 falsepositives:
     - Legitimate use
-level: medium
+level: high # because unlikely legitimate use of that flag combination
 tags:
     - attack.discovery
     - attack.t1124
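Review bot: The new `level: high` line justifies itself with `unlikely legitimate use of that flag combination`, but `falsepositives: - Legitimate use` two lines above still asserts the opposite, so the rule now contradicts itself. If the combination is indeed rare in normal administration, the Sigma convention is `- Unlikely` for the falsepositives entry; if it is not, medium was the right level. The reasoning also belongs in `description` rather than a trailing `#` comment, since converters emit only the query and the comment is lost in the backend output.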