Merge pull request #3232 from pH-T/master

blackbyte rules

rules/windows/builtin/security/win_scheduled_task_once_0000.yml

@@ -0,0 +1,34 @@
+title: Uncommon Scheduled Task Once 00:00
+id: 970823b7-273b-460a-8afc-3a6811998529
+description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
+status: experimental
+author: pH-T
+date: 2022/07/15
+references:
+    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    image:
+        Image|contains: '\schtasks.exe'
+    selection_base:
+        CommandLine|contains:
+            - 'wscript'
+            - 'vbscript'
+            - 'cscript'
+            - 'wmic '
+            - 'wmic.exe'
+            - 'regsvr32.exe'
+            - 'powershell'
+            - '\AppData\'
+    selection_time:
+        CommandLine|contains|all:
+            - 'once'
+            - '00:00'
+    bad_name:
+        CommandLine|contains: 'Joke'
+    condition: image and selection_base and (selection_time or bad_name)
+falsepositives:
+    - Software installation
+level: high

rules/windows/dns_query/dns_query_win_anonymfiles_com.yml

@@ -0,0 +1,21 @@
+title: DNS Query for Anonfiles.com Domain
+id: 065cceea-77ec-4030-9052-fc0affea7110
+description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
+status: experimental
+date: 2022/07/15
+author: pH-T
+references:
+    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+tags:
+    - attack.exfiltration
+    - attack.t1567.002
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection:
+        QueryName|contains: .anonfiles.com
+    condition: selection
+falsepositives:
+    - Legitimate access to anonfiles.com
+level: high