From 1529d0377eb7572109584abfe6e0622144ece141 Mon Sep 17 00:00:00 2001
From: Paul Hager <28906717+pH-T@users.noreply.github.com>
Date: Fri, 15 Jul 2022 12:09:55 +0200
Subject: [PATCH 1/3] blackbyte rules
---
 .../security/win_scheduled_task_once_0000.yml | 34 +++++++++++++++++++
 .../dns_query_win_anonymfiles_com.yml | 21 ++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 rules/windows/builtin/security/win_scheduled_task_once_0000.yml
 create mode 100644 rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
diff --git a/rules/windows/builtin/security/win_scheduled_task_once_0000.yml b/rules/windows/builtin/security/win_scheduled_task_once_0000.yml
new file mode 100644
index 000000000..d8a3c7678
--- /dev/null
+++ b/rules/windows/builtin/security/win_scheduled_task_once_0000.yml
@@ -0,0 +1,34 @@
+title: Uncommon Scheduled Task Once 00:00
+id: 970823b7-273b-460a-8afc-3a6811998529
+description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
+status: experimental
+author: pH-T
+date: 2022/07/15
+references:
+ - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image:
+ Image|contains: '\schtasks.exe'
+ selection_base:
+ CommandLine|contains:
+ - 'wscript'
+ - 'vbscript'
+ - 'cscript'
+ - 'wmic '
+ - 'wmic.exe'
+ - 'regsvr32.exe'
+ - 'powershell'
+ - '\AppData\'
+ selection_content2:
+ CommandLine|contains: 'once'
+ selection_content3:
+ CommandLine|contains: '00:00'
+ bad_name:
+ CommandLine|contains: 'Joke'
+ condition: image and selection_base and (1 of selection* or bad_name)
+falsepositives:
+ - Software installation
+level: high
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
new file mode 100644
index 000000000..4c8b5a0b2
--- /dev/null
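Review bot: The rule is created under `rules/windows/builtin/security/` while its `logsource` is `category: process_creation` / `product: windows`, so the file location and the log source disagree; the `builtin/security` directory appears to hold Windows Security event-log rules, and a process_creation rule presumably belongs in the process_creation rule tree instead (the description's "scheduled task creation events" would otherwise suggest a Security-log source was intended — worth confirming which was meant). The rule also has no `tags` block, unlike the DNS rule added in the same patch; `attack.execution`, `attack.persistence` and `attack.t1053.005` are the usual annotations for a schtasks-based detection. `Image|contains: '\schtasks.exe'` is looser than the conventional `Image|endswith: '\schtasks.exe'`, which pins the match to the executable name rather than to any path that merely embeds that fragment.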
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -0,0 +1,21 @@
+title: DNS Query for anonfiles.com Upload Domain
+id: 065cceea-77ec-4030-9052-fc0affea7110
+description: Detects DNS queries for subdomains used for upload to anonfiles.com
+status: experimental
+date: 2022/07/15
+author: pH-T
+references:
+ - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate anonfiles.com upload
+level: high
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|contains: .anonfiles.com
+ condition: selection
\ No newline at end of file
From e35587e922c7b65667420651a3e5c6847f08950a Mon Sep 17 00:00:00 2001
From: Paul Hager <28906717+pH-T@users.noreply.github.com>
Date: Fri, 15 Jul 2022 12:28:11 +0200
Subject: [PATCH 2/3] fix: fixed rule condition
---
 .../builtin/security/win_scheduled_task_once_0000.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/security/win_scheduled_task_once_0000.yml b/rules/windows/builtin/security/win_scheduled_task_once_0000.yml
index d8a3c7678..a0936f937 100644
--- a/rules/windows/builtin/security/win_scheduled_task_once_0000.yml
+++ b/rules/windows/builtin/security/win_scheduled_task_once_0000.yml
@@ -22,13 +22,13 @@ detection:
 - 'regsvr32.exe'
 - 'powershell'
 - '\AppData\'
- selection_content2:
- CommandLine|contains: 'once'
- selection_content3:
- CommandLine|contains: '00:00'
+ selection_time:
+ CommandLine|contains|all:
+ - 'once'
+ - '00:00'
 bad_name:
 CommandLine|contains: 'Joke'
- condition: image and selection_base and (1 of selection* or bad_name)
+ condition: image and selection_base and (selection_time or bad_name)
 falsepositives:
 - Software installation
 level: high
From c232aaa7d87cca1ab2b404890d9e9e4d50e27c99 Mon Sep 17 00:00:00 2001
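Review bot: `QueryName|contains: .anonfiles.com` is a substring match, so it also fires on any query name that merely embeds the domain (for example a lookup ending in `.anonfiles.com.example`) while it never matches a bare `anonfiles.com` query; `QueryName|endswith: '.anonfiles.com'` would pin the match to the domain and its subdomains, with a second exact-match value for the bare apex if that is wanted. The plain scalar should also be quoted, since the other string values in this rule are quoted and a leading `.` is easy to misread. The same line survives unchanged as context in the second hunk of the third patch in this series, so the point applies there too.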
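Review bot: The new `selection_time` block and the retained `bad_name` alternative carry no comment explaining where the `'once'`/`'00:00'` pair and the task name `'Joke'` come from, so a later maintainer cannot judge whether they are still representative; a comment above `selection_time` such as `# task scheduled to run once at midnight, and the task name "Joke" — presumably taken from the referenced BlackByte report, confirm` would record that. `'Joke'` is a very short substring and Sigma string matching is case-insensitive by default, so it matches any command line containing that token; it is worth naming in `falsepositives` or narrowing to the task-name argument if the report gives the exact form. The `selection_base` list and the rule `description` start outside this hunk; the description still reads "run once at 00:00", which no longer covers the `bad_name` branch of the new condition.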
From: Florian Roth
Date: Fri, 15 Jul 2022 16:20:10 +0200
Subject: [PATCH 3/3] Update dns_query_win_anonymfiles_com.yml
---
 .../dns_query/dns_query_win_anonymfiles_com.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index 4c8b5a0b2..8911f4930 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -1,6 +1,6 @@
-title: DNS Query for anonfiles.com Upload Domain
+title: DNS Query for Anonfiles.com Domain
 id: 065cceea-77ec-4030-9052-fc0affea7110
-description: Detects DNS queries for subdomains used for upload to anonfiles.com
+description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
 status: experimental
 date: 2022/07/15
 author: pH-T
@@ -9,13 +9,13 @@ references:
 tags:
 - attack.exfiltration
 - attack.t1567.002
-falsepositives:
- - Legitimate anonfiles.com upload
-level: high
 logsource:
 product: windows
 category: dns_query
 detection:
 selection:
 QueryName|contains: .anonfiles.com
- condition: selection
\ No newline at end of file
+ condition: selection
+falsepositives:
+ - Legitimate access to anonfiles.com
+level: high