feat: more updates

2023-05-05 17:52:47 +02:00
parent bd0a9e2bae
commit f1cd74e303
27 changed files with 234 additions and 136 deletions
@@ -1,6 +1,6 @@
 title: Suspicious Remote Thread Target
 id: f016c716-754a-467f-a39e-63c06f773987
-status: experimental
+status: deprecated
 description: |
  Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
  This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.
@@ -9,7 +9,7 @@ references:
    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/25
-modified: 2022/08/29
+modified: 2023/05/05
 logsource:
    product: windows
    category: create_remote_thread
@@ -1,15 +1,15 @@
-title: Moriya Rootkit
+title: Moriya Rootkit File Created
 id: a1507d71-0b60-44f6-b17c-bf53220fdd88
 related:
    - id: 25b9c01c-350d-4b95-bed1-836d04a4f324
      type: derived
 status: test
-description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
+description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
 references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
 date: 2021/05/06
-modified: 2022/10/09
+modified: 2023/05/05
 tags:
    - attack.persistence
    - attack.privilege_escalation
@@ -1,4 +1,4 @@
-title: Bumblebee Remote Thread Creation
+title: Potential Bumblebee Remote Thread Creation
 id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
 status: experimental
 description: Detects remote thread injection events based on action seen used by bumblebee
@@ -2,7 +2,7 @@

 ## Summary

-Withsecure labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.
+WithSecure Labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.

 You can find more information on the threat in the following articles:

@@ -10,4 +10,7 @@ You can find more information on the threat in the following articles:

 ## Rules

- 
+- [Potential APT FIN7 Related PowerShell Script Created](./file_event_win_apt_fin7_powershell_scripts_naming_convention.yml)
+- [Potential APT FIN7 POWERHOLD Execution](./posh_ps_apt_fin7_powerhold.yml)
+- [Potential POWERTRASH Script Execution](./posh_ps_apt_fin7_powertrash_execution.yml)
+- [Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity](./proc_creation_win_apt_fin7_powertrash_lateral_movement.yml)
@@ -1,4 +1,4 @@
-title: FIN7 POWERHOLD Execution
+title: Potential APT FIN7 POWERHOLD Execution
 id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
 status: test
 description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
@@ -1,4 +1,4 @@
-title: Potential FIN7 Reconnaissance/POWERTRASH Related Activity
+title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
 id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
 status: experimental
 description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
@@ -5,9 +5,10 @@ description: Detects issues with Windows Defender Real-Time Protection features
 references:
    - Internal Research
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
-    - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346
+    - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
 date: 2023/03/28
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -19,7 +20,12 @@ detection:
        EventID:
            - 3002 # Real-Time Protection feature has encountered an error and failed
            - 3007 # Real-time Protection feature has restarted
-    condition: selection
+    filter_optional_network_inspection:
+        Feature_Name: '%%886' # Network Inspection System
+        Reason:
+            - '%%892' # The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the device.
+            - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required
 level: medium
@@ -1,17 +1,17 @@
-title: CACTUSTORCH Remote Thread Creation
+title: HackTool - CACTUSTORCH Remote Thread Creation
 id: 2e4e488a-6164-4811-9ea1-f960c7359c40
 status: test
 description: Detects remote thread creation from CACTUSTORCH as described in references.
 references:
-    - https://twitter.com/SBousseaden/status/1090588499517079552
+    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019/02/01
-modified: 2022/12/25
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
-    - attack.t1055.012
    - attack.execution
+    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
@@ -1,13 +1,13 @@
-title: CobaltStrike Process Injection
+title: HackTool - Potential CobaltStrike Process Injection
 id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
 status: test
-description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
+description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
 date: 2018/11/30
-modified: 2022/12/25
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
    - attack.t1055.001
@@ -1,13 +1,14 @@
-title: KeePass Password Dumping
+title: Remote Thread Created In KeePass.EXE
 id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
 status: experimental
-description: Detects remote thread creation in KeePass.exe indicating password dumping activity
+description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
 references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
    - https://github.com/denandz/KeeFarce
    - https://github.com/GhostPack/KeeThief
 author: Timon Hackenjos
 date: 2022/04/22
+modified: 2023/05/05
 tags:
    - attack.credential_access
    - attack.t1555.005
@@ -1,16 +1,13 @@
-title: Suspicious Remote Thread Source
+title: Remote Thread Creation By Uncommon Source Image
 id: 66d31e5f-52d6-40a4-9615-002d3789a119
 status: experimental
-description: |
-  Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
-  This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.
-  It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
+description: Detects uncommon processes creating remote threads
 references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019/10/27
-modified: 2023/03/09
+modified: 2023/05/05
 tags:
    - attack.privilege_escalation
    - attack.defense_evasion
@@ -22,8 +19,8 @@ detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
-            - '\cvtres.exe'
            - '\cscript.exe'
+            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
@@ -41,7 +38,7 @@ detection:
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
-            - '\monitoringhost.exe'
+            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
@@ -66,56 +63,42 @@ detection:
            - '\w3wp.exe'
            - '\winlogon.exe'
            - '\winscp.exe'
-            - '\wmic.exe'
            - '\winword.exe'
+            - '\wmic.exe'
            - '\wscript.exe'
    filter_vs:
        - SourceImage|contains: 'Visual Studio'
        - SourceParentImage|contains: '\Programs\Microsoft VS Code\'
-    filter2:
+    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
-    filter2b:
+    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentImage: 'System'
        TargetParentProcessId: 4
-    filter3:
+    filter_main_provtool:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetParentProcessId: 0
-    filter4:
-        SourceImage|endswith: '\git.exe'
-        TargetImage|endswith:
-            - '\git.exe'
-            - 'C:\Windows\System32\conhost.exe'
-    filter5:
+    filter_main_vssvc:
        SourceImage: 'C:\Windows\System32\VSSVC.exe'
        TargetImage: 'System'
-    filter_powershell:
-        SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
-    filter_schtasks_conhost:
+    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
-    filter_nvidia:
+    filter_optional_nvidia:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
-    #filter_powerpnt:
+    #filter_optional_powerpnt:
    #    # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
    #    SourceImage|contains: '\Microsoft Office\'
    #    SourceImage|endswith: '\POWERPNT.EXE'
    #    TargetImage: 'C:\Windows\System32\csrss.exe'
-    condition: selection and not 1 of filter*
-fields:
-    - ComputerName
-    - User
-    - SourceImage
-    - TargetImage
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
-notes:
-    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
@@ -1,12 +1,15 @@
-title: Remote Thread Creation in Suspicious Targets
+title: Remote Thread Creation In Uncommon Target Image
 id: a1a144b7-5c9b-4853-a559-2172be8d4a03
+related:
+    - id: f016c716-754a-467f-a39e-63c06f773987
+      type: obsoletes
 status: experimental
-description: Detects a remote thread creation in suspicious target images
+description: Detects uncommon target processes for remote thread creation
 references:
    - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2022/09/29
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
@@ -17,20 +20,24 @@ logsource:
 detection:
    selection:
        TargetImage|endswith:
-            - '\mspaint.exe'
            - '\calc.exe'
-            - '\notepad.exe'
-            - '\sethc.exe'
-            - '\write.exe'
-            - '\wordpad.exe'
+            - '\calculator.exe'
            - '\explorer.exe'
-    filter:
+            - '\mspaint.exe'
+            - '\notepad.exe'
+            - '\ping.exe'
+            - '\sethc.exe'
+            - '\spoolsv.exe'
+            - '\wordpad.exe'
+            - '\write.exe'
+    filter_optional_aurora_1:
        StartFunction: 'EtwpNotificationThread'
-    filter_programfiles:
-        SourceImage|startswith:
-            - 'C:\Program Files\'
-            - 'C:\Program Files (x86)\'
-    condition: selection and not 1 of filter*
+    filter_optional_aurora_2:
+        SourceImage|contains: 'unknown process'
+    filter_main_spoolsv:
+        SourceImage: 'C:\Windows\System32\csrss.exe'
+        TargetImage: 'C:\Windows\System32\spoolsv.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high
@@ -34,7 +34,7 @@ detection:
            - '\UsageLogs\svchost.exe.log'
            - '\UsageLogs\wscript.exe.log'
            - '\UsageLogs\wmic.exe.log'
-    filter_rundll:
+    filter_main_rundll32:
        # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
        ParentImage|endswith: '\MsiExec.exe'
        ParentCommandLine|contains: ' -Embedding'
@@ -42,7 +42,7 @@ detection:
        CommandLine|contains|all:
            - 'Temp'
            - 'zzzzInvokeManagedCustomActionOutOfProc'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
 level: high
@@ -0,0 +1,21 @@
+title: NTDS.DIT Created
+id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
+status: experimental
+description: Detects creation of a file named "ntds.dit" (Active Directory Database)
+references:
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: 'ntds.dit'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
@@ -1,7 +1,10 @@
-title: Suspicious NTDS.DIT Creation
+title: NTDS.DIT Creation By Uncommon Parent Process
 id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
+related:
+    - id: 11b1ed55-154d-4e82-8ad7-83739298f720
+      type: similar
 status: test
-description: Detects suspicious creations of a file named "ntds.dit" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner
+description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process, directory
 references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
@@ -16,21 +19,21 @@ tags:
 logsource:
    product: windows
    category: file_event
-    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
+    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
 detection:
    selection_file:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_parent:
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|endswith:
+            - '\cscript.exe'
+            - '\httpd.exe'
+            - '\nginx.exe'
+            - '\php-cgi.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
            - '\w3wp.exe'
-            - '\php-cgi.exe'
-            - '\nginx.exe'
-            - '\httpd.exe'
+            - '\wscript.exe'
    selection_process_parent_path:
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|contains:
@@ -40,12 +43,6 @@ detection:
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
-    selection_process_child:
-        Image|contains:
-            - '\AppData\'
-            - '\Temp\'
-            - '\Public\'
-            - '\PerfLogs\'
    condition: selection_file and 1 of selection_process_*
 falsepositives:
    - Unknown
@@ -1,11 +1,14 @@
-title: Suspicious Process Writes Ntds.dit
+title: NTDS.DIT Creation By Uncommon Process
 id: 11b1ed55-154d-4e82-8ad7-83739298f720
-status: experimental
-description: Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file
+related:
+    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
+      type: similar
+status: test
+description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
 references:
    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
    - https://adsecurity.org/?p=2398
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/11
 modified: 2022/07/14
 tags:
@@ -16,18 +19,28 @@ logsource:
    product: windows
    category: file_event
 detection:
-    selection:
+    selection_ntds:
        TargetFilename|endswith: '\ntds.dit'
+    selection_process_img:
        Image|endswith:
            # Add more suspicious processes as you see fit
-            - '\powershell.exe'
-            - '\pwsh.exe'
            - '\cmd.exe'
-            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
            - '\wsl.exe'
-    condition: selection
+            - '\wt.exe'
+    selection_process_paths:
+        Image|contains:
+            - '\AppData\'
+            - '\Temp\'
+            - '\Public\'
+            - '\PerfLogs\'
+    condition: selection_ntds and 1 of selection_process_*
 falsepositives:
    - Unknown
 level: high
@@ -1,13 +1,14 @@
-title: Suspicious NTDS Exfil Filename Patterns
+title: NTDS Exfiltration Filename Patterns
 id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
 status: test
-description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
+description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
 references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
 author: Florian Roth (Nextron Systems)
 date: 2022/03/11
+modified: 2023/05/05
 tags:
    - attack.credential_access
    - attack.t1003.003
@@ -15,11 +16,11 @@ logsource:
    product: windows
    category: file_event
 detection:
-    selection_file:
+    selection:
        TargetFilename|endswith:
            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
-    condition: selection_file
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -0,0 +1,39 @@
+title: Suspicious File Created In PerfLogs
+id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
+status: experimental
+description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
+references:
+    - Internal Research
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|startswith: 'C:\PerfLogs\'
+        TargetFilename|endswith:
+            - '.7z'
+            - '.bat'
+            - '.bin'
+            - '.chm'
+            - '.dll'
+            - '.exe'
+            - '.hta'
+            - '.lnk'
+            - '.ps1'
+            - '.psm1'
+            - '.py'
+            - '.scr'
+            - '.sys'
+            - '.vbe'
+            - '.vbs'
+            - '.zip'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium
@@ -1,4 +1,4 @@
-title: Suspicious VHD Image Download From Browser
+title: VHD Image Download Via Browser
 id: 8468111a-ef07-4654-903b-b863a80bbc95
 status: test
 description: |
@@ -10,7 +10,7 @@ references:
    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/10/25
-modified: 2023/04/18
+modified: 2023/05/05
 tags:
    - attack.resource_development
    - attack.t1587.001
@@ -1,4 +1,4 @@
-title: DLL Sideloading Of DBGCORE.DLL
+title: Potential DLL Sideloading Of DBGCORE.DLL
 id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
 status: experimental
 description: Detects DLL sideloading of "dbgcore.dll"
@@ -6,7 +6,7 @@ references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/10/25
-modified: 2023/03/15
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -19,18 +19,18 @@ logsource:
 detection:
    selection:
        ImageLoaded|endswith: '\dbgcore.dll'
-    filter_generic:
+    filter_main_generic:
        ImageLoaded|startswith:
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
-            - 'C:\Windows\SoftwareDistribution\'
-            - 'C:\Windows\SystemTemp\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
-    #filter_steam:
-    #    ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
-    condition: selection and not 1 of filter_*
+            - 'C:\Windows\SoftwareDistribution\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SystemTemp\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    filter_optional_steam:
+        ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
-level: high
+level: medium
@@ -1,4 +1,4 @@
-title: DLL Sideloading Of DBGHELP.DLL
+title: Potential DLL Sideloading Of DBGHELP.DLL
 id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
 status: experimental
 description: Detects DLL sideloading of "dbghelp.dll"
@@ -6,7 +6,7 @@ references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 date: 2022/10/25
-modified: 2023/03/15
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -19,21 +19,24 @@ logsource:
 detection:
    selection:
        ImageLoaded|endswith: '\dbghelp.dll'
-    filter_generic:
-        - ImageLoaded|startswith:
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
-            - 'C:\Windows\SoftwareDistribution\'
-            - 'C:\Windows\SystemTemp\'
+    filter_main_generic:
+        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
-        - ImageLoaded|endswith:
-            - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
-            - '\Epic Games\MagicLegends\x86\dbghelp.dll'
+            - 'C:\Windows\SoftwareDistribution\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SystemTemp\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    filter_optional_anaconda:
+        ImageLoaded|endswith:
            - '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll'
            - '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll'
-    condition: selection and not 1 of filter_*
+    filter_optional_epicgames:
+        ImageLoaded|endswith:
+            - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
+            - '\Epic Games\MagicLegends\x86\dbghelp.dll'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
-level: high
+level: medium
@@ -9,7 +9,7 @@ references:
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/03/15
+modified: 2023/05/05
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -440,32 +440,29 @@ detection:
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
            - '\wbemcomn.dll'
-    filter_generic:
+    filter_main_generic:
+        # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\SystemTemp\'
-    filter_appvpolicy:
-        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+            - 'C:\$WINDOWS.~BT\'
+    filter_optional_office_appvpolicy:
        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
-    filter_azure:
+        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+    filter_optional_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
-    filter_dell:
+    filter_optional_dell:
        Image|startswith:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
-    filter_cleanmgr:
-        Image: 'C:\Windows\System32\cleanmgr.exe'
-        ImageLoaded|endswith: '\ssshim.dll'
-    filter_upgrade:
-        Image|startswith: 'C:\$WINDOWS.~BT\'
-    filter_dell_wldp:
+    filter_optional_dell_wldp:
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        Image|endswith: '\wldp.dll'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
 level: high
@@ -0,0 +1,27 @@
+title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
+id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
+status: experimental
+description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from uncommon location
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\gup.exe'
+        ImageLoaded|endswith: '\libcurl.dll'
+    filter_main_notepad_plusplus:
+        Image|endswith: '\Notepad++\updater\GUP.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium