From 9168512ec86a2f9018e49da44e87c39828625551 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 1 Jun 2023 18:18:57 +0200 Subject: [PATCH 01/50] rule: MOVEit Transfer 0day --- ...e_event_win_moveit_transfer_0day_jun23.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml diff --git a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml new file mode 100644 index 000000000..259bd5fde --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml @@ -0,0 +1,21 @@ +title: Potential MOVEit Transfer Exploitation +id: c3b2a774-3152-4989-83c1-7afc48fd1599 +status: experimental +description: Detects the creation of files with unexcpected extensions in the root folder of the MOVEit Transfer service. First reports mentioned uncommon file types in the wwwroot folder as signs of a compromised. Attackers used that folder as a staging directory for the exfiltration. +references: + - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ + - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 +author: Florian Roth +date: 2023/06/01 +tags: + - attack.t1190 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|re: '\\MOVEit Transfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat)' + condition: selection +falsepositives: + - Unknown +level: high From 74949eddd1f04c17e2bc0e347a5732ffc29c22e0 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 1 Jun 2023 18:21:02 +0200 Subject: [PATCH 02/50] doc: fix typo --- .../file_event/file_event_win_moveit_transfer_0day_jun23.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml index 259bd5fde..0c9439676 100644 --- a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml +++ b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml @@ -1,7 +1,7 @@ title: Potential MOVEit Transfer Exploitation id: c3b2a774-3152-4989-83c1-7afc48fd1599 status: experimental -description: Detects the creation of files with unexcpected extensions in the root folder of the MOVEit Transfer service. First reports mentioned uncommon file types in the wwwroot folder as signs of a compromised. Attackers used that folder as a staging directory for the exfiltration. +description: Detects the creation of files with unexpected extensions in the root folder of the MOVEit Transfer service. First reports mentioned uncommon file types in the wwwroot folder as signs of a compromised. Attackers used that folder as a staging directory for the exfiltration. references: - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 From c7cd7d0c836be176ea76d68b82ba9d9e37a4cff1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 1 Jun 2023 18:29:16 +0200 Subject: [PATCH 03/50] refactor: update with info from Rapid7 post --- .../file_event_win_moveit_transfer_0day_jun23.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml index 0c9439676..e7d03a4d0 100644 --- a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml +++ b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml 
@@ -5,6 +5,7 @@ description: Detects the creation of files with unexpected extensions in the roo references: - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 + - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ author: Florian Roth date: 2023/06/01 tags: @@ -13,9 +14,11 @@ logsource: category: file_event product: windows detection: - selection: + selection_re: TargetFilename|re: '\\MOVEit Transfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat)' - condition: selection + selection_known_ioc: + TargetFilename|contains: '\MOVEit Transfer\wwwroot\human2.aspx' + condition: 1 of selection falsepositives: - Unknown level: high From 5e54aab908a66779700e3cd549b1a03b649b7aa6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 1 Jun 2023 18:46:17 +0200 Subject: [PATCH 04/50] fix: condition --- .../file_event/file_event_win_moveit_transfer_0day_jun23.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml index e7d03a4d0..242565b56 100644 --- a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml +++ b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml @@ -18,7 +18,7 @@ detection: TargetFilename|re: '\\MOVEit Transfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat)' selection_known_ioc: TargetFilename|contains: '\MOVEit Transfer\wwwroot\human2.aspx' - condition: 1 of selection + condition: 1 of selection_* falsepositives: - Unknown level: high From e98d480e238c9fe95e2c01bb58b7b4e51c3c96e4 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 1 Jun 2023 21:30:30 +0200 Subject: [PATCH 05/50] chore: update metadata --- .../MOVEit-Transfer-Unknown-Exploit/README.md | 15 ++++++++ ...vent_win_exploit_other_moveit_transfer.yml | 38 +++++++++++++++++++ ...e_event_win_moveit_transfer_0day_jun23.yml | 24 ------------ 3 files changed, 53 insertions(+), 24 deletions(-) create mode 100644 rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md create mode 100644 rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml delete mode 100644 rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md new file mode 100644 index 000000000..380835108 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md @@ -0,0 +1,15 @@ +# MOVEit Transfer Critical Vulnerability (May 2023) + +## Summary + +Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. + +You can find more information on the threat in the following articles: + +- [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/) +- [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023) +- [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/) + +## Rules + +- []() 
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
new file mode 100644
index 000000000..19406ac77
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
@@ -0,0 +1,38 @@
+title: Potential MOVEit Transfer Exploitation
+id: c3b2a774-3152-4989-83c1-7afc48fd1599
+status: experimental
+description: |
+ Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service.
+ Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration.
+references:
+ - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
+ - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
+ - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
+ - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_generic:
+ TargetFilename|contains: '\MOVEit Transfer\wwwroot\'
+ TargetFilename|endswith:
+ - '.7z'
+ - '.bat'
+ - '.dll'
+ - '.exe'
+ - '.ps1'
+ - '.rar'
+ - '.vbe'
+ - '.vbs'
+ - '.zip'
+ selection_known_ioc:
+ TargetFilename|endswith: '\MOVEit Transfer\wwwroot\human2.aspx'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
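Review bot: Replacing the `[^\\]{1,40}` regex (which only matched files directly in wwwroot) with `TargetFilename|contains: '\MOVEit Transfer\wwwroot\'` plus `endswith` widens the match to every subdirectory, and `.dll` was added at the same time, so assemblies written below wwwroot during a product install or upgrade (for instance under a `wwwroot\bin\` directory, if the deployment keeps them there as ASP.NET applications commonly do) will fire at level high while `falsepositives` claims "Unlikely". Either add an exclusion such as `filter_main_bin: TargetFilename|contains: '\MOVEit Transfer\wwwroot\bin\'` with `condition: 1 of selection_* and not 1 of filter_main_*`, or list the upgrade case under `falsepositives`. `selection_known_ioc` pins a single attacker-chosen file name; a comment `# webshell name reported in the Rapid7 write-up; other names are possible` and an `attack.persistence` / `attack.t1505.003` tag for the web-shell case would make triage easier.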
diff --git a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml b/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml deleted file mode 100644 index 242565b56..000000000 --- a/rules/windows/file/file_event/file_event_win_moveit_transfer_0day_jun23.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Potential MOVEit Transfer Exploitation -id: c3b2a774-3152-4989-83c1-7afc48fd1599 -status: experimental -description: Detects the creation of files with unexpected extensions in the root folder of the MOVEit Transfer service. First reports mentioned uncommon file types in the wwwroot folder as signs of a compromised. Attackers used that folder as a staging directory for the exfiltration. -references: - - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ - - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 - - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ -author: Florian Roth -date: 2023/06/01 -tags: - - attack.t1190 -logsource: - category: file_event - product: windows -detection: - selection_re: - TargetFilename|re: '\\MOVEit Transfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat)' - selection_known_ioc: - TargetFilename|contains: '\MOVEit Transfer\wwwroot\human2.aspx' - condition: 1 of selection_* -falsepositives: - - Unknown -level: high From 714d603110f6c6655b74c3733e91744bcd8c10ff Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 1 Jun 2023 21:31:24 +0200 Subject: [PATCH 06/50] Update README.md --- .../2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md index 380835108..d66c74606 100644 --- a/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md +++ b/rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md @@ -12,4 +12,4 @@ You can find more information on the threat in the following articles: ## Rules -- []() +- [Potential MOVEit Transfer Exploitation](./file_event_win_exploit_other_moveit_transfer.yml) From 6a476a61376bdab15b69a94901c7af1da2f24148 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Jun 2023 09:18:17 +0200 Subject: [PATCH 07/50] rules: Op Triangulation --- ...amberts_ios_implant_c2_beacon_activity.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml diff --git a/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml new file mode 100644 index 000000000..5e3c75c7d --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml 
@@ -0,0 +1,34 @@ +title: Potential Operation Triangulation C2 Beaconing Activity +id: aa03c712-75c6-438b-8d42-de88f2427e09 +status: experimental +description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB +references: + - https://securelist.com/operation-triangulation/109842/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/01 +tags: + - attack.command_and_control +logsource: + category: proxy +detection: + selection: + cs-host|contains: + - 'addatamarket.net' + - 'backuprabbit.com' + - 'businessvideonews.com' + - 'cloudsponcer.com' + - 'datamarketplace.net' + - 'mobilegamerstats.com' + - 'snoweeanalytics.com' + - 'tagclickcn[.]com' + - 'topographyupdates.com' + - 'unlimitedteacup.com' + - 'virtuallaughing.com' + - 'webtackers[.]com' + - 'growthtransport.com' + - 'anstv.net' + - 'ans7tv.net' + condition: selection +falsepositives: + - Unknown +level: high From 32dc79e39b209ad6e950a90787e63d999125f617 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Jun 2023 09:23:42 +0200 Subject: [PATCH 08/50] Update proxy_lamberts_ios_implant_c2_beacon_activity.yml --- .../proxy_lamberts_ios_implant_c2_beacon_activity.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml index 5e3c75c7d..d193bb00b 100644 --- a/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml +++ b/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml 
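Review bot: `cs-host|contains` with bare apex names is a substring test, so `anstv.net` also matches hosts such as `meanstv.net` or `anstv.network` and `datamarketplace.net` matches `mydatamarketplace.net`; for a high-level IOC rule the match should be exact or suffix-based. Use a plain `cs-host:` list for the apex names plus a `cs-host|endswith:` list of the same names prefixed with a dot (`'.anstv.net'`) so subdomains are still caught without the substring collisions. Two entries are written defanged (`tagclickcn[.]com`, `webtackers[.]com`) and can never match a real hostname as spelled; the following patch in this series replaces them.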
@@ -20,11 +20,11 @@ detection: - 'datamarketplace.net' - 'mobilegamerstats.com' - 'snoweeanalytics.com' - - 'tagclickcn[.]com' + - 'tagclick-cdn.com' - 'topographyupdates.com' - 'unlimitedteacup.com' - 'virtuallaughing.com' - - 'webtackers[.]com' + - 'web-trackers.com' - 'growthtransport.com' - 'anstv.net' - 'ans7tv.net' From 8ca0ea2969ea1486560073c854c4944355ab8b67 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Jun 2023 09:31:29 +0200 Subject: [PATCH 09/50] Op Triangulation DNS rule; references --- .../TA/Lamberts/net_dns_susp_telegram_api.yml | 38 +++++++++++++++++++ ...amberts_ios_implant_c2_beacon_activity.yml | 8 +++- 2 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 rules-emerging-threats/2023/TA/Lamberts/net_dns_susp_telegram_api.yml diff --git a/rules-emerging-threats/2023/TA/Lamberts/net_dns_susp_telegram_api.yml b/rules-emerging-threats/2023/TA/Lamberts/net_dns_susp_telegram_api.yml new file mode 100644 index 000000000..d06867b66 --- /dev/null +++ b/rules-emerging-threats/2023/TA/Lamberts/net_dns_susp_telegram_api.yml 
@@ -0,0 +1,38 @@ +title: Potential Operation Triangulation C2 Beaconing Activity - DNS +id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 +status: experimental +description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB +related: + - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2 + type: similar +references: + - https://securelist.com/operation-triangulation/109842/ + - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp +author: Florian Roth (Nextron Systems) +date: 2023/06/01 +tags: + - attack.command_and_control +logsource: + category: dns +detection: + selection: + query: + - 'addatamarket.net' + - 'backuprabbit.com' + - 'businessvideonews.com' + - 'cloudsponcer.com' + - 'datamarketplace.net' + - 'mobilegamerstats.com' + - 'snoweeanalytics.com' + - 'tagclick-cdn.com' + - 'topographyupdates.com' + - 'unlimitedteacup.com' + - 'virtuallaughing.com' + - 'web-trackers.com' + - 'growthtransport.com' + - 'anstv.net' + - 'ans7tv.net' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml index d193bb00b..992dfca80 100644 --- a/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml +++ b/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml 
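Review bot: `query:` with no modifier is an exact whole-value match, so a lookup for any subdomain of these names (e.g. `cdn.backuprabbit.com`) is not detected, whereas the related proxy rule (`aa03c712-…`) uses `cs-host|contains`; the two rules will disagree on the same infrastructure. Add a suffix list next to the exact one, e.g. `query|endswith:` with dot-prefixed entries such as `'.backuprabbit.com'`, and state in `description` that the apex names and their subdomains are what is covered. The second reference is a Google-Translate proxy URL (`www-fsb-ru.translate.goog`), which is neither stable nor the primary source; cite the original `http://www.fsb.ru/fsb/press/message/single.htm!id=10439739@fsbMessage.html` (the translate link encodes `_x_tr_sch=http`) and keep the translated link only as a convenience.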
@@ -1,10 +1,14 @@ -title: Potential Operation Triangulation C2 Beaconing Activity +title: Potential Operation Triangulation C2 Beaconing Activity - Proxy id: aa03c712-75c6-438b-8d42-de88f2427e09 status: experimental description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB +related: + - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2 + type: similar references: - https://securelist.com/operation-triangulation/109842/ -author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) + - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp +author: Florian Roth (Nextron Systems) date: 2023/06/01 tags: - attack.command_and_control From 413ac57a104c0bae2747312e92b0828eadeb2f77 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Jun 2023 09:34:19 +0200 Subject: [PATCH 10/50] refactor: TA folder renamed --- .../TA/{Lamberts => EquationGroup}/net_dns_susp_telegram_api.yml | 0 .../proxy_lamberts_ios_implant_c2_beacon_activity.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules-emerging-threats/2023/TA/{Lamberts => EquationGroup}/net_dns_susp_telegram_api.yml (100%) rename rules-emerging-threats/2023/TA/{Lamberts => EquationGroup}/proxy_lamberts_ios_implant_c2_beacon_activity.yml (100%) diff --git a/rules-emerging-threats/2023/TA/Lamberts/net_dns_susp_telegram_api.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_susp_telegram_api.yml similarity index 100% rename from rules-emerging-threats/2023/TA/Lamberts/net_dns_susp_telegram_api.yml rename to rules-emerging-threats/2023/TA/EquationGroup/net_dns_susp_telegram_api.yml 
diff --git a/rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_lamberts_ios_implant_c2_beacon_activity.yml similarity index 100% rename from rules-emerging-threats/2023/TA/Lamberts/proxy_lamberts_ios_implant_c2_beacon_activity.yml rename to rules-emerging-threats/2023/TA/EquationGroup/proxy_lamberts_ios_implant_c2_beacon_activity.yml From 165e36648fe525154365e682423f67d5f31494ce Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Jun 2023 11:11:27 +0200 Subject: [PATCH 11/50] chore: rename and order --- ...t_dns_apt_equation_group_triangulation_c2_coms.yml} | 10 +++++----- ...proxy_apt_equation_group_triangulation_c2_coms.yml} | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) rename rules-emerging-threats/2023/TA/EquationGroup/{net_dns_susp_telegram_api.yml => net_dns_apt_equation_group_triangulation_c2_coms.yml} (100%) rename rules-emerging-threats/2023/TA/EquationGroup/{proxy_lamberts_ios_implant_c2_beacon_activity.yml => proxy_apt_equation_group_triangulation_c2_coms.yml} (100%) diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_susp_telegram_api.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml similarity index 100% rename from rules-emerging-threats/2023/TA/EquationGroup/net_dns_susp_telegram_api.yml rename to rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml index d06867b66..d4b33ec77 100644 --- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_susp_telegram_api.yml +++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml 
@@ -1,10 +1,10 @@ title: Potential Operation Triangulation C2 Beaconing Activity - DNS id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 -status: experimental -description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB related: - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2 type: similar +status: experimental +description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB references: - https://securelist.com/operation-triangulation/109842/ - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp @@ -18,10 +18,13 @@ detection: selection: query: - 'addatamarket.net' + - 'ans7tv.net' + - 'anstv.net' - 'backuprabbit.com' - 'businessvideonews.com' - 'cloudsponcer.com' - 'datamarketplace.net' + - 'growthtransport.com' - 'mobilegamerstats.com' - 'snoweeanalytics.com' - 'tagclick-cdn.com' @@ -29,9 +32,6 @@ detection: - 'unlimitedteacup.com' - 'virtuallaughing.com' - 'web-trackers.com' - - 'growthtransport.com' - - 'anstv.net' - - 'ans7tv.net' condition: selection falsepositives: - Unknown diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_lamberts_ios_implant_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml similarity index 100% rename from rules-emerging-threats/2023/TA/EquationGroup/proxy_lamberts_ios_implant_c2_beacon_activity.yml rename to rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml index 992dfca80..e5cb18a87 100644 --- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_lamberts_ios_implant_c2_beacon_activity.yml +++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml 
@@ -1,10 +1,10 @@ title: Potential Operation Triangulation C2 Beaconing Activity - Proxy id: aa03c712-75c6-438b-8d42-de88f2427e09 -status: experimental -description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB related: - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2 type: similar +status: experimental +description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB references: - https://securelist.com/operation-triangulation/109842/ - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp @@ -18,10 +18,13 @@ detection: selection: cs-host|contains: - 'addatamarket.net' + - 'ans7tv.net' + - 'anstv.net' - 'backuprabbit.com' - 'businessvideonews.com' - 'cloudsponcer.com' - 'datamarketplace.net' + - 'growthtransport.com' - 'mobilegamerstats.com' - 'snoweeanalytics.com' - 'tagclick-cdn.com' @@ -29,9 +32,6 @@ detection: - 'unlimitedteacup.com' - 'virtuallaughing.com' - 'web-trackers.com' - - 'growthtransport.com' - - 'anstv.net' - - 'ans7tv.net' condition: selection falsepositives: - Unknown From ad5207dbcaef9d1c8f74e149708a947a83b36345 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 4 Jun 2023 23:40:13 +0200 Subject: [PATCH 12/50] rule: renamed AutoIt executable --- .../proc_creation_win_renamed_autoit.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_autoit.yml diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml new file mode 100644 index 000000000..b52da558a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml 
@@ -0,0 +1,37 @@
+title: Renamed AutoIt Execution
+id: f4264e47-f522-4c38-a420-04525d5b880f
+status: test
+description: Detects the use of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
+references:
+ - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
+ - https://www.autoitscript.com/site/
+author: Florian Roth (Nextron Systems)
+date: 2023/06/04
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - ' /AutoIt3ExecuteScript'
+ - ' /ErrorStdOut'
+ selection_2:
+ - Imphash:
+ - fdc554b3a8683918d731685855683ddf # AutoIt v2 - doesn't cover all binaries
+ - cd30a61b60b3d60cecdb034c8c83c290 # AutoIt v2 - doesn't cover all binaries
+ - Hashes|contains:
+ - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
+ - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
+ selection_3:
+ OriginalFileName:
+ - 'AutoIt3.exe'
+ - 'AutoIt2.exe'
+ filter:
+ Image|contains: 'AutoIt'
+ condition: 1 of selection* and not filter
+falsepositives:
+ - Unknown
+level: high
From a58f4e090e2f209f6fed52460559f9e43e3a5aea Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Jun 2023 10:31:09 +0200
Subject: [PATCH 13/50] chore: fix format
---
 .../proc_creation_win_renamed_autoit.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
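Review bot: The inline comments on both `Imphash` values say "AutoIt v2", yet the description promises coverage of renamed AutoIt3.exe; if the second hash is actually a v3 build the comment is wrong, and if both really are v2 then v3 is only caught through `OriginalFileName` and the command-line switches, which should be stated, e.g. `# no v3 imphash known yet - v3 relies on selection_1/selection_3`. `selection_1` fires on any process whose command line contains ` /ErrorStdOut`; if compiled AutoIt scripts also honour that switch (worth confirming against the AutoIt documentation, since such executables never carry an AutoIt image name), this selector alone will generate level-high hits on every such run and deserves its own `falsepositives` entry. `attack.t1027` (obfuscated files) does not describe a renamed interpreter; `attack.t1036.003` (masquerading by renaming) is the tag commonly used for renamed-binary rules and would fit better.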
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml index b52da558a..fae512eb7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml @@ -1,7 +1,10 @@ title: Renamed AutoIt Execution id: f4264e47-f522-4c38-a420-04525d5b880f -status: test -description: Detects the use of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. +status: experimental +description: | + Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. + AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. + Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. references: - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w - https://www.autoitscript.com/site/ @@ -29,9 +32,9 @@ detection: OriginalFileName: - 'AutoIt3.exe' - 'AutoIt2.exe' - filter: + filter_main_legit_name: Image|contains: 'AutoIt' - condition: 1 of selection* and not filter + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high From 0348c1adbb6b3de16e2adf421a10f4d1b13f523e Mon Sep 17 00:00:00 2001 
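Review bot: `filter_main_legit_name` uses `Image|contains: 'AutoIt'`, which tests the whole path, so a renamed interpreter dropped into any directory whose name contains that string (e.g. `C:\Tools\AutoIt-Scripts\svc.exe`) is excluded and the rule is bypassed for exactly the case it targets. Match on the file name instead, e.g. `Image|endswith:` with `'\AutoIt3.exe'`, `'\AutoIt3_x64.exe'` and `'\AutoIt2.exe'` (add the remaining shipped interpreter names, such as the ANSI `AutoIt3A*.exe` builds, after checking the distribution). The selections this filter is combined with (`selection_1`, `selection_2`) start outside this hunk.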
From: Daniel Bohannon <17295051+danielbohannon@users.noreply.github.com>
Date: Tue, 6 Jun 2023 17:08:14 -0400
Subject: [PATCH 14/50] Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
---
 ...ws_iam_s3browser_loginprofile_creation.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
diff --git a/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
new file mode 100644
index 000000000..3cf7a7fbf
--- /dev/null
+++ b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
@@ -0,0 +1,29 @@
+title: AWS IAM S3Browser LoginProfile Creation
+id: db014773-b1d3-46bd-ba26-133337c0ffee
+status: experimental
+description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
+references:
+ - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: daniel.bohannon@permiso.io (@danielhbohannon)
+date: 2023/05/17
+modified: 2023/05/17
+tags:
+ - attack.execution
+ - attack.t1059.009
+ - attack.persistence
+ - attack.t1078.004
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection_source:
+ eventSource: iam.amazonaws.com
+ eventName:
+ - GetLoginProfile
+ - CreateLoginProfile
+ filter_tooling:
+ userAgent|contains: 'S3 Browser'
+ condition: selection_source and filter_tooling
+falsepositives:
+ - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
+level: high
From 3341303c456bdea80b6a62439a5e49292a153982 Mon Sep 17 00:00:00 2001
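Review bot: `filter_tooling` is combined with `and`, not `and not`, so it is a positive selector; naming it `filter_` inverts the convention used elsewhere in this series where `filter_*` blocks are negated (`not 1 of filter_main_*`), and a later refactor to that idiom would silently flip the rule. Rename it `selection_tooling` and write `condition: all of selection_*`. `userAgent|contains: 'S3 Browser'` keys on a client-controlled header, so add `# matches the tool's default user agent only; a modified UA evades this` and mention it under `falsepositives`. `attack.t1078.004` describes use of a valid cloud account, whereas `CreateLoginProfile` adds console credentials to an existing user, which is closer to `attack.t1098` (Account Manipulation) and worth adding alongside. `modified: 2023/05/17` merely repeats `date` and can be dropped until the rule is actually changed.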
From: Florian Roth Date: Fri, 9 Jun 2023 12:57:47 +0200 Subject: [PATCH 15/50] rule: LibSSH exploitation CVE-2023-2283 --- .../builtin/sshd/lnx_libssh_cve_2023_2283.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml diff --git a/rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml b/rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml new file mode 100644 index 000000000..032c8506c --- /dev/null +++ b/rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml @@ -0,0 +1,22 @@ +title: LibSSH Error Message CVE-2023-2283 +id: 8b244735-5833-4517-a45b-28d8c63924c0 +status: experimental +description: Detects potential exploitation attempt of CVE-2023-2283 in libSSH which causes an error message stating that keys for curve25519 couldn't be generated. It is an error message that is a sign of an exploitation attempt. It's not a sign of a successful exploitation. +references: + - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20 + - https://nvd.nist.gov/vuln/detail/CVE-2023-2283 + - https://www.blumira.com/cve-2023-2283/ +author: Florian Roth (Nextron Systems) +date: 2023/06/09 +tags: + - attack.t1190 +logsource: + product: linux + service: sshd +detection: + keywords: + - 'Failed to generate curve25519 keys' + condition: keywords +falsepositives: + - Other unknown conditions that could lead to the generation of this error message +level: high From bc90076967a9be526e7069bb7130f8be3fcf59f2 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Jun 2023 01:02:31 +0200 Subject: [PATCH 16/50] chore: move to emerging threat and update metadata --- ...2023_2283_libssh_authentication_bypass.yml | 26 +++++++++++++++++++ .../builtin/sshd/lnx_libssh_cve_2023_2283.yml | 22 ---------------- 2 files changed, 26 insertions(+), 22 deletions(-) create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml delete mode 100644 rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml new file mode 100644 index 000000000..632384564 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml 
@@ -0,0 +1,26 @@
+title: Potential CVE-2023-2283 Exploitation
+id: 8b244735-5833-4517-a45b-28d8c63924c0
+status: experimental
+description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 couldn't be generated. It is an error message that is a sign of an exploitation attempt. It's not a sign of a successful exploitation.
+references:
+ - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
+ - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
+ - https://www.blumira.com/cve-2023-2283/
+ - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
+author: Florian Roth (Nextron Systems)
+date: 2023/06/09
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2023.2283
+logsource:
+ product: linux
+ service: sshd
+detection:
+ keywords:
+ - 'Failed to generate curve25519 keys'
+ condition: keywords
+falsepositives:
+ - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
+level: medium
diff --git a/rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml b/rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml
deleted file mode 100644
index 032c8506c..000000000
--- a/rules/linux/builtin/sshd/lnx_libssh_cve_2023_2283.yml
+++ /dev/null
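Review bot: The logsource `service: sshd` may not reach the daemons that emit this message: the referenced curve25519.c belongs to libSSH, a library embedded in third-party SSH servers, while backends typically map `service: sshd` to the OpenSSH daemon's log stream, so a libSSH-based server logging through its own application may be missed. If that holds for the intended backends, widen the logsource or state in `description` where the keyword is expected, e.g. `Note: the message is written by the application embedding libSSH and may not appear under the sshd service/unit.` The description also reads better with a comma, `exploitation attempt of CVE-2023-2283, an authentication bypass in libSSH`.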
@@ -1,22 +0,0 @@
-title: LibSSH Error Message CVE-2023-2283
-id: 8b244735-5833-4517-a45b-28d8c63924c0
-status: experimental
-description: Detects potential exploitation attempt of CVE-2023-2283 in libSSH which causes an error message stating that keys for curve25519 couldn't be generated. It is an error message that is a sign of an exploitation attempt. It's not a sign of a successful exploitation.
-references:
- - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
- - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
- - https://www.blumira.com/cve-2023-2283/
-author: Florian Roth (Nextron Systems)
-date: 2023/06/09
-tags:
- - attack.t1190
-logsource:
- product: linux
- service: sshd
-detection:
- keywords:
- - 'Failed to generate curve25519 keys'
- condition: keywords
-falsepositives:
- - Other unknown conditions that could lead to the generation of this error message
-level: high
From 557102fdfd98ccb589b55ae21d97b10bac8809e4 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 12 Jun 2023 08:36:27 +0200
Subject: [PATCH 17/50] fix: wording
---
 ..._sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
index 632384564..f1a3fd561 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
@@ -1,7 +1,7 @@
 title: Potential CVE-2023-2283 Exploitation
 id: 8b244735-5833-4517-a45b-28d8c63924c0
 status: experimental
-description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 couldn't be generated. It is an error message that is a sign of an exploitation attempt. It's not a sign of a successful exploitation.
+description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
 references:
 - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
 - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
From a5786fc11bd87180bebf74281807aba5146b56cc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jun 2023 19:32:58 +0200
Subject: [PATCH 18/50] fix: typo in rule
---
 .../registry_event_mimikatz_printernightmare.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 669c834f4..d7f15aaec 100644
--- a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -1,4 +1,4 @@
-title: PrinterNightmare Mimimkatz Driver Name
+title: PrinterNightmare Mimikatz Driver Name
 id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 status: test
 description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
@@ -6,9 +6,11 @@ references:
 - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
 - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+ - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+ - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: Markus Neis, @markus_neis, Florian Roth
 date: 2021/07/04
-modified: 2022/10/09
+modified: 2023/06/12
 tags:
 - attack.execution
 - attack.t1204
From d7332e53bdbdb04661098382778bf12b51ec49b4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jun 2023 19:33:18 +0200
Subject: [PATCH 19/50] add RustDesk domains to rule
---
 .../dns_query_win_remote_access_software_domains.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
index 8b0bafaa1..5e46475c9 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
@@ -19,7 +19,7 @@ references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: frack113, Connor Martin
 date: 2022/07/11
-modified: 2023/04/18
+modified: 2023/06/14
 tags:
 - attack.command_and_control
 - attack.t1219
@@ -27,7 +27,7 @@ logsource:
 product: windows
 category: dns_query
 detection:
- selection:
+ selection_name:
 QueryName|endswith:
 - '.getgo.com'
 - '.logmein.com'
@@ -72,6 +72,9 @@ detection:
 - 'relay.kaseya.net'
 - 'license.bomgar.com'
 - '.beyondtrustcloud.com'
+ selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
+ QueryName|endswith: '.rustdesk.com'
+ QueryName|startswith: 'rs-'
 # Exclude browsers for legitimate visits of the domains mentioned above
 # Add missing browsers you use and exclude the ones you don't
 filter_optional_brave:
@@ -113,7 +116,7 @@ detection:
 Image|endswith: '\vivaldi.exe'
 filter_optional_whale:
 Image|endswith: '\whale.exe'
- condition: selection and not 1 of filter_optional_*
+ condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
 - Likely with other browser software
 level: medium
From f65ebba31aa2eb258d59b059af559535fd4f5d43 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 17 Jun 2023 09:00:30 +0200
Subject: [PATCH 20/50] fix: FP with keyword
---
 .../powershell_script/posh_ps_malicious_keywords.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 9a1326c6e..77c0fcfcd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -6,7 +6,7 @@ references:
 - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 date: 2017/03/05
-modified: 2022/12/25
+modified: 2023/06/17
 tags:
 - attack.execution
 - attack.t1059.001
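Review bot: The justification for `selection_rustdesk` is a roughly 170-character inline comment carrying two URLs; the rule already maintains a `references` list (visible in the `@@ -19,7` hunk), so the links belong there and the comment can shrink to `# RustDesk servers resolve as rs-*.rustdesk.com (see references)`. Pairing `QueryName|endswith` with `QueryName|startswith` inside one map is an AND, which is what is wanted here, and a one-line comment saying so would stop a later edit from splitting them into two selections. The switch to `1 of selection_*` in the `@@ -113,7` hunk also applies the browser filters to the RustDesk selection, which looks intended but deserves a mention in the commit message.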
@@ -22,7 +22,7 @@ detection:
 - 'Microsoft.Win32.UnsafeNativeMethods'
 - 'ReadProcessMemory.Invoke'
 - 'SE_PRIVILEGE_ENABLED'
- - 'LSA_UNICODE_STRING'
+ # - 'LSA_UNICODE_STRING' # FPs with https://github.com/nsacyber/Windows-Secure-Host-Baseline/blob/a0bdd660753327addc3bf4c0500d03c2770a4740/Compliance/Scripts/Compliance.psm1#L600
 - 'MiniDumpWriteDump'
 - 'PAGE_EXECUTE_READ'
 - 'SECURITY_DELEGATION'
From 1562630a17acff39cf4fd8a4caa6e9936b298850 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 23 Jun 2023 10:16:53 +0200
Subject: [PATCH 21/50] chore: update structure
---
 .../aws/aws_iam_s3browser_loginprofile_creation.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
index 3cf7a7fbf..d1f6ce239 100644
--- a/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
@@ -6,24 +6,22 @@ references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
 date: 2023/05/17
-modified: 2023/05/17
 tags:
 - attack.execution
- - attack.t1059.009
 - attack.persistence
+ - attack.t1059.009
 - attack.t1078.004
 logsource:
 product: aws
 service: cloudtrail
 detection:
- selection_source:
+ selection:
 eventSource: iam.amazonaws.com
 eventName:
- - GetLoginProfile
- - CreateLoginProfile
- filter_tooling:
+ - 'GetLoginProfile'
+ - 'CreateLoginProfile'
 userAgent|contains: 'S3 Browser'
- condition: selection_source and filter_tooling
+ condition: selection
 falsepositives:
 - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
 level: high
From e59f9d6f614990280cac635f0d672bf146f6b851 Mon Sep 17 00:00:00 2001
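Review bot: The commented-out `# - 'LSA_UNICODE_STRING' # FPs with https://github.com/nsacyber/...` entry leaves dead configuration with a 150-character URL inside the keyword list, where nothing renders it; delete the entry and move the Compliance.psm1 link to `references` with a short note such as `# LSA_UNICODE_STRING dropped 2023/06/17: legitimate use in NSA Windows-Secure-Host-Baseline Compliance.psm1` near the list head, so the reason the keyword was removed survives. If the keyword is still wanted for hunting, the alternative is to keep it live and add the known script as a filter rather than silencing it in a comment.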
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 23 Jun 2023 10:17:09 +0200
Subject: [PATCH 22/50] chore: add missing quotes
---
 rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
index d1f6ce239..6755f3547 100644
--- a/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml
@@ -16,7 +16,7 @@ logsource:
 service: cloudtrail
 detection:
 selection:
- eventSource: iam.amazonaws.com
+ eventSource: 'iam.amazonaws.com'
 eventName:
 - 'GetLoginProfile'
 - 'CreateLoginProfile'
From 18e07cad4b3f2f20380d68d9b4a6a71585b6d4c7 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Wed, 28 Jun 2023 17:03:51 -0400
Subject: [PATCH 23/50] Create posh_pm_susp_netfirewallrule_reco.yml
---
 .../posh_pm_susp_netfirewallrule_reco.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml
new file mode 100644
index 000000000..f50baced6
--- /dev/null
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml
@@ -0,0 +1,27 @@
+title: Suspicious Local Firewall Enumeration
+id: ea207a23-b441-4a17-9f76-ad5be47d51d3
+status: experimental
+description: Adversaries may leverage Get-NetFirewallRule or Show-NetFirewallRule to enumerate the local firewall rules on a host.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
+ - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
+date: 2023/06/28
+tags:
+ - attack.discovery
+ - attack.t1518.001
+ - attack.t1016
+logsource:
+ product: windows
+ category: ps_module
+ definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
+detection:
+ selection:
+ - Payload|contains: Get-NetFirewallRule
+ - ContextInfo|contains: Get-NetFirewallRule
+ - Payload|contains: Show-NetFirewallRule
+ - ContextInfo|contains: Show-NetFirewallRule
+ condition: selection
+falsepositives:
+ - Administrator script
+level: low
From 2e96df4a11078ee4f79560d43df1aa7e2218862e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 2 Jul 2023 12:23:12 +0200
Subject: [PATCH 24/50] Add posh_ps_reg_query_registry
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../posh_ps_reg_query_registry.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
new file mode 100644
index 000000000..1174a760a
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
@@ -0,0 +1,38 @@
+title: Potential Configuration And Service Reconnaissance Via Powershell
+id: 064060aa-09fb-4636-817f-020a32aa7e9e
+related:
+ - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
+ type: similar
+status: experimental
+description: Detects the usage of Powershell in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
+author: frack113
+date: 2023/07/02
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.t1007
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains:
+ - 'Get-Item'
+ - 'Get-ChildItem'
+ selection_flag:
+ ScriptBlockText|contains: '-Path'
+ selection_key:
+ ScriptBlockText|contains:
+ - 'CurrentVersion\Windows'
+ - 'winlogon\'
+ - 'CurrentVersion\ShellServiceObjectDelayLoad'
+ - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
+ - 'CurrentVersion\Policies\Explorer\Run'
+ - 'currentcontrolset\services'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
From ba730ee8bac1363de7a89f501fd4891225be6084 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 8 Jul 2023 11:38:52 +0200
Subject: [PATCH 25/50] Add posh_ps_mailbox_access
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../posh_ps_mailbox_access.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
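Review bot: `selection_flag` requires the literal `-Path`, but `Get-Item` and `Get-ChildItem` take the path positionally (`Get-ChildItem 'HKLM:\...\CurrentVersion\Run'`) and also accept `-LiteralPath`, so with `condition: all of selection_*` those invocations never match. If the flag was added only to cut noise, either drop `selection_flag` or document the gap in `description`, e.g. `Requires the -Path parameter to be spelled out; positional path arguments and -LiteralPath are not covered.` A short comment on the `'Get-Item'` line noting that it deliberately also matches `Get-ItemProperty` would save the next reader a check.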
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
new file mode 100644
index 000000000..a29de6c8c
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
@@ -0,0 +1,22 @@
+title: Powershell Maibox Access
+id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
+status: experimental
+description: Detects powershell scripts that use mailbox path
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
+author: frack113
+date: 2023/07/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.008
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ ScriptBlockText|contains: '\Comms\Unistore\data'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
From 4f11b2c0732184c3671dffbdfa169ad999642ffc Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 8 Jul 2023 12:07:59 +0200
Subject: [PATCH 26/50] Delete proc_creation_win_findstr_susp_parent.yml
---
 .../proc_creation_win_findstr_susp_parent.yml | 29 -------------------
 1 file changed, 29 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
deleted file mode 100644
index 8eaf69101..000000000
--- a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
+++ /dev/null
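Review bot: The title has a typo, `Powershell Maibox Access` should be `Powershell Mailbox Access`. The description `Detects powershell scripts that use mailbox path` does not say which path; the selection string appears to be the Windows Mail app's local store under `\Comms\Unistore\data`, and if that is confirmed the description should say so, e.g. `Detects PowerShell script blocks referencing the Windows Mail app data store (\Comms\Unistore\data), as used to access or clear local mailbox data (T1070.008).` A `falsepositives` entry more specific than `Unknown` would also help, since backup or migration scripts may legitimately touch that directory.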
@@ -1,29 +0,0 @@
-title: Findstr Suspicious ParentCommandLine
-id: ccb5742c-c248-4982-8c5c-5571b9275ad3
-related:
- - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
- type: derived
-status: experimental
-description: Detects findstring commands with a suspicious ParentCommandLine
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
-author: frack113
-date: 2023/07/06
-tags:
- - attack.discovery
- - attack.t1057
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_findstr_img:
- - Image|endswith: '\findstr.exe'
- - OriginalFileName: 'FINDSTR.EXE'
- selection_findstr_parent:
- ParentCommandLine|contains: 'tasklist'
- filter_optional_httpd:
- CommandLine|contains: 'httpd.exe'
- condition: all of selection_findstr_* and not 1 of filter_optional_*
-falsepositives:
- - Unknown
-level: medium
From 6f261ae9c05322e17809b9952e3cb5c5d9d1165f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 13 Jul 2023 10:56:27 +0200
Subject: [PATCH 27/50] chore: move to TH folder
---
 .../posh_pm_susp_netfirewallrule_recon.yml | 31 +++++++++++++++++++
 .../posh_pm_susp_netfirewallrule_reco.yml | 27 ----------------
 2 files changed, 31 insertions(+), 27 deletions(-)
 create mode 100644 rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
 delete mode 100644 rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml
diff --git a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
new file mode 100644
index 000000000..50b32bc54
--- /dev/null
+++ b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
@@ -0,0 +1,31 @@
+title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
+id: ea207a23-b441-4a17-9f76-ad5be47d51d3
+status: experimental
+description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
+ - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
+author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+date: 2023/07/13
+tags:
+ - detection.threat_hunting
+ - attack.discovery
+ - attack.t1518.001
+ - attack.t1016
+logsource:
+ product: windows
+ category: ps_module
+ definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
+detection:
+ selection_payload:
+ Payload|contains:
+ - 'Get-NetFirewallRule'
+ - 'Show-NetFirewallRule'
+ selection_contextinfo:
+ ContextInfo|contains:
+ - 'Get-NetFirewallRule'
+ - 'Show-NetFirewallRule'
+ condition: 1 of selection_*
+falsepositives:
+ - Administration scripts
+level: low
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml
deleted file mode 100644
index f50baced6..000000000
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_reco.yml
+++ /dev/null
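Review bot: `definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b` is a bare, unquoted UUID where the other new rules in this series write a human-readable requirement (`definition: 'Requirements: Script Block Logging must be enabled'`); if the id refers to a logsource or configuration rule, say so in words and quote the value, e.g. `definition: 'Requirements: PowerShell Module Logging must be enabled; see rule 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b'` if that is indeed what it requires. Every other string scalar in the file is single-quoted, so the unquoted identifier also stands out stylistically.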
@@ -1,27 +0,0 @@
-title: Suspicious Local Firewall Enumeration
-id: ea207a23-b441-4a17-9f76-ad5be47d51d3
-status: experimental
-description: Adversaries may leverage Get-NetFirewallRule or Show-NetFirewallRule to enumerate the local firewall rules on a host.
-references:
- - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
- - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
-author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2023/06/28
-tags:
- - attack.discovery
- - attack.t1518.001
- - attack.t1016
-logsource:
- product: windows
- category: ps_module
- definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
-detection:
- selection:
- - Payload|contains: Get-NetFirewallRule
- - ContextInfo|contains: Get-NetFirewallRule
- - Payload|contains: Show-NetFirewallRule
- - ContextInfo|contains: Show-NetFirewallRule
- condition: selection
-falsepositives:
- - Administrator script
-level: low
From 81440fe0ea5af26c8c01bfdfe04daf9190ef1083 Mon Sep 17 00:00:00 2001
From: "Mohamed Ashraf (X__Junior)" Date: Thu, 13 Jul 2023 18:27:12 +0300 Subject: [PATCH 28/50] CVE-2023-36884 rules --- .../proxy_hunting_cve_2023_36884_traffic.yml | 31 +++++++++++++++++++ ...23_36884_extenstion_ip_pattern_traffic.yml | 22 +++++++++++++ .../proxy_cve_2023_36884_traffic.yml | 21 +++++++++++++ ...roxy_cve_2023_36884_url_marker_traffic.yml | 20 ++++++++++++ .../file/file_event/file_event_win_yml | 24 ++++++++++++++ tests/cti | 2 +- 6 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml create mode 100644 rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml create mode 100644 rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml create mode 100644 rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml create mode 100644 rules/windows/file/file_event/file_event_win_yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml new file mode 100644 index 000000000..ccaeb73d5 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml 
@@ -0,0 +1,31 @@
+title: Potential CVE-2023-36884 Traffic
+id: 6af1617f-c179-47e3-bd66-b28034a1052d
+status: experimental
+description: Detects files seen being used downloaded by exploiting CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|contains:
+ - '/file001.search-ms'
+ - '/file001.url'
+ - '/RFile.asp'
+ - '/zip_k.asp'
+ - '/zip_k2.asp'
+ - '/zip_k3.asp'
+ - '/o2010.asp'
+ - '/ex001.url'
+ - '/file001.vbs'
+ - '/file1.mht'
+ - '/redir_obj.html'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
diff --git a/rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml b/rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml
new file mode 100644
index 000000000..a753e8000
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml
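Review bot: The description `Detects files seen being used downloaded by exploiting CVE-2023-36884` is ungrammatical;  suggest `Detects requests for file names observed being downloaded during exploitation of CVE-2023-36884`. The file ends without a trailing newline (`\ No newline at end of file`), as do the other four rules added in this commit. Several of the URI fragments (`/file001.url`, `/file1.mht`, `/redir_obj.html`) are short generic names, so `falsepositives: Unknown` undersells the noise a hunting rule built on them will produce; a line such as `- Legitimate downloads of files that happen to share these generic names` would set expectations.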
@@ -0,0 +1,22 @@
+title: CVE-2023-36884 File Extention and IP Addres pattern Traffic
+id: d9365e39-febd-4a4b-8441-3ca91bb9d333
+status: experimental
+description: Detects file extenstions appended with ip address for comprimised system pattern seen being used in CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+logsource:
+ category: proxy
+detection:
+ # hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
+ # 104.234.239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
+ selection:
+ cs-method: 'GET'
+ c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml b/rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml
new file mode 100644
index 000000000..41265a6cd
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml
@@ -0,0 +1,21 @@
+title: CVE-2023-36884 Traffic
+id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
+status: experimental
+description: Detects unique pattern seen being used in CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|contains: '/MSHTML_C7/'
+ c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml b/rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml
new file mode 100644
index 000000000..131506026
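Review bot: `proxy_cve_2023_36884_traffic.yml` (second hunk on this line) is a strict subset of the URL-marker rule added next: both require `cs-method: 'GET'` and `c-uri|contains: '/MSHTML_C7/'`, and this one only adds the `\?d=<ip>` regex, so every hit of the `critical` rule also fires the `high` one, and the extension/IP rule in the first hunk overlaps again through the same `\?d=` suffix. Cross-link them with a `related` entry (`type: derived`) on the narrower rules and state the overlap in each `description`, so analysts tuning one rule know the others will still fire. The description `Detects unique pattern seen being used in CVE-2023-36884` should name the pattern, e.g. `Detects GET requests to an /MSHTML_C7/ path whose d= parameter is an IPv4 address, as observed in CVE-2023-36884 exploitation`.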
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml
@@ -0,0 +1,20 @@
+title: CVE-2023-36884 Traffic URL Marker
+id: e59f71ff-c042-4f7a-8a82-8f53beea817e
+status: experimental
+description: Detects unique URL marker seen being used in CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+ - attack.command_and_control
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|contains: '/MSHTML_C7/'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/file/file_event/file_event_win_yml b/rules/windows/file/file_event/file_event_win_yml
new file mode 100644
index 000000000..e0a57b05a
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_yml
@@ -0,0 +1,24 @@
+title: HMM
+id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
+status: experimental
+description: hmm
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - detection.emerging_threats
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
+ TargetFilename|endswith: '\file001.url'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
diff --git a/tests/cti b/tests/cti
index a89063049..b195cbc81 160000
--- a/tests/cti
+++ b/tests/cti
@@ -1 +1 @@
-Subproject commit a89063049d8440b23100fc40e0cca06f748d0b8f
+Subproject commit b195cbc81adbfb8ca3306c283179168bdd9011fa
From c10a6c9870ebfaf8313e324816d8d809bf65aeee Mon Sep 17 00:00:00 2001
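Review bot: In the file_event rule, `TargetFilename|startswith: 'C:\Users\'` ties the match to the default profile root, so profiles redirected to another drive or folder are not covered; `TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'` already scopes the event to a user profile, so the `startswith` clause can be dropped or its purpose stated in a comment. The rule also keys on the single literal `\file001.url`, the same campaign-specific name the proxy hunting rule in this commit lists, and that is worth saying in `description`, e.g. `Indicator-grade: matches the file name reported for one campaign; broaden to .url files in the Recent folder if variants are observed`, so the `medium` level is read as IoC coverage rather than behavioural detection. The `tests/cti` submodule bump is unrelated to the rules and would sit better in its own commit.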
From: "Mohamed Ashraf (X__Junior)" Date: Thu, 13 Jul 2023 19:23:38 +0300 Subject: [PATCH 29/50] Create net_connection_win_office.yml --- .../net_connection_win_office.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/network_connection/net_connection_win_office.yml diff --git a/rules/windows/network_connection/net_connection_win_office.yml b/rules/windows/network_connection/net_connection_win_office.yml new file mode 100644 index 000000000..417d9de88 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_office.yml @@ -0,0 +1,32 @@ +title: Suspicious Office Outbound Connections +id: 3b5ba899-9842-4bc2-acc2-12308498bf42 +status: experimental +description: Detects office suit communicating to target systems on uncommon ports +references: https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit +author: X__Junior (Nextron Systems) +date: 2023/07/12 +tags: + - attack.defense_evasion + - attack.t1036.005 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: + - '\winword.exe' + - '\wordpad.exe' + - '\wordview.exe' + - '\powerpnt.exe' + - '\excel.exe' + - '\outlook.exe' + filter_main_ports: + DestinationPort: + - 80 + - 445 + - 139 + - 443 + condition: selection and not 1 of filter_main_* +falsepositives: + - other ports can be used , apply additional filter accordingly +level: medium \ No newline at end of file From 8726f310e7a4e41d2e37f64273937424d395ea82 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 13 Jul 2023 23:30:16 +0200
Subject: [PATCH 30/50] chore: update metadata
---
 ...cve_2023_36884_office_windows_html_rce.yml | 12 ++++++-----
 ...cve_2023_36884_office_windows_html_rce.yml | 7 ++++---
 ...html_rce_extenstion_ip_pattern_traffic.yml | 12 ++++++-----
 ...36884_office_windows_html_rce_traffic.yml} | 17 ++++++-------
 ...ce_windows_html_rce_url_marker_traffic.yml | 7 ++++---
 ... net_connection_win_office_susp_ports.yml} | 21 ++++++++++---------
 6 files changed, 42 insertions(+), 34 deletions(-)
 rename rules/windows/file/file_event/file_event_win_yml => rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml (55%)
 rename rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml => rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml (72%)
 rename rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml => rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml (51%)
 rename rules-emerging-threats/2023/Exploits/CVE-2023-36884/{proxy_hunting_cve_2023_36884_traffic.yml => proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml} (78%)
 rename rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml => rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml (68%)
 rename rules/windows/network_connection/{net_connection_win_office.yml => net_connection_win_office_susp_ports.yml} (67%)
diff --git a/rules/windows/file/file_event/file_event_win_yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml
similarity index 55%
rename from rules/windows/file/file_event/file_event_win_yml
rename to rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml
index e0a57b05a..c3d3106b6 100644
--- a/rules/windows/file/file_event/file_event_win_yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml
@@ -1,15 +1,17 @@
-title: HMM
+title: Potential CVE-2023-36884 Exploitation Dropped Files
 id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
 status: experimental
-description: hmm
+description: Detects specific file pattern being created in the office recent folder. Seen being dropped during potential exploitation of CVE-2023-36884
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
-author: X__Junior (Nextron Systems)
+ - https://twitter.com/wdormann/status/1679184475677130755
+ - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2023/07/13
 tags:
 - attack.persistence
 - attack.defense_evasion
- - detection.emerging_threats
+ - cve.2023.36884
 logsource:
 category: file_event
 product: windows
@@ -21,4 +23,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
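Review bot: After this hunk `tags` holds only tactic-level entries (`attack.persistence`, `attack.defense_evasion`) plus `cve.2023.36884`, with no `attack.tXXXX` technique, whereas the other rules on this page pair each tactic with a technique (for example `attack.t1036.005` in the Office network-connection rule). Add the technique the dropped `.url` file in the Office Recent folder represents, or a comment on the `tags:` line stating why none fits, so the mapping is not left for the next maintainer to guess. The new description would also read better as two linked statements: `Detects creation of a specific file name in the Office Recent folder, as observed being dropped during potential exploitation of CVE-2023-36884`.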
diff --git a/rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml similarity index 72% rename from rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml index 41265a6cd..1e8435716 100644 --- a/rules/web/proxy_generic/proxy_cve_2023_36884_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml @@ -1,13 +1,14 @@ -title: CVE-2023-36884 Traffic +title: Potential CVE-2023-36884 Exploitation Pattern id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc status: experimental -description: Detects unique pattern seen being used in CVE-2023-36884 +description: Detects unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior date: 2023/07/12 tags: - attack.command_and_control + - cve.2023.36884 logsource: category: proxy detection: @@ -18,4 +19,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml similarity index 51% rename from rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml index a753e8000..17365998e 100644 --- a/rules/web/proxy_generic/proxy_cve_2023_36884_extenstion_ip_pattern_traffic.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml @@ -1,22 +1,24 @@ -title: CVE-2023-36884 File Extention and IP Addres pattern Traffic +title: Potential CVE-2303-36884 URL Request Pattern Traffic id: d9365e39-febd-4a4b-8441-3ca91bb9d333 status: experimental -description: Detects file extenstions appended with ip address for comprimised system pattern seen being used in CVE-2023-36884 +description: Detects specific URL pattern containing a specific extension and parameters pointing to an IP address, this pattern was seen being used by RomCOM in potential exploitation of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior date: 2023/07/12 tags: - attack.command_and_control + - cve.2023.36884 logsource: category: proxy detection: - # hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99. - # 104.234.239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_ + # Examples: + # hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99. + # 104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_ selection: cs-method: 'GET' c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high 
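Review bot: The new title reads `Potential CVE-2303-36884 URL Request Pattern Traffic` — the CVE year is mistyped (`2303` for `2023`) and it survives the later wording pass on this file; it should be `title: Potential CVE-2023-36884 URL Request Pattern Traffic`. The renamed path also carries over the `extenstion` misspelling, and a rename commit is the cheapest place to fix it. Minor: this file spells the actor `RomCOM` while its siblings use `RomCom`.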
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml similarity index 78% rename from rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml index ccaeb73d5..abfa61ea9 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_hunting_cve_2023_36884_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml @@ -1,31 +1,32 @@ -title: Potential CVE-2023-36884 Traffic +title: Potential CVE-2023-36884 Exploitation - File Downloads id: 6af1617f-c179-47e3-bd66-b28034a1052d status: experimental -description: Detects files seen being used downloaded by exploiting CVE-2023-36884 +description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior date: 2023/07/12 tags: - attack.command_and_control + - cve.2023.36884 logsource: category: proxy detection: selection: cs-method: 'GET' c-uri|contains: + - '/ex001.url' - '/file001.search-ms' - '/file001.url' + - '/file001.vbs' + - '/file1.mht' + - '/o2010.asp' + - '/redir_obj.html' - '/RFile.asp' - '/zip_k.asp' - '/zip_k2.asp' - '/zip_k3.asp' - - '/o2010.asp' - - '/ex001.url' - - '/file001.vbs' - - '/file1.mht' - - '/redir_obj.html' condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium 
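Review bot: The sibling extension/IP rule documents the observed requests in an `# Examples:` comment above its selection, but this rule lists eleven `c-uri|contains` values with no example of the full URL they were taken from. Adding the same kind of defanged example comment above `selection:` would let a reader judge how generic entries such as `/file1.mht` and `/redir_obj.html` are, and the `falsepositives` entry could then say more than `Unknown` for those.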
diff --git a/rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml similarity index 68% rename from rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml index 131506026..a77f425a9 100644 --- a/rules/web/proxy_generic/proxy_cve_2023_36884_url_marker_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml @@ -1,13 +1,14 @@ -title: CVE-2023-36884 Traffic URL Marker +title: Potential CVE-2023-36884 Exploitation - URL Marker id: e59f71ff-c042-4f7a-8a82-8f53beea817e status: experimental -description: Detects unique URL marker seen being used in CVE-2023-36884 +description: Detects unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior date: 2023/07/12 tags: - attack.command_and_control + - cve.2023.36884 logsource: category: proxy detection: @@ -17,4 +18,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/network_connection/net_connection_win_office.yml b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml similarity index 67% rename from rules/windows/network_connection/net_connection_win_office.yml rename to rules/windows/network_connection/net_connection_win_office_susp_ports.yml index 417d9de88..f76916507 100644 --- a/rules/windows/network_connection/net_connection_win_office.yml +++ b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml 
@@ -1,32 +1,33 @@ title: Suspicious Office Outbound Connections id: 3b5ba899-9842-4bc2-acc2-12308498bf42 status: experimental -description: Detects office suit communicating to target systems on uncommon ports -references: https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit +description: Detects office suit applications communicating to target systems on uncommon ports +references: + - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior (Nextron Systems) date: 2023/07/12 tags: - attack.defense_evasion - - attack.t1036.005 + - attack.command_and_control logsource: category: network_connection product: windows detection: selection: Image|endswith: + - '\excel.exe' + - '\outlook.exe' + - '\powerpnt.exe' - '\winword.exe' - '\wordpad.exe' - '\wordview.exe' - - '\powerpnt.exe' - - '\excel.exe' - - '\outlook.exe' filter_main_ports: DestinationPort: - - 80 - - 445 - 139 - 443 + - 445 + - 80 condition: selection and not 1 of filter_main_* falsepositives: - - other ports can be used , apply additional filter accordingly -level: medium \ No newline at end of file + - Other ports can be used, apply additional filter accordingly +level: medium From a953fe19d340e7d68d00b46e332284973e93879b Mon Sep 17 00:00:00 2001 
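Review bot: The title says "Outbound Connections" but the selection has no direction field, so any network_connection event whose Image is one of the listed Office binaries matches regardless of direction; adding `Initiated: 'true'` to `selection` would make the rule match its title. `\outlook.exe` with a port filter of only 80/139/443/445 will fire on every IMAP/SMTP/POP mailbox (993, 587, 995, 143, 110, 25), so either extend `filter_main_ports` with the mail ports or give Outlook its own filter. Filtering 445 also means Office reaching an external SMB share — the pattern the CVE-2023-36884 share-access rule in this series is built around — is suppressed here; a destination-IP filter for private ranges may fit better than a blanket port exclusion. The typo `office suit` → `office suite` is carried into the new description line.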
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 13 Jul 2023 23:44:54 +0200 Subject: [PATCH 31/50] feat: add share access rule --- ...office_windows_html_rce_file_patterns.yml} | 0 ..._windows_html_rce_share_access_pattern.yml | 26 +++++++++++++++++++ 2 files changed, 26 insertions(+) rename rules-emerging-threats/2023/Exploits/CVE-2023-36884/{file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml => file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml} (100%) create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml similarity index 100% rename from rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml new file mode 100644 index 000000000..99a0323dd --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml 
@@ -0,0 +1,26 @@ +title: Potential CVE-2023-36884 Exploitation - Share Access +id: 3df95076-9e78-4e63-accb-16699c3b74f8 +status: experimental +description: Detects access to a specific share pattern seen being used during exploitation of CVE-2023-36884 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/07/13 +tags: + - attack.command_and_control + - cve.2023.36884 +logsource: + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' +detection: + selection_eid: + EventID: 5140 + selection_share_name: + ShareName|contains: '\\\\MSHTML_C7\\\\' + ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + selection_share_path: + ShareLocalPath|contains: '\\\\MSHTML_C7\\\\' + ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + condition: selection_eid and 1 of selection_share_* +falsepositives: + - Unknown +level: high From ee761faffacab0d8f309a28c11e6724864573636 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 13 Jul 2023 23:46:55 +0200 Subject: [PATCH 32/50] chore: add reference --- ..._2023_36884_office_windows_html_rce_share_access_pattern.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml index 99a0323dd..9b1898cc7 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml 
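Review bot: Event ID 5140 is recorded on the host that serves the share, not on the client that opens it, so as written this rule only fires where an `MSHTML_C7` share is hosted inside the monitored estate; a victim workstation reaching an attacker-hosted share on 445 produces no 5140 locally, which is worth stating in `description` or `falsepositives` so the coverage is not overestimated. Under Sigma's escaping, `ShareName|contains: '\\\\MSHTML_C7\\\\'` matches two literal backslashes on each side of the token, whereas the sample paths in the proxy rule show a single separator after `MSHTML_C7`; confirm against a real event whether the single-backslash form `'\MSHTML_C7\'` (the way the network rule in this series writes `'\winword.exe'`) is what the field carries.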
@@ -2,6 +2,8 @@ title: Potential CVE-2023-36884 Exploitation - Share Access id: 3df95076-9e78-4e63-accb-16699c3b74f8 status: experimental description: Detects access to a specific share pattern seen being used during exploitation of CVE-2023-36884 +references: + - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/07/13 tags: From 12e5d5ead9d53f75044c67f199bda2be97212a41 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 14 Jul 2023 08:15:02 +0200 Subject: [PATCH 33/50] Move to hunting Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../posh_ps_mailbox_access.yml | 1 + .../proc_creation_win_findstr_susp_parent.yml | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+) rename {rules => rules-threat-hunting}/windows/powershell/powershell_script/posh_ps_mailbox_access.yml (95%) create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml similarity index 95% rename from rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml index a29de6c8c..146c05752 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_mailbox_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml @@ -9,6 +9,7 @@ date: 2023/07/08 tags: - attack.defense_evasion - attack.t1070.008 + - detection.threat_hunting logsource: product: windows category: ps_script diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml new file mode 100644 index 000000000..8eaf69101 --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml @@ -0,0 +1,29 @@ +title: Findstr Suspicious ParentCommandLine +id: ccb5742c-c248-4982-8c5c-5571b9275ad3 +related: + - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 + type: derived +status: experimental +description: Detects findstring commands with a suspicious ParentCommandLine +references: + - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist +author: frack113 +date: 2023/07/06 +tags: + - attack.discovery + - attack.t1057 +logsource: + category: process_creation + product: windows +detection: + selection_findstr_img: + - Image|endswith: '\findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_findstr_parent: + ParentCommandLine|contains: 'tasklist' + filter_optional_httpd: + CommandLine|contains: 'httpd.exe' + condition: all of selection_findstr_* and not 1 of filter_optional_* +falsepositives: + - Unknown +level: medium From 99914ba9f863c14494d761c003d06667d0e258d4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 14 Jul 2023 09:00:33 +0200 Subject: [PATCH 34/50] Move to Hunting Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../powershell/powershell_script/posh_ps_reg_query_registry.yml | 1 + 1 file changed, 1 insertion(+) rename {rules => rules-threat-hunting}/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml (97%) diff --git a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml similarity index 97% rename from rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml index 1174a760a..812bc3926 100644 
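Review bot: `description: Detects findstring commands with a suspicious ParentCommandLine` — `findstring` should be `findstr`, and the description could say what makes the parent suspicious (a `tasklist` string), since that is the whole of `selection_findstr_parent`. `tasklist | findstr <name>` is a routine administrative idiom, so `falsepositives: - Unknown` undersells the noise; something like `- Administrators and scripts checking whether a process is running via tasklist | findstr` would set expectations for a medium-level rule. The `filter_optional_httpd` exclusion shows one such case already exists.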
--- a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml @@ -13,6 +13,7 @@ tags: - attack.discovery - attack.t1012 - attack.t1007 + - detection.threat_hunting logsource: product: windows category: ps_script From d3cf1892fced57a3d005408a566dbe36b8f51c79 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 14 Jul 2023 10:19:28 +0200 Subject: [PATCH 35/50] chore: update metadata --- ...try.yml => posh_ps_registry_reconnaissance.yml} | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) rename rules-threat-hunting/windows/powershell/powershell_script/{posh_ps_reg_query_registry.yml => posh_ps_registry_reconnaissance.yml} (70%) diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml similarity index 70% rename from rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml index 812bc3926..8f3e4722b 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml 
@@ -1,10 +1,10 @@ -title: Potential Configuration And Service Reconnaissance Via Powershell +title: Potential Registry Reconnaissance Via Powershell Script id: 064060aa-09fb-4636-817f-020a32aa7e9e related: - id: 970007b7-ce32-49d0-a4a4-fbef016950bd type: similar status: experimental -description: Detects the usage of Powershell in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. +description: Detects PowerShell script with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md author: frack113 @@ -27,13 +27,13 @@ detection: ScriptBlockText|contains: '-Path' selection_key: ScriptBlockText|contains: + - 'currentcontrolset\services' + - 'CurrentVersion\Policies\Explorer\Run' + - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce" + - 'CurrentVersion\ShellServiceObjectDelayLoad' - 'CurrentVersion\Windows' - 'winlogon\' - - 'CurrentVersion\ShellServiceObjectDelayLoad' - - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce" - - 'CurrentVersion\Policies\Explorer\Run' - - 'currentcontrolset\services' condition: all of selection_* falsepositives: - - Unknown + - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts. level: medium From 6d419e6c311dd2054e7bc4f7f648ace076ab3f1e Mon Sep 17 00:00:00 2001 
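Review bot: The new description sentence `gather information about the system credentials, configuration, and installed software` changes the meaning of the original list — "the system" was one item and "credentials" another, and the rewrite now reads as "system credentials". Suggest `gather information about credentials, the system configuration, and installed software`.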
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 14 Jul 2023 10:44:30 +0200 Subject: [PATCH 36/50] chore: update metadata --- .../powershell/powershell_script/posh_ps_mailbox_access.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml index 146c05752..f0c62970f 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml @@ -1,7 +1,7 @@ -title: Powershell Maibox Access +title: Windows Mail App Mailbox Access Via PowerShell Script id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3 status: experimental -description: Detects powershell scripts that use mailbox path +description: Detects powershell script that try to access the Windows Mail app MailBox via code. This could be used by an attacker to exfiltrate or delete the content of the emails for example. references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md author: frack113 @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: 'Requirements: Script Block Logging must be enabled' + definition: bade5735-5ab0-4aa7-a642-a11be0e40872 detection: selection: ScriptBlockText|contains: '\Comms\Unistore\data' From 9ac75808b85c3158fc80dd646412b0270eb59514 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 14 Jul 2023 11:17:37 +0200 Subject: [PATCH 37/50] Update README.md Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3beca5442..b05fd30f7 100644 --- a/README.md +++ b/README.md 
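Review bot: `definition: 'Requirements: Script Block Logging must be enabled'` is replaced by the bare UUID `bade5735-5ab0-4aa7-a642-a11be0e40872` with nothing on the page saying what it resolves to, while the registry-reconnaissance rule edited in the same series keeps the textual requirement. If the UUID references a shared logsource definition, a comment naming where it is defined would help and the two hunting rules should use the same form; otherwise the human-readable requirement should stay.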
@@ -120,6 +120,9 @@ E.g. * Tell us about false positives (issues section) * Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule +To help you, we may ask you for a return. +The PR will be tagged with "Author Input Required", however without a response it will have to be closed after 1 month of inactivity. + ## Work on open issues The github issue tracker is a good place to start tackling some issues others raised to the project. It could be as easy as a review of the documentation. From db6bf8da10c56275fde50537fe5b65c7854433c3 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 17 Jul 2023 09:43:29 +0200 Subject: [PATCH 38/50] fix: wording --- ...t_cve_2023_36884_office_windows_html_rce_file_patterns.yml | 4 ++-- .../proxy_exploit_cve_2023_36884_office_windows_html_rce.yml | 2 +- ..._office_windows_html_rce_extenstion_ip_pattern_traffic.yml | 2 +- ..._2023_36884_office_windows_html_rce_url_marker_traffic.yml | 2 +- ...023_36884_office_windows_html_rce_share_access_pattern.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml index c3d3106b6..b1220facd 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml 
@@ -1,7 +1,7 @@ -title: Potential CVE-2023-36884 Exploitation Dropped Files +title: Potential CVE-2023-36884 Exploitation Dropped File id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38 status: experimental -description: Detects specific file pattern being created in the office recent folder. Seen being dropped during potential exploitation of CVE-2023-36884 +description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit - https://twitter.com/wdormann/status/1679184475677130755 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml index 1e8435716..d5a2d8c51 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml @@ -1,7 +1,7 @@ title: Potential CVE-2023-36884 Exploitation Pattern id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc status: experimental -description: Detects unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 +description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml index 17365998e..4f32a5902 100644 
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml @@ -1,7 +1,7 @@ title: Potential CVE-2303-36884 URL Request Pattern Traffic id: d9365e39-febd-4a4b-8441-3ca91bb9d333 status: experimental -description: Detects specific URL pattern containing a specific extension and parameters pointing to an IP address, this pattern was seen being used by RomCOM in potential exploitation of CVE-2023-36884 +description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml index a77f425a9..af236df6b 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml 
@@ -1,7 +1,7 @@ title: Potential CVE-2023-36884 Exploitation - URL Marker id: e59f71ff-c042-4f7a-8a82-8f53beea817e status: experimental -description: Detects unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 +description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml index 9b1898cc7..9146d9b16 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml @@ -1,7 +1,7 @@ title: Potential CVE-2023-36884 Exploitation - Share Access id: 3df95076-9e78-4e63-accb-16699c3b74f8 status: experimental -description: Detects access to a specific share pattern seen being used during exploitation of CVE-2023-36884 +description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884 references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) From 6761b32a04c4c9cf0fce5f93390849c434428229 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 17 Jul 2023 09:54:51 +0200 Subject: [PATCH 39/50] Change to regex --- .../posh_ps_registry_reconnaissance.yml | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) 
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml index 8f3e4722b..e602aba0b 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml @@ -19,21 +19,9 @@ logsource: category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: - selection_cmdlet: - ScriptBlockText|contains: - - 'Get-Item' - - 'Get-ChildItem' - selection_flag: - ScriptBlockText|contains: '-Path' - selection_key: - ScriptBlockText|contains: - - 'currentcontrolset\services' - - 'CurrentVersion\Policies\Explorer\Run' - - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce" - - 'CurrentVersion\ShellServiceObjectDelayLoad' - - 'CurrentVersion\Windows' - - 'winlogon\' - condition: all of selection_* + selection: + ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\' + condition: selection falsepositives: - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts. level: medium From bea4310b527d057b20cf39ab82a41c3c061ba916 Mon Sep 17 00:00:00 2001 
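Review bot: The consolidated regex loses coverage the `contains` list had: the last alternative `CurrentVersion\\Windows\winlogon` has a single backslash before `winlogon`, which the regex engine reads as the `\w` word-character class, and it fuses two keys that were separate items (`CurrentVersion\Windows` and `winlogon\`) into a path that does not exist, since Winlogon lives under `Windows NT\CurrentVersion\Winlogon`. The trailing `\\` after the group additionally requires a sub-key, so `CurrentVersion\Run` itself and `RunOnce`/`RunOnceEx` (which the deleted comment said were covered) no longer match. A form that keeps the old coverage is `ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows|winlogon\\)'`. Note also that `contains` was case-insensitive and `re` is not, so `currentcontrolset\\services` and `gci` only hit scripts in that exact case; a follow-up commit leaves a TODO for this, but until then a leading `(?i)` would restore it where the target backends accept inline flags.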
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:03:25 +0200 Subject: [PATCH 40/50] Update rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../powershell/powershell_script/posh_ps_mailbox_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml index f0c62970f..2ef3a4d9b 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml @@ -1,7 +1,7 @@ title: Windows Mail App Mailbox Access Via PowerShell Script id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3 status: experimental -description: Detects powershell script that try to access the Windows Mail app MailBox via code. This could be used by an attacker to exfiltrate or delete the content of the emails for example. +description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails. references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md author: frack113 From 981ceebab2c49f45f3a34f150265b7e86b490212 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:04:58 +0200 Subject: [PATCH 41/50] feat: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../powershell_script/posh_ps_registry_reconnaissance.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml index e602aba0b..3369c27b5 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml @@ -1,10 +1,10 @@ -title: Potential Registry Reconnaissance Via Powershell Script +title: Potential Registry Reconnaissance Via PowerShell Script id: 064060aa-09fb-4636-817f-020a32aa7e9e related: - id: 970007b7-ce32-49d0-a4a4-fbef016950bd type: similar status: experimental -description: Detects PowerShell script with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. +description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md author: frack113 
@@ -20,6 +20,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
+ # TODO: switch to |re|i: after sigma specification v2 is released
 ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
 condition: selection
 falsepositives:
From 3921490664c9ebd4c03b4958d40e10f97b3a7291 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 17 Jul 2023 12:08:34 +0200
Subject: [PATCH 42/50] feat: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...3_36884_office_windows_html_rce_share_access_pattern.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
index 9146d9b16..975779b7b 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -3,7 +3,7 @@ id: 3df95076-9e78-4e63-accb-16699c3b74f8
 status: experimental
 description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
 references:
- - Internal Research
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/13
 tags:
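Review bot: The regex on the context line directly below the added TODO ends in `CurrentVersion\\Windows\winlogon)\\'`, where the single-backslash `\w` is a regex word-character class rather than a literal path separator, so that alternative does not match the key path it appears to target. If the intent is the `Winlogon` key under `Windows NT\CurrentVersion`, the fragment should read `CurrentVersion\\Winlogon` (escaped separator, no `Windows\` segment); if a different key was meant, a comment next to the TODO naming it would help. Every other alternative in the group uses `\\` for separators, which suggests a typo rather than a deliberate pattern. The detection block continues past the end of this hunk.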
@@ -18,10 +18,10 @@ detection:
 EventID: 5140
 selection_share_name:
 ShareName|contains: '\\\\MSHTML_C7\\\\'
- ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ ShareName|re: '\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
 selection_share_path:
 ShareLocalPath|contains: '\\\\MSHTML_C7\\\\'
- ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ ShareLocalPath|re: '\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
 condition: selection_eid and 1 of selection_share_*
 falsepositives:
 - Unknown
From ee9ced87be16fe131298298e767a75556ac339d7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 17 Jul 2023 12:14:37 +0200
Subject: [PATCH 43/50] feat: update path
---
 ...36884_office_windows_html_rce_share_access_pattern.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
index 975779b7b..9e9d57a5c 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -17,11 +17,11 @@ detection:
 selection_eid:
 EventID: 5140
 selection_share_name:
- ShareName|contains: '\\\\MSHTML_C7\\\\'
- ShareName|re: '\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ ShareName|contains: '\MSHTML_C7\'
+ ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
 selection_share_path:
- ShareLocalPath|contains: '\\\\MSHTML_C7\\\\'
- ShareLocalPath|re: '\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ ShareLocalPath|contains: '\MSHTML_C7\'
+ ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
 condition: selection_eid and 1 of selection_share_*
 falsepositives:
 - Unknown
From dc9a5c9263d2895c692d4b93d9d3c174c6d2e648 Mon Sep 17 00:00:00 2001
From: "Mohamed Ashraf (X__Junior)"
Date: Mon, 17 Jul 2023 14:44:15 +0300
Subject: [PATCH 44/50] Update cti
---
 tests/cti | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/cti b/tests/cti
index b195cbc81..a89063049 160000
--- a/tests/cti
+++ b/tests/cti
@@ -1 +1 @@
-Subproject commit b195cbc81adbfb8ca3306c283179168bdd9011fa
+Subproject commit a89063049d8440b23100fc40e0cca06f748d0b8f
From b99089e2527fb5c0f59be36eafc355e496d045ce Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 17 Jul 2023 13:57:27 +0200
Subject: [PATCH 45/50] fix: typo
---
 .../network_connection/net_connection_win_office_susp_ports.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml
index f76916507..9340c6090 100644
--- a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml
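Review bot: The two `|re` values are now unanchored dotted-quad patterns, so after this patch drops the `\\\\` prefix that the previous patch had just added, they match any four dot-separated numbers anywhere in `ShareName` or `ShareLocalPath` (version-like strings included), and nothing in the file records why the prefix went back out. Because each selection ANDs the regex with the `\MSHTML_C7\` substring the practical widening is small, but the back-and-forth between patches 42 and 43 invites a future reviewer to re-add it. A comment above `selection_share_name:` stating the reason, e.g. `# Note: IP regex intentionally unanchored - <reason the UNC-prefixed form was dropped>`, would settle it; if the cause was backend escaping of `\\` in regex values rather than the logged field format, the note should say that instead.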
@@ -29,5 +29,5 @@ detection:
 - 80
 condition: selection and not 1 of filter_main_*
 falsepositives:
- - Other ports can be used, apply additional filter accordingly
+ - Other ports can be used, apply additional filters accordingly
 level: medium
From 4e626ac9ba75c0d18502af47ab089d449bc64db4 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 17 Jul 2023 14:25:37 +0200
Subject: [PATCH 46/50] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b05fd30f7..8e1d39f52 100644
--- a/README.md
+++ b/README.md
@@ -120,8 +120,8 @@ E.g.
 * Tell us about false positives (issues section)
 * Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
-To help you, we may ask you for a return.
-The PR will be tagged with "Author Input Required", however without a response it will have to be closed after 1 month of inactivity.
+In order to enhance or fix some issues with a specific PR we might ask the author for some additional input.
+In such cases, the PR will be tagged with "Author Input Required". If the author of the PR does not respond in a timely manner the PR will automatically be closed after 1 month of inactivity.
 ## Work on open issues
From f083be8458bdf74a4035069840afe86c840aee08 Mon Sep 17 00:00:00 2001
From: Josh
Date: Mon, 17 Jul 2023 14:39:48 -0400
Subject: [PATCH 47/50] Fixed typo in comment DragonOK and not dargonOK :)
---
 rules/web/proxy_generic/proxy_ua_malware.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
index 9eeebb88d..1e53895de 100644
--- a/rules/web/proxy_generic/proxy_ua_malware.yml
+++ b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -23,7 +23,7 @@ detection:
 selection:
 c-useragent:
 # RATs
- - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
 - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
From 764963c2c71b69ba05d1241dc863649b0e861782 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 18 Jul 2023 14:09:12 +0200
Subject: [PATCH 48/50] refactor: increased level
---
 ...eation_win_mpcmdrun_remove_windows_defender_definition.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
index a997c77f2..b72143303 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
@@ -7,7 +7,7 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 author: frack113
 date: 2021/07/07
-modified: 2023/02/03
+modified: 2023/07/18
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -30,4 +30,4 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Unknown
-level: medium
+level: high
From 0055269b8e2f8ea7cb0be6aa3ccaa5ee2b18171e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 19 Jul 2023 14:10:39 +0200
Subject: [PATCH 49/50] chore: update submodule tests/cti
---
 tests/cti | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/cti b/tests/cti
index a89063049..340ee4525 160000
--- a/tests/cti
+++ b/tests/cti
@@ -1 +1 @@
-Subproject commit a89063049d8440b23100fc40e0cca06f748d0b8f
+Subproject commit 340ee452560dcc41c03664637611e529a11bedf2
From 9acc4e1823a8ca6c80f4a9e19dd95d88e9e30e0c Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 20 Jul 2023 11:08:44 +0200
Subject: [PATCH 50/50] feat: add rules related to pwsh set-acl cmdlet usage (#4352)
---
 .../powershell_script/posh_ps_set_acl.yml | 32 ++++++++++++
 .../posh_ps_set_acl_susp_location.yml | 49 +++++++++++++++++++
 .../proc_creation_win_powershell_set_acl.yml | 38 ++++++++++++++
 ...n_win_powershell_set_acl_susp_location.yml | 49 +++++++++++++++++++
 4 files changed, 168 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
new file mode 100644
index 000000000..55bcb8aa4
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
@@ -0,0 +1,32 @@
+title: PowerShell Script Change Permission Via Set-Acl - PsScript
+id: cae80281-ef23-44c5-873b-fd48d2666f49
+related:
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
+status: experimental
+description: Detects PowerShell scripts set ACL to of a file or a folder
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1222
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ - '-Path '
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
new file mode 100644
index 000000000..6dd1f8085
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
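Review bot: The `description` line reads `Detects PowerShell scripts set ACL to of a file or a folder`, which is ungrammatical for a rule that will be shown to analysts; suggest `description: Detects PowerShell scripts that use Set-Acl to change the ACL of a file or folder`. The `contains|all` selection also deserves a scope note: it requires the literal named-parameter tokens `-AclObject ` and `-Path `, while Set-Acl accepts both values positionally and offers `-LiteralPath`, so only the explicitly named form is covered; a `# Note:` above `selection:` recording that this is the intended baseline scope would make the limitation visible to whoever tunes it later. The `level: low` here is consistent with the `# PsScript Low` annotation the sibling files use for this id.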
@@ -0,0 +1,49 @@
+title: PowerShell Set-Acl On Windows Folder - PsScript
+id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
+related:
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+status: experimental
+description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1222
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ selection_paths:
+ # Note: Add more suspicious paths
+ ScriptBlockText|contains:
+ - '-Path "C:\Windows'
+ - '-Path "C:/Windows'
+ - "-Path 'C:\\Windows"
+ - "-Path 'C:/Windows"
+ - '-Path C:\\Windows'
+ - '-Path C:/Windows'
+ - '-Path $env:windir'
+ - '-Path "$env:windir'
+ - "-Path '$env:windir"
+ selection_permissions:
+ # Note: Add more suspicious permissions
+ ScriptBlockText|contains:
+ - 'FullControl'
+ - 'Allow'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
new file mode 100644
index 000000000..5dbc22e03
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
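Review bot: `selection_permissions` ORs the substrings `'FullControl'` and `'Allow'`, and `'Allow'` is short enough to match unrelated tokens anywhere in a script block (`$AllowList`, `Allowed`, comment text), so at `level: high` this selection adds little discrimination beyond `selection_cmdlet` and `selection_paths`; the same two values are reused in the process-creation variant that closes this patch. Either tighten the value to the quoted access-type forms a script actually passes when building an access rule, or record the weakness in `falsepositives` instead of `Unknown`, e.g. `- Administrative scripts adjusting permissions below the Windows folder; 'Allow' alone is a weak discriminator`. Separately, `selection_paths` mixes escaping styles in one list — `'-Path "C:\Windows'` uses a single backslash while `'-Path C:\\Windows'` doubles it inside single quotes; both resolve to one backslash under Sigma's plain-string escaping rules, but one convention per list is easier to audit.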
@@ -0,0 +1,38 @@
+title: PowerShell Script Change Permission Via Set-Acl
+id: bdeb2cff-af74-4094-8426-724dc937f20a
+related:
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
+status: experimental
+description: Detects PowerShell execution to set the ACL of a file or a folder
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/10/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ selection_cmdlet:
+ CommandLine|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ - '-Path '
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
new file mode 100644
index 000000000..b9a60ecb7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
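Review bot: `level: high` on the last line conflicts with how this rule is referenced by the other three files in the patch, which annotate its id `bdeb2cff-…` as `# ProcCreation Low`, and with the script-block twin `cae80281-…` (first file of this patch, identical three `contains|all` tokens) that ships as `level: low`; a generic Set-Acl match with no path or permission constraint at `high` will fire on routine administration while the dedicated "suspicious location" variant is the one meant to be high. Suggest `level: low` to match the annotations, or `medium` with a one-line justification. The two ps_script rules also carry `- attack.t1222` under `tags:` while this file and the next only list `attack.defense_evasion`; adding it here keeps the family consistent. `date: 2022/10/18` predates the `2023/07/18` of the sibling files, which is fine if the rule is imported from an older draft but otherwise looks stale.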
@@ -0,0 +1,49 @@
+title: PowerShell Set-Acl On Windows Folder
+id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+related:
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
+status: experimental
+description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+ - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/10/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ selection_cmdlet:
+ CommandLine|contains|all:
+ - 'Set-Acl '
+ - '-AclObject '
+ selection_paths:
+ # Note: Add more suspicious paths
+ CommandLine|contains:
+ - '-Path "C:\Windows'
+ - "-Path 'C:\\Windows"
+ - '-Path %windir%'
+ - '-Path $env:windir'
+ selection_permissions:
+ # Note: Add more suspicious permissions
+ CommandLine|contains:
+ - 'FullControl'
+ - 'Allow'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
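Review bot: The `description` is copied from the ps_script variant (`Detects PowerShell scripts to set the ACL to a file in the Windows folder`), but this rule matches `CommandLine` in `process_creation` events, so it should describe the execution the way the generic process-creation rule in this patch does, e.g. `description: Detects PowerShell command lines that use Set-Acl to change the ACL of a file or folder under the Windows directory`. `selection_paths` lists four forms here against nine in the ps_script twin (no `C:/Windows` or `"$env:windir` variants); if the narrower list is deliberate for command lines, a word in the existing `# Note: Add more suspicious paths` comment would record that. `'-Path %windir%'` can only appear verbatim in the logged command line when the launching process did not already expand the variable (cmd.exe presumably expands it before process creation), which is worth a short comment so the entry is not later mistaken for dead weight.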