Merge PR #4650 from @ahouspan - Process Creation Cmdline Matches Patterns Observed in Pikabot Infections

new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
updated: Cscript/Wscript Potentially Suspicious Child Process - WScript.exe Spawns RunDll32.exe

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml

@@ -17,19 +17,17 @@ logsource:
     category: network_connection
     definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
 detection:
-    selection_parent:
+    selection:
         ParentImage|endswith: '\rundll32.exe'
-    selection_child:
         Image|endswith:
             # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
             - '\searchprotocolhost.exe'
             - '\sndvol.exe'
             - '\wermgr.exe'
             - '\wwahost.exe'
-    selection_connection:
         Protocol: tcp
         Initiated: 'true'
-    condition: all of selection_*
+    condition: selection
 falsepositives:
     - Unlikely
 level: high

rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml

@@ -0,0 +1,44 @@
+title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
+status: experimental
+description: |
+    Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+    Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+    In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
+references:
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
+author: Alejandro Houspanossian ('@lekz86')
+date: 2024/01/02
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.t1105
+    - attack.t1218
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_cmd:
+        CommandLine|contains|all:
+            - 'cmd'
+            - '/c'
+    selection_pipes:
+        CommandLine|contains:
+            - ' & '
+            - ' || '
+    selection_commands_1:
+        CommandLine|contains:
+            - ' curl'
+            - ' wget'
+            - ' timeout '
+            - ' ping '
+    selection_commands_2:
+        CommandLine|contains:
+            - ' rundll32'
+            - ' mkdir '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml

@@ -19,15 +19,14 @@ logsource:
     category: process_creation
     definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
 detection:
-    selection_grandparent:
+    selection:
         GrandParentImage|endswith: '\rundll32.exe'
-    selection_cmdline:
         CommandLine:
             # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
             - 'ipconfig.exe /all'
             - 'netstat.exe -aon'
             - 'whoami.exe /all'
-    condition: all of selection_*
+    condition: selection
 falsepositives:
     - Unlikely
 level: high

rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml

@@ -16,9 +16,8 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection_parent:
+    selection:
         ParentImage|endswith: '\rundll32.exe'
-    selection_child:
         Image|endswith:
             # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
             - '\searchprotocolhost.exe'
@@ -28,7 +27,7 @@ detection:
     filter_main_legit_sndvol:
         Image|endswith: '\sndvol.exe'
         ParentCommandLine|contains: 'mmsys.cpl'
-    condition: all of selection_* and not 1 of filter_main_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unlikely
 level: high

rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml

@@ -1,9 +1,16 @@
-title: Cscript/Wscript Suspicious Child Process
+title: Cscript/Wscript Potentially Suspicious Child Process
 id: b6676963-0353-4f88-90f5-36c20d443c6a
 status: experimental
-description: Detects suspicious child processes of Wscript/Cscript
-author: Nasreddine Bencherchali (Nextron Systems)
+description: |
+    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
+    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
+references:
+    - Internal Research
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
 date: 2023/05/15
+modified: 2024/01/02
 tags:
     - attack.execution
 logsource:
@@ -29,7 +36,15 @@ detection:
             - 'rundll32'
             - 'regsvr32'
             - 'msiexec'
-    condition: selection_parent and (selection_cli_script_main and 1 of selection_cli_script_option_*)
+    selection_cli_standalone:
+        Image|endswith: '\rundll32.exe'
+    filter_main_rundll32_known_exports:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            - 'UpdatePerUserSystemParameters'
+            - 'PrintUIEntry'
+            - 'ClearMyTracksByProcess'
+    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
 falsepositives:
     - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
 level: medium