From ff4dee3c50da67fcea35ff7c02e96104d1468cd1 Mon Sep 17 00:00:00 2001
From: ahouspan <ahouspan@gmail.com>
Date: Wed, 10 Jan 2024 10:37:20 -0300
Subject: [PATCH] Merge PR #4650 from @ahouspan - Process Creation Cmdline
 Matches Patterns Observed in Pikabot Infections

new: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
updated: Cscript/Wscript Potentially Suspicious Child Process - WScript.exe Spawns RunDll32.exe

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ..._win_malware_pikabot_rundll32_activity.yml |  6 +--
 ...re_pikabot_combined_commands_execution.yml | 44 +++++++++++++++++++
 ...win_malware_pikabot_rundll32_discovery.yml |  5 +--
 ...win_malware_pikabot_rundll32_hollowing.yml |  5 +--
 ...n_wscript_cscript_susp_child_processes.yml | 23 ++++++++--
 5 files changed, 69 insertions(+), 14 deletions(-)
 create mode 100644 rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml

diff --git a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
index c81794184..7b0e2de36 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
@@ -17,19 +17,17 @@ logsource:
     category: network_connection
     definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
 detection:
-    selection_parent:
+    selection:
         ParentImage|endswith: '\rundll32.exe'
-    selection_child:
         Image|endswith:
             # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
             - '\searchprotocolhost.exe'
             - '\sndvol.exe'
             - '\wermgr.exe'
             - '\wwahost.exe'
-    selection_connection:
         Protocol: tcp
         Initiated: 'true'
-    condition: all of selection_*
+    condition: selection
 falsepositives:
     - Unlikely
 level: high
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
new file mode 100644
index 000000000..fec001ba3
--- /dev/null
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -0,0 +1,44 @@
+title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
+status: experimental
+description: |
+    Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+    Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+    In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
+references:
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
+author: Alejandro Houspanossian ('@lekz86')
+date: 2024/01/02
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.t1105
+    - attack.t1218
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_cmd:
+        CommandLine|contains|all:
+            - 'cmd'
+            - '/c'
+    selection_pipes:
+        CommandLine|contains:
+            - ' & '
+            - ' || '
+    selection_commands_1:
+        CommandLine|contains:
+            - ' curl'
+            - ' wget'
+            - ' timeout '
+            - ' ping '
+    selection_commands_2:
+        CommandLine|contains:
+            - ' rundll32'
+            - ' mkdir '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
index 110061f38..9f8ac350d 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
@@ -19,15 +19,14 @@ logsource:
     category: process_creation
     definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
 detection:
-    selection_grandparent:
+    selection:
         GrandParentImage|endswith: '\rundll32.exe'
-    selection_cmdline:
         CommandLine:
             # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
             - 'ipconfig.exe /all'
             - 'netstat.exe -aon'
             - 'whoami.exe /all'
-    condition: all of selection_*
+    condition: selection
 falsepositives:
     - Unlikely
 level: high
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index d74fbacce..bf46872d9 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -16,9 +16,8 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection_parent:
+    selection:
         ParentImage|endswith: '\rundll32.exe'
-    selection_child:
         Image|endswith:
             # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
             - '\searchprotocolhost.exe'
@@ -28,7 +27,7 @@ detection:
     filter_main_legit_sndvol:
         Image|endswith: '\sndvol.exe'
         ParentCommandLine|contains: 'mmsys.cpl'
-    condition: all of selection_* and not 1 of filter_main_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
index 2b4799250..aefacd9af 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
@@ -1,9 +1,16 @@
-title: Cscript/Wscript Suspicious Child Process
+title: Cscript/Wscript Potentially Suspicious Child Process
 id: b6676963-0353-4f88-90f5-36c20d443c6a
 status: experimental
-description: Detects suspicious child processes of Wscript/Cscript
-author: Nasreddine Bencherchali (Nextron Systems)
+description: |
+    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
+    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
+references:
+    - Internal Research
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
 date: 2023/05/15
+modified: 2024/01/02
 tags:
     - attack.execution
 logsource:
@@ -29,7 +36,15 @@ detection:
             - 'rundll32'
             - 'regsvr32'
             - 'msiexec'
-    condition: selection_parent and (selection_cli_script_main and 1 of selection_cli_script_option_*)
+    selection_cli_standalone:
+        Image|endswith: '\rundll32.exe'
+    filter_main_rundll32_known_exports:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            - 'UpdatePerUserSystemParameters'
+            - 'PrintUIEntry'
+            - 'ClearMyTracksByProcess'
+    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
 falsepositives:
     - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
 level: medium