From 5051334e85c2454996815089caff3befddf8c5be Mon Sep 17 00:00:00 2001
From: "Tim Burrell (MSTIC)"
Date: Thu, 2 Jan 2020 14:47:55 +0000
Subject: [PATCH 1/5] Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release.
---
 rules/apt/apt_gallium.yml | 59 +++++++++++++++++++
 .../windows/sysmon/sysmon_invoke_phantom.yml | 25 ++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 rules/apt/apt_gallium.yml
 create mode 100644 rules/windows/sysmon/sysmon_invoke_phantom.yml
diff --git a/rules/apt/apt_gallium.yml b/rules/apt/apt_gallium.yml
new file mode 100644
index 000000000..cecab4cff
--- /dev/null
+++ b/rules/apt/apt_gallium.yml
@@ -0,0 +1,59 @@
+action: global
+title: GALLIUM artefacts
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+status: experimental
+description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
+author: Tim Burrell
+references:
+ - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+tags:
+ - attack.credential_access
+ - attack.command_and_control
+falsepositives:
+ - unknown
+level: high
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ exec_selection:
+ EventID: 1
+ Hashes:
+ - '*53a44c2396d15c3a03723fa5e5db54cafd527635*'
+ - '*9c5e496921e3bc882dc40694f1dcc3746a75db19*'
+ - '*aeb573accfd95758550cf30bf04f389a92922844*'
+ - '*79ef78a797403a4ed1a616c68e07fff868a8650a*'
+ - '*4f6f38b4cec35e895d91c052b1f5a83d665c2196*'
+ - '*1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d*'
+ - '*e841a63e47361a572db9a7334af459ddca11347a*'
+ - '*c28f606df28a9bc8df75a4d5e5837fc5522dd34d*'
+ - '*2e94b305d6812a9f96e6781c888e48c7fb157b6b*'
+ - '*dd44133716b8a241957b912fa6a02efde3ce3025*'
+ - '*8793bf166cb89eb55f0593404e4e933ab605e803*'
+ - '*a39b57032dbb2335499a51e13470a7cd5d86b138*'
+ - '*41cc2b15c662bc001c0eb92f6cc222934f0beeea*'
+ - '*d209430d6af54792371174e70e27dd11d3def7a7*'
+ - '*1c6452026c56efd2c94cea7e0f671eb55515edb0*'
+ - '*c6b41d3afdcdcaf9f442bbe772f5da871801fd5a*'
+ - '*4923d460e22fbbf165bbbaba168e5a46b8157d9f*'
+ - '*f201504bd96e81d0d350c3a8332593ee1c9e09de*'
+ - '*ddd2db1127632a2a52943a2fe516a2e7d05d70d2*'
+ condition: exec_selection
+---
+logsource:
+ product: windows
+ service: dns-server
+detection:
+ c2_selection:
+ EventID: 257
+ QNAME:
+ - 'asyspy256.ddns.net'
+ - 'hotkillmail9sddcc.ddns.net'
+ - 'rosaf112.ddns.net'
+ - 'cvdfhjh1231.myftp.biz'
+ - 'sz2016rose.ddns.net'
+ - 'dffwescwer4325.myftp.biz'
+ - 'cvdfhjh1231.ddns.net'
+ condition: c2_selection
diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/sysmon/sysmon_invoke_phantom.yml
new file mode 100644
index 000000000..bcc268eb0
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_invoke_phantom.yml
@@ -0,0 +1,25 @@
+title: Suspect svchost memory access
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+status: experimental
+description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
+author: Tim Burrell
+references:
+ - https://github.com/hlldz/Invoke-Phant0m
+ - https://twitter.com/timbmsft/status/900724491076214784
+tags:
+ - attack.t1089
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 10
+ TargetImage: '*\windows\system32\svchost.exe'
+ GrantedAccess: '0x1f3fff'
+ CallTrace:
+ - '*unknown*'
+ condition: selection
+falsepositives:
+ - unknown
+level: high

From 9bd040268138a743a3895c67d8e8ee770ef7aea3 Mon Sep 17 00:00:00 2001
From: "Tim Burrell (MSTIC)"
Date: Thu, 2 Jan 2020 20:05:28 +0000
Subject: [PATCH 2/5] fixup - unique rule id; use process_creation instead of sysmon EventID:1
---
 rules/apt/apt_gallium.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/apt/apt_gallium.yml b/rules/apt/apt_gallium.yml
index cecab4cff..36cfffd1b 100644
--- a/rules/apt/apt_gallium.yml
+++ b/rules/apt/apt_gallium.yml
@@ -1,6 +1,6 @@
 action: global
 title: GALLIUM artefacts
-id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+id: 440a56bf-7873-4439-940a-1c8a671073c2
 status: experimental
 description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
 author: Tim Burrell
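Review bot: The rule header of apt_gallium.yml carries no `date:` field, although the other rules in this series (win_audit_cve.yml, web_citrix_cve_2019_19781_exploit.yml) record one in `YYYY/MM/DD` form; adding `date: 2020/01/02` after `author: Tim Burrell` keeps the metadata consistent and tells consumers how old this indicator set is. The `tags` list names tactics only, while the sibling rule added in the same commit also carries a technique id (`attack.t1089`); technique-level tags would be worth adding here once the mapping is decided. Both detection documents are pure indicator lists (SHA1 hashes and dynamic-DNS hostnames) whose value decays as the infrastructure rotates, so `status: experimental` should probably stay until the list is reviewed rather than being promoted with the rest of the series.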
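Review bot: In sysmon_invoke_phantom.yml the `description` attributes the technique to the "winRM windows event logging service", but the commit subject describes it as terminating threads in a svchost process to disable Windows event logging, and WinRM is a separate service; unless WinRM is really meant, I would reword to `description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the threads of the Windows Event Log service.`. Like the GALLIUM rule in this commit, the header has no `date:` field; `date: 2020/01/02` would match the convention used by the other rules in this series. The `CallTrace` value `'*unknown*'` is the only thing separating this from any other `0x1f3fff` handle to svchost (`SourceImage` is unconstrained), so a comment above `CallTrace:` such as `# UNKNOWN in CallTrace: accessing code not backed by a module on disk` would record the intent — I believe that is what Sysmon logs for unbacked memory, but confirm before adding.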
@@ -15,11 +15,10 @@ falsepositives:
 level: high
 ---
 logsource:
+ category: process_creation
 product: windows
- service: sysmon
 detection:
 exec_selection:
- EventID: 1
 Hashes:
 - '*53a44c2396d15c3a03723fa5e5db54cafd527635*'
 - '*9c5e496921e3bc882dc40694f1dcc3746a75db19*'

From 6db20d4bad0d2f7cb9d3f3ff6fe6398a1162f42b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 15 Jan 2020 21:23:32 +0100
Subject: [PATCH 3/5] rule: windows audit cve
---
 rules/windows/builtin/win_audit_cve.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/builtin/win_audit_cve.yml
diff --git a/rules/windows/builtin/win_audit_cve.yml b/rules/windows/builtin/win_audit_cve.yml
new file mode 100644
index 000000000..6564853e7
--- /dev/null
+++ b/rules/windows/builtin/win_audit_cve.yml
@@ -0,0 +1,22 @@
+title: Audit CVE Event
+id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
+status: experimental
+description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
+references:
+ - https://twitter.com/VM_vivisector/status/1217190929330655232
+ - https://twitter.com/davisrichardg/status/1217517547576348673
+ - https://twitter.com/DidierStevens/status/1217533958096924676
+ - https://twitter.com/FlemmingRiis/status/1217147415482060800
+author: Florian Roth
+date: 2020/01/15
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Source: 'Microsoft-Windows-Audit-CVE'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+

From 41c4a499b408e53564217bf43d917ac514be423d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 15 Jan 2020 21:27:40 +0100
Subject: [PATCH 4/5] rule: added a reference
---
 rules/windows/builtin/win_audit_cve.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/win_audit_cve.yml b/rules/windows/builtin/win_audit_cve.yml
index 6564853e7..e23a7a0f4 100644
--- a/rules/windows/builtin/win_audit_cve.yml
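Review bot: After the switch to `category: process_creation`, the selection still keys on `Hashes`, a field that only Sysmon-sourced process creation events carry; Windows Security 4688 events mapped to the same category have no hash field, so on such a backend this document silently matches nothing. A comment above `Hashes:` such as `# needs a Sysmon-backed process_creation source; Security 4688 carries no Hashes field` would record the dependency, or the top-level `description` could state it. The second YAML document of this rule continues past the end of the hunk.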
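Review bot: The new win_audit_cve.yml has no `tags:` block, unlike every other rule touched in this series; a `tags:` entry with the relevant ATT&CK tactic would keep it consistent and searchable. `falsepositives` uses `- Unknown` where the sibling rules write `- unknown`, and the hunk adds a trailing blank line at the end of the file (the bare `+` as line 22); both are cosmetic but worth aligning. As far as I know the `Microsoft-Windows-Audit-CVE` provider only emits events on systems that already have the update shipping the corresponding detection, so a sentence in `description` noting that silence from this source is not evidence of absence would help analysts — confirm before adding.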
+++ b/rules/windows/builtin/win_audit_cve.yml
@@ -3,6 +3,7 @@ id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
 status: experimental
 description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
 references:
+ - https://twitter.com/mattifestation/status/1217179698008068096
 - https://twitter.com/VM_vivisector/status/1217190929330655232
 - https://twitter.com/davisrichardg/status/1217517547576348673
 - https://twitter.com/DidierStevens/status/1217533958096924676

From e35ebcc18537a421c0e14da1baa92cf8bbd0500d Mon Sep 17 00:00:00 2001
From: 2d4d <46819580+2d4d@users.noreply.github.com>
Date: Wed, 15 Jan 2020 21:59:33 +0100
Subject: [PATCH 5/5] complete_cve_2019-19781
---
 rules/web/web_citrix_cve_2019_19781_exploit.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 2d63d3fe6..8f4cc5d0d 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@@ -6,21 +6,20 @@ references:
 - https://support.citrix.com/article/CTX267027
 - https://isc.sans.edu/diary/25686
 - https://twitter.com/mpgn_x64/status/1216787131210829826
+ - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
-modified: 2020/01/13
+modified: 2020/01/15
 logsource:
 category: webserver
- description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)'
+ description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
 selection:
 c-uri-path:
 - '*/../vpns/*'
 - '*/vpns/cfg/smb.conf'
- - '*/vpns/portal/scripts/newbm.pl*'
- - '*/vpns/portal/scripts/rmbm.pl*'
- - '*/vpns/portal/scripts/picktheme.pl*'
+ - '*/vpns/portal/scripts/*.pl*'
 condition: selection
 fields:
 - client_ip
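Review bot: The new pattern `'*/vpns/portal/scripts/*.pl*'` also matches `logout.pl`, which the added logsource description itself says is not exploitable, so routine portal logouts will now raise this alert; an exclusion keeps the broadened match precise: `filter:` / `  c-uri-path: '*/vpns/portal/scripts/logout.pl*'` / `condition: selection and not filter` (replacing `condition: selection`). The long explanatory sentence under `logsource.description` reads like rule documentation rather than a note about the log source; moving the part about direct paths and `logout.pl` into the top-level `description` (outside this hunk) would put it where analysts look. The rule's `level` and `falsepositives` are outside the hunk, so I have not checked whether they reflect the wider match.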