From 22547e188bc02e05eb67c79a05011b4245ccd7b5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 3 Sep 2020 13:30:14 +0200
Subject: [PATCH 1/6] some fixes and additions
---
 rules/proxy/proxy_ua_apt.yml | 1 +
 rules/windows/process_creation/win_crime_snatch_ransomware.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 0baf02b23a6..482cc5a4fe7 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -47,6 +47,7 @@ detection:
 - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
 - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
 - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
 condition: selection
 fields:
 - ClientIP
diff --git a/rules/windows/process_creation/win_crime_snatch_ransomware.yml b/rules/windows/process_creation/win_crime_snatch_ransomware.yml
index 20daf7255de..a12ec84ea4a 100644
--- a/rules/windows/process_creation/win_crime_snatch_ransomware.yml
+++ b/rules/windows/process_creation/win_crime_snatch_ransomware.yml
@@ -1,7 +1,7 @@
 title: Snatch Ransomware
 id: 5325945e-f1f0-406e-97b8-65104d393fff
 status: experimental
-description: Detects specific process characteristics of Maze ransomware word document droppers
+description: Detects specific process characteristics of Snatch ransomware word document droppers
 references:
 - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
 author: Florian Roth
From e1529b445e03a39f0afe151119fd7de3472f9678 Mon Sep 17 00:00:00 2001
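Review bot: The added entry `'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;'` stops mid-header with no trailing wildcard, while the neighbouring entries in the same list are complete User-Agent strings; the field key for this list sits above the hunk, so if it is a plain `c-useragent:` exact match the value will only fire on a header that ends exactly at `SV1;`. Either append a wildcard (`'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;*'`) or place the value under a `c-useragent|startswith` selection. If the missing space before `SV1` is the deliberate malformed-UA indicator, say so in the inline comment so the next editor does not "fix" it. The enclosing `selection` block starts outside the hunk.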
From: Florian Roth
Date: Sat, 5 Sep 2020 09:17:23 +0200
Subject: [PATCH 2/6] docs: added MITRE ATT&CK tags
---
 rules/windows/process_creation/win_susp_mpcmdrun_download.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
index f4ee01c70a7..4dd0c5d2045 100644
--- a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
+++ b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
@@ -10,6 +10,8 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1218.010
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 category: process_creation
 product: windows
From 7d6043bd0d6b230594f8d66d3e4c387d4b113518 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 10 Sep 2020 10:33:11 +0200
Subject: [PATCH 3/6] rule: reworked suspicious user agents
---
 rules/proxy/proxy_ua_suspicious.yml | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
index 72e7fb39f69..7f9517736da 100644
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@@ -9,18 +9,22 @@ date: 2017/07/08
 logsource:
 category: proxy
 detection:
- selection:
- c-useragent:
- # Badly scripted UA
+ selection1:
+ c-useragent|startswith:
 - 'user-agent' # User-Agent: User-Agent:
- - '* (compatible;MSIE *' # typical typo - missing space
- - '*.0;Windows NT *' # typical typo - missing space
- - 'Mozilla/3.0 *'
- - 'Mozilla/2.0 *'
- - 'Mozilla/1.0 *'
- - 'Mozilla *' # missing slash
- - ' Mozilla/*' # leading space
- - 'Mozila/*' # single 'l'
+ - 'Mozilla/3.0 '
+ - 'Mozilla/2.0 '
+ - 'Mozilla/1.0 '
+ - 'Mozilla ' # missing slash
+ - ' Mozilla/' # leading space
+ - 'Mozila/' # single 'l'
+ - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488
+ selection2:
+ c-useragent|contains:
+ - ' (compatible;MSIE ' # typical typo - missing space
+ - '.0;Windows NT ' # typical typo - missing space
+ selection3:
+ c-useragent:
 - '_'
 - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
 - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
@@ -29,7 +33,7 @@ detection:
 falsepositives:
 c-useragent:
 - 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- condition: selection and not falsepositives
+ condition: ( selection1 or selection2 or selection3 ) and not falsepositives
 fields:
 - ClientIP
 - c-uri
From e7c6794ecd6cfd9bd5c96ffabc2ec9a1f3093726 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 12 Oct 2020 09:18:30 +0200
Subject: [PATCH 4/6] rule: suspicious wmic process call create + rundll32
---
 .../win_susp_wmic_proc_create_rundll32.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
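Review bot: The rework removes the `# Badly scripted UA` comment that introduced the list and leaves `selection1`, `selection2` and `selection3` undocumented, so a reader cannot tell why the same family of indicators is now split across a `startswith`, a `contains` and an exact-match list. Suggest restoring it as `# Badly scripted / malformed UA prefixes` above `selection1`, adding `# typo fragments anywhere in the UA` above `selection2` and `# exact-match known-bad UAs` above `selection3`. Several new values now carry their meaning entirely in a leading or trailing space (`' Mozilla/'`, `'Mozilla/3.0 '`), which the old wildcard forms did not; it is worth confirming that the conversion backends in use keep that whitespace intact rather than trimming it. The `detection` mapping continues past the hunk.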
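Review bot: The new condition enumerates the three selections by hand; Sigma's quantifier expresses the same OR and does not need editing when a further `selection4` is added, so `condition: 1 of selection* and not falsepositives` is the more maintainable form, assuming the backends this repository targets support the `of` quantifier at this version. Note that `falsepositives` is not matched by `selection*`, so the exclusion keeps working unchanged.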
diff --git a/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
new file mode 100644
index 00000000000..72ee04d1a89
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
@@ -0,0 +1,26 @@
+title: Suspicious WMI Execution using Rundll32
+id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
+status: experimental
+description: Detects WMI executing rundll32
+references:
+ - https://thedfirreport.com/2020/10/08/ryuks-return/
+author: Florian Roth
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'process call create'
+ - 'rundll32'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+tags:
+ - attack.execution
+ - attack.t1047
+falsepositives:
+ - Unknown
+level: high
From 0d0cda0f86c1d9691427d4b6a50fbc5bbf73bad2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 12 Oct 2020 09:18:42 +0200
Subject: [PATCH 5/6] docs: improved false positive notes
---
 rules/windows/process_creation/win_susp_wmi_execution.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index b57efa6c43b..3c33aca3b6a 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -29,6 +29,5 @@ tags:
 - attack.t1047
 - car.2016-03-002
 falsepositives:
- - Will need to be tuned
- - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.
+ - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine
 level: medium
From 3affdd12e026edb6cfa240676a62bca1632cd5bc Mon Sep 17 00:00:00 2001
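Review bot: The new rule's `description` (`Detects WMI executing rundll32`) does not say what the detection actually matches; suggest `description: Detects a WMIC command line that uses 'process call create' to start rundll32, a combination observed in Ryuk intrusions (see reference)`. The `tags` list records only T1047, yet the spawned binary is rundll32, so `- attack.defense_evasion` and `- attack.t1218.011` would also apply and make the tagging consistent with the regsvr32 rule touched earlier in this series. Because `contains|all` only requires both substrings somewhere in the command line, an administrative script that passes `rundll32` as an argument to some other process created via WMIC would match too; that is acceptable for a `high` rule, but the `falsepositives` entry should name that case instead of `Unknown`.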
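Review bot: After this change the `falsepositives` list of win_susp_wmi_execution.yml contains no false-positive source at all: the one remaining item is a Splunk hunting tip, and the `Will need to be tuned` warning that told operators to expect noise is gone. Keep a genuine source as its own list item (for example `- Administrative scripts and monitoring agents that run commands via WMI`, wording to be confirmed against real telemetry) and move the Splunk query hint into a comment or the `description`, where it does not read as a false positive.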
From: Florian Roth
Date: Mon, 12 Oct 2020 09:51:35 +0200
Subject: [PATCH 6/6] fix: rule title casing
---
 .../process_creation/win_susp_wmic_proc_create_rundll32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
index 72ee04d1a89..9ed00e6b9c7 100644
--- a/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
+++ b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
@@ -1,4 +1,4 @@
-title: Suspicious WMI Execution using Rundll32
+title: Suspicious WMI Execution Using Rundll32
 id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
 status: experimental
 description: Detects WMI executing rundll32