From 742b8039661313f3fb907056fa2a863280b4207d Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:10:02 +0200
Subject: [PATCH 01/17] feat: add powershell 7 preview path
---
 .../file_delete_win_zone_identifier_ads_uncommon.yml | 2 ++
 .../file_event/file_event_win_creation_system_file.yml | 6 ++++--
 ...e_event_win_powershell_module_uncommon_creation.yml | 3 ++-
 ...script_policy_test_creation_by_uncommon_process.yml | 2 ++
 .../file_event_win_susp_powershell_profile.yml | 9 +++++----
 .../pipe_created_powershell_alternate_host_pipe.yml | 10 +++-------
 6 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
index d69e47ffecf..4591128a81d 100644
--- a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
+++ b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
@@ -10,6 +10,7 @@ references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/04
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 - attack.t1070.004
@@ -22,6 +23,7 @@ detection:
 filter_main_generic:
 # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
 Image|endswith:
+ - ':\Program Files\PowerShell\7-preview\pwsh.exe'
 - ':\Program Files\PowerShell\7\pwsh.exe'
 - ':\Windows\explorer.exe'
 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 3ec390ae466..302977a20c4 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/26
-modified: 2023/10/08
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 - attack.t1036.005
@@ -115,7 +115,9 @@ detection:
 # This filter handles system processes who are updated/installed using misexec.
 Image|endswith: ':\WINDOWS\system32\msiexec.exe'
 # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
- TargetFilename|endswith: ':\Program Files\PowerShell\7\pwsh.exe'
+ TargetFilename|endswith:
+ - ':\Program Files\PowerShell\7\pwsh.exe'
+ - ':\Program Files\PowerShell\7-preview\pwsh.exe'
 filter_main_healtray:
 TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
 TargetFilename|endswith: '\SecurityHealthSystray.exe'
diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
index 4c49d4928f4..1495dbf22c1 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
@@ -7,7 +7,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/09
-modified: 2023/09/18
+modified: 2023/10/18
 tags:
 - attack.persistence
 logsource:
@@ -20,6 +20,7 @@ detection:
 - '\PowerShell\7\Modules\'
 filter_main_pwsh:
 Image|endswith:
+ - ':\Program Files\PowerShell\7-preview\pwsh.exe'
 - ':\Program Files\PowerShell\7\pwsh.exe'
 - ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
 - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
index b0f06f0b279..9d1dffd77ef 100644
--- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
@@ -6,6 +6,7 @@ references:
 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/01
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 logsource:
@@ -16,6 +17,7 @@ detection:
 TargetFilename|contains: '__PSScriptPolicyTest_'
 filter_main_generic:
 Image|endswith:
+ - ':\Program Files\PowerShell\7-preview\pwsh.exe'
 - ':\Program Files\PowerShell\7\pwsh.exe'
 - ':\Windows\System32\dsac.exe'
 - ':\Windows\System32\ServerManager.exe'
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index 6a68b520727..c05041827e8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -5,9 +5,9 @@ description: Detects the creation or modification of a powershell profile which
 references:
 - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
 - https://persistence-info.github.io/Data/powershellprofile.html
-author: HieuTT35, Nasreddine Bencherchali
+author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/24
-modified: 2022/08/24
+modified: 2023/10/18
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -19,10 +19,11 @@ detection:
 selection:
 TargetFilename|endswith:
 - '\Microsoft.PowerShell_profile.ps1'
- - '\WindowsPowerShell\profile.ps1'
 - '\PowerShell\profile.ps1'
- - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
+ - '\Program Files\PowerShell\7-preview\profile.ps1'
 - '\Program Files\PowerShell\7\profile.ps1'
+ - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
+ - '\WindowsPowerShell\profile.ps1'
 condition: selection
 falsepositives:
 - System administrator creating Powershell profile manually
diff --git a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
index 0b958067e83..42a8e9172ea 100644
--- a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
@@ -7,7 +7,7 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 date: 2019/09/12
-modified: 2022/10/10
+modified: 2023/10/18
 tags:
 - attack.execution
 - attack.t1059.001
@@ -41,14 +41,10 @@ detection:
 - 'C:\Program Files\Microsoft\Exchange Server\'
 filter5:
 Image:
- - 'C:\Windows\system32\ServerManager.exe'
+ - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
 - 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
+ - 'C:\Windows\system32\ServerManager.exe'
 condition: selection and not 1 of filter*
-fields:
- - ComputerName
- - User
- - Image
- - PipeName
 falsepositives:
 - Programs using PowerShell directly without invocation of a dedicated interpreter.
 level: medium
From 544e4a3ae92419c946198d2d183b12aa47139cb3 Mon Sep 17 00:00:00 2001
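Review bot: In the `pipe_created_powershell_alternate_host_pipe.yml` hunk, `filter5` keeps an exact `Image:` match against `C:\Program Files\PowerShell\7-preview\pwsh.exe`, so a pwsh installed on any other drive letter is not filtered and will keep firing as a false positive, whereas every other rule touched by this same patch uses `Image|endswith: ':\Program Files\PowerShell\7-preview\pwsh.exe'` to stay drive-agnostic. The copied trailing comment `# Powershell 7` on the preview line is also now inaccurate. Suggest changing the three lines to `Image|endswith:`, `- ':\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview` and `- ':\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7` (and `- ':\Windows\system32\ServerManager.exe'` for symmetry). The `selection` and `filter1`–`filter4` blocks this condition references sit outside the hunk.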
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:10:27 +0200
Subject: [PATCH 02/17] update: gfxdownloadwrapper rule
---
 ...wnloadwrapper_arbitrary_file_download.yml} | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml => proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml} (50%)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
similarity index 50%
rename from rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
rename to rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
index 2796c45a8da..b172054698f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
@@ -1,12 +1,12 @@
-title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+title: Arbitrary File Download Via GfxDownloadWrapper.EXE
 id: eee00933-a761-4cd0-be70-c42fe91731e7
 status: test
-description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
+description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
 references:
 - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
-modified: 2022/01/06
+modified: 2023/10/18
 tags:
 - attack.command_and_control
 - attack.t1105
@@ -14,16 +14,14 @@ logsource:
 category: process_creation
 product: windows
 detection:
- image_path:
+ selection:
 Image|endswith: '\GfxDownloadWrapper.exe'
- filter:
- CommandLine|contains: 'gameplayapi.intel.com'
- ParentImage|endswith:
- - '\GfxDownloadWrapper.exe'
- - '\igfxEM.exe'
- condition: image_path and not filter
-fields:
- - CommandLine
+ CommandLine|contains:
+ - 'http://'
+ - 'https://'
+ filter_main_known_urls:
+ CommandLine|contains: 'https://gameplayapi.intel.com/'
+ condition: image_path and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: medium
From d0ec8ec84c3fadcd20e75ecf537625bec74a8dd9 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:10:36 +0200
Subject: [PATCH 03/17] fix: rename filename
---
 ...> proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml => proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
From d89fd4a6f2cd54029a4a8484a7c9278d67ee59d7 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:10:43 +0200
Subject: [PATCH 04/17] Update test_rules.py
---
 tests/test_rules.py | 59 +++++++++++++++++++++++++--------------------
 1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 1e3d1bd25de..5b549403f59 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
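Review bot: `filter_main_known_urls` is a plain substring match, so any GfxDownloadWrapper command line that contains `https://gameplayapi.intel.com/` anywhere — for example an attacker-controlled URL as the first argument with the Intel URL appended as a later argument, or embedded in the destination path — is silently excluded; the removed filter at least additionally required a parent of `\igfxEM.exe`. If the legitimate invocation is always spawned by the Intel graphics service, restoring `ParentImage|endswith: '\igfxEM.exe'` alongside the URL in the same filter block would close that gap; otherwise anchor the URL to its argument position (e.g. `CommandLine|contains: '"https://gameplayapi.intel.com/'` if the benign call quotes it — verify against a real igfxEM.exe launch before relying on the quote).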
@@ -1743,32 +1743,39 @@ def test_broken_thor_logsource_config(self):
 faulty_config = False
 # This test check of the "thor.yml" config file has a missing "WinEventLog:" prefix in Windows log sources
- path_to_thor_config = "../tests/thor.yml"
- path_to_thor_config = os.path.join(
- os.path.dirname(os.path.realpath(__file__)), path_to_thor_config
- )
- thor_logsources = self.get_rule_yaml(path_to_thor_config)[0]["logsources"]
-
- for key, value in thor_logsources.items():
- try:
- if value["product"] == "windows":
- sources_list = value["sources"]
- for i in sources_list:
- if not i.startswith("WinEventLog:"):
- faulty_config = True
- print(
- Fore.RED
- + "/tests/thor.yml config file has a broken source. Windows Eventlog sources must start with the keyword 'WinEventLog:'"
- )
- except:
- pass
-
- self.assertEqual(
- faulty_config,
- False,
- Fore.RED
- + "thor.yml configuration file located in 'tests/thor.yml' has a borken log source definition",
- )
+ path_to_thor_config = "tests/thor.yml"
+ try:
+ path_to_thor_config = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), path_to_thor_config
+ )
+ thor_logsources = self.get_rule_yaml(path_to_thor_config)[0]["logsources"]
+
+ for key, value in thor_logsources.items():
+ try:
+ if value["product"] == "windows":
+ sources_list = value["sources"]
+ for i in sources_list:
+ if not i.startswith("WinEventLog:"):
+ faulty_config = True
+ print(
+ Fore.RED
+ + "/tests/thor.yml config file has a broken source. Windows Eventlog sources must start with the keyword 'WinEventLog:'"
+ )
+ except:
+ pass
+ self.assertEqual(
+ faulty_config,
+ False,
+ Fore.RED
+ + "thor.yml configuration file located in 'tests/thor.yml' has a borken log source definition",
+ )
+ except:
+ self.assertEqual(
+ faulty_config,
+ False,
+ Fore.RED
+ + "thor.yml configuration file was not found. Please make sure to run the script from the root of the sigma folder",
+ )
 def test_re_invalid_escapes(self):
 faulty_rules = []
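Review bot: The new `path_to_thor_config = "tests/thor.yml"` is still joined onto `os.path.dirname(os.path.realpath(__file__))`, and since this file is `tests/test_rules.py` (per the diff header) that resolves to `tests/tests/thor.yml`, a path that does not exist; the old `../tests/thor.yml` was the form this join needs. Because the whole load-and-check now sits inside a bare `except:` whose fallback asserts `faulty_config == False` — a value that is still `False` when nothing was loaded — a missing or unreadable config makes the test pass silently, and a real `AssertionError` from the inner `assertEqual` is swallowed and re-raised under the misleading "was not found" message. Resolve the path relative to the test directory, catch only the load errors, and fail explicitly; the inner check loop is unchanged. The `def` line of `test_broken_thor_logsource_config` is just outside the hunk.

```python
        path_to_thor_config = os.path.join(
            os.path.dirname(os.path.realpath(__file__)), "thor.yml"
        )
        try:
            thor_logsources = self.get_rule_yaml(path_to_thor_config)[0]["logsources"]
        except (OSError, IndexError, KeyError) as err:
            # TODO confirm which exception get_rule_yaml raises for a missing file
            self.fail(
                Fore.RED
                + "thor.yml configuration file could not be loaded from '%s': %s"
                % (path_to_thor_config, err)
            )
        # … unchanged: per-source "WinEventLog:" prefix loop …
        self.assertEqual(
            faulty_config,
            False,
            Fore.RED
            + "thor.yml configuration file located in 'tests/thor.yml' has a borken log source definition",
        )
```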
From 9bb133a94aef9425492d57a04f2ab4fe36d15d81 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:11:25 +0200
Subject: [PATCH 05/17] fix: fp reported in #4432
---
 ...n_adsi_cache_creation_by_uncommon_tool.yml | 47 ++++++++++++++++++
 .../file_event_win_susp_adsi_cache_usage.yml | 48 ------------------------
 2 files changed, 47 insertions(+), 48 deletions(-)
 create mode 100644 rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
 delete mode 100755 rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
diff --git a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
new file mode 100644
index 00000000000..ddaa0f8ea37
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
@@ -0,0 +1,47 @@
+title: ADSI-Cache File Creation By Uncommon Tool
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+status: test
+description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
+references:
+ - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+ - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+ - https://github.com/fox-it/LDAPFragger
+author: xknow @xknow_infosec, Tim Shelton
+date: 2019/03/24
+modified: 2023/10/18
+tags:
+ - attack.t1001.003
+ - attack.command_and_control
+detection:
+ selection:
+ TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
+ TargetFilename|endswith: '.sch'
+ filter_main_generic:
+ - Image|endswith:
+ - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
+ - ':\Windows\CCM\CcmExec.exe'
+ - ':\windows\system32\dllhost.exe'
+ - ':\Windows\system32\dsac.exe'
+ - ':\Windows\system32\efsui.exe'
+ - ':\windows\system32\mmc.exe'
+ - ':\windows\system32\svchost.exe'
+ - ':\Windows\System32\wbem\WmiPrvSE.exe'
+ - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+ - Image|contains:
+ - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
+ - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
+ filter_main_office:
+ Image|contains|all:
+ - ':\Program Files\'
+ - '\Microsoft Office'
+ Image|endswith: '\OUTLOOK.EXE'
+ filter_optional_ldapwhoami:
+ Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
+ filter_optional_citrix:
+ # Example:
+ # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
+ Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
deleted file mode 100755
index d3b66f451ce..00000000000
--- a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
+++ /dev/null
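Review bot: `filter_main_generic` excludes events purely on the image path, and the list now covers `svchost.exe`, `dllhost.exe`, `mmc.exe`, `WmiPrvSE.exe` and `powershell.exe` — generic hosts that an injected implant or a PowerShell-driven tool (the referenced LDAPFragger is described there as a Cobalt Strike beacon; its typical host is not shown in this diff) would plausibly run from — so such ADSI cache creation is invisible to this rule, and the `falsepositives` text does not say so. Together with `level` dropping from `high` to `medium` this is a deliberate FP trade-off, but it should be documented for anyone tuning the rule. Suggest a comment above the `- Image|endswith:` list: `# Note: Excluding these generic hosts also hides ADSI use by code injected into them or run via PowerShell; cover that with a separate hunt if needed.`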
@@ -1,48 +0,0 @@
-title: Suspicious ADSI-Cache Usage By Unknown Tool
-id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
-status: test
-description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
-references:
- - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- - https://github.com/fox-it/LDAPFragger
-author: xknow @xknow_infosec, Tim Shelton
-date: 2019/03/24
-modified: 2023/01/12
-tags:
- - attack.t1001.003
- - attack.command_and_control
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
- TargetFilename|endswith: '.sch'
- filter_eq:
- Image:
- - 'C:\windows\system32\svchost.exe'
- - 'C:\windows\system32\dllhost.exe'
- - 'C:\windows\system32\mmc.exe'
- - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
- - 'C:\Windows\CCM\CcmExec.exe'
- - 'C:\Program Files\Cylance\Desktop\CylanceSvc.exe'
- - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- filter_begins:
- Image|startswith:
- - 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
- - 'C:\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
- filter_ends:
- Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
- filter_domain_controller:
- Image:
- - 'C:\Windows\system32\efsui.exe'
- - 'C:\Windows\system32\dsac.exe'
- filter_citrix:
- # Example:
- # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
- Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
-level: high
From 8fc4050d8e4218cd530b0f13922e63e74b7009a6 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:11:42 +0200
Subject: [PATCH 06/17] update: curl related direct ip download rules
---
 ...ation_win_curl_download_direct_ip_exec.yml | 80 +++++++++++++++++++
 ...rl_download_direct_ip_susp_extensions.yml} | 58 +++++++++-----
 2 files changed, 116 insertions(+), 22 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
 rename rules/windows/process_creation/{proc_creation_win_curl_download_direct_ip.yml => proc_creation_win_curl_download_direct_ip_susp_extensions.yml} (78%)
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
new file mode 100644
index 00000000000..89f690ac354
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
@@ -0,0 +1,80 @@
+title: File Download From IP URL Via Curl.EXE
+id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
+related:
+ - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+ type: similar
+status: experimental
+description: Detects file downloads directly from IP address URL using curl.exe
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+ - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+ - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\curl.exe'
+ - OriginalFileName: 'curl.exe'
+ selection_ip:
+ CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ selection_http:
+ CommandLine|contains: 'http'
+ selection_flag:
+ CommandLine|contains:
+ - ' -O' # covers the alias for --remote-name and --output
+ - '--remote-name'
+ - '--output'
+ filter_main_ext:
+ # Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043
+ CommandLine|endswith:
+ - '.bat'
+ - '.bat"'
+ - '.dat'
+ - '.dat"'
+ - '.dll'
+ - '.dll"'
+ - '.exe'
+ - '.exe"'
+ - '.gif'
+ - '.gif"'
+ - '.hta'
+ - '.hta"'
+ - '.jpeg'
+ - '.jpeg"'
+ - '.log'
+ - '.log"'
+ - '.msi'
+ - '.msi"'
+ - '.png'
+ - '.png"'
+ - '.ps1'
+ - '.ps1"'
+ - '.psm1'
+ - '.psm1"'
+ - '.vbe'
+ - '.vbe"'
+ - '.vbs'
+ - '.vbs"'
+ - ".bat'"
+ - ".dat'"
+ - ".dll'"
+ - ".exe'"
+ - ".gif'"
+ - ".hta'"
+ - ".jpeg'"
+ - ".log'"
+ - ".msi'"
+ - ".png'"
+ - ".ps1'"
+ - ".psm1'"
+ - ".vbe'"
+ - ".vbs'"
+ condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: medium
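Review bot: The new rule's `tags:` carries only `attack.execution`, although what it detects is a tool transfer from a remote IP, and the GfxDownloadWrapper download rule edited earlier in this same series tags that behaviour as `attack.command_and_control` / `attack.t1105`; keeping the two download rules consistent matters for anyone pivoting by technique. Suggest replacing the single tag with `- attack.command_and_control` and `- attack.t1105`. Separately, the `related` entry points at `5cb299fc-…` as `similar`, but the sibling rule in the next hunk only gets a comment rather than a reciprocal `related` block, so the link is one-directional — worth adding on that side as well.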
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
similarity index 78%
rename from rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml
rename to rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
index 1cc866c15f0..95bf8ca7aef 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
@@ -5,6 +5,7 @@ description: Detects potentially suspicious file downloads directly from IP addr
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+ - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/27
 tags:
@@ -26,37 +27,50 @@ detection:
 - '--remote-name'
 - '--output'
 selection_ext:
+ # Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218
 CommandLine|endswith:
- - '.ps1'
- - ".ps1'"
- - '.ps1"'
- - '.dat'
- - ".dat'"
- - '.dat"'
- - '.msi'
- - ".msi'"
- - '.msi"'
 - '.bat'
- - ".bat'"
 - '.bat"'
+ - '.dat'
+ - '.dat"'
+ - '.dll'
+ - '.dll"'
 - '.exe'
- - ".exe'"
 - '.exe"'
- - '.vbs'
- - ".vbs'"
- - '.vbs"'
- - '.vbe'
- - ".vbe'"
- - '.vbe"'
+ - '.gif'
+ - '.gif"'
 - '.hta'
- - ".hta'"
 - '.hta"'
- - '.dll'
- - ".dll'"
- - '.dll"'
+ - '.jpeg'
+ - '.jpeg"'
+ - '.log'
+ - '.log"'
+ - '.msi'
+ - '.msi"'
+ - '.png'
+ - '.png"'
+ - '.ps1'
+ - '.ps1"'
 - '.psm1'
- - ".psm1'"
 - '.psm1"'
+ - '.vbe'
+ - '.vbe"'
+ - '.vbs'
+ - '.vbs"'
+ - ".bat'"
+ - ".dat'"
+ - ".dll'"
+ - ".exe'"
+ - ".gif'"
+ - ".hta'"
+ - ".jpeg'"
+ - ".log'"
+ - ".msi'"
+ - ".png'"
+ - ".ps1'"
+ - ".psm1'"
+ - ".vbe'"
+ - ".vbs'"
 condition: all of selection_*
 falsepositives:
 - Unknown
From 332dac9c5a7c60075a6856e7bd98a8e2441adb56 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:12:14 +0200
Subject: [PATCH 07/17] fix: update filters and selection names
---
 .../file_event_win_susp_lnk_double_extension.yml | 12 ++++++------
 ...proc_creation_win_certutil_download_direct_ip.yml | 5 +++--
 ...on_win_desktopimgdownldr_remote_file_download.yml | 2 +-
 ...eation_win_office_exec_from_trusted_locations.yml | 3 +--
 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
index 43faa9d2bdc..a70fa7bfbb6 100644
--- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
@@ -1,4 +1,4 @@
-title: Suspicious LNK Double Extension File
+title: Suspicious LNK Double Extension File Created
 id: 3215aa19-f060-4332-86d5-5602511f3ca8
 related:
 - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
@@ -14,7 +14,7 @@ references:
 - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/11/07
-modified: 2023/05/12
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 - attack.t1036.007
@@ -35,20 +35,20 @@ detection:
 - '.xlsx.'
 filter_main_recent:
 TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
- filter_optional_office:
+ filter_optional_office_recent:
 Image|endswith:
 # Note: Some additional office application might need to be added
 - '\excel.exe'
 - '\powerpnt.exe'
 - '\winword.exe'
 TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
- filter_optional_excel:
+ filter_optional_office_excel:
 Image|endswith: '\excel.exe'
 TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
- filter_optional_powerpoint:
+ filter_optional_office_powerpoint:
 Image|endswith: '\powerpnt.exe'
 TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
- filter_optional_word:
+ filter_optional_office_word:
 Image|endswith: '\winword.exe'
 TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
index a3eaa05e5f3..eded0e089d6 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
@@ -13,6 +13,7 @@ references:
 - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
 - https://twitter.com/egre55/status/1087685529016193025
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+ - https://twitter.com/_JohnHammond/status/1708910264261980634
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
 tags:
@@ -63,9 +64,9 @@ detection:
 # - '://172.31.'
 # - '://127.' # 127.0.0.0/8
 # - '://169.254.' # 169.254.0.0/16
- filter_seven_zip:
+ filter_main_seven_zip:
 CommandLine|contains: '://7-' # For https://7-zip.org/
- condition: all of selection_* and not 1 of filter_*
+ condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
index f119cb7e36e..1fb5aeb9362 100644
--- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
@@ -1,4 +1,4 @@
-title: Remote File Download via Desktopimgdownldr Utility
+title: Remote File Download Via Desktopimgdownldr Utility
 id: 214641c2-c579-4ecb-8427-0cf19df6842e
 status: test
 description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
index 1c7725f762f..a8b2a2338ce 100644
--- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
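Review bot: In the certutil hunk, the renamed `filter_main_seven_zip` is still a substring match on `'://7-'`, so a certutil command line that carries an IP URL and also happens to contain `://7-` anywhere else (a second URL argument, or a hostname that merely starts with `7-`) is excluded from this `level: high` rule, not only downloads from 7-zip.org as the comment intends. The `selection_*` blocks are outside the hunk, so I cannot confirm how the IP URL is anchored, but the exclusion should at least match the full host: `CommandLine|contains: '://7-zip.org/'`. If the rule is meant to match private-range exclusions later (the commented `# - '://172.31.'` lines suggest that was considered), those should follow the same full-prefix discipline.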
@@ -9,6 +9,7 @@ references:
 - https://twitter.com/_JohnHammond/status/1588155401752788994
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/21
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 - attack.t1202
@@ -35,8 +36,6 @@ detection:
 # Note: these are the default locations. Admins/Users could add additional ones that you need to cover
 - '\AppData\Roaming\Microsoft\Templates'
 - '\AppData\Roaming\Microsoft\Word\Startup\'
- - '\Microsoft Office (x86)\root\Templates\'
- - '\Microsoft Office (x86)\Templates\'
 - '\Microsoft Office\root\Templates\'
 - '\Microsoft Office\Templates\'
 filter_main_dotx:
From 4e419c0030fa6f52b956a05c79695d6eac166ecd Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:20:50 +0200
Subject: [PATCH 08/17] Update .yamllint
---
 .yamllint | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.yamllint b/.yamllint
index e03e62ea407..7454a3f7f3a 100644
--- a/.yamllint
+++ b/.yamllint
@@ -15,7 +15,9 @@ rules:
 comments-indentation: disable
 document-start: {present: false}
 empty-lines: {max: 2, max-start: 2, max-end: 2}
- indentation: {spaces: 4}
+ indentation:
+ spaces: 4
+ indent-sequences: false
 line-length: disable
 new-line-at-end-of-file: enable
 trailing-spaces: {}
From 4e7c8db793be4288591197255f9bbfd5998af927 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:23:33 +0200
Subject: [PATCH 09/17] Update .yamllint
---
 .yamllint | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.yamllint b/.yamllint
index 7454a3f7f3a..9b1b458ee98 100644
--- a/.yamllint
+++ b/.yamllint
@@ -17,7 +17,7 @@ rules:
 empty-lines: {max: 2, max-start: 2, max-end: 2}
 indentation:
 spaces: 4
- indent-sequences: false
+ indent-sequences: whatever
 line-length: disable
 new-line-at-end-of-file: enable
 trailing-spaces: {}
From bb3dcf38bbbac94abb2a3e35165b06ce73eba56a Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:28:16 +0200
Subject: [PATCH 10/17] Update .yamllint
---
 .yamllint | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.yamllint b/.yamllint
index 9b1b458ee98..8d326000746 100644
--- a/.yamllint
+++ b/.yamllint
@@ -15,9 +15,7 @@ rules:
 comments-indentation: disable
 document-start: {present: false}
 empty-lines: {max: 2, max-start: 2, max-end: 2}
- indentation:
- spaces: 4
- indent-sequences: whatever
+ indentation: {spaces: 4, indent-sequences: whatever}
 line-length: disable
 new-line-at-end-of-file: enable
 trailing-spaces: {}
From 1e32a100dbc801ddae5da483e28cb96da6ded6ec Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 19:01:28 +0200
Subject: [PATCH 11/17] Update file_event_win_adsi_cache_creation_by_uncommon_tool.yml
---
 ...n_adsi_cache_creation_by_uncommon_tool.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
index ddaa0f8ea37..02f52550830 100644
--- a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
+++ b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
@@ -18,18 +18,18 @@ detection:
         TargetFilename|endswith: '.sch'
     filter_main_generic:
         - Image|endswith:
-            - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
-            - ':\Windows\CCM\CcmExec.exe'
-            - ':\windows\system32\dllhost.exe'
-            - ':\Windows\system32\dsac.exe'
-            - ':\Windows\system32\efsui.exe'
-            - ':\windows\system32\mmc.exe'
-            - ':\windows\system32\svchost.exe'
-            - ':\Windows\System32\wbem\WmiPrvSE.exe'
-            - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
+              - ':\Windows\CCM\CcmExec.exe'
+              - ':\windows\system32\dllhost.exe'
+              - ':\Windows\system32\dsac.exe'
+              - ':\Windows\system32\efsui.exe'
+              - ':\windows\system32\mmc.exe'
+              - ':\windows\system32\svchost.exe'
+              - ':\Windows\System32\wbem\WmiPrvSE.exe'
+              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
         - Image|contains:
-            - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
-            - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
+              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
+              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
     filter_main_office:
         Image|contains|all:
             - ':\Program Files\'
From fad307019cd12d32cf6453adfcbc1d5be9f5ef2f Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 19:07:23 +0200
Subject: [PATCH 12/17] Update file_event_win_adsi_cache_creation_by_uncommon_tool.yml
---
 .../file_event_win_adsi_cache_creation_by_uncommon_tool.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
index 02f52550830..d4f260a42a8 100644
--- a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
+++ b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
@@ -12,6 +12,9 @@ modified: 2023/10/18
 tags:
     - attack.t1001.003
     - attack.command_and_control
+logsource:
+    product: windows
+    category: file_event
 detection:
     selection:
         TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
From 23d8cafab7a915a58c9705af05275d0c93e1b82a Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 19:19:27 +0200
Subject: [PATCH 13/17] Update proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
---
 ..._creation_win_gfxdownloadwrapper_arbitrary_file_download.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
index b172054698f..9e7b1738e04 100644
--- a/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
@@ -21,7 +21,7 @@ detection:
             - 'https://'
     filter_main_known_urls:
         CommandLine|contains: 'https://gameplayapi.intel.com/'
-    condition: image_path and not 1 of filter_main_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium
From 4959a25169b3e788f12805a409c78b14e9dae176 Mon Sep 17 00:00:00 2001
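Review bot: `filter_main_known_urls` matches `https://gameplayapi.intel.com/` anywhere in the command line, so an invocation carrying a malicious URL plus the benign URL as a trailing decoy argument is excluded by the filter and never alerts. That is an inherent limit of a substring allowlist in Sigma, but it should be stated on the filter, e.g. `# Note: substring match - a benign URL appended to a malicious command line bypasses this filter`, and ideally echoed under `falsepositives`. The corrected `condition` now references `selection`, but the selection definition sits above this hunk inside the enclosing `detection` block, so I could not confirm the identifier actually exists under that name.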
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Oct 2023 20:32:22 +0200
Subject: [PATCH 14/17] update fp filter and certoc rules
---
 ...created_powershell_alternate_host_pipe.yml | 43 +++++++++----------
 ... => proc_creation_win_certoc_download.yml} | 14 ++++--
 ...creation_win_certoc_download_direct_ip.yml | 30 +++++++++++++
 3 files changed, 60 insertions(+), 27 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_lolbin_certoc_download.yml => proc_creation_win_certoc_download.yml} (63%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
diff --git a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
index 42a8e9172ea..0a615a21fe7 100644
--- a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
@@ -18,33 +18,30 @@ logsource:
 detection:
     selection:
         PipeName|startswith: '\PSHost'
-    filter1:
-        Image|endswith:
-            - '\powershell.exe'
-            - '\powershell_ise.exe'
-            - '\WINDOWS\System32\sdiagnhost.exe'
-            - '\WINDOWS\System32\wsmprovhost.exe'
-            - '\Windows\system32\dsac.exe'
-            - '\Windows\system32\wbem\wmiprvse.exe'
-            - '\ForefrontActiveDirectoryConnector.exe'
-            - 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
-    filter2:
-        Image: null
-    filter3: # Microsoft SQL Server\130\Tools\
+    filter_main_generic:
+        Image|contains:
+            - ':\Program Files\Citrix\'
+            - ':\Program Files\Microsoft\Exchange Server\'
+            - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
+            - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
+            - ':\Windows\system32\dsac.exe'
+            - ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
+            - ':\Windows\System32\sdiagnhost.exe'
+            - ':\Windows\system32\ServerManager.exe'
+            - ':\Windows\system32\wbem\wmiprvse.exe'
+            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
+            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
+            - ':\Windows\System32\wsmprovhost.exe'
+            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
+            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
+    filter_main_sqlserver: # Microsoft SQL Server\130\Tools\
         Image|contains|all:
             - ':\Program Files'
             - '\Microsoft SQL Server\'
         Image|endswith: '\Tools\Binn\SQLPS.exe'
-    filter4:
-        Image|startswith:
-            - 'C:\Program Files\Citrix\'
-            - 'C:\Program Files\Microsoft\Exchange Server\'
-    filter5:
-        Image:
-            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
-            - 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
-            - 'C:\Windows\system32\ServerManager.exe'
-    condition: selection and not 1 of filter*
+    filter_main_null:
+        Image: null
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Programs using PowerShell directly without invocation of a dedicated interpreter.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml b/rules/windows/process_creation/proc_creation_win_certoc_download.yml
similarity index 63%
rename from rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml
rename to rules/windows/process_creation/proc_creation_win_certoc_download.yml
index 6f109b22134..4ae525bbdf0 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download.yml
@@ -1,11 +1,15 @@
-title: Suspicious File Download via CertOC.exe
+title: File Download via CertOC.EXE
 id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+related:
+    - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+      type: similar
 status: test
-description: Detects when a user downloads file by using CertOC.exe
+description: Detects when a user downloads a file by using CertOC.exe
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/05/16
+modified: 2023/10/18
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -17,8 +21,10 @@ detection:
         - Image|endswith: '\certoc.exe'
         - OriginalFileName: 'CertOC.exe'
     selection_cli:
-        CommandLine|contains: '-GetCACAPS'
+        CommandLine|contains|all:
+            - '-GetCACAPS'
+            - 'http'
     condition: all of selection*
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
new file mode 100644
index 00000000000..b0e8ea59898
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
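Review bot: `filter_main_generic` excludes whole directory trees (`':\Program Files\Citrix\'`, `':\Program Files\Microsoft\Exchange Server\'`) through `Image|contains`, so any binary an attacker drops anywhere under those trees — a common follow-on to an Exchange web shell — can host PowerShell without tripping this rule, and the `w3wp.exe` entry already silences the IIS-hosted case the inline comment laments. The pipe_created event gives little else to pivot on, so this is an accepted trade-off, but it should be written down: add a `falsepositives` entry or a comment such as `# Note: directory-level exclusions - every image under these paths is ignored, including dropped attacker binaries`, and consider narrowing the two prefixes to the specific executables seen in FP testing. Also, `Image|contains` is applied to full executable paths in the same list; `Image|endswith` is the tighter modifier for those entries and is what the sibling rules in this series use.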
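Review bot: `selection_cli` keys on the literal `'-GetCACAPS'`, so if certoc.exe also honours the `/GetCACAPS` switch spelling the way the certutil family does (not verifiable from this hunk), that form slips past both this rule and its `similar` sibling. Matching the option name without the switch character costs nothing and closes the gap: `- 'GetCACAPS'` in place of `- '-GetCACAPS'`. If the `-` prefix is intentional, a short comment saying certoc only accepts the dash form would stop a future reviewer from asking the same question.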
@@ -0,0 +1,30 @@
+title: File Download From IP Based URL Via CertOC.EXE
+id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+related:
+    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+      type: similar
+status: experimental
+description: Detects when a user downloads a file from an IP based URL using CertOC.exe
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+    - attack.command_and_control
+    - attack.execution
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\certoc.exe'
+        - OriginalFileName: 'CertOC.exe'
+    selection_ip:
+        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    selection_cli:
+        CommandLine|contains: '-GetCACAPS'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: high
From ecb8ceb28fde32f5a977cbcb0cab316723fe984e Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Thu, 19 Oct 2023 02:03:32 +0200
Subject: [PATCH 15/17] feat: add lazarus dll sideloading et rules
---
 .../2023/TA/Lazarus/README.md | 16 +++++++++
 ...ge_load_apt_lazarus_side_load_activity.yml | 35 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 rules-emerging-threats/2023/TA/Lazarus/README.md
 create mode 100644 rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
diff --git a/rules-emerging-threats/2023/TA/Lazarus/README.md b/rules-emerging-threats/2023/TA/Lazarus/README.md
new file mode 100644
index 00000000000..abe27e1666c
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lazarus/README.md
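Review bot: The `CommandLine|re` in `selection_ip` only recognises dotted-quad IPv4 literals, so a bracketed IPv6 URL (`http://[fe80::1]/...`) and the hex/octal/decimal-integer IPv4 spellings such as `http://0x7f000001/` or `http://2130706433/` — which many URL parsers accept and which are a well-known filter-evasion trick — all miss this `high` rule and fall through to the sibling's `medium` `'http'` check. Bracketed IPv6 is cheap to cover: `CommandLine|re: '://(\[[0-9a-f:.]+\]|[0-9]{1,3}(\.[0-9]{1,3}){3})'`; the integer notations are better recorded as a known gap in `description` than chased with more regex. The `attack.execution` tag is present here but not on the `similar` sibling rule — either both or neither, for consistency.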
@@ -0,0 +1,16 @@
+# Lazarus APT
+
+Last Updated: 18/10/2023
+
+## Summary
+
+ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor that ESET is naming LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp. Four different execution chains were identified, delivering three types of payloads via DLL side-loading.
+
+You can find more information on the threat in the following articles:
+
+- [Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company](https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/)
+- [Lazarus hackers breach aerospace firm with new LightlessCan malware](https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/)
+
+## Rules
+
+- [Lazarus APT DLL Sideloading Activity](./image_load_apt_lazarus_side_load_activity.yml)
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
new file mode 100644
index 00000000000..1392024aaa2
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -0,0 +1,35 @@
+title: Lazarus APT DLL Sideloading Activity
+id: 24007168-a26b-4049-90d0-ce138e13a5cf
+status: experimental
+description: Detects sideloading of trojanized dll's used in lazarus apt campaign in the case of a Spanish aerospace company
+references:
+    - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
+    - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
+author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: image_load
+detection:
+    selection_mscoree:
+        Image: 'C:\ProgramShared\PresentationHost.exe'
+        ImageLoaded: ':\ProgramShared\mscoree.dll'
+    selection_colorui:
+        Image: 'C:\ProgramData\Adobe\colorcpl.exe'
+        ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
+    selection_mapistub:
+        Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
+        ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
+    selection_hid:
+        Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
+        ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
From 8a9400a92b52f3165405e7ba705fe59dd56f6b02 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Thu, 19 Oct 2023 16:02:11 +0200
Subject: [PATCH 16/17] fix: fp found in testing
---
 ...emote_thread_win_uncommon_source_image.yml | 47 +++++++++----------
 ...emote_thread_win_uncommon_target_image.yml | 29 ++++++------
 2 files changed, 35 insertions(+), 41 deletions(-)
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml
index eeaa4d2b2a6..321e57290f2 100644
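Review bot: `selection_mscoree` pairs an exact `Image: 'C:\ProgramShared\PresentationHost.exe'` with `ImageLoaded: ':\ProgramShared\mscoree.dll'`, and that second value carries no modifier, so it is an equality match against a field that always holds a full path with a drive letter — this selection can never fire. The other three selections are exact `C:\` matches, which is inconsistent with the drive-agnostic `|endswith ':\...'` idiom used everywhere else in this series and blind to the same payloads staged on another volume. I would rewrite the detection with `|endswith` on every field; the `ImageLoaded|endswith` in the first selection is the actual fix, the rest is consistency:
```yaml
# ... unchanged: title/id/description/references/tags/logsource above ...
detection:
    selection_mscoree:
        Image|endswith: ':\ProgramShared\PresentationHost.exe'
        ImageLoaded|endswith: ':\ProgramShared\mscoree.dll'
    selection_colorui:
        Image|endswith: ':\ProgramData\Adobe\colorcpl.exe'
        ImageLoaded|endswith: ':\ProgramData\Adobe\colorui.dll'
    selection_mapistub:
        Image|endswith: ':\ProgramData\Oracle\Java\fixmapi.exe'
        ImageLoaded|endswith: ':\ProgramData\Oracle\Java\mapistub.dll'
    selection_hid:
        Image|endswith: ':\ProgramData\Adobe\ARM\tabcal.exe'
        ImageLoaded|endswith: ':\ProgramData\Adobe\ARM\HID.dll'
    condition: 1 of selection_*
# ... unchanged: falsepositives/level below ...
```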
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml
@@ -67,37 +67,32 @@ detection:
             - '\wmic.exe'
             - '\wscript.exe'
     filter_main_winlogon_1:
-        SourceImage: 'C:\Windows\System32\winlogon.exe'
-        TargetImage:
-            - 'C:\Windows\System32\services.exe' # happens on Windows 7
-            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
-            - 'C:\Windows\System32\csrss.exe' # multiple OS
+        SourceImage|endswith: ':\Windows\System32\winlogon.exe'
+        TargetImage|endswith:
+            - ':\Windows\System32\services.exe' # happens on Windows 7
+            - ':\Windows\System32\wininit.exe' # happens on Windows 7
+            - ':\Windows\System32\csrss.exe' # multiple OS
     filter_main_winlogon_2:
         SourceImage: 'C:\Windows\System32\winlogon.exe'
         TargetParentImage: 'System'
         TargetParentProcessId: 4
-    filter_main_provtool:
-        SourceImage: 'C:\Windows\System32\provtool.exe'
-        TargetParentProcessId: 0
-    filter_main_vssvc:
-        SourceImage: 'C:\Windows\System32\VSSVC.exe'
-        TargetImage: 'System'
     filter_main_schtasks_conhost:
-        SourceImage:
-            - 'C:\Windows\System32\schtasks.exe'
-            - 'C:\Windows\SysWOW64\schtasks.exe'
-        TargetImage: 'C:\Windows\System32\conhost.exe'
-    filter_main_mmc:
-        SourceImage: 'C:\Windows\explorer.exe'
-        TargetImage: 'C:\Windows\System32\mmc.exe'
-    filter_optional_nvidia:
-        SourceImage: 'C:\Windows\explorer.exe'
-        TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
-    # filter_optional_powerpnt:
-    #     # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
-    #     SourceImage|contains: '\Microsoft Office\'
-    #     SourceImage|endswith: '\POWERPNT.EXE'
-    #     TargetImage: 'C:\Windows\System32\csrss.exe'
+        SourceImage|endswith:
+            - ':\Windows\System32\schtasks.exe'
+            - ':\Windows\SysWOW64\schtasks.exe'
+        TargetImage|endswith: ':\Windows\System32\conhost.exe'
+    filter_main_explorer:
+        SourceImage|endswith: ':\Windows\explorer.exe'
+        TargetImage|endswith:
+            - ':\Windows\System32\mmc.exe'
+            - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
+    filter_main_system:
+        TargetImage: 'System'
+    filter_optional_powerpnt:
+        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
+        SourceImage|contains: '\Microsoft Office\'
+        SourceImage|endswith: '\POWERPNT.EXE'
+        TargetImage|endswith: ':\Windows\System32\csrss.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
index 6862fe416bc..d240d2edefe 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
@@ -9,7 +9,7 @@ references:
     - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/07/13
+modified: 2023/10/19
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
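Review bot: `filter_main_winlogon_2` still uses the exact `SourceImage: 'C:\Windows\System32\winlogon.exe'` while `filter_main_winlogon_1` directly above it is converted to `SourceImage|endswith: ':\Windows\System32\winlogon.exe'` in this same hunk, so the two winlogon filters now disagree on drive handling; change it to `SourceImage|endswith: ':\Windows\System32\winlogon.exe'`. Separately, the new `filter_main_system` drops the `SourceImage` constraint the removed `filter_main_vssvc` had, so any source in the selection creating a thread in `System` is now excluded unconditionally — if testing only showed VSSVC and similar Windows components, keep a `SourceImage|endswith` list next to `TargetImage: 'System'`, or add a comment explaining why the broad form is safe. The selection list starts above this hunk, so I could not check whether the removed `provtool` filter was dead code or a live exclusion that will now alert.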
@@ -30,30 +30,29 @@ detection:
             - '\spoolsv.exe'
             - '\wordpad.exe'
             - '\write.exe'
-    filter_optional_spoolsv:
-        SourceImage: 'C:\Windows\System32\csrss.exe'
-        TargetImage: 'C:\Windows\System32\spoolsv.exe'
+    filter_main_csrss:
+        SourceImage|endswith: ':\Windows\System32\csrss.exe'
     filter_optional_aurora_1:
         StartFunction: 'EtwpNotificationThread'
     filter_optional_aurora_2:
         SourceImage|contains: 'unknown process'
     filter_optional_vmtoolsd:
-        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
+        SourceImage|endswith: ':\Program Files\VMware\VMware Tools\vmtoolsd.exe'
         StartFunction: 'GetCommandLineW'
-        TargetImage:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\System32\notepad.exe'
-            - 'C:\Windows\System32\spoolsv.exe'
-    filter_optional_rundll32:
-        SourceImage: 'C:\Windows\System32\rundll32.exe'
-        TargetImage: 'C:\Windows\explorer.exe'
+        TargetImage|endswith:
+            - ':\Windows\explorer.exe'
+            - ':\Windows\System32\notepad.exe'
+            - ':\Windows\System32\spoolsv.exe'
+    filter_main_rundll32:
+        SourceImage|endswith: ':\Windows\System32\rundll32.exe'
+        TargetImage|endswith: ':\Windows\explorer.exe'
         StartFunction:
             - 'LoadLibraryW'
             - 'FreeLibrary'
     filter_optional_winzip:
-        SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
-        TargetImage: 'C:\Windows\explorer.exe'
-    condition: selection and not 1 of filter_optional_*
+        SourceImage|endswith: ':\Program Files\WinZip\FAHWindow64.exe'
+        TargetImage|endswith: ':\Windows\explorer.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high
From cabde9795674f5001fdc8df02ea48baf943b3bfc Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 23 Oct 2023 10:12:55 +0200
Subject: [PATCH 17/17] fix: typo
---
 .../TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
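Review bot: Promoting `filter_main_rundll32` from optional to main means a `rundll32.exe` → `explorer.exe` remote thread starting in `LoadLibraryW` — the textbook CreateRemoteThread DLL-injection shape against one of this rule's own target images — is now always suppressed, not only in deployments that opted into the filter. If the benign source is a specific shell-extension or control-panel host invocation (my guess, not shown by the hunk), name it in a comment such as `# rundll32-hosted shell/control-panel loads into explorer - confirm against your data` and keep the filter under `filter_optional_` so operators enable it consciously. `filter_main_csrss` similarly widens from csrss→spoolsv to csrss→anything; csrss is a protected process so the exposure is lower, but the widening deserves a line in the rule or the commit message.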
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index 1392024aaa2..680ed7a9330 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -1,7 +1,7 @@
 title: Lazarus APT DLL Sideloading Activity
 id: 24007168-a26b-4049-90d0-ce138e13a5cf
 status: experimental
-description: Detects sideloading of trojanized dll's used in lazarus apt campaign in the case of a Spanish aerospace company
+description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
 references:
     - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
     - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/