Rule Updates & Fixes

.yamllint

@@ -15,7 +15,7 @@ rules:
     comments-indentation: disable
     document-start: {present: false}
     empty-lines: {max: 2, max-start: 2, max-end: 2}
-    indentation: {spaces: 4}
+    indentation: {spaces: 4, indent-sequences: whatever}
     line-length: disable
     new-line-at-end-of-file: enable
     trailing-spaces: {}

rules-emerging-threats/2023/TA/Lazarus/README.md

@@ -0,0 +1,16 @@
+# Lazarus APT
+
+Last Updated: 18/10/2023
+
+## Summary
+
+ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor that ESET is naming LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp. Four different execution chains were identified, delivering three types of payloads via DLL side-loading.
+
+You can find more information on the threat in the following articles:
+
+- [Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company](https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/)
+- [Lazarus hackers breach aerospace firm with new LightlessCan malware](https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/)
+
+## Rules
+
+- [Lazarus APT DLL Sideloading Activity](./image_load_apt_lazarus_side_load_activity.yml)

rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml

@@ -0,0 +1,35 @@
+title: Lazarus APT DLL Sideloading Activity
+id: 24007168-a26b-4049-90d0-ce138e13a5cf
+status: experimental
+description: Detects sideloading of trojanized dll's used in lazarus apt campaign in the case of a Spanish aerospace company
+references:
+    - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
+    - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
+author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: image_load
+detection:
+    selection_mscoree:
+        Image: 'C:\ProgramShared\PresentationHost.exe'
+        ImageLoaded: ':\ProgramShared\mscoree.dll'
+    selection_colorui:
+        Image: 'C:\ProgramData\Adobe\colorcpl.exe'
+        ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
+    selection_mapistub:
+        Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
+        ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
+    selection_hid:
+        Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
+        ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml

@@ -67,37 +67,32 @@ detection:
             - '\wmic.exe'
             - '\wscript.exe'
     filter_main_winlogon_1:
-        SourceImage: 'C:\Windows\System32\winlogon.exe'
-        TargetImage:
-            - 'C:\Windows\System32\services.exe' # happens on Windows 7
-            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
-            - 'C:\Windows\System32\csrss.exe' # multiple OS
+        SourceImage|endswith: ':\Windows\System32\winlogon.exe'
+        TargetImage|endswith:
+            - ':\Windows\System32\services.exe' # happens on Windows 7
+            - ':\Windows\System32\wininit.exe' # happens on Windows 7
+            - ':\Windows\System32\csrss.exe' # multiple OS
     filter_main_winlogon_2:
         SourceImage: 'C:\Windows\System32\winlogon.exe'
         TargetParentImage: 'System'
         TargetParentProcessId: 4
-    filter_main_provtool:
-        SourceImage: 'C:\Windows\System32\provtool.exe'
-        TargetParentProcessId: 0
-    filter_main_vssvc:
-        SourceImage: 'C:\Windows\System32\VSSVC.exe'
-        TargetImage: 'System'
     filter_main_schtasks_conhost:
-        SourceImage:
-            - 'C:\Windows\System32\schtasks.exe'
-            - 'C:\Windows\SysWOW64\schtasks.exe'
-        TargetImage: 'C:\Windows\System32\conhost.exe'
-    filter_main_mmc:
-        SourceImage: 'C:\Windows\explorer.exe'
-        TargetImage: 'C:\Windows\System32\mmc.exe'
-    filter_optional_nvidia:
-        SourceImage: 'C:\Windows\explorer.exe'
-        TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
-    # filter_optional_powerpnt:
-    #     # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
-    #     SourceImage|contains: '\Microsoft Office\'
-    #     SourceImage|endswith: '\POWERPNT.EXE'
-    #     TargetImage: 'C:\Windows\System32\csrss.exe'
+        SourceImage|endswith:
+            - ':\Windows\System32\schtasks.exe'
+            - ':\Windows\SysWOW64\schtasks.exe'
+        TargetImage|endswith: ':\Windows\System32\conhost.exe'
+    filter_main_explorer:
+        SourceImage|endswith: ':\Windows\explorer.exe'
+        TargetImage|endswith:
+            - ':\Windows\System32\mmc.exe'
+            - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
+    filter_main_system:
+        TargetImage: 'System'
+    filter_optional_powerpnt:
+        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
+        SourceImage|contains: '\Microsoft Office\'
+        SourceImage|endswith: '\POWERPNT.EXE'
+        TargetImage|endswith: ':\Windows\System32\csrss.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown

rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml

@@ -9,7 +9,7 @@ references:
     - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/07/13
+modified: 2023/10/19
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -30,30 +30,29 @@ detection:
             - '\spoolsv.exe'
             - '\wordpad.exe'
             - '\write.exe'
-    filter_optional_spoolsv:
-        SourceImage: 'C:\Windows\System32\csrss.exe'
-        TargetImage: 'C:\Windows\System32\spoolsv.exe'
+    filter_main_csrss:
+        SourceImage|endswith: ':\Windows\System32\csrss.exe'
     filter_optional_aurora_1:
         StartFunction: 'EtwpNotificationThread'
     filter_optional_aurora_2:
         SourceImage|contains: 'unknown process'
     filter_optional_vmtoolsd:
-        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
+        SourceImage|endswith: ':\Program Files\VMware\VMware Tools\vmtoolsd.exe'
         StartFunction: 'GetCommandLineW'
-        TargetImage:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\System32\notepad.exe'
-            - 'C:\Windows\System32\spoolsv.exe'
-    filter_optional_rundll32:
-        SourceImage: 'C:\Windows\System32\rundll32.exe'
-        TargetImage: 'C:\Windows\explorer.exe'
+        TargetImage|endswith:
+            - ':\Windows\explorer.exe'
+            - ':\Windows\System32\notepad.exe'
+            - ':\Windows\System32\spoolsv.exe'
+    filter_main_rundll32:
+        SourceImage|endswith: ':\Windows\System32\rundll32.exe'
+        TargetImage|endswith: ':\Windows\explorer.exe'
         StartFunction:
             - 'LoadLibraryW'
             - 'FreeLibrary'
     filter_optional_winzip:
-        SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
-        TargetImage: 'C:\Windows\explorer.exe'
-    condition: selection and not 1 of filter_optional_*
+        SourceImage|endswith: ':\Program Files\WinZip\FAHWindow64.exe'
+        TargetImage|endswith: ':\Windows\explorer.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high

rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml

@@ -10,6 +10,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/04
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -22,6 +23,7 @@ detection:
     filter_main_generic:
         # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
         Image|endswith:
+            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
             - ':\Program Files\PowerShell\7\pwsh.exe'
             - ':\Windows\explorer.exe'
             - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml

@@ -0,0 +1,50 @@
+title: ADSI-Cache File Creation By Uncommon Tool
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+status: test
+description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
+references:
+    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+    - https://github.com/fox-it/LDAPFragger
+author: xknow @xknow_infosec, Tim Shelton
+date: 2019/03/24
+modified: 2023/10/18
+tags:
+    - attack.t1001.003
+    - attack.command_and_control
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
+        TargetFilename|endswith: '.sch'
+    filter_main_generic:
+        - Image|endswith:
+              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
+              - ':\Windows\CCM\CcmExec.exe'
+              - ':\windows\system32\dllhost.exe'
+              - ':\Windows\system32\dsac.exe'
+              - ':\Windows\system32\efsui.exe'
+              - ':\windows\system32\mmc.exe'
+              - ':\windows\system32\svchost.exe'
+              - ':\Windows\System32\wbem\WmiPrvSE.exe'
+              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
+        - Image|contains:
+              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
+              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
+    filter_main_office:
+        Image|contains|all:
+            - ':\Program Files\'
+            - '\Microsoft Office'
+        Image|endswith: '\OUTLOOK.EXE'
+    filter_optional_ldapwhoami:
+        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
+    filter_optional_citrix:
+        # Example:
+        #   TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
+        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+level: medium

rules/windows/file/file_event/file_event_win_creation_system_file.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/26
-modified: 2023/10/08
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -115,7 +115,9 @@ detection:
         # This filter handles system processes who are updated/installed using misexec.
         Image|endswith: ':\WINDOWS\system32\msiexec.exe'
         # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
-        TargetFilename|endswith: ':\Program Files\PowerShell\7\pwsh.exe'
+        TargetFilename|endswith:
+            - ':\Program Files\PowerShell\7\pwsh.exe'
+            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
     filter_main_healtray:
         TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
         TargetFilename|endswith: '\SecurityHealthSystray.exe'

rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml

@@ -7,7 +7,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/09
-modified: 2023/09/18
+modified: 2023/10/18
 tags:
     - attack.persistence
 logsource:
@@ -20,6 +20,7 @@ detection:
             - '\PowerShell\7\Modules\'
     filter_main_pwsh:
         Image|endswith:
+            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
             - ':\Program Files\PowerShell\7\pwsh.exe'
             - ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
             - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'

rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml

@@ -6,6 +6,7 @@ references:
     - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/01
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
 logsource:
@@ -16,6 +17,7 @@ detection:
         TargetFilename|contains: '__PSScriptPolicyTest_'
     filter_main_generic:
         Image|endswith:
+            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
             - ':\Program Files\PowerShell\7\pwsh.exe'
             - ':\Windows\System32\dsac.exe'
             - ':\Windows\System32\ServerManager.exe'

rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml

@@ -1,4 +1,4 @@
-title: Suspicious LNK Double Extension File
+title: Suspicious LNK Double Extension File Created
 id: 3215aa19-f060-4332-86d5-5602511f3ca8
 related:
     - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
@@ -14,7 +14,7 @@ references:
     - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/11/07
-modified: 2023/05/12
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
     - attack.t1036.007
@@ -35,20 +35,20 @@ detection:
             - '.xlsx.'
     filter_main_recent:
         TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
-    filter_optional_office:
+    filter_optional_office_recent:
         Image|endswith:
             # Note: Some additional office application might need to be added
             - '\excel.exe'
             - '\powerpnt.exe'
             - '\winword.exe'
         TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
-    filter_optional_excel:
+    filter_optional_office_excel:
         Image|endswith: '\excel.exe'
         TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
-    filter_optional_powerpoint:
+    filter_optional_office_powerpoint:
         Image|endswith: '\powerpnt.exe'
         TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
-    filter_optional_word:
+    filter_optional_office_word:
         Image|endswith: '\winword.exe'
         TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*