Merge pull request #561 from Neo23x0/devel

Devel

rules/proxy/proxy_ua_frameworks.yml

@@ -37,6 +37,9 @@ detection:
         - 'SIPDROID'
         - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)'  # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
 
+        # Empire
+        - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0'
+
         # Exploits
         - '*wordpress hash grabber*'
         - '*exploit*'

rules/windows/process_creation/win_exploit_cve_2019_1388.yml

@@ -3,6 +3,7 @@ id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
 status: experimental
 description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
 references:
+    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
     - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth
 date: 2019/11/20

rules/windows/process_creation/win_process_creation_bitsadmin_download.yml

@@ -10,17 +10,22 @@ tags:
     - attack.persistence
     - attack.t1197
     - attack.s0190
+date: 2017/03/09
+modified: 2019/12/06
 author: Michael Haag
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         Image:
             - '*\bitsadmin.exe'
         CommandLine:
-            - /transfer
-    condition: selection
+            - '* /transfer *'
+    selection2:
+        CommandLine:
+            - '*copy bitsadmin.exe*'
+    condition: selection1 or selection2
 fields:
     - CommandLine
     - ParentCommandLine