Merge pull request #472 from feedb/oscd

add 11 new rules:

- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml

rules/linux/auditd/lnx_auditd_web_rce.yml

@@ -0,0 +1,28 @@
+title: Webshell Remote Command Execution
+status: experimental
+description: Detects posible command execution by web application/web shell
+# You need to add to the config auditd.conf: 
+# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
+# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
+# change 33 to id you webserver user. default: www-data:x:33:33
+tags:
+    - attack.persistence
+    - attack.t1100
+references:
+    - personal experience
+author: Ilyas Ochkov, Beyu Denis, oscd.community
+date: 2019/10/12
+modified: 2019/11/04
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        SYSCALL: 'execve'
+        key: 'detect_execve_www'
+    condition: selection
+falsepositives:
+    - Admin activity
+    - Crazy web applications
+level: critical

rules/windows/process_creation/process_creation_susp_bginfo.yml

@@ -0,0 +1,26 @@
+title: Application whitelisting bypass via bginfo
+status: experimental
+description: Execute VBscript code that is referenced within the *.bgi file.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
+    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+  selection:
+    Image: '*\bginfo.exe'
+    CommandLine|contains|all:
+        - '/popup'
+        - '/nolicprompt'
+  condition: selection
+falsepositives:
+    - Unknown

rules/windows/process_creation/process_creation_susp_cdb.yml

@@ -0,0 +1,24 @@
+title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
+status: experimental
+description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
+    - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\cdb.exe'
+        CommandLine|contains: '-cf'
+    condition: selection
+falsepositives:
+    - Legitimate use of debugging tools

rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml

@@ -0,0 +1,24 @@
+title: Devtoolslauncher.exe executes specified binary
+status: experimental
+description: The Devtoolslauncher.exe executes other binary
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml
+    - https://twitter.com/_felamos/status/1179811992841797632
+author: Beyu Denis, oscd.community (rule), @_felamos (idea)
+date: 2019/10/12
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+level: critical
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\devtoolslauncher.exe'
+        CommandLine|contains: 'LaunchForDeploy'
+    condition: selection
+falsepositives:
+    - Legitimate use of devtoolslauncher.exe by legitimate user

rules/windows/process_creation/process_creation_susp_dnx.yml

@@ -0,0 +1,23 @@
+title: Application Whitelisting bypass via dnx.exe
+status: experimental
+description: Execute C# code located in the consoleapp folder
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
+    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\dnx.exe'
+    condition: selection
+falsepositives:
+    - Legitimate use of dnx.exe by legitimate user

rules/windows/process_creation/process_creation_susp_dxcap.yml

@@ -0,0 +1,26 @@
+title: Application Whitelisting bypass via dxcap.exe
+status: experimental
+description: Detects execution of of Dxcap.exe
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
+    - https://twitter.com/harr0ey/status/992008180904419328
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\dxcap.exe'
+        CommandLine|contains|all:
+            - '-c'
+            - '.exe'
+    condition: selection
+falsepositives:
+    - Legitimate execution of dxcap.exe by legitimate user

rules/windows/process_creation/process_creation_susp_msoffice.yml

@@ -0,0 +1,27 @@
+title: Malicious payload download via Office binaries
+status: experimental
+description: Downloads payload from remote server
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
+    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
+    - Reegun J (OCBC Bank)
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+    - attack.command_and_control
+    - attack.t1105
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: 
+            - '*\powerpnt.exe'
+            - '*\winword.exe'
+            - '*\excel.exe'
+        CommandLine|contains: 'http'
+    condition: selection
+falsepositives:
+    - Unknown

rules/windows/process_creation/process_creation_susp_odbcconf.yml

@@ -0,0 +1,30 @@
+title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe
+description: Defence evasion via odbcconf.exe loading DLL specified in target .RSP file
+status: experimental
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
+author: Beyu Denis, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/25
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_1:
+        Image: '*\odbcconf.exe'
+    selection_2:
+        CommandLine|contains|all:
+            - '-f'
+            - '.rsp'
+    selection_3:    
+        CommandLine|contains|all:
+            - 'regsvr'
+            - '.dll'
+    condition: selection_1 and ( selection_2 or selection_3 )
+level: medium
+falsepositives:
+    - Legitimate use of odbcconf.exe by legitimate user

rules/windows/process_creation/process_creation_susp_openwith.yml

@@ -0,0 +1,24 @@
+title: OpenWith.exe executes specified binary
+status: experimental
+description: The OpenWith.exe executes other binary
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
+    - https://twitter.com/harr0ey/status/991670870384021504
+author: 'Beyu Denis, oscd.community (rule), @harr0ey (idea)'
+date: 2019/10/12
+modified: 2019/11/04
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+level: critical
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\OpenWith.exe'
+        CommandLine|contains: '/c'
+    condition: selection
+falsepositives:
+    - Legitimate use of OpenWith.exe by legitimate user

rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml

@@ -0,0 +1,23 @@
+title: psr.exe capture screenshots
+status: experimental
+description: The psr.exe captures desktop screenshots and saves them on the local machine
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml
+    - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
+author: Beyu Denis, oscd.community
+date: 2019/10/12
+modified: 2019/11/04
+tags:
+    - attack.persistence
+    - attack.t1218
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\Psr.exe'
+        CommandLine|contains: '/start'
+    condition: selection 
+falsepositives:
+    - Unknown

rules/windows/sysmon/sysmon_webshell_creation_detect.yml

@@ -0,0 +1,44 @@
+title: Windows webshell creation
+status: experimental
+description: Posible webshell file creation on a static web site
+references:
+    - PT ESC rule and personal experience
+author: Beyu Denis, oscd.community
+date: 2019/10/22
+modified: 2019/11/04
+tags:
+    - attack.persistence
+    - attack.t1100
+level: critical
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_1:
+        EventID: 11
+    selection_2:
+        TargetFilename|contains: '\inetpub\wwwroot\'
+    selection_3:        
+        TargetFilename|contains:
+            - '.asp'
+            - '.ashx'
+            - '.ph'
+    selection_4: 
+        TargetFilename|contains:
+            - '\www\'
+            - '\htdocs\'
+            - '\html\'
+    selection_5:
+        TargetFilename|contains: '.ph'
+    selection_6:
+        - TargetFilename|contains|all: 
+            - '\'
+            - '.jsp'
+        - TargetFilename|contains|all: 
+            - '\cgi-bin\'
+            - '.pl'
+    condition: selection_1 and ( selection_2 and selection_3 ) or
+               selection_1 and ( selection_4 and selection_5 ) or
+               selection_1 and selection_6
+falsepositives:
+    - Legitimate administrator or developer creating legitimate executable files in a web application folder