Merge pull request #1827 from phantinuss/master

2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2024-11-07 01:45:21 +00:00 · 2021-08-12 11:41:50 +02:00 · 2021-08-12 11:41:50 +02:00 · 418a0bbf7e
commit 418a0bbf7e
parent 6ed62b431e 08883c8e32
3 changed files with 56 additions and 30 deletions
--- a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml
@ -0,0 +1,31 @@
+title: Mailbox Export to Exchange Webserver
+id: 516376b4-05cd-4122-bae0-ad7641c38d48
+status: experimental
+description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
+references:
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+author: Florian Roth, Rich Warren, Christian Burkard
+date: 2021/08/09
+modified: 2021/08/11
+logsource:        
+    service: msexchange-management
+    product: windows
+detection:
+    export_command: 
+        - 'New-MailboxExportRequest'
+        - ' -Mailbox '
+    export_params:
+        - '-FilePath "\\localhost\C$'
+        - '-FilePath "\\127.0.0.1\C$'
+        - '.aspx'
+    role_assignment:
+        - 'New-ManagementRoleAssignment'
+        - ' -Role "Mailbox Import Export"'
+        - ' -User '
+    condition: (all of export_command and export_params) or all of role_assignment
+falsepositives:
+    - unlikely
+level: critical
+tags:
+    - attack.persistence  
+    - attack.t1505.003  
--- a/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml
@ -0,0 +1,25 @@
+title: LittleCorporal Generated Maldoc Injection
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+references:
+    - https://github.com/connormcgarr/LittleCorporal
+status: experimental
+author: Christian Burkard
+date: 2021/08/09
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        SourceImage|endswith: 'winword.exe'
+        CallTrace|contains|all:
+            - ':\Windows\Microsoft.NET\Framework64\v2.'
+            - 'UNKNOWN'
+    condition: selection
+falsepositives:
+    - unkown
+level: high
+tags:
+    - attack.execution
+    - attack.t1204.002
+    - attack.t1055.003
--- a/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml
+++ b/rules/windows/process_creation/win_exchange_proxyshell_mailboxexport.yml
@ -1,30 +0,0 @@
-title: ProxyShell MSExchange MailBox Export Pattern
-id: 516376b4-05cd-4122-bae0-ad7641c38d48
-status: experimental
-description: Detects specific patterns found after a successful ProxyShell exploitation in relation to a Commandlet invokation of New-MailboxExportRequest 
-references:
-    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html?m=1
-author: Florian Roth, Rich Warren 
-date: 2021/08/09
-logsource:
-    product: windows
-    service: msexchange-management
-detection:
-    selection_cmdlet:
-        Message|contains|all: 
-            - 'New-MailboxExportRequest'
-            - ' -Mailbox '
-    selection_params:
-        Message|contains:
-            - '-FilePath "\\localhost\C$'
-            - '-FilePath "\\127.0.0.1\C$'
-            - '.aspx'
-    selection_assignment:
-        Message|contains|all:
-            - 'New-ManagementRoleAssignment'
-            - ' -Role "Mailbox Import Export"'
-            - ' -User "exchange.admin"'
-    condition: selection_cmdlet and selection_params or selection_assignment
-falsepositives:
-    - Unlikely
-level: critical