From 3cf1be9e8da97ce2eaf1b83517d4b5703f5d78ee Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 May 2021 10:08:41 +0200
Subject: [PATCH 1/7] rule: exchange vulnerability CVE-2021-28480

---
 .../web/web_expl_exchange_cve_2021_28480.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/web/web_expl_exchange_cve_2021_28480.yml

diff --git a/rules/web/web_expl_exchange_cve_2021_28480.yml b/rules/web/web_expl_exchange_cve_2021_28480.yml
new file mode 100644
index 00000000..62cd6efd
--- /dev/null
+++ b/rules/web/web_expl_exchange_cve_2021_28480.yml
@@ -0,0 +1,23 @@
+title: Exchange Exploitation CVE-2021-28480
+id: a2a9d722-0acb-4096-bccc-daaf91a5037b
+status: experimental
+description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
+references:
+ - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
+author: Florian Roth
+date: 2021/05/14
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/owa/calendar/a'
+ cs-method: 'POST'
+ filter:
+ sc-status: 503
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file

From e4a1ce4498ed0445449b1cefb9297cc3b9e3de2f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 May 2021 17:34:52 +0200
Subject: [PATCH 2/7] rule: ngrok rdp port exposure

---
 .../process_creation/win_susp_ngrok_pua.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_ngrok_pua.yml

diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml
new file mode 100644
index 00000000..f27744e7
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml
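Review bot: The description claims the rule detects *successful* exploitation, but the only exclusion is `sc-status: 503`, so a POST to a matching `/owa/calendar/a` URI that returns any other code (400, 401, 500) still fires at level critical; the description and the filter do not agree. If the referenced write-up documents the response code of a successful request, it would be cleaner to select that code positively rather than exclude a single one; otherwise reword the description to `Detects attempts to exploit the Exchange vulnerability reported in CVE-2021-28480` and fix the typo `successfull`. `c-uri|contains: '/owa/calendar/a'` is also a very short substring that will match legitimate calendar requests whose path segment starts with "a"; if the reference supports a longer prefix, use it.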
@@ -0,0 +1,24 @@
+title: Ngrok RDP Exposure Pattern
+id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
+description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected RDP service publicly available
+status: experimental
+references:
+ - https://ngrok.com/docs
+ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+ - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
+author: Florian Roth
+date: 2021/05/14
+tags:
+ - attack.command_and_control
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - ' tcp 3389'
+ condition: selection
+falsepositives:
+ - Another tool that uses the command line switches of Ngrok
+level: high

From a655c5c1a0daf5c07a7851769adc579273472f33 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 May 2021 17:44:53 +0200
Subject: [PATCH 3/7] update ngrok rule

---
 .../process_creation/win_susp_ngrok_pua.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml
index f27744e7..d67b9875 100644
--- a/rules/windows/process_creation/win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml
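Review bot: The falsepositives section lists only "Another tool that uses the command line switches of Ngrok", yet the rule's own stackoverflow reference describes a legitimate `ngrok tcp 3389` use; developer or administrator use of ngrok is the most likely benign hit for a level-high rule and should be listed, e.g. `- Legitimate use of Ngrok by developers or administrators`. The follow-up hunks in PATCH 3/7 keep the falsepositives entry unchanged, so the note applies there as well.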
@@ -1,11 +1,12 @@
-title: Ngrok RDP Exposure Pattern
+title: Ngrok Usage
 id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
-description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected RDP service publicly available
+description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available
 status: experimental
 references:
 - https://ngrok.com/docs
 - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
 - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
+ - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
 author: Florian Roth
 date: 2021/05/14
 tags:
@@ -15,10 +16,16 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection1:
 CommandLine|contains:
 - ' tcp 3389'
- condition: selection
+ selection2:
+ CommandLine|contains|all:
+ - ' start '
+ - '--all'
+ - '--config'
+ - '.yml'
+ condition: 1 of them
 falsepositives:
 - Another tool that uses the command line switches of Ngrok
 level: high

From 48757423efd2f5654c75a3c7f0094656d63c94bf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 May 2021 18:06:53 +0200
Subject: [PATCH 4/7] rule darkside patterns

---
 rules/windows/malware/win_mal_darkside.yml | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/malware/win_mal_darkside.yml

diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml
new file mode 100644
index 00000000..bd71ca99
--- /dev/null
+++ b/rules/windows/malware/win_mal_darkside.yml
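Review bot: The retitle to "Ngrok Usage" in the first hunk broadens the stated scope, but selection1 in the second hunk still matches only `' tcp 3389'`, so an ngrok launch forwarding any other service is caught only when it uses the `start --all --config` form covered by selection2; either extend selection1 with further ngrok tunnel patterns or keep the description honest about RDP plus config-file launches. selection2's four substrings (`' start '`, `'--all'`, `'--config'`, `'.yml'`) are generic enough that other tools with a YAML config and a `start` subcommand may match, which the single falsepositives entry only partly covers; a second entry naming that case would help triage.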
@@ -0,0 +1,28 @@
+title: DarkSide Ransomware Pattern
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+status: experimental
+references:
+ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+ - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+ - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - "=[char][byte]('0x'+"
+ - ' -work worker0 -path '
+ selection2:
+ ParentCommandLine|contains:
+ - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ Image|contians:
+ - '\AppData\Local\Temp\'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+ - UAC bypass method used by other malware
+level: critical

From 526ab4f707c4f56dc4eb540d58c2bfc0e7cfb066 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 15 May 2021 13:02:49 +0200
Subject: [PATCH 5/7] feat: trademark test case

---
 tests/test_rules.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tests/test_rules.py b/tests/test_rules.py
index 160c98df..9fc340cc 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -17,6 +17,8 @@ from colorama import Fore
 class TestRules(unittest.TestCase):
 MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list
 MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"]
+ # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
+ TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}
 path_to_rules = "rules"
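Review bot: With `condition: 1 of them`, a hit on selection2 alone (a `DllHost.exe /Processid:{3E5FC7F9-...}` parent launching an image under `\AppData\Local\Temp\`) raises a level-critical alert titled "DarkSide Ransomware Pattern", although the falsepositives entry itself concedes that this is a UAC bypass method used by other malware; the description "Detects DarkSide Ransomware and helpers" therefore overstates what selection2 proves. Suggest a description that names both behaviours, e.g. `description: Detects command line patterns of DarkSide ransomware helpers, and the DllHost COM-elevation UAC bypass observed in DarkSide and other malware`, or split selection2 into its own rule with a level that reflects its generic nature. selection1's two strings are the DarkSide-specific part and could be called out as such in a comment or the description.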
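Review bot: In `TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}` the first entry is redundant: any file containing "MITRE ATT&CK" also contains "ATT&CK", so the substring scan added in PATCH 5/7's second hunk can never report the longer form separately; `{"ATT&CK"}` is sufficient unless the test is later changed to report which mark matched. The comment above it, "they require non-ASCII characters to be used on we don't want them in our rules", is garbled; suggest `# Don't use trademarks in rules - their usage guidelines require non-ASCII symbols that we don't want in our rules`. The enclosing class continues outside the hunk.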
@@ -58,6 +60,19 @@ class TestRules(unittest.TestCase):
 self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + "There are rule files with extensions other than .yml")
+ def test_legal_trademark_violations(self):
+ files_with_legal_issues = []
+
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ with open(file, 'r') as fh:
+ file_data = fh.read()
+ for tm in self.TRADE_MARKS:
+ if tm in file_data:
+ files_with_legal_issues.append(file)
+
+ self.assertEqual(files_with_legal_issues, [], Fore.RED +
+ "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues")
+
 def test_confirm_correct_mitre_tags(self):
 files_with_incorrect_mitre_tags = []

From 02bf32ce6cf46399ccb284cc58801ffb8877e704 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 15 May 2021 13:09:08 +0200
Subject: [PATCH 6/7] fixed more legal issues

---
 .../silenttrinity_stager_msbuild_activity.yml | 2 +-
 tests/test_rules.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
index 124148c1..ab68f0b0 100644
--- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -4,7 +4,7 @@ description: Detects a possible remote connections to Silenttrinity c2
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 tags:
- - attack.execution # example MITRE ATT&CK category
+ - attack.execution
 - attack.t1127.001
 status: experimental
 author: Kiran kumar s, oscd.community
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 9fc340cc..9849bbdd 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
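Review bot: `with open(file, 'r') as fh:` in `test_legal_trademark_violations` reads every rule with the platform default encoding, and this test exists precisely because some files carry non-ASCII characters (compare the `ATT&CKĀ®` docstring removed in PATCH 6/7); on a runner whose locale is not UTF-8 such a file would likely raise UnicodeDecodeError instead of being reported. Change it to `with open(file, 'r', encoding='utf-8') as fh:`. The assertion message also reads "There are rule files which contains a trademark" — should be "contain". The method itself is complete within the hunk.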
@@ -372,9 +372,10 @@ class TestRules(unittest.TestCase):
 for key in logsource:
 if key.lower() not in ['category', 'product', 'service', 'definition']:
 print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key))
+
 def get_mitre_data():
 """
- Generate tags from live MITRE ATT&CKĀ® TAXI service to get up-to-date data
+ Generate tags from live TAXI service to get up-to-date data
 """
 # Get ATT&CK information
 lift = attack_client()

From 9b32e72d0bbd84f044644000400ca1501a393e4c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 15 May 2021 13:19:12 +0200
Subject: [PATCH 7/7] fix: syntax issue

---
 rules/windows/malware/win_mal_darkside.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml
index bd71ca99..26d609be 100644
--- a/rules/windows/malware/win_mal_darkside.yml
+++ b/rules/windows/malware/win_mal_darkside.yml
@@ -19,7 +19,7 @@ detection:
 selection2:
 ParentCommandLine|contains:
 - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- Image|contians:
+ Image|contains:
 - '\AppData\Local\Temp\'
 condition: 1 of them
 falsepositives:
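Review bot: The rewritten docstring line still says "live TAXI service"; the MITRE data-exchange protocol is TAXII, so the commit removes the trademark but inherits the typo from the removed line. Suggest `Generate tags from the live TAXII service to get up-to-date data`. The `# Get ATT&CK information` comment two lines below is left as is, which is fine since `test_legal_trademark_violations` scans only rule files, but worth remembering if that check is ever extended to Python sources. `get_mitre_data` continues outside the hunk.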