Merge pull request #754 from Neo23x0/rule-devel

Rule devel

rules/proxy/proxy_ua_apt.yml

@@ -45,6 +45,7 @@ detection:
         - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
         - 'hots scot'  # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
         - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)'  # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36'  # Hidden Cobra malware
     condition: selection
 fields:
     - ClientIP

rules/windows/process_creation/win_crime_maze_ransomware.yml

@@ -0,0 +1,40 @@
+title: Maze Ransomware
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+status: experimental
+description: Detects specific process characteristics of Maze ransomware word document droppers
+references:
+    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+author: Florian Roth
+date: 2020/05/08
+tags:
+    - attack.execution
+    - attack.t1204
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # Dropper
+    selection1:
+        ParentImage|endswith:
+            - '\WINWORD.exe'
+        Image|endswith:
+            - '*.tmp'
+    # Binary Execution
+    selection2:
+        Image|endswith: '\wmic.exe'
+        ParentImage|contains: '\Temp\'
+        CommandLine|endswith: 'shadowcopy delete'
+    # Specific Pattern
+    selection3: 
+        CommandLine|endswith: 'shadowcopy delete'
+        CommandLine|contains: '\..\..\system32'
+    condition: 1 of them
+fields:
+    - ComputerName
+    - User
+    - Image
+falsepositives:
+    - Unlikely
+level: critical