Merge pull request #2020 from frack113/pc_global

Split some global process_creation rules
2024-11-06 09:25:17 +00:00 · 2021-09-15 19:03:30 +02:00 · 2021-09-15 19:03:30 +02:00 · 973e0666ac
commit 973e0666ac
parent f9b4b524c6 830c0c9f22
6 changed files with 73 additions and 40 deletions
--- a/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
+++ b/rules/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
@ -1,31 +1,21 @@
-action: global
 title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: fde7929d-8beb-4a4c-b922-be9974671667
 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
 date: 2020/10/05
+modified: 2021/09/11
 tags:
    - attack.defense_evasion
    - attack.t1218
-detection:
-    condition: selection
-falsepositives:
-    - App-V clients
-level: medium
---
-id: fde7929d-8beb-4a4c-b922-be9974671667
 logsource:
    product: windows
    category: process_creation
 detection:
    selection:
        Image|endswith: '\SyncAppvPublishingServer.exe'
---
-id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        - 'SyncAppvPublishingServer.exe'
+    condition: selection
+falsepositives:
+    - App-V clients
+level: medium
--- a/rules/windows/file_event/file_event_advanced_ip_scanner.yml
+++ b/rules/windows/file_event/file_event_advanced_ip_scanner.yml
@ -1,5 +1,8 @@
-action: global
 title: Advanced IP Scanner 
+id: fed85bf9-e075-4280-9159-fbe8a023d6fa
+related:
+    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+      type: derived
 status: experimental
 description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 references:
@ -10,24 +13,10 @@ references:
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
 author: '@ROxPinTeddy'
 date: 2020/05/12
-modified: 2021/05/11
+modified: 2021/09/11
 tags:
    - attack.discovery
    - attack.t1046
-falsepositives:
-    - Legitimate administrative use
-level: medium
---
-id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-       Image|contains: '\advanced_ip_scanner'
-    condition: selection
---
-id: fed85bf9-e075-4280-9159-fbe8a023d6fa
 logsource:
    category: file_event
    product: windows
@ -35,3 +24,6 @@ detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
    condition: selection
+falsepositives:
+    - Legitimate administrative use
+level: medium
--- a/rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_syncappvpublishingserver_exe.yml
@ -0,0 +1,24 @@
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+related:
+    - id: fde7929d-8beb-4a4c-b922-be9974671667
+      type: derived
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/05
+modified: 2021/09/11
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    product: windows
+    service: powershell
+detection:
+    selection:
+        - 'SyncAppvPublishingServer.exe'
+    condition: selection
+falsepositives:
+    - App-V clients
+level: medium
--- a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
@ -0,0 +1,26 @@
+title: Advanced IP Scanner
+id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+status: experimental
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+references:
+    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+author: '@ROxPinTeddy'
+date: 2020/05/12
+modified: 2021/09/12
+tags:
+    - attack.discovery
+    - attack.t1046
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+       Image|contains: '\advanced_ip_scanner'
+    condition: selection
+falsepositives:
+    - Legitimate administrative use
+level: medium
--- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
+++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
@ -6,9 +6,11 @@ related:
 status: experimental
 author: frack113
 date: 2021/07/12
+modified: 2021/09/12
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 tags:
    - attack.defense_evasion
    - attack.t1218
@ -18,9 +20,7 @@ logsource:
 detection:
    selection:
        Image|endswith: '\SyncAppvPublishingServer.exe'
-        CommandLine|contains|all:
-            - '"n; '
-            - ' Start-Process '
+        CommandLine|contains: '"n; '
    condition: selection 
 fields:
    - ComputerName
--- a/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
+++ b/rules/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@ -3,23 +3,24 @@ id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
 status: experimental
 author: frack113
 date: 2021/07/16
-description: Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files.
+modified: 2021/09/12
+description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
+    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 tags:
    - attack.defense_evasion
+    - attack.t1218
    - attack.t1216
 logsource:
    category: process_creation
    product: windows
 detection:
    select_vbs:
-        CommandLine|contains: '\SyncAppvPublishingServer.vbs'
-    select_opt:
        CommandLine|contains|all:
+            - '\SyncAppvPublishingServer.vbs'
            - '"n;'
-            - 'Start-Process '
-    condition: select_vbs and select_opt
+    condition: select_vbs
 fields:
    - ComputerName
    - User