Merge pull request #812 from tliffick/master

added new rules for malware
2024-11-06 17:35:19 +00:00 · 2020-06-10 17:37:19 +02:00 · 2020-06-10 17:37:19 +02:00 · 97c45f9d46
commit 97c45f9d46
parent 48e4e31713 96309d247b
3 changed files with 83 additions and 0 deletions
--- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
@ -0,0 +1,27 @@
+title: Lazarus Session Highjacker
+id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
+description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
+status: experimental
+references:
+    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+author: Trent Liffick (@tliffick)
+date: 2020/06/03
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: 
+            - '*\mstdc.exe'
+            - '*\gpvc.exe'
+    filter:
+        Image:
+            - 'C:\Windows\System32\\*'
+            - 'C:\Windows\SysWOW64\\*'
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: high
--- a/rules/windows/process_creation/win_susp_findstr_lnk.yml
+++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml
@ -0,0 +1,26 @@
+title: Findstr Launching .lnk File
+id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
+description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
+status: experimental
+references:
+    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
+tags:
+    - attack.defense_evasion
+    - attack.t1202
+author: Trent Liffick
+date: 2020/05/01
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\findstr.exe'
+        CommandLine: '*.lnk'
+    condition: selection
+fields:
+    - Image
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - unknown
+level: medium
--- a/rules/windows/sysmon/sysmon_reg_office_security.yml
+++ b/rules/windows/sysmon/sysmon_reg_office_security.yml
@ -0,0 +1,30 @@
+title: Office Security Settings Changed
+id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+status: experimental
+description: Detects registry changes to Office macro settings
+author: Trent Liffick (@tliffick)
+date: 2020/05/22
+references:
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+falsepositives:
+    - Valid Macros and/or internal documents
+level: high
+logsource:
+  service: sysmon
+  product: windows
+detection:
+    sec_settings:
+      EventID:
+            - 12
+            - 13
+      TargetObject|endswith:
+            - '*\Security\Trusted Documents\TrustRecords'
+            - '*\Security\AccessVBOM'
+            - '*\Security\VBAWarnings'
+      EventType:
+            - SetValue
+            - DeleteValue
+            - CreateValue
+    condition: sec_settings