From e4d2b6e5d94a81ea9c77cc1dc516b2f68c230435 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 25 Oct 2021 09:07:22 +0200
Subject: [PATCH 1/3] add file_event_mal_vhd_download
---
 .../file_event_mal_vhd_download.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_mal_vhd_download.yml
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
new file mode 100644
index 00000000..9634cfff
--- /dev/null
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -0,0 +1,28 @@
+title: Suspicious VHD Image Download From Browser
+id: 8468111a-ef07-4654-903b-b863a80bbc95
+status: experimental
+description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls
+references:
+ - https://redcanary.com/blog/intelligence-insights-october-2021/
+ - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
+ - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
+author: frack113
+date: 2021/10/25
+tags:
+ - attack.resource_development
+ - attack.t1587.001
+logsource:
+ category: file_event
+ product: windows
+ definition: in sysmon add ".vhd "
+detection:
+ selection:
+ - Image|endswith:
+ - chrome.exe
+ - firefox.exe
+ - microsoftedge.exe
+ - microsoftedgecp.exe
+ - msedge.exe
+ - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
+ condition: selection
+level: high
\ No newline at end of file
From 12707f8ec5ee41e81aa5828ece3f8b91858462ad Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 25 Oct 2021 09:16:59 +0200
Subject: [PATCH 2/3] fix level
---
 rules/windows/file_event/file_event_mal_vhd_download.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
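Review bot: In the new `detection` block, `selection` is written as a list of two maps (`- Image|endswith:` and `- TargetFilename|contains:`), and Sigma links the items of such a list with OR, so the rule as committed fires on every file event from the listed browsers and on every path containing `.vhd` from any process, instead of requiring both. Dropping the two list dashes so that `Image|endswith:` and `TargetFilename|contains: '.vhd'` sit as sibling keys of one map under `selection:` makes them AND-linked, which is what the title and description assume. The image names would also be safer with a leading backslash (`'\chrome.exe'`, `'\firefox.exe'`, ...) so that `endswith` cannot match an unrelated binary whose name merely ends in those characters. The same list-of-maps shape is carried forward unchanged by the later patches in this series, so the fix belongs here.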
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
index 9634cfff..2ddeca79 100644
--- a/rules/windows/file_event/file_event_mal_vhd_download.yml
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -25,4 +25,6 @@ detection:
 - msedge.exe
 - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
 condition: selection
-level: high
\ No newline at end of file
+falsepositives:
+ - Legitimate user creation
+level: medium
From 5294e91828f77ab40a3441ec71cba06506633e39 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 25 Oct 2021 17:29:01 +0200
Subject: [PATCH 3/3] Update file_event_mal_vhd_download.yml
---
 rules/windows/file_event/file_event_mal_vhd_download.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
index 2ddeca79..ec4aa319 100644
--- a/rules/windows/file_event/file_event_mal_vhd_download.yml
+++ b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
 - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
 - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
-author: frack113
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/10/25
 tags:
 - attack.resource_development
@@ -23,6 +23,9 @@ detection:
 - microsoftedge.exe
 - microsoftedgecp.exe
 - msedge.exe
+ - iexplorer.exe
+ - brave.exe
+ - opera.exe
 - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
 condition: selection
 falsepositives:
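Review bot: The new `falsepositives` entry `Legitimate user creation` does not say what is being created, so an analyst triaging the alert gets no hint of the benign scenario the author had in mind. Wording it as the actual benign case, e.g. `- Legitimate download of VHD images by users`, would make the entry useful; the level change to `medium` is consistent with acknowledging that source of false positives.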
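Review bot: The added `- iexplorer.exe` in the second hunk of this patch will not match Internet Explorer, whose process image is `iexplore.exe` (no trailing `r`), so the entry is dead as written and should read `- iexplore.exe`. `brave.exe` and `opera.exe` are the expected image names, but since the list uses `endswith` without a leading backslash, a value such as `'\opera.exe'` would avoid matching an unrelated binary whose name merely ends in those characters. The `author` change in the first hunk is fine as a plain scalar; the embedded single quotes do not need escaping.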