Merge pull request #300 from yt0ng/development

Sqirrel packages manager, EmpireMonkey, WMI Spawning PowerShel
2024-11-07 17:58:52 +00:00 · 2019-04-03 19:20:46 +02:00 · 2019-04-03 19:20:46 +02:00 · b4b7d810fc
commit b4b7d810fc
parent 6cc1770351 e0459cec1c
3 changed files with 116 additions and 0 deletions
--- a/rules/apt/apt_empiremonkey.yml
+++ b/rules/apt/apt_empiremonkey.yml
@ -0,0 +1,32 @@
+---
+action: global
+title: Empire Monkey 
+description: Detects EmpireMonkey APT reported Activity 
+references:
+    - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
+tags:
+    - attack.t1086
+    - attack.execution
+date: 2019/04/02
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Very Unlikely 
+level: critical
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cutil:
+        CommandLine: 
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Image:
+            - '*\cutil.exe'
+    selection_regsvr32:
+        CommandLine: 
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Description: 
+            - Microsoft(C) Registerserver
+        
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@ -0,0 +1,55 @@
+title: Squirrel Lolbin
+status: experimental
+description: Detects Possible Squirrel Packages Manager as Lolbin 
+references:
+    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/  
+tags:
+    - attack.execution     
+author: Karneades / Markus Neis
+falsepositives:
+    - 1Clipboard
+    - Beaker Browser
+    - Caret
+    - Collectie
+    - Discord
+    - Figma
+    - Flow
+    - Ghost
+    - GitHub Desktop
+    - GitKraken
+    - Hyper
+    - Insomnia
+    - JIBO
+    - Kap
+    - Kitematic
+    - Now Desktop
+    - Postman
+    - PostmanCanary
+    - Rambox
+    - Simplenote
+    - Skype
+    - Slack
+    - SourceTree
+    - Stride
+    - Svgsus
+    - WebTorrent
+    - WhatsApp
+    - WordPress.com
+    - atom
+    - gitkraken
+    - slack
+    - teams
+level: high
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\update.exe'                           # Check if folder Name matches executed binary  \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
+        CommandLine:
+            - '*--processStart*.exe*'
+            - '*–createShortcut*.exe*'
+    condition: selection 
+  
+    
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@ -0,0 +1,29 @@
+title: WMI Spawning Windows PowerShell
+status: experimental
+description: Detects WMI spawning PowerShell 
+references:
+    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
+author: Markus Neis / @Karneades
+date: 2019/04/03
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1064
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage:
+            - '*\wmiprvse.exe'
+        Image:
+            - '*\powershell.exe'
+    filter:
+        CommandLine:
+            - '*&amp;*'
+    condition: selection and not filter
+falsepositives:
+    - AppvClient
+    - CCM
+level: high