Merge pull request #1329 from Neo23x0/rule-devel

Rule devel

rules/web/web_cve_2020_3452_cisco_asa_ftd.yml

@@ -0,0 +1,37 @@
+title: Cisco ASA FTD Exploit CVE-2020-3452
+id: aba47adc-4847-4970-95c1-61dce62a8b29
+status: experimental
+description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
+author: Florian Roth
+date: 2021/01/07
+references:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
+    - https://twitter.com/aboul3la/status/1286012324722155525
+    - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
+logsource:
+    category: webserver
+detection:
+    selection_endpoint:
+        c-uri|contains:
+            - '+CSCOT+/translation-table'
+            - '+CSCOT+/oem-customization'
+    selection_path_select:
+        c-uri|contains:
+            - '&textdomain=/'
+            - '&textdomain=%'
+            - '&name=/'
+            - '&name=%'
+    select_status_code:
+        sc-status: 200
+    condition: selection_endpoint and selection_path_select and select_status_code
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.t1100 # an old one
+    - attack.t1190
+    - attack.initial_access
+    - cve.2020-3452

rules/windows/process_creation/win_office_shell.yml

@@ -9,7 +9,7 @@ tags:
     - attack.execution
     - attack.t1204          # an old one
     - attack.t1204.002
-author: Michael Haag, Florian Roth, Markus Neis
+author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
 date: 2018/04/06
 modified: 2020/09/01
 logsource:
@@ -24,6 +24,8 @@ detection:
             - '*\MSPUB.exe'
             - '*\VISIO.exe'
             - '*\OUTLOOK.EXE'
+            - '*\MSACCESS.EXE'
+            - '*\EQNEDT32.EXE'
         Image:
             - '*\cmd.exe'
             - '*\powershell.exe'
@@ -44,6 +46,7 @@ detection:
             - '*\mftrace.exe'
             - '*\AppVLP.exe'
             - '*\svchost.exe'  # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
+            - '*\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
     condition: selection
 fields:
     - CommandLine

rules/windows/process_creation/win_susp_wuauclt.yml

@@ -0,0 +1,27 @@
+title: Windows Update Client LOLBIN
+id: d7825193-b70a-48a4-b992-8b5b3015cc11
+status: experimental
+description: Detects code execution via the Windows Update client (wuauclt)
+references:
+    - https://dtm.uk/wuauclt/
+author: FPT.EagleEye Team
+date: 2020/10/17
+tags:
+    - attack.command_and_control
+    - attack.execution
+    - attack.t1105
+    - attack.t1218
+logsource:
+    product: windows
+    service: process_creation
+detection:
+    selection:
+        ProcessCommandline|contains|all: 
+            - '/UpdateDeploymentProvider'
+            - '/RunHandlerComServer'
+        Image|endswith: 
+            - '\wuauclt.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_webshell_spawn.yml

@@ -30,7 +30,7 @@ tags:
     - attack.persistence
     - attack.t1505.003
     - attack.privilege_escalation       # an old one
-    - attack.t1100      # an old one
+    - attack.t1190
 falsepositives:
     - Particular web applications may spawn a shell process legitimately
 level: high