Auto stash before rebase of "Neo23x0/master"

2024-11-06 17:35:19 +00:00 · 2019-04-03 16:25:18 +02:00 · 2019-04-03 16:25:18 +02:00 · d2e605fc5c
commit d2e605fc5c
parent 6cc1770351
2 changed files with 87 additions and 0 deletions
--- a/rules/apt/apt_empiremonkey.yml
+++ b/rules/apt/apt_empiremonkey.yml
@ -0,0 +1,32 @@
+---
+action: global
+title: Empire Monkey 
+description: Detects EmpireMonkey APT reported Activity 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+    - attack.t1086
+    - attack.execution
+date: 2019/04/02
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Very Unlikely 
+level: critical
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cutil:
+        CommandLine: 
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Image:
+            - '*\cutil.exe'
+    selection_regsvr32:
+        CommandLine: 
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Description: 
+            - Microsoft(C) Registerserver
+        
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@ -0,0 +1,55 @@
+title: Squirrel Lolbin
+status: experimental
+description: Detects Possible Squirrel Packages Manager as Lolbin 
+references:
+    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/  
+tags:
+    - attack.execution     
+author: Karneades / Markus Neis
+falsepositives:
+    - 1Clipboard
+    - Beaker Browser
+    - Caret
+    - Collectie
+    - Discord
+    - Figma
+    - Flow
+    - Ghost
+    - GitHub Desktop
+    - GitKraken
+    - Hyper
+    - Insomnia
+    - JIBO
+    - Kap
+    - Kitematic
+    - Now Desktop
+    - Postman
+    - PostmanCanary
+    - Rambox
+    - Simplenote
+    - Skype
+    - Slack
+    - SourceTree
+    - Stride
+    - Svgsus
+    - WebTorrent
+    - WhatsApp
+    - WordPress.com
+    - atom
+    - gitkraken
+    - slack
+    - teams
+level: high
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\update.exe'                           # Check if folder Name matches executed binary  \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
+        CommandLine:
+            - '*--processStart*.exe*'
+            - '*–createShortcut*.exe*'
+    condition: selection 
+  
+