From e1dff01cea1792bc9a578ec9ae2a708daed2324e Mon Sep 17 00:00:00 2001
From: Bhabesh Rai
Date: Wed, 24 Feb 2021 23:48:08 +0545
Subject: [PATCH 01/12] Added sigma rule for vSphere RCE CVE-2021-21972
---
 ...here_cve_2021_21972_unauth_rce_exploit.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
diff --git a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
new file mode 100644
index 00000000..9f952597
--- /dev/null
+++ b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
@@ -0,0 +1,27 @@
+title: CVE-2021-21972 VSphere Exploitation
+id: 179ed852-0f9b-4009-93a7-68475910fd86
+status: experimental
+description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
+author: Bhabesh Raj
+date: 2021/02/24
+references:
+ - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
+ - https://f5.pm/go-59627.html
+ - https://swarm.ptsecurity.com/unauth-rce-vmware
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri:
+ - '/ui/vropspluginui/rest/services/uploadova'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+level: critical
+tags:
+ - attack.initial_access
+ - attack.t1190
From 67d3d5e22007434272c9388a726460ef20249957 Mon Sep 17 00:00:00 2001
From: markus-nclose <38457858+markus-nclose@users.noreply.github.com>
Date: Thu, 25 Feb 2021 07:25:20 +0200
Subject: [PATCH 02/12] Fixed CobaltStrike typo
---
 rules/windows/malware/av_exploiting.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
index cbdec2bc..92987977 100644
--- a/rules/windows/malware/av_exploiting.yml
+++ b/rules/windows/malware/av_exploiting.yml
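Review bot: `c-uri:` with the plain value `'/ui/vropspluginui/rest/services/uploadova'` is an exact match in Sigma, so a request logged with a query string or a trailing slash on that path does not hit the selection; the other webserver rules in this series use `c-uri|contains`, and `c-uri|contains: '/ui/vropspluginui/rest/services/uploadova'` would cover those variants and also drop the single-element list. The selection pairs `cs-method: 'POST'` with the path only, so attempts and successful uploads look the same; if the log source carries a status field, saying in the description that both are reported would help triage. A later patch in this series already revises `falsepositives` and `level`, so those are not raised here.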
@@ -21,7 +21,7 @@ detection: - "*Meterpreter*" - "*Metasploit*" - "*PowerSploit*" - - "*CobaltSrike*" + - "*CobaltStrike*" - "*Swrort*" - "*Rozena*" - "*Backdoor.Cobalt*" From 6d30f87c0c17b7b702317506c1df1b3acd36501a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 2 Mar 2021 23:36:25 +0100 Subject: [PATCH 03/12] refactor: procdump use --- .../process_creation/win_susp_procdump.yml | 28 +++++---------- .../win_susp_procdump_lsass.yml | 34 +++++++++++++++++++ 2 files changed, 43 insertions(+), 19 deletions(-) create mode 100644 rules/windows/process_creation/win_susp_procdump_lsass.yml diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index 9a90a1c7..4a700b6a 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml 
@@ -1,34 +1,24 @@ title: Suspicious Use of Procdump -id: 5afee48e-67dd-4e03-a783-f74259dcf998 -description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. +id: 03795938-1387-481b-9f4c-3f6241e604fe +description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable. status: experimental references: - Internal Research author: Florian Roth -date: 2018/10/30 -modified: 2019/10/14 +date: 2021/02/02 tags: - attack.defense_evasion - attack.t1036 - - attack.credential_access - attack.t1003.001 - - attack.t1003 # an old one - - car.2013-05-009 logsource: category: process_creation product: windows detection: - selection1: - CommandLine: - - '* -ma *' - selection2: - CommandLine: - - '* lsass*' - selection3: - CommandLine: - - '* -ma ls*' - condition: ( selection1 and selection2 ) or selection3 + selection: + CommandLine|contains: + - ' -ma ' + condition: selection falsepositives: - - Unlikely, because no one should dump an lsass process memory - Another tool that uses the command line switches of Procdump -level: high + - Legitimate use of procdump by a developer or administrator +level: medium diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml new file mode 100644 index 00000000..30676b8d --- /dev/null +++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml 
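Review bot: The tag list keeps `attack.t1003.001` (LSASS memory, a credential-access sub-technique) while the hunk removes `attack.credential_access`, which leaves the technique without its tactic even though the refactored rule no longer looks at lsass at all; either restore the tactic tag or drop `attack.t1003.001` here and leave LSASS coverage to the new lsass-specific rule in this commit. The single-element list under `CommandLine|contains:` can be the scalar `CommandLine|contains: ' -ma '`. Since the rule gets a new `id` and `date: 2021/02/02` with `modified` removed, it is effectively a new rule; one sentence in the description noting that the LSASS-specific logic moved to `win_susp_procdump_lsass.yml` would tell readers of the history where the old coverage went.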
@@ -0,0 +1,34 @@
+title: Suspicious Use of Procdump on LSASS
+id: 5afee48e-67dd-4e03-a783-f74259dcf998
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
+status: experimental
+references:
+ - Internal Research
+author: Florian Roth
+date: 2018/10/30
+modified: 2021/02/02
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1003 # an old one
+ - car.2013-05-009
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '* -ma *'
+ selection2:
+ CommandLine:
+ - '* lsass*'
+ selection3:
+ CommandLine:
+ - '* -ma ls*'
+ condition: ( selection1 and selection2 ) or selection3
+falsepositives:
+ - Unlikely, because no one should dump an lsass process memory
+ - Another tool that uses the command line switches of Procdump
+level: critical
From 56eed19fbada7726eaa165f0d6f23d595678c483 Mon Sep 17 00:00:00 2001
From: Bhabesh Rai
Date: Wed, 3 Mar 2021 12:46:50 +0545
Subject: [PATCH 04/12] Added rules for successful exploitation fo CVE-2021-26857/8 in Exchannge
---
 .../sysmon_cve_2021_26858_msexchange.yml | 35 +++++++++++++++++++
 .../sysmon_cve_2021_26857_msexchange.yml | 28 +++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
 create mode 100644 rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
new file mode 100644
index 00000000..2e18fec7
--- /dev/null
+++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
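Review bot: `selection2` `'* lsass*'` requires a space immediately before `lsass`, so a target written as a full path (`...\lsass.exe`) or in quotes (`"lsass.exe"`) is not matched, and `selection3` `'* -ma ls*'` misses the same forms; `CommandLine|contains: 'lsass'` in `selection2` covers them and brings the rule in line with the `|contains` style that `win_susp_procdump.yml` adopts in this same commit. `'* -ma *'` in `selection1` is likewise `CommandLine|contains: ' -ma '`. `attack.t1003 # an old one` is carried over unchanged; if the tag is retired, say so in the description or drop it rather than leaving the inline comment to survive indefinitely.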
@@ -0,0 +1,35 @@
+title: CVE-2021-26858 Exchange Exploitation
+id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |
+ creation of non-standard files on disk by Exchange Server’s Unified Messaging service |
+ which could indicate dropping web shells or other malicious content
+author: Bhabesh Raj
+status: experimental
+level: critical
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+ - attack.t1203
+ - attack.execution
+ - cve.2021-26858
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith: 'UMWorkerProcess.exe'
+ filter:
+ TargetFilename|endswith:
+ - 'CacheCleanup.bin'
+ - '.txt'
+ - '.LOG'
+ - '.cfg'
+ - 'cleanup.bin'
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - TargetFileName
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
new file mode 100644
index 00000000..42028896
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
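Review bot: `description:` is a plain multi-line scalar whose first two lines end in a literal `|`, so the parsed text reads `... by looking for | creation of non-standard files ... service | which could ...`; the pipes were presumably meant to introduce a block scalar, so write `description: >-` on the key line and drop the trailing `|` characters. `fields:` lists `TargetFileName` while the detection uses `TargetFilename|endswith`; the casing should match the field name used in `detection`, otherwise backends that honour `fields` select a column that does not exist. `Image|endswith: 'UMWorkerProcess.exe'` also matches any image whose name merely ends in that string; `'\UMWorkerProcess.exe'` anchors on the path separator, as the `win_webshell_spawn.yml` change later in this series does.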
@@ -0,0 +1,28 @@
+title: CVE-2021-26857 Exchange Exploitation
+id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for |
+ abnormal subprocesses spawning by Exchange Server’s Unified Messaging service
+author: Bhabesh Raj
+status: experimental
+level: critical
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+ - attack.t1203
+ - attack.execution
+ - cve.2021-26857
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: 'UMWorkerProcess.exe'
+ filter:
+ Image|endswith:
+ - 'wermgr.exe'
+ - 'WerFault.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
From 8c95f90075f3473b24f28675c7090d3d610008a6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 3 Mar 2021 09:08:24 +0100
Subject: [PATCH 05/12] Update web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
---
 rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
index 9f952597..952a50f5 100644
--- a/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
+++ b/rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml
@@ -20,8 +20,8 @@ fields: - c-ip - c-dns falsepositives: - - Unknown -level: critical + - OVA uploads to your VSphere appliance +level: high tags: - attack.initial_access - attack.t1190
From e17986ebd3f9c734ab6743d3dd0abb104edd4021 Mon Sep 17 00:00:00 2001
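Review bot: The first reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857` lacks the `CVE-` prefix that the sibling rule's reference carries (`...cvename.cgi?name=CVE-2021-26858`), so it likely does not resolve to the entry; change it to `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857`. The `description:` has the same stray `|` at the end of its first line as the file_event rule in this commit and should become a `>-` block scalar without the pipe. `ParentImage|endswith: 'UMWorkerProcess.exe'` and the two `Image|endswith` filter values would be safer anchored with a leading `\` so only the exact file name matches.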
From: Florian Roth
Date: Wed, 3 Mar 2021 09:58:43 +0100
Subject: [PATCH 06/12] rule: HAFNIUM Exchange exploitation
---
 .../web/web_exchange_exploitation_hafnium.yml | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 rules/web/web_exchange_exploitation_hafnium.yml
diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
new file mode 100644
index 00000000..516c5ffe
--- /dev/null
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
@@ -0,0 +1,62 @@
+title: Exchange Exploitation Used by HAFNIUM
+id: 67bce556-312f-4c81-9162-c3c9ff2599b2
+status: experimental
+description: Detects CVE-2020-0688 Exploitation attempts
+references:
+ - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+author: Florian Roth
+date: 2021/03/03
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/themes/resources/'
+ selection2:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/'
+ c-useragent:
+ - 'DuckDuckBot/1.0; (http://duckduckgo.com/duckduckbot.html)'
+ - 'facebookexternalhit/1.1 (http://www.facebook.com/externalhit_uatext.php)'
+ - 'Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)'
+ - 'Mozilla/5.0 (compatible; Bingbot/2.0; http://www.bing.com/bingbot.htm)'
+ - 'Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html'
+ - 'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Exabot-Thumbnails)'
+ - 'Mozilla/5.0 (compatible; Yahoo!
Slurp; http://help.yahoo.com/help/us/ysearch/slurp)'
+ - 'Mozilla/5.0 (compatible; YandexBot/3.0; http://yandex.com/bots)'
+ - 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'
+ selection3:
+ c-uri|contains: '/ecp/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'ExchangeServicesClient/0.0.0.0'
+ - 'python-requests/2.19.1'
+ - 'python-requests/2.25.1'
+ selection4:
+ c-uri|contains:
+ - '/aspnet_client/'
+ - '/owa/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'antSword/v2.1'
+ - 'Googlebot/2.1 ( http://www.googlebot.com/bot.html)'
+ - 'Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)'
+ selection5:
+ c-uri|contains:
+ - '/owa/auth/Current/'
+ - '/ecp/default.flt'
+ - '/ecp/main.css'
+ cs-method: 'POST'
+ selection6:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/ecp/'
+ - '.js'
+ condition: 1 of them
+falsepositives:
+ - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
+level: high
\ No newline at end of file
From d8ded5ebdc4ac730dc3346f5a0006bcd219456d3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 3 Mar 2021 10:15:45 +0100
Subject: [PATCH 07/12] refactor: changed symbols after feedback from Volexity
---
 .../web/web_exchange_exploitation_hafnium.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
index 516c5ffe..a813d613 100644
--- a/rules/web/web_exchange_exploitation_hafnium.yml
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
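Review bot: `selection5` fires on any `cs-method: 'POST'` whose `c-uri` contains `'/owa/auth/Current/'`, which is a superset of both `selection1` and `selection2`, so under `condition: 1 of them` the user-agent list in `selection2` never narrows anything and the effective trigger is every POST under that path; if the user agents are meant to be the higher-confidence signal, drop `'/owa/auth/Current/'` from `selection5` or split the rule by confidence level. `selection6` (`/ecp/` and `.js` in any POST) is similarly broad and deserves a `falsepositives` entry describing what legitimate ECP traffic to those resources looks like. The file is committed without a trailing newline (`\ No newline at end of file`); add one.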
@@ -20,15 +20,15 @@ detection: cs-method: 'POST' c-uri|contains: '/owa/auth/Current/' c-useragent: - - 'DuckDuckBot/1.0; (http://duckduckgo.com/duckduckbot.html)' - - 'facebookexternalhit/1.1 (http://www.facebook.com/externalhit_uatext.php)' - - 'Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)' - - 'Mozilla/5.0 (compatible; Bingbot/2.0; http://www.bing.com/bingbot.htm)' - - 'Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html' - - 'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Exabot-Thumbnails)' - - 'Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)' - - 'Mozilla/5.0 (compatible; YandexBot/3.0; http://yandex.com/bots)' - - 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36' + - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)' + - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)' + - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)' + - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)' + - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html' + - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)' + - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)' + - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)' + - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36' selection3: c-uri|contains: '/ecp/' cs-method: 'POST' 
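Review bot: Replacing spaces with `+` in every `c-useragent` value of `selection2` ties the rule to log sources that URL-encode the user-agent header the way IIS does; on webservers that write the header verbatim (Apache/nginx access logs and most proxies) none of these values can match and the selection silently goes dead while `logsource: category: webserver` still claims generic coverage. Either keep both spellings in the list or state in the description that the user-agent values are given in IIS log encoding. The same applies to the two values changed in the following hunk of this commit (`selection4`).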
@@ -43,8 +43,8 @@ detection: cs-method: 'POST' c-useragent: - 'antSword/v2.1' - - 'Googlebot/2.1 ( http://www.googlebot.com/bot.html)' - - 'Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)' + - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)' + - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)' selection5: c-uri|contains: - '/owa/auth/Current/' @@ -55,7 +55,7 @@ detection: cs-method: 'POST' c-uri|contains|all: - '/ecp/' - - '.js' + - '.js' condition: 1 of them falsepositives: - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related From bea2f226c698092412962e56693a13602906303d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 4 Mar 2021 17:35:25 +0100 Subject: [PATCH 08/12] fix: description --- rules/web/web_exchange_exploitation_hafnium.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml index a813d613..cb06e1d0 100644 --- a/rules/web/web_exchange_exploitation_hafnium.yml +++ b/rules/web/web_exchange_exploitation_hafnium.yml @@ -1,7 +1,7 @@ title: Exchange Exploitation Used by HAFNIUM id: 67bce556-312f-4c81-9162-c3c9ff2599b2 status: experimental -description: Detects CVE-2020-0688 Exploitation attempts +description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ From bdc35aa3ec4af065ce2991571177aaf34aaa6051 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Fri, 5 Mar 2021 11:34:17 +0100 Subject: [PATCH 09/12] Update win_webshell_spawn.yml --- rules/windows/process_creation/win_webshell_spawn.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml index 982cd23f..c65a8a9b 100644 --- a/rules/windows/process_creation/win_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -16,6 +16,7 @@ detection: - '*\nginx.exe' - '*\php-cgi.exe' - '*\tomcat.exe' + - '*\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html Image: - '*\cmd.exe' - '*\sh.exe' From c3b84f2d5b1c0b682d3a2fb8bd487b98459b5e0b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 5 Mar 2021 11:54:35 +0100 Subject: [PATCH 10/12] UNC2452 rules - GoldMax, Sibot, GoldFinder https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ --- .../win_susp_rundll32_inline_vbs.yml | 22 +++++++++++++ .../win_susp_rundll32_sys.yml | 25 +++++++++++++++ .../win_susp_vbscript_unc2452.yml | 26 ++++++++++++++++ .../sysmon_reg_vbs_payload_stored.yml | 31 +++++++++++++++++++ 4 files changed, 104 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_sys.yml create mode 100644 rules/windows/process_creation/win_susp_vbscript_unc2452.yml create mode 100644 rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml new file mode 100644 index 00000000..e85f144e --- /dev/null +++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml 
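Review bot: The FireEye URL attached as an inline comment after `'*\UMWorkerProcess.exe'` is dropped by every Sigma converter and most rule viewers, which discard YAML comments, so the justification for the new parent image is invisible where analysts see the rule; move it to the rule's `references:` list (outside this hunk) and, if the file has a `modified:` field, bump it since the detection logic changed. The enclosing `detection` block starts and ends outside the hunk.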
@@ -0,0 +1,22 @@
+title: Suspicious Rundll32 Invoking Inline VBScript
+id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
+description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - 'Execute'
+ - 'RegRead'
+ - 'window.close'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_rundll32_sys.yml b/rules/windows/process_creation/win_susp_rundll32_sys.yml
new file mode 100644
index 00000000..7799135d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_sys.yml
@@ -0,0 +1,25 @@
+title: Suspicious Rundll32 Activity Invoking Sys File
+id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
+description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: 'rundll32.exe'
+ selection2:
+ CommandLine|contains:
+ - '.sys,'
+ - '.sys '
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
new file mode 100644
index 00000000..e61dc188
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
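Review bot: `win_susp_rundll32_inline_vbs.yml` has no `tags:` block, while the `win_susp_rundll32_sys.yml` hunk in the same commit carries `attack.defense_evasion` and `attack.t1218.011`; the same two tags describe rundll32 abuse here, so add them for consistency and ATT&CK coverage. `CommandLine|contains|all` with `'Execute'`, `'RegRead'` and `'window.close'` is a tight signature for the reported sample, and a `falsepositives` entry naming legitimate script-driven installers that may carry the same tokens would help triage more than `Unknown`. In the second hunk, `'.sys '` carries a trailing space inside the quotes that is easy to lose to a formatter or a later edit; an inline `# trailing space intended` preserves the intent. The duplicate `id` between the two files is fixed by a later patch in this series, so it is not raised here.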
@@ -0,0 +1,26 @@
+title: Suspicious VBScript UN2452 Pattern
+id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
+description: Detects suspicious inline VBScript keywords as used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Execute'
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ - '\Microsoft\Windows\CurrentVersion'
+ filter:
+ CommandLine|contains:
+ - '\Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
new file mode 100644
index 00000000..d31a0429
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
@@ -0,0 +1,31 @@
+title: VBScript Payload Stored in Registry
+id: 46490193-1b22-4c29-bdd6-5bf63907216f
+description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+status: experimental
+date: 2021/03/05
+author: Florian Roth
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
+ Details|contains:
+ - 'vbscript'
+ - 'jscript'
+ - 'mshtml'
+ - 'mshtml,'
+ - 'mshtml '
+ - 'RunHTMLApplication'
+ - 'Execute('
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ filter:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From b864768de8bcc1cc5edad47ea872ca6f99b1dd63 Mon Sep 17 00:00:00 2001
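Review bot: `title: Suspicious VBScript UN2452 Pattern` misspells the group name that the description and the other three rules in this commit write as `UNC2452`; change it to `title: Suspicious VBScript UNC2452 Pattern`. In `sysmon_reg_vbs_payload_stored.yml`, `'mshtml'` already matches everything `'mshtml,'` and `'mshtml '` match, so those two `Details|contains` entries are redundant, and the bare `'mshtml'`/`'jscript'`/`'vbscript'` tokens under the whole `Software\Microsoft\Windows\CurrentVersion` key may hit legitimate script-engine or COM-related values there — worth a concrete `falsepositives` entry instead of `Unknown`. Both rules also lack `tags:`; `attack.defense_evasion` with `attack.t1112` for the registry rule and `attack.execution` with `attack.t1059.005` for the VBScript rule would give them the ATT&CK coverage the rundll32 sys rule in this commit has. The unused `filter` in both conditions is fixed by the next patch in the series, so it is not raised here.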
From: Florian Roth Date: Fri, 5 Mar 2021 11:55:49 +0100 Subject: [PATCH 11/12] fix: wrong conditions --- rules/windows/process_creation/win_susp_vbscript_unc2452.yml | 2 +- rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml index e61dc188..d224ddbf 100644 --- a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml +++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml @@ -20,7 +20,7 @@ detection: filter: CommandLine|contains: - '\Software\Microsoft\Windows\CurrentVersion\Run' - condition: selection + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml index d31a0429..0104e1bf 100644 --- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -25,7 +25,7 @@ detection: - 'window.close' filter: TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run' - condition: selection + condition: selection and not filter falsepositives: - Unknown level: high From a61fbe6bd8864f6d1f01364c7ba052e8e245d106 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 5 Mar 2021 12:09:43 +0100 Subject: [PATCH 12/12] fix: duplicate UUID --- rules/windows/process_creation/win_susp_rundll32_sys.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_rundll32_sys.yml b/rules/windows/process_creation/win_susp_rundll32_sys.yml index 7799135d..a59cfd3c 100644 --- a/rules/windows/process_creation/win_susp_rundll32_sys.yml +++ b/rules/windows/process_creation/win_susp_rundll32_sys.yml 
@@ -1,5 +1,5 @@ title: Suspicious Rundll32 Activity Invoking Sys File -id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd +id: 731231b9-0b5d-4219-94dd-abb6959aa7ea description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 status: experimental references: