Merge pull request #1556 from frack113/PR_617_V2

Fix all the rules to pass the test

rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml

@@ -0,0 +1,30 @@
+title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+id: 24de4f3b-804c-4165-b442-5a06a2302c7e
+description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+author: Sreeman
+date: 2020/13/03
+modified: 2021/06/11
+references:
+    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+tags: 
+    - attack.t1204
+    - attack.t1193
+    - attack.execution
+    - attack.initial_access
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        CommandLine|contains: '.SettingContent-ms'
+    filter:
+        FilePath|contains:
+            - 'immersivecontrolpanel'
+    condition: selection and not filter
+falsepositives: 
+    - unknown
+fields: 
+    - ParentProcess
+    - CommandLine
+    - ParentCommandLine
+level: medium

rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml

@@ -0,0 +1,25 @@
+title: Using AppVLP To Circumvent ASR File Path Rule
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+status: experimental
+description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file'
+author: Sreeman
+date: 2020/13/03
+modified: 2021/06/11
+tags: 
+    - attack.t1218
+    - attack.defense_evasion
+    - attack.execution
+logsource: 
+    product: windows
+    service: security
+detection: 
+    selection:
+        CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)'
+    condition: selection
+falsepositives: 
+    - unknown
+fields: 
+    - ParentProcess
+    - CommandLine
+    - ParentCommandLine
+level: medium

rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml

@@ -0,0 +1,44 @@
+title: Suspicious Werfault.exe Network Connection Outbound
+id: e12c75f2-d09e-43f6-90e4-6a23842907af
+status: experimental
+description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
+references:
+    - https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
+author: Sreeman
+date: 2021/03/09
+modified: 2021/06/11
+tags:
+    - attack.command_and_control
+    - attack.t1571
+logsource:
+  product: windows
+  category: network_connection
+detection:
+  selection:
+    Image: 'werfault.exe'
+  filter1:
+    ParentImage: 'svchost.exe'
+  filter2:
+    DestinationIp:
+        - '104.42.151.234'
+        - '104.43.193.48'
+        - '52.255.188.83'
+        - '13.64.90.137'
+        - '168.61.161.212'
+        - '13.88.21.125'
+        - '40.88.32.150'
+        - '52.147.198.201'
+        - '52.239.207.100'
+        - '52.176.224.96'
+        - '2607:7700:0:24:0:1:287e:1894'
+        - '10.*'
+        - '192.168.*'
+        - '127.*'
+  filter3:
+    DestinationHostname|contains:
+        - '*.windowsupdate.com'
+        - '*.microsoft.com'
+  condition: selection and not ( filter1 and filter2 and filter3 )
+falsepositives:
+    - Communication to other corporate systems that use IP addresses from public address spaces and Microsoft IP spaces
+level: medium

rules/windows/process_creation/win_credential_access_via_password_filter.yml

@@ -0,0 +1,26 @@
+title: Dropping Of Password Filter DLL
+id: b7966f4a-b333-455b-8370-8ca53c229762
+description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+references:
+    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
+    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
+tags:
+    - attack.credential_access
+    - attack.t1174
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmdline:
+        CommandLine|contains|all:
+            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
+            - 'scecli\0*'
+            - 'reg add'
+    condition: selection_cmdline
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml

@@ -0,0 +1,22 @@
+title: Detecting Fake Instances Of Hxtsr.exe
+id: 4e762605-34a8-406d-b72e-c1a089313320
+status: experimental
+description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+author: Sreeman
+date: 2020/04/17
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image: hxtsr.exe
+    filter:
+        FolderPath|re: '(?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe'
+    condition: selection and not filter
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml

@@ -0,0 +1,28 @@
+title: Writing Of Malicious Files To The Fonts Folder
+id: ae9b0bd7-8888-4606-b444-0ed7410cb728
+description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesnt require admin privillege to be written and executed from.
+references:
+    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+date: 2020/21/04
+modified: 2021/06/11
+author: Sreeman
+tags:
+    - attack.t1064
+    - attack.t1211
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.persistence
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection1:
+        CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\Windows\\Fonts\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*'
+    condition: selection1
+fields:
+    - CommandLine
+    - ParentProcess
+    - CommandLine
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml

@@ -0,0 +1,29 @@
+title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
+id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
+status: experimental
+description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
+references:
+    - https://dtm.uk/wuauclt/
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1085
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver'
+    filter:
+        CommandLine|contains:
+            - 'wuaueng.dll'
+            - 'UpdateDeploymentProvider.dll /ClassId'
+    condition: selection and not filter
+falsepositives:
+    - Wuaueng.dll which is a module belonging to Microsoft Wnidows Update.
+fields:
+    - CommandLine
+level: medium

rules/windows/process_creation/win_lolbin_execution_via_winget.yml

@@ -0,0 +1,26 @@
+title: Monitoring Winget For LOLbin Execution
+id: 313d6012-51a0-4d93-8dfc-de8553239e25
+description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
+status: experimental
+references: 
+    - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+author: Sreeman
+date: 2020/21/04
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - '.*(?i)winget install (--m|-m).*'
+    condition: selection
+falsepositives:
+    - Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users.
+fields:
+    - CommandLine
+level: medium

rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml

@@ -0,0 +1,27 @@
+title: Modification Of Existing Services For Persistence
+id: 38879043-7e1e-47a9-8d46-6bec88e201df
+description: Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.
+references:
+    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
+status: experimental
+tags:
+    - attack.persistence
+    - attack.t1031
+    - attack.t1058
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmdline_1:
+        CommandLine|re: '(?i)sc config.*binpath=.*'
+    selection_cmdline_2: 
+        CommandLine|re: '(?i)sc failure.*command=.*'
+    selection_cmdline_3:
+        CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin^|\.bat|\.cmd|\.js|\.msh^|\.reg^|\.scr|\.ps|\.vb|\.jar|\.pl).*'
+    condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml

@@ -0,0 +1,27 @@
+title: Monitoring For Persistence Via BITS
+id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
+description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+references:
+    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
+    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_1:
+        CommandLine|re: '(?i).*bitsadmin.*/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+    selection_2:
+        CommandLine|re: '(?i).*bitsadmin.*/Addfile.*(http|https|ftp|ftps):.*'
+    condition: selection_1 or selection_2
+falsepositives:
+    - None observed yet.
+fields:
+    - CommandLine
+level: medium

rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml

@@ -0,0 +1,27 @@
+title: Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access
+id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
+description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
+status: experimental
+date: 2020/18/02
+modified: 2021/06/11
+author: Sreeman
+tags:
+    - attack.t1015
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine:
+            - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+    condition: selection
+fields:
+    - CommandLine
+    - ParentProcess
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/win_write_protect_for_storage_disabled.yml

@@ -0,0 +1,20 @@
+title: Write Protect For Storage Disabled
+id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
+description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+status: experimental
+author: Sreeman
+date: 2021/06/11
+modified: 2021/06/11
+tags:
+    - attack.defense_evasion
+    - attack.t1562
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|re: '(?i).*reg add.*hklm\\system\\currentcontrolset\\control.*(storage|storagedevicepolicies).*write protection.*0.*'
+    condition: selection
+falsepositives:
+    - none observed
+level: medium

rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml

@@ -0,0 +1,41 @@
+action: global
+title: Abusing Windows Telemetry For Persistence
+id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+status: Experimental
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
+references:
+    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1112
+    - attack.t1053
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+fields:
+    - EventID
+    - CommandLine
+    - TargetObject
+    - Details
+falsepositives:
+    - none
+level: high
+---
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains:
+            - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+        Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
+    condition: selection
+---
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|re: '(?i).*schtasks.*(-|/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
+    condition: selection