From b32ed3c81726905edf05a3a54f8e7a48832f51ac Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Aug 2019 12:38:51 +0200 Subject: [PATCH 1/7] rules: encoded FromBase64String keyword --- .../win_encoded_frombase64string.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_encoded_frombase64string.yml diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml new file mode 100644 index 00000000..c66b16a5 --- /dev/null +++ b/rules/windows/process_creation/win_encoded_frombase64string.yml @@ -0,0 +1,22 @@ +title: Encoded FromBase64String +status: experimental +description: Detects a base64 encoded FromBase64String keyword in a process command line +author: Florian Roth +date: 2019/08/24 +tags: + - attack.t1086 + - attack.t1140 + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|base64offset|contains: '::FromBase64String' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: critical From c321fc26806cf7517037c1e94cf5880e953cb98e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Aug 2019 13:49:40 +0200 Subject: [PATCH 2/7] rule: csc.exe suspicious source folder --- .../process_creation/win_susp_csc_folder.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_csc_folder.yml diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml new file mode 100644 index 00000000..332229af --- /dev/null +++ b/rules/windows/process_creation/win_susp_csc_folder.yml 
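Review bot: `level: critical` is hard to justify for a rule that is `status: experimental` and declares `falsepositives: - unknown`; a critical level drives immediate response, so the rule should start at `level: high` until false-positive data from production exists. The `base64offset|contains` modifier matches the three base64 alignments of `::FromBase64String`, which is the reason no decoding step is needed, and the description could say so for analysts who only see the encoded command line, e.g. `description: Detects the FromBase64String keyword in any of its three base64 encodings in a process command line`.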
@@ -0,0 +1,22 @@ +title: Suspicious Csc.exe Source File Folder +description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData) +status: experimental +references: + - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ + - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ +author: Florian Roth +date: 2019/08/24 +tags: + - attack.defense_evasion + - attack.t1500 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\csc.exe' + CommandLine: '*\AppData\*' + condition: selection +falsepositives: + - Unkown +level: high From 70a26a6132dd50539f4c53b5f3a94622d90b6f93 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Aug 2019 13:58:54 +0200 Subject: [PATCH 3/7] fix: fixed MITRE tags --- rules/windows/process_creation/win_encoded_frombase64string.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml index c66b16a5..68361d6e 100644 --- a/rules/windows/process_creation/win_encoded_frombase64string.yml +++ b/rules/windows/process_creation/win_encoded_frombase64string.yml @@ -7,6 +7,7 @@ tags: - attack.t1086 - attack.t1140 - attack.execution + - attack.defense_evasion logsource: category: process_creation product: windows From 59a6a0c523928c301d3bdcb1be108922be366533 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 25 Aug 2019 10:13:11 +0200 Subject: [PATCH 4/7] Added ATT&CK technique to rule test --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index ef59c9b3..98b7f751 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
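Review bot: `CommandLine: '*\AppData\*'` combined with `Image: '*\csc.exe'` will likely fire on legitimate PowerShell `Add-Type` usage, which compiles its source through csc.exe from the user's temp folder under `AppData\Local\Temp`; that should either be documented under `falsepositives` or reflected in a lower level than `high` until the pattern has been tuned against production data. The `falsepositives` entry also has a typo: `- Unkown` should be `- Unknown`.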
@@ -12,7 +12,7 @@ import yaml import re class TestRules(unittest.TestCase): - MITRE_TECHNIQUES = ["t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", "t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", "t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", 
"t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102"] + MITRE_TECHNIQUES = ["t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", "t1196", "t1207", 
"t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", "t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", "t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102", "t1500"] MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control"] MITRE_GROUPS = ["g0018", "g0006", "g0005", "g0023", "g0025", "g0026", "g0073", "g0007", "g0016", "g0022", "g0013", "g0050", "g0064", "g0067", "g0001", "g0063", "g0060", "g0008", "g0058", "g0003", "g0080", "g0052", "g0070", "g0012", "g0079", "g0009", "g0035", "g0074", "g0017", "g0031", "g0066", "g0020", "g0051", "g0053", 
"g0037", "g0046", "g0061", "g0047", "g0036", "g0078", "g0043", "g0072", "g0004", "g0032", "g0077", "g0065", "g0030", "g0059", "g0045", "g0002", "g0021", "g0069", "g0019", "g0055", "g0014", "g0049", "g0071", "g0040", "g0011", "g0068", "g0033", "g0056", "g0024", "g0075", "g0048", "g0034", "g0029", "g0054", "g0038", "g0041", "g0039", "g0062", "g0015", "g0028", "g0027", "g0076", "g0010", "g0044"] From d42a51372d6bd19b2cb3d8123b6b05fe297b5937 Mon Sep 17 00:00:00 2001 From: weev3 Date: Tue, 27 Aug 2019 14:55:55 +0630 Subject: [PATCH 5/7] Control Panel Item, MITRE_ID=T1196 --- .../sysmon/sysmon_control_panel_item.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_control_panel_item.yml diff --git a/rules/windows/sysmon/sysmon_control_panel_item.yml b/rules/windows/sysmon/sysmon_control_panel_item.yml new file mode 100644 index 00000000..a8519b69 --- /dev/null +++ b/rules/windows/sysmon/sysmon_control_panel_item.yml @@ -0,0 +1,24 @@ +title: Control Panel Items +status: stable +description: Control Panel Items T1196 +reference: https://attack.mitre.org/techniques/T1196/ +tags: + - attack.execution + - attack.t1196 + - attack.defense_evation +author: Kyaw Min Thein +date: 2019/08/27 +level: critical +logsource: + product: windows + service: sysmon +detection: + selection: + CommandLine: + - '*.cpl' + filter: + CommandLine: + - '*\System32\*' + condition: selection and not filter +falsepositives: + - No From 6b7cd941970e2323a474cb123d206a00ed200bff Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Aug 2019 12:23:42 +0200 Subject: [PATCH 6/7] Changes --- rules/windows/sysmon/sysmon_control_panel_item.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/sysmon/sysmon_control_panel_item.yml b/rules/windows/sysmon/sysmon_control_panel_item.yml index a8519b69..850e6054 100644 --- a/rules/windows/sysmon/sysmon_control_panel_item.yml 
+++ b/rules/windows/sysmon/sysmon_control_panel_item.yml @@ -1,7 +1,8 @@ title: Control Panel Items -status: stable -description: Control Panel Items T1196 -reference: https://attack.mitre.org/techniques/T1196/ +status: experimental +description: Detects the use of a control panel item (.cpl) outside of the System32 folder +reference: + - https://attack.mitre.org/techniques/T1196/ tags: - attack.execution - attack.t1196 @@ -14,11 +15,11 @@ logsource: service: sysmon detection: selection: - CommandLine: - - '*.cpl' + CommandLine: '*.cpl' filter: CommandLine: - '*\System32\*' + - '*%System%*' condition: selection and not filter falsepositives: - - No + - Unknown From ca2019b57f67a1eadd0686e5c0ed389e0e71dd9f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Aug 2019 12:32:56 +0200 Subject: [PATCH 7/7] fix: typo in MITRE tag --- rules/windows/sysmon/sysmon_control_panel_item.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_control_panel_item.yml b/rules/windows/sysmon/sysmon_control_panel_item.yml index 850e6054..6edabc77 100644 --- a/rules/windows/sysmon/sysmon_control_panel_item.yml +++ b/rules/windows/sysmon/sysmon_control_panel_item.yml @@ -6,7 +6,7 @@ reference: tags: - attack.execution - attack.t1196 - - attack.defense_evation + - attack.defense_evasion author: Kyaw Min Thein date: 2019/08/27 level: critical
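Review bot: The added filter value `'*%System%*'` is unclear: it matches only the literal substring `%System%`, so an unexpanded `%SystemRoot%` or `%windir%` in a command line would not be excluded, because those variable names continue after `System`. If the intent is to cover environment-variable forms of the system folder, the filter should name them explicitly, e.g. `- '*%SystemRoot%\System32\*'` and `- '*%windir%\System32\*'`, and a short comment on the value saying what it is meant to match would help either way. The filter also excludes only `\System32\`, so 32-bit control panel items under `\SysWOW64\` would still match `'*.cpl'` and raise an alert at the rule's `critical` level.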