Merge pull request #309 from jmlynch/master

added rules for renamed wscript, cscript and paexec. Added two direct…
2024-11-08 02:08:54 +00:00 · 2019-04-17 23:59:27 +02:00 · 2019-04-17 23:59:27 +02:00 · f78413deab
commit f78413deab
parent 0a960ed3cd 4808f49e0d
3 changed files with 68 additions and 0 deletions
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml
@ -0,0 +1,35 @@
+title: MS Office Product Spawning Exe in User Dir 
+status: experimental
+description: Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
+references:
+    - sha256: 23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c
+    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign 
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1059
+    - attack.t1202
+    - FIN7
+author: Jason Lynch 
+date: 2019/04/02
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage:
+            - '*\WINWORD.EXE'
+            - '*\EXCEL.EXE'
+            - '*\POWERPNT.exe'
+            - '*\MSPUB.exe'
+            - '*\VISIO.exe'
+            - '*\OUTLOOK.EXE'
+        Image:
+            - 'C:\users\*.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - unknown
+level: high
--- a/rules/windows/process_creation/win_renamed_paexec.yml
+++ b/rules/windows/process_creation/win_renamed_paexec.yml
@ -0,0 +1,31 @@
+title: Execution of Renamed PaExec 
+status: experimental
+description: Detects execution of renamed paexec via imphash and executable product string 
+references:
+    - sha256: 01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc 
+    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+    - FIN7
+date: 2019/04/17
+author: Jason Lynch 
+falsepositives:
+    - Unknown imphashes
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Product:
+            - '*PAExec*'
+    selection2:
+        Imphash:
+            - 11D40A7B7876288F919AB819CC2D9802
+            - 6444f8a34e99b8f7d9647de66aabe516
+            - dfd6aa3f7b2b1035b76b718f1ddc689f
+            - 1a6cca4d5460b1710a12dea39e4a592c
+    filter1:
+        Image: '*paexec*'
+    condition: (selection1 and selection2) and not filter1
--- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
@ -18,6 +18,8 @@ detection:
            - '*\Users\All Users\\*'
            - '*\Users\Default\\*'
            - '*\Users\Public\\*'
+            - '*\Users\Contacts\\*'
+            - '*\Users\Searches\\*' 
            - 'C:\Perflogs\\*'
            - '*\config\systemprofile\\*'
            - '*\Windows\Fonts\\*'