Merge pull request #622 from Neo23x0/devel

Minor changes, process dump via rundll32 comsvcs.dll

rules/proxy/proxy_ua_apt.yml

@@ -44,6 +44,7 @@ detection:
         - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*'  # KerrDown UA https://goo.gl/s2WU6o
         - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
         - 'hots scot'  # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
+        - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)'  # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
     condition: selection
 fields:
     - ClientIP

rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml

@@ -0,0 +1,26 @@
+title: Process Dump via Rundll32 and Comsvcs.dll
+id: 646ea171-dded-4578-8a4d-65e9822892e3
+description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
+status: experimental
+references:
+    - https://twitter.com/shantanukhande/status/1229348874298388484
+author: Florian Roth
+date: 2020/02/18
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+    - attack.credential_access
+    - attack.t1003
+    - car.2013-05-009
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - 'comsvcs.dll,#24'
+            - 'comsvcs.dll,MiniDumpW'
+    condition: selection
+falsepositives:
+    - Unlikely, because no one should dump the process memory in that way
+level: high

rules/windows/process_creation/win_susp_procdump.yml

@@ -30,4 +30,4 @@ detection:
 falsepositives:
     - Unlikely, because no one should dump an lsass process memory
     - Another tool that uses the command line switches of Procdump
-level: medium
+level: high