Merge pull request #1 from Neo23x0/master (fetch upstream)

fetch upstream
2024-11-08 10:13:57 +00:00 · 2020-01-20 14:18:48 +02:00 · 2020-01-20 14:18:48 +02:00 · ffcc2dc049
commit ffcc2dc049
parent 5ef64e4e99 5f1e933b93
4 changed files with 110 additions and 5 deletions
--- a/rules/apt/apt_gallium.yml
+++ b/rules/apt/apt_gallium.yml
@ -0,0 +1,58 @@
+action: global
+title: GALLIUM artefacts
+id: 440a56bf-7873-4439-940a-1c8a671073c2
+status: experimental
+description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
+author: Tim Burrell
+references:
+    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+tags:
+    - attack.credential_access
+    - attack.command_and_control
+falsepositives:
+    - unknown
+level: high
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    exec_selection:
+        Hashes:
+            - '*53a44c2396d15c3a03723fa5e5db54cafd527635*'
+            - '*9c5e496921e3bc882dc40694f1dcc3746a75db19*'
+            - '*aeb573accfd95758550cf30bf04f389a92922844*'
+            - '*79ef78a797403a4ed1a616c68e07fff868a8650a*'
+            - '*4f6f38b4cec35e895d91c052b1f5a83d665c2196*'
+            - '*1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d*'
+            - '*e841a63e47361a572db9a7334af459ddca11347a*'
+            - '*c28f606df28a9bc8df75a4d5e5837fc5522dd34d*'
+            - '*2e94b305d6812a9f96e6781c888e48c7fb157b6b*'
+            - '*dd44133716b8a241957b912fa6a02efde3ce3025*'
+            - '*8793bf166cb89eb55f0593404e4e933ab605e803*'
+            - '*a39b57032dbb2335499a51e13470a7cd5d86b138*'
+            - '*41cc2b15c662bc001c0eb92f6cc222934f0beeea*'
+            - '*d209430d6af54792371174e70e27dd11d3def7a7*'
+            - '*1c6452026c56efd2c94cea7e0f671eb55515edb0*'
+            - '*c6b41d3afdcdcaf9f442bbe772f5da871801fd5a*'
+            - '*4923d460e22fbbf165bbbaba168e5a46b8157d9f*'
+            - '*f201504bd96e81d0d350c3a8332593ee1c9e09de*'
+            - '*ddd2db1127632a2a52943a2fe516a2e7d05d70d2*'
+    condition: exec_selection
+---
+logsource:
+    product: windows
+    service: dns-server
+detection:
+    c2_selection:
+        EventID: 257
+        QNAME: 
+            - 'asyspy256.ddns.net'
+            - 'hotkillmail9sddcc.ddns.net'
+            - 'rosaf112.ddns.net'
+            - 'cvdfhjh1231.myftp.biz'
+            - 'sz2016rose.ddns.net'
+            - 'dffwescwer4325.myftp.biz'
+            - 'cvdfhjh1231.ddns.net'
+    condition: c2_selection
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@ -6,21 +6,20 @@ references:
    - https://support.citrix.com/article/CTX267027
    - https://isc.sans.edu/diary/25686
    - https://twitter.com/mpgn_x64/status/1216787131210829826
+    - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
-modified: 2020/01/13
+modified: 2020/01/15
 logsource:
    category: webserver
-    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)'
+    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
    selection:
        c-uri-path: 
            - '*/../vpns/*'
            - '*/vpns/cfg/smb.conf'
-            - '*/vpns/portal/scripts/newbm.pl*'
-            - '*/vpns/portal/scripts/rmbm.pl*'
-            - '*/vpns/portal/scripts/picktheme.pl*'
+            - '*/vpns/portal/scripts/*.pl*'
    condition: selection
 fields:
    - client_ip
--- a/rules/windows/builtin/win_audit_cve.yml
+++ b/rules/windows/builtin/win_audit_cve.yml
@ -0,0 +1,23 @@
+title: Audit CVE Event
+id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
+status: experimental
+description: Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
+references:
+    - https://twitter.com/mattifestation/status/1217179698008068096
+    - https://twitter.com/VM_vivisector/status/1217190929330655232
+    - https://twitter.com/davisrichardg/status/1217517547576348673
+    - https://twitter.com/DidierStevens/status/1217533958096924676
+    - https://twitter.com/FlemmingRiis/status/1217147415482060800
+author: Florian Roth
+date: 2020/01/15
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Source: 'Microsoft-Windows-Audit-CVE'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+
--- a/rules/windows/sysmon/sysmon_invoke_phantom.yml
+++ b/rules/windows/sysmon/sysmon_invoke_phantom.yml
@ -0,0 +1,25 @@
+title: Suspect svchost memory access
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+status: experimental
+description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
+author: Tim Burrell
+references:
+    - https://github.com/hlldz/Invoke-Phant0m
+    - https://twitter.com/timbmsft/status/900724491076214784
+tags:
+    - attack.t1089
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 10
+        TargetImage: '*\windows\system32\svchost.exe'
+        GrantedAccess: '0x1f3fff'
+        CallTrace:
+         - '*unknown*'
+    condition: selection
+falsepositives:
+    - unknown
+level: high