feat: new rules, updates and fp fixes (#4162)

rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml → rules-deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml

@@ -1,12 +1,12 @@
-title: PowerShell Base64 Encoded Shellcode
+title: Potential PowerShell Base64 Encoded Shellcode
 id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8
-status: stable
-description: Detects Base64 encoded Shellcode
+status: deprecated
+description: Detects potential powershell Base64 encoded Shellcode
 references:
     - https://twitter.com/cyb3rops/status/1063072865992523776
 author: Florian Roth (Nextron Systems)
 date: 2018/11/17
-modified: 2023/01/26
+modified: 2023/04/06
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -21,4 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: critical
+level: medium

rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml

@@ -0,0 +1,49 @@
+title: Potential CVE-2023-23397 Exploitation Attempt - SMB
+id: de96b824-02b0-4241-9356-7e9b47f04bac
+status: experimental
+description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/05
+tags:
+    - attack.exfiltration
+    - cve.2023.23397
+logsource:
+    product: windows
+    service: smbclient-connectivity
+detection:
+    selection:
+        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
+        EventID:
+            #- 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
+            - 30803 # Failed to establish a network connection.
+            - 30804 # A network connection was disconnected.
+            - 30806 # The client re-established its session to the server.
+            #- 31001 # Error (Doesn't contain the "ServerAddress" field)
+    filter_main_local_ips:
+        ServerAddress|startswith:
+            - '10.' #10.0.0.0/8
+            - '192.168.' #192.168.0.0/16
+            - '172.16.' #172.16.0.0/12
+            - '172.17.'
+            - '172.18.'
+            - '172.19.'
+            - '172.20.'
+            - '172.21.'
+            - '172.22.'
+            - '172.23.'
+            - '172.24.'
+            - '172.25.'
+            - '172.26.'
+            - '172.27.'
+            - '172.28.'
+            - '172.29.'
+            - '172.30.'
+            - '172.31.'
+            - '127.' #127.0.0.0/8
+            - '169.254.' #169.254.0.0/16
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
+level: medium

rules/windows/file/file_event/file_event_win_bloodhound_collection.yml

@@ -6,7 +6,7 @@ references:
     - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
 author: C.J. May
 date: 2022/08/09
-modified: 2023/02/13
+modified: 2023/03/29
 tags:
     - attack.discovery
     - attack.t1087.001
@@ -20,25 +20,21 @@ logsource:
     product: windows
     category: file_event
 detection:
-    selection_1:
+    selection:
         TargetFilename|endswith:
-            - '_BloodHound.zip'
+            - 'BloodHound.zip'
             - '_computers.json'
             - '_containers.json'
             - '_domains.json'
             - '_gpos.json'
             - '_groups.json'
             - '_ous.json'
             - '_users.json'
-    selection_2:
-        TargetFilename|contains|all:
-            - 'BloodHound'
-            - '.zip'
-    filter_ms_winapps:
+    filter_optional_ms_winapps:
         Image|endswith: '\svchost.exe'
         TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
         TargetFilename|endswith: '\pocket_containers.json'
-    condition: 1 of selection_* and not 1 of filter_*
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
-    - Unknown
+    - Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise
 level: high

rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml

@@ -1,44 +1,43 @@
-title: Windows Shell File Write to Suspicious Folder
+title: Windows Shell/Scripting Application File Write to Suspicious Folder
 id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
 status: experimental
-description: Detects a Windows executable that writes files to suspicious folders
+description: Detects Windows shells and scripting applications that write files to suspicious folders
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2021/11/20
-modified: 2023/01/05
+modified: 2023/03/29
 logsource:
     category: file_event
     product: windows
 detection:
-    selection_shells:
+    selection_1:
         Image|endswith:
+            - '\bash.exe'
             - '\cmd.exe'
+            - '\cscript.exe'
+            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
             - '\powershell.exe'
             - '\pwsh.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
             - '\sh.exe'
-            - '\bash.exe'
-            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+            - '\wscript.exe'
         TargetFilename|startswith:
-            - 'C:\Users\Public'
-            - 'C:\PerfLogs'
-    selection_program:
+            - 'C:\PerfLogs\'
+            - 'C:\Users\Public\'
+    selection_2:
         Image|endswith:
-            - '\schtasks.exe'
-            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
-            - '\mshta.exe'
-            # - '\rundll32.exe'
+            - '\certutil.exe'
             - '\forfiles.exe'
+            - '\mshta.exe'
+            #- '\rundll32.exe' # Potential FP
+            - '\schtasks.exe'
             - '\scriptrunner.exe'
-            - '\certutil.exe'
+            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
         TargetFilename|contains:
-            - 'C:\Users\Public'
-            - 'C:\PerfLogs'
-            - '\AppData\'
-            - 'C:\Windows\Temp'
-    condition: 1 of selection*
+            - 'C:\PerfLogs\'
+            - 'C:\Users\Public\'
+            - 'C:\Windows\Temp\'
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml

@@ -9,16 +9,17 @@ references:
     - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/04
+modified: 2023/04/03
 tags:
     - attack.defense_evasion
     - attack.t1562.001
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
-        ScriptBlockLogging|contains:
+        ScriptBlockText|contains:
             - "if(0){{{0}}}' -f $(0 -as [char]) +"
             - "#<NULL>"
     condition: selection

rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml

@@ -6,7 +6,7 @@ references:
     - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2022/10/05
+modified: 2023/04/03
 tags:
     - attack.execution
     - attack.t1059.001
@@ -19,7 +19,7 @@ tags:
     - attack.s0363
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     empire:

rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml

@@ -10,7 +10,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
 date: 2021/11/27
-modified: 2023/03/28
+modified: 2023/04/11
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -96,10 +96,12 @@ detection:
             - '\AppData\Local\Temp\'
             - '\vs_bootstrapper_'
         GrantedAccess: '0x1410'
-    filter_optional_chrome:
+    filter_optional_chrome_update:
         SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
         SourceImage|endswith: '.tmp\GoogleUpdate.exe'
-        GrantedAccess: '0x410'
+        GrantedAccess:
+            - '0x410'
+            - '0x1410'
     filter_optional_keybase:
         SourceImage|startswith: 'C:\Users\'
         SourceImage|endswith: \AppData\Local\Keybase\keybase.exe

rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml

@@ -17,21 +17,21 @@ detection:
     selection:
         Image|endswith: '\conhost.exe'
         ParentImage|endswith:
-            - '\svchost.exe'
-            - '\lsass.exe'
-            - '\services.exe'
-            - '\smss.exe'
-            - '\winlogon.exe'
             - '\explorer.exe'
+            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
+            # - '\ctfmon.exe'  # Seen several times in a testing environment
             # - '\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
-            - '\rundll32.exe'
+            - '\lsass.exe'
             - '\regsvr32.exe'
-            - '\userinit.exe'
-            - '\wininit.exe'
+            - '\rundll32.exe'
+            - '\services.exe'
+            - '\smss.exe'
             - '\spoolsv.exe'
+            - '\svchost.exe'
+            - '\userinit.exe'
             # - '\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
-            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
-            # - '\ctfmon.exe'  # Seen several times in a testing environment
+            - '\wininit.exe'
+            - '\winlogon.exe'
     filter_main_svchost:
         ParentCommandLine|contains:
             - '-k apphost -s AppHostSvc'

rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
-modified: 2023/03/30
+modified: 2023/04/11
 tags:
     - attack.execution
     - attack.t1218
@@ -41,7 +41,11 @@ detection:
         ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
         CommandLine|contains: 'C:\Windows\TEMP\'
         CommandLine|endswith: '.mof'
-    condition: all of selection_* and not 1 of filter_main_*
+    filter_optional_null_parent:
+        # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provder.
+        CommandLine|contains: 'C:\Windows\TEMP\'
+        CommandLine|endswith: '.mof'
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml

@@ -5,9 +5,10 @@ description: Detects audio capture via PowerShell Cmdlet.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
     - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
-author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+    - https://github.com/frgnca/AudioDeviceCmdlets
+author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2023/04/06
 tags:
     - attack.collection
     - attack.t1123
@@ -16,7 +17,12 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
+        CommandLine|contains:
+            - 'WindowsAudioDevice-Powershell-Cmdlet'
+            - 'Toggle-AudioDevice'
+            - 'Get-AudioDevice '
+            - 'Set-AudioDevice '
+            - 'Write-AudioDevice '
     condition: selection
 falsepositives:
     - Legitimate audio capture by legitimate user.

rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml

@@ -6,25 +6,26 @@ references:
     - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
 author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
 date: 2018/09/03
-modified: 2021/03/02
+modified: 2023/04/06
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_img:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_cli_enc:
         CommandLine|contains: ' -e' # covers -en and -enc
-    selection2:
-        CommandLine|contains: ' JAB'
-    selection3:
-        CommandLine|contains|all:
-            - ' -w'
-            - ' hidden '
-    selection4:
+    selection_cli_content:
         CommandLine|contains:
-            - ' BA^J'
+            - ' JAB'
             - ' SUVYI'
             - ' SQBFAFgA'
             - ' aQBlAHgA'
@@ -33,11 +34,11 @@ detection:
             - ' IAB'
             - ' UwB'
             - ' cwB'
-    selection5:
-        CommandLine|contains: '.exe -ENCOD '
-    falsepositive1:
-        CommandLine|contains|all:
-            - ' -ExecutionPolicy'
-            - 'remotesigned '
-    condition: ((selection and selection2) or (selection and selection2 and selection3) or (selection and selection4) or selection5) and not falsepositive1
+    selection_standalone:
+        CommandLine|contains:
+            - '.exe -ENCOD '
+            - ' BA^J e-' # Reversed
+    filter_optional_remote_signed:
+        CommandLine|contains: ' -ExecutionPolicy remotesigned '
+    condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
 level: high