Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: update browsers selections and filters
Showing 8 changed files with 252 additions and 110 deletions.
25 changes: 16 additions & 9 deletions in rules/windows/file/file_event/file_event_win_mal_vhd_download.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,34 +1,41 @@ | ||
title: Suspicious VHD Image Download From Browser | ||
id: 8468111a-ef07-4654-903b-b863a80bbc95 | ||
status: test | ||
description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls | ||
description: | | ||
Detects creation of ".vhd"/".vhdx" files by browser processes. | ||
Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls. | ||
references: | ||
- https://redcanary.com/blog/intelligence-insights-october-2021/ | ||
- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ | ||
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ | ||
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | ||
date: 2021/10/25 | ||
modified: 2022/06/02 | ||
modified: 2023/04/18 | ||
tags: | ||
- attack.resource_development | ||
- attack.t1587.001 | ||
logsource: | ||
category: file_event | ||
product: windows | ||
definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename> <!--vhd files for ZLoader and lazarus malware vectors -->" | ||
detection: | ||
selection: | ||
Image|endswith: | ||
- '\brave.exe' | ||
- '\chrome.exe' | ||
- '\firefox.exe' | ||
- '\microsoftedge.exe' | ||
- '\microsoftedgecp.exe' | ||
- '\iexplore.exe' | ||
- '\maxthon.exe' | ||
- '\MicrosoftEdge.exe' | ||
- '\msedge.exe' | ||
- '\iexplorer.exe' | ||
- '\brave.exe' | ||
- '\msedgewebview2.exe' | ||
- '\opera.exe' | ||
TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier | ||
- '\safari.exe' | ||
- '\seamonkey.exe' | ||
- '\vivaldi.exe' | ||
- '\whale.exe' | ||
# We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier" | ||
TargetFilename|contains: '.vhd' | ||
condition: selection | ||
falsepositives: | ||
- Legitimate user creation | ||
- Legitimate downloads of ".vhd" files would also trigger this | ||
level: medium |
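Review bot: the Sysmon `definition:` under `logsource` is now out of step with what the detection claims to match: it still recommends `<TargetFilename condition="end with">.vhd</TargetFilename>`, which would not log `.vhdx` files or the `:Zone.Identifier` alternate data stream write that the new comment says `TargetFilename|contains: '.vhd'` is meant to catch, so a collector configured from that hint never produces the events the rule describes. Change the definition to a `contains` condition (or add `end with` entries for `.vhdx` and the ADS forms) so the recommended collection and the selection agree. Separately, `contains: '.vhd'` matches the substring anywhere in the path, so a `.vhdl` source file or a folder such as `\.vhd-backups\` also fires; an `endswith` list of `.vhd`, `.vhdx`, `.vhd:Zone.Identifier` and `.vhdx:Zone.Identifier` keeps the ADS and `.vhdx` coverage the comment asks for while dropping those hits. Minor: since Sigma string matching is case-insensitive, dropping the lowercase `\microsoftedge.exe` duplicate is fine, but the updated `falsepositives` entry could mention that a single legitimate download produces two matches (the file and its Zone.Identifier stream).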