feat: more apt rules updates

rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml → rules-deprecated/windows/proc_creation_win_apt_hurricane_panda.yml

@@ -1,12 +1,12 @@
 title: Hurricane Panda Activity
 id: 0eb2107b-a596-422e-b123-b389d5594ed7
-status: test
+status: deprecated
 description: Detects Hurricane Panda Activity
 references:
     - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 author: Florian Roth (Nextron Systems)
 date: 2019/03/04
-modified: 2021/11/27
+modified: 2023/03/10
 tags:
     - attack.privilege_escalation
     - attack.g0009

rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml → rules-deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml

@@ -1,12 +1,12 @@
 title: Lazarus Activity Apr21
 id: 4a12fa47-c735-4032-a214-6fab5b120670
-status: test
+status: deprecated
 description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
 references:
     - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
 author: Bhabesh Raj
 date: 2021/04/20
-modified: 2022/12/02
+modified: 2023/03/10
 tags:
     - attack.g0032
     - attack.execution
@@ -17,10 +17,10 @@ logsource:
 detection:
     selection_1:
         CommandLine|contains|all:
-            - 'mshta'
+            - 'mshta' # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3
             - '.zip'
     selection_2:
-        ParentImage: 'C:\Windows\System32\wbem\wmiprvse.exe'
+        ParentImage: 'C:\Windows\System32\wbem\wmiprvse.exe' # Covered by 8a582fe2-0882-4b89-a82a-da6b2dc32937
         Image: 'C:\Windows\System32\mshta.exe'
     selection_3:
         ParentImage|contains: ':\Users\Public\'

rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml → rules-deprecated/windows/proc_creation_win_apt_lazarus_loader.yml

@@ -1,13 +1,13 @@
 title: Lazarus Loaders
 id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
-status: test
+status: deprecated
 description: Detects different loaders as described in various threat reports on Lazarus group activity
 references:
     - https://www.hvs-consulting.de/lazarus-report/
     - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
 author: Florian Roth (Nextron Systems), wagga
 date: 2020/12/23
-modified: 2021/06/27
+modified: 2023/03/10
 tags:
     - attack.g0032
     - attack.execution

rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml → rules-deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml

@@ -1,13 +1,13 @@
 title: DNS Tunnel Technique from MuddyWater
 id: 36222790-0d43-4fe8-86e4-674b27809543
-status: test
+status: deprecated
 description: Detecting DNS tunnel activity for Muddywater actor
 references:
     - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
     - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
 author: '@caliskanfurkan_'
 date: 2020/06/04
-modified: 2022/07/14
+modified: 2023/03/10
 tags:
     - attack.command_and_control
     - attack.t1071.004

rules/windows/process_creation/proc_creation_win_apt_apt31_judgement_panda.yml

@@ -0,0 +1,37 @@
+title: APT31 Judgement Panda Activity
+id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
+status: test
+description: Detects APT 31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
+references:
+    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
+author: Florian Roth (Nextron Systems)
+date: 2019/02/21
+modified: 2023/03/10
+tags:
+    - attack.lateral_movement
+    - attack.credential_access
+    - attack.g0128
+    - attack.t1003.001
+    - attack.t1560.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_ldifde:
+        CommandLine|contains|all:
+            - 'ldifde'
+            - '-f -n'
+            - 'eprod.ldf'
+    selection_lateral_movement:
+        CommandLine|contains|all:
+            - 'copy \\\\'
+            - 'c$'
+        CommandLine|contains:
+            - '\aaaa\procdump64.exe'
+            - '\aaaa\netsess.exe'
+            - '\aaaa\7za.exe''
+            - '\c$\aaaa\'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml → rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml

@@ -1,12 +1,12 @@
-title: Lazarus Session Highjacker
+title: Lazarus System Binary Masquerading
 id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
 status: test
-description: Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
+description: Detects binaries used by Lazarus group which use system names but are execution and launched from non-default location
 references:
     - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
 author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
 date: 2020/06/03
-modified: 2021/11/27
+modified: 2023/03/10
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -17,12 +17,12 @@ detection:
     selection:
         Image|endswith:
             - '\msdtc.exe'
-            - '\gpvc.exe'
+            - '\gpsvc.exe'
     filter:
         Image|startswith:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
     condition: selection and not filter
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high

rules/windows/process_creation/proc_creation_win_apt_lazarus_group_activity.yml

@@ -0,0 +1,59 @@
+title: Lazarus Group Activity
+id: 24c4d154-05a4-4b99-b57d-9b977472443a
+related:
+    - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
+      type: obsoletes
+status: test
+description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
+references:
+    - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
+    - https://www.hvs-consulting.de/lazarus-report/
+author: Florian Roth (Nextron Systems), wagga
+date: 2020/12/23
+modified: 2023/03/10
+tags:
+    - attack.g0032
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_generic:
+        CommandLine|contains:
+            - 'reg.exe save hklm\sam %temp%\~reg_sam.save'
+            - '1q2w3e4r@#$@#$@#$'
+            - ' -hp1q2w3e4 '
+            - '.dat data03 10000 -p '
+    selection_netstat:
+        CommandLine|contains|all:
+            - 'netstat -aon | find '
+            - 'ESTA'
+            - ' > %temp%\~'
+    # Network share discovery
+    selection_network_discovery:
+        CommandLine|contains|all:
+            - '.255 10 C:\ProgramData\IBM\'
+            - '.DAT'
+    selection_persistence:
+        CommandLine|contains|all:
+            - ' /c '
+            - ' -p 0x'
+        CommandLine|contains:
+            - 'C:\ProgramData\'
+            - 'C:\RECYCLER\'
+    selection_rundll32:
+        CommandLine|contains|all:
+            - 'rundll32 '
+            - 'C:\ProgramData\'
+        CommandLine|contains:
+            - '.bin,'
+            - '.tmp,'
+            - '.dat,'
+            - '.io,'
+            - '.ini,'
+            - '.db,'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/process_creation/proc_creation_win_apt_mercury.yml

@@ -1,12 +1,12 @@
-title: MERCURY Command Line Patterns
+title: MERCURY APT Activity
 id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
 status: experimental
-description: Detects suspicious command line patterns as seen being used by MERCURY threat actor
+description: Detects suspicious command line patterns as seen being used by MERCURY APT
 references:
     - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/26
-modified: 2022/09/12
+modified: 2023/03/10
 tags:
     - attack.execution
     - attack.t1059.001
@@ -18,7 +18,7 @@ detection:
     selection_base:
         CommandLine|contains|all:
             - '-exec bypass -w 1 -enc'
-            - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAaw'  # Start-Job -ScriptBlock
+            - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA'  # Start-Job -ScriptBlock
     condition: all of selection*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_apt_muddywater_activity.yml

@@ -0,0 +1,39 @@
+title: Potential MuddyWater APT Activity
+id: 36222790-0d43-4fe8-86e4-674b27809543
+status: test
+description: Detecting potential Muddywater APT activity
+references:
+    - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/10
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.g0069
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_mshta:
+        CommandLine|contains|all:
+            - 'vbscript:Close(Execute("CreateObject('
+            - 'powershell'
+            - '-w 1 -exec Bypass'
+            - '\ProgramData\'
+    selection_survey:
+        CommandLine|contains|all:
+            - 'Win32_OperatingSystem'
+            - 'Win32_NetworkAdapterConfiguration'
+            - 'root\SecurityCenter2'
+            - '[System.Net.DNS]'
+    selection_pwsh_backdoor:
+        CommandLine|contains|all:
+            - '[Convert]::ToBase64String'
+            - '[System.Text.Encoding]::UTF8.GetString]'
+            - 'GetResponse().GetResponseStream()'
+            - '[System.Net.HttpWebRequest]::Create('
+            - '-bxor '
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml → rules/windows/process_creation/proc_creation_win_malware_ke3chang_tidepool.yml

@@ -1,13 +1,13 @@
-title: Ke3chang Registry Key Modifications
+title: Potential Ke3chang/TidePool Malware Activity
 id: 7b544661-69fc-419f-9a59-82ccc328f205
 status: test
-description: Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
+description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
 references:
-    - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
+    - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
     - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 author: Markus Neis, Swisscom
 date: 2020/06/18
-modified: 2021/11/27
+modified: 2023/03/10
 tags:
     - attack.g0004
     - attack.defense_evasion
@@ -28,5 +28,5 @@ detection:
             - '-Property DWORD -name IEHarden -value 0 -Force'
     condition: selection
 falsepositives:
-    - Will need to be looked for combinations of those processes
-level: critical
+    - Unknown
+level: high