Merge PR #4774 from @nasbench - Fix and update multiple rules

nasbench · phantinuss · web-flow · commit f0395b815bcf · 2024-03-26T19:09:21.000+01:00
fix: EVTX Created In Uncommon Location - Reduce level and remove filters fix: Files With System Process Name In Unsuspected Locations - Add additional paths fix: New RUN Key Pointing to Suspicious Folder new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection new: MaxMpxCt Registry Value Changed update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
@@ -0,0 +1,32 @@
+title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
+id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
+status: experimental
+description: |
+    Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
+    It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
+references:
+    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
+    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/03/20
+tags:
+    - attack.initial_access
+    - cve.2024.1212
+logsource:
+    category: webserver
+detection:
+    selection_path:
+        cs-method: 'GET'
+        cs-uri-stem|contains|all:
+            - '/access/set'
+            - 'param=enableapi'
+            - 'value=1'
+    selection_keywords:
+        - 'Basic Jz'
+        - 'Basic c7'
+        - 'Basic nO'
+        - "Basic ';"
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
@@ -4,15 +4,18 @@ related:
     - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
       type: similar
 status: test
-description: Detects the use of the redirection character ">" to redicrect information in commandline
+description: |
+    Detects the use of the redirection character ">" to redirect information on the command line.
+    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
 references:
     - https://ss64.com/nt/syntax-redirection.html
 author: frack113
 date: 2022/01/22
-modified: 2023/03/07
+modified: 2024/03/19
 tags:
     - attack.discovery
     - attack.t1082
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -22,12 +25,12 @@ detection:
         - Image|endswith: '\cmd.exe'
     selection_cli:
         CommandLine|contains: '>'
-    filter_idm_extension:
+    filter_optional_idm_extension:
         CommandLine|contains:
             - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
             - 'chrome-extension://'
             - '\\.\pipe\chrome.nativeMessaging'
-    condition: all of selection_* and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
     - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
 level: low
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
@@ -1,12 +1,15 @@
 title: EVTX Created In Uncommon Location
 id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
 status: experimental
-description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls
+description: |
+    Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
+    This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
+    Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
 references:
     - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
 date: 2023/01/02
-modified: 2023/07/13
+modified: 2024/03/26
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -18,15 +21,12 @@ detection:
     selection:
         TargetFilename|endswith: '.evtx'
     filter_main_path:
-        TargetFilename|contains: ':\Windows\System32\winevt\Logs\'
+        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
     filter_main_baseimage:
-        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\'
+        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
         TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
-    filter_main_generic_img:
-        Image|endswith:
-            - ':\Windows\explorer.exe'
-            - ':\Windows\system32\dllhost.exe'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Administrator or backup activity
-level: high
+    - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name">_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -3,11 +3,12 @@ id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
 status: test
 description: |
     Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
+    It is highly recommended to perform an initial baseline before using this rule in production.
 references:
     - Internal Research
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/26
-modified: 2023/11/10
+modified: 2024/03/18
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -89,48 +90,38 @@ detection:
             - '\WSReset.exe'
             - '\WUDFHost.exe'
             - '\WWAHost.exe'
-    filter_main_dism_tiworker:
+    filter_main_generic:
+        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
         TargetFilename|contains:
-            - ':\Windows\SoftwareDistribution\'
-            - ':\Windows\System32\'
-            - ':\Windows\SysWOW64\'
-            - ':\Windows\WinSxS\'
             - '\SystemRoot\System32\'
-        Image|endswith:
-            - '\Windows\System32\dism.exe'
-            - '\TiWorker.exe'
-    filter_main_setuphost:
-        TargetFilename|contains: ':\$WINDOWS.~BT\'
-        Image|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe'
-    filter_main_wbengine:
-        TargetFilename|endswith: '\RuntimeBroker.exe'
-        Image|endswith: ':\Windows\system32\wbengine.exe'
+            - 'C:\$WINDOWS.~BT\'
+            - 'C:\$WinREAgent\'
+            - 'C:\Windows\SoftwareDistribution\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+            - 'C:\Windows\uus\'
     filter_main_svchost:
-        Image|endswith: ':\Windows\system32\svchost.exe'
-        TargetFilename|contains:
-            - ':\Windows\SoftwareDistribution\Download\'
-            - ':\Program Files\WindowsApps\'
+        Image|endswith: 'C:\Windows\system32\svchost.exe'
+        TargetFilename|contains: 'C:\Program Files\WindowsApps\'
     filter_main_wuauclt:
-        Image|endswith: ':\Windows\System32\wuauclt.exe'
+        Image|endswith: 'C:\Windows\System32\wuauclt.exe'
     filter_main_explorer:
-        TargetFilename|endswith: ':\Windows\explorer.exe'
+        TargetFilename|endswith: 'C:\Windows\explorer.exe'
     filter_main_msiexec:
         # This filter handles system processes who are updated/installed using misexec.
-        Image|endswith: ':\WINDOWS\system32\msiexec.exe'
+        Image|endswith: 'C:\WINDOWS\system32\msiexec.exe'
         # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
         TargetFilename|endswith:
-            - ':\Program Files\PowerShell\7\pwsh.exe'
-            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
+            - 'C:\Program Files\PowerShell\7\pwsh.exe'
+            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
     filter_main_healtray:
-        TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
+        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
         TargetFilename|endswith: '\SecurityHealthSystray.exe'
         Image|endswith: '\SecurityHealthSetup.exe'
-    filter_main_wuaucltcore:
-        Image|contains: ':\Windows\uus\'
-        Image|endswith: '\wuaucltcore.exe'
-        TargetFilename|contains: ':\$WinREAgent\'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - System processes copied outside their default folders for testing purposes
     - Third party software naming their software with the same names as the processes mentioned here
-level: high
+# Note: Upgrade to high after an initial baseline to your environement.
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -1,17 +1,19 @@
-title: Suspicious CMD Shell Output Redirect
+title: Potentially Suspicious CMD Shell Output Redirect
 id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
 related:
     - id: aa2efee7-34dd-446e-8a37-40790a66efd7
       type: derived
     - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
       type: similar
 status: experimental
-description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location
+description: |
+    Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
+    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
 references:
     - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
-modified: 2023/05/15
+modified: 2024/03/19
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -24,24 +26,18 @@ detection:
         - OriginalFileName: 'Cmd.Exe'
     selection_cli_1:
         CommandLine|contains:
-            # Add more suspicious locations as you find them
-            # The space from the start is missing to cover append operations ">>"
-            - '> \Users\Public\'
-            - '> %APPDATA%\'
-            - '> %TEMP%\'
-            - '> %TMP%\'
-            - '> %USERPROFILE%\'
-            - '> C:\Temp\'
-            - '> C:\Users\Public\'
-            - '> C:\Windows\Temp\'
-            - '>\Users\Public\'
-            - '>%APPDATA%\'
-            - '>%TEMP%\'
-            - '>%TMP%\'
-            - '>%USERPROFILE%\'
-            - '>C:\Temp\'
-            - '>C:\Users\Public\'
-            - '>C:\Windows\Temp\'
+            # Note: Add more suspicious locations as you find them
+            # Note: The space from the start is missing to cover append operations ">>"
+            # Note: We use the "?" to account for both a single and a double quote
+            # Note: If you want to account for more spaces which is still a valid bypass option. Use a regex with "\s"
+            - '>?%APPDATA%\'
+            - '>?%TEMP%\'
+            - '>?%TMP%\'
+            - '>?%USERPROFILE%\'
+            - '>?C:\ProgramData\'
+            - '>?C:\Temp\'
+            - '>?C:\Users\Public\'
+            - '>?C:\Windows\Temp\'
     selection_cli_2:
         CommandLine|contains:
             - ' >'
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -9,6 +9,7 @@ references:
     - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/02
+modified: 2024/03/19
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -17,7 +18,7 @@ logsource:
     product: windows
 detection:
     selection_img:
-        - Image|endswith: 'reg.exe'
+        - Image|endswith: '\reg.exe'
         - OriginalFileName: 'reg.exe'
     selection_safeboot:
         CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -8,7 +8,7 @@ references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Florian Roth (Nextron Systems)
 date: 2022/02/23
-modified: 2023/12/21
+modified: 2024/03/19
 tags:
     - attack.execution
     - attack.t1053.005
@@ -47,6 +47,10 @@ detection:
             - 'mshta.exe http'
     selection_anomaly_1:
         CommandLine|contains:
+            - ':\ProgramData\'
+            - ':\Temp\'
+            - ':\Tmp\'
+            - ':\Users\Public\'
             - ':\Windows\Temp\'
             - '\AppData\'
             - '%AppData%'
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -1,4 +1,4 @@
-title: Office Macros Auto-Enabled
+title: Office Macros Warning Disabled
 id: 91239011-fe3c-4b54-9f24-15c86bb65913
 related:
     - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
@@ -11,7 +11,7 @@ references:
     - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/22
-modified: 2023/08/17
+modified: 2024/03/19
 tags:
     - attack.defense_evasion
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
@@ -0,0 +1,27 @@
+title: MaxMpxCt Registry Value Changed
+id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
+status: experimental
+description: |
+    Detects changes to the "MaxMpxCt" registry value.
+    MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
+    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
+references:
+    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
+    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
+    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
+    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/03/19
+tags:
+    - attack.defense_evasion
+    - attack.t1070.005
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -6,7 +6,7 @@ references:
     - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
 date: 2018/08/25
-modified: 2023/12/11
+modified: 2024/03/18
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -33,9 +33,12 @@ detection:
               - '%Public%\'
               - 'wscript'
               - 'cscript'
-    condition: all of selection_*
-fields:
-    - Image
+    filter_main_windows_update:
+        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
+        Details|contains|all:
+            - 'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
+            - 'C:\Windows\Temp\'
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Software using weird folders for updates
 level: high
