From 22051ae18461396f16b3c627fe38e79c4c44c0f9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 31 Aug 2023 16:58:26 +0200
Subject: [PATCH 01/11] Qakbot uninstaller
---
 .../proc_creation_win_fbi_qbot_cleanup.yml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
diff --git a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
new file mode 100644
index 00000000000..79543552dcf
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
@@ -0,0 +1,32 @@
+title: QBot Uninstaller Execution
+id: bc309b7a-3c29-4937-a4a3-e232473f9168
+status: experimental
+description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
+references:
+ - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
+ - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
+ - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
+author: Florian Roth (Nextron Systems)
+date: 2023/08/30
+tags:
+ - qakbot
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\QbotUninstall.exe'
+ - Hashes|contains:
+ - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
+ - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
+ - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
+ - sha256:
+ - '559cae635f0d870652b9482ef436b31d4bb1a5a0f51750836f328d749291d0b6'
+ - '855eb5481f77dde5ad8fa6e9d953d4aebc280dddf9461144b16ed62817cc5071'
+ - 'fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0'
+ - imphash: 'e772c815072311d6fb8c3390743e6be5'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
+
From 97b87a64fa766d0d818e2a20bdbc38f5472da7c7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 31 Aug 2023 17:18:46 +0200
Subject: [PATCH 02/11] Apply suggestions from code review
---
 .../process_creation/proc_creation_win_fbi_qbot_cleanup.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
index 79543552dcf..42b572f0ce2 100644
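Review bot: The `imphash: 'e772c815072311d6fb8c3390743e6be5'` selector is OR'd with the file-name and SHA-256 entries, so a lone import-hash match is enough to fire this `level: high` rule; an import hash is shared by every binary linked with the same import table (frequently a toolchain artefact rather than a property of this sample), which makes it the weakest item in the list and worth a comment, e.g. `# imphash is shared across binaries of the same toolchain; weakest selector here, confirm with SHA256`. The `description` also does not tell an analyst why this is high severity: if, as the USAO-CDCA reference implies, the uninstaller was delivered to hosts enrolled in the botnet, then seeing it execute is evidence of a prior Qakbot infection that warrants IR follow-up, not a benign cleanup to close — a sentence to that effect belongs in the rule. The references list a VirusTotal entry for `7cdee5a5…` whose hash does not appear among the selectors, so a reader cannot tell which sample that link documents.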
--- a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
+++ b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
@@ -20,11 +20,7 @@ detection:
 - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
 - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
 - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
- - sha256:
- - '559cae635f0d870652b9482ef436b31d4bb1a5a0f51750836f328d749291d0b6'
- - '855eb5481f77dde5ad8fa6e9d953d4aebc280dddf9461144b16ed62817cc5071'
- - 'fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0'
- - imphash: 'e772c815072311d6fb8c3390743e6be5'
+ - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5
 condition: selection
 falsepositives:
 - Unlikely
From 829bfbf3b46265313df976b8be45e25522a605c4 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 31 Aug 2023 17:19:05 +0200
Subject: [PATCH 03/11] Update rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
---
 .../process_creation/proc_creation_win_fbi_qbot_cleanup.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
index 42b572f0ce2..8a95d6fe541 100644
--- a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
+++ b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
@@ -20,7 +20,7 @@ detection:
 - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
 - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
 - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
- - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5
+ - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
 condition: selection
 falsepositives:
 - Unlikely
From 6d456c004e76d970ae3a52eeddfc8097050e8c73 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 31 Aug 2023 17:26:00 +0200
Subject: [PATCH 04/11] feat: update Qakbot rules
---
 rules-emerging-threats/2023/Malware/Qakbot/README.md | 2 ++
 ...creation_win_malware_qakbot_uninstaller_cleanup.yml | 10 +++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)
 rename rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml => rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml (91%)
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/README.md b/rules-emerging-threats/2023/Malware/Qakbot/README.md
index 2e50a2b2e88..a858b4bda03 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/README.md
+++ b/rules-emerging-threats/2023/Malware/Qakbot/README.md
@@ -8,6 +8,7 @@ You can find more information on the threat in the following articles:
 - [Qakbot - malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot)
 - [Qakbot- pr0xylife](https://github.com/pr0xylife/Qakbot/)
+- [DOCUMENTS AND RESOURCES RELATED TO THE DISRUPTION OF THE QAKBOT MALWARE AND BOTNET](https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources)
 ## Rules
@@ -15,3 +16,4 @@ You can find more information on the threat in the following articles:
 - [Potential Qakbot Rundll32 Execution](./proc_creation_win_malware_qakbot_rundll32_execution.yml)
 - [Qakbot Rundll32 Exports Execution](./proc_creation_win_malware_qakbot_rundll32_exports.yml)
 - [Qakbot Rundll32 Fake DLL Extension Execution](./proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml)
+- [Qakbot Uninstaller Execution](./proc_creation_win_malware_qakbot_uninstaller_cleanup.yml)
diff --git a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
similarity index 91%
rename from rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
rename to rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
index 8a95d6fe541..7c18a07969c 100644
--- a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
@@ -1,4 +1,4 @@
-title: QBot Uninstaller Execution
+title: Qakbot Uninstaller Execution
 id: bc309b7a-3c29-4937-a4a3-e232473f9168
 status: experimental
 description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
@@ -7,9 +7,10 @@ references:
 - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
 - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
 author: Florian Roth (Nextron Systems)
-date: 2023/08/30
+date: 2023/08/31
 tags:
- - qakbot
+ - detection.emerging_threats
+ - attack.execution
 logsource:
 category: process_creation
 product: windows
@@ -17,12 +18,11 @@ detection:
 selection:
 - Image|endswith: '\QbotUninstall.exe'
 - Hashes|contains:
+ - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
 - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
 - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
 - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
- - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
 condition: selection
 falsepositives:
 - Unlikely
 level: high
-
From 90c9e508dedb09b47365c3de48cebab9ad27bd66 Mon Sep 17 00:00:00 2001
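Review bot: The new `- attack.execution` tag stands alone without a technique, whereas the other rules touched in this series pair tactic and technique (`attack.credential_access` with `attack.t1003.001`, `attack.privilege_escalation` with `attack.t1068`); if no ATT&CK technique fits a remediation binary, a short comment on the tag line saying so would stop the next reviewer from "fixing" it, otherwise add the technique. In the same file, `date:` is bumped from `2023/08/30` to `2023/08/31` instead of the `modified:` field used by the sibling rules in patches 07 and 08 — acceptable for an unmerged rule, but the later `changes:` field in patch 05 suggests the series is inconsistent about how revisions are recorded and should settle on `modified:`. The description line is context here and still says only that the file is "mentioned in the USAO-CDCA document"; stating what a hit means for the analyst (presumably evidence of a prior infection on that host) would justify `level: high`.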
From: Florian Roth
Date: Fri, 1 Sep 2023 10:51:49 +0200
Subject: [PATCH 05/11] update
---
 .../proc_creation_win_fbi_qbot_cleanup.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
index 79543552dcf..e767667bc73 100644
--- a/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
+++ b/rules/windows/process_creation/proc_creation_win_fbi_qbot_cleanup.yml
@@ -8,6 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
 author: Florian Roth (Nextron Systems)
 date: 2023/08/30
+changes: 2023/09/01
 tags:
 - qakbot
 logsource:
@@ -17,14 +18,12 @@ detection:
 selection:
 - Image|endswith: '\QbotUninstall.exe'
 - Hashes|contains:
+ - 'SHA256=7CDEE5A583EACF24B1F142413AABB4E556CCF4EF3A4764AD084C1526CC90E117'
+ - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
 - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
 - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
 - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
- - sha256:
- - '559cae635f0d870652b9482ef436b31d4bb1a5a0f51750836f328d749291d0b6'
- - '855eb5481f77dde5ad8fa6e9d953d4aebc280dddf9461144b16ed62817cc5071'
- - 'fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0'
- - imphash: 'e772c815072311d6fb8c3390743e6be5'
+ - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
 condition: selection
 falsepositives:
 - Unlikely
From 6c93b5e26ef7c2321bf428287714a5912bf77dd6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 1 Sep 2023 10:56:26 +0200
Subject: [PATCH 06/11] fix: removed shellcode rule
---
 .../proc_creation_win_malware_qakbot_uninstaller_cleanup.yml | 1 -
 1 file changed, 1 deletion(-)
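Review bot: `+changes: 2023/09/01` is not a field this rule set uses — the sibling rules edited in patches 07 and 08 record revisions as `modified: YYYY/MM/DD`, and a non-schema key will trip the repository's rule validation; change it to `+modified: 2023/09/01` or drop it, since the rule is not merged yet. This patch is also built on the patch-01 blob (`index 79543552dcf..`, old path under `rules/windows/process_creation/`) rather than on the renamed file from patch 04, and it re-deletes the `sha256:`/`imphash:` block that patch 02 already removed, so it will not apply on top of the preceding patches and the series presumably needs a rebase or squash. The two added SHA-256 entries (`7CDEE5A5…`, `423A9D13…`) carry no comment or reference saying which sample each is, unlike `FAB40853…`, which has a VirusTotal link in the references block; a one-line comment per hash would make them verifiable.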
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
index 5dd4591111b..ae0c321978c 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
@@ -20,7 +20,6 @@ detection:
 - Image|endswith: '\QbotUninstall.exe'
 - Hashes|contains:
 - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
- - 'SHA256=7CDEE5A583EACF24B1F142413AABB4E556CCF4EF3A4764AD084C1526CC90E117'
 - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
 - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
 - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
From ce0a765a9bba750794177707e32d8f248dcfbbfd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 5 Sep 2023 18:44:48 +0200
Subject: [PATCH 07/11] PPLBlade dump
---
 rules/windows/file/file_event/file_event_win_lsass_dump.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
index a16e60360b5..d1264d26b6c 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
@@ -14,7 +14,7 @@ references:
 - https://github.com/CCob/MirrorDump
 author: Florian Roth (Nextron Systems)
 date: 2021/11/15
-modified: 2023/05/17
+modified: 2023/09/05
 tags:
 - attack.credential_access
 - attack.t1003.001
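Review bot: Dropping `SHA256=7CDEE5A5…` as the shellcode sample is right, but the references block (outside this hunk) still carried the `virustotal.com/gui/file/7cdee5a5…/community` link in patches 01 and 04; if it survives here it now points at a sample the rule deliberately does not match and should be removed or annotated as the injected shellcode, otherwise the next maintainer will re-add the hash. The remaining `SHA256=423A9D13…` context line still has no reference or comment identifying it, so consider `- 'SHA256=423A9D13…'  # uninstaller sample, see justice.gov resource page` or an equivalent VirusTotal link. The base blob `index 5dd4591111b..` is neither the patch-04 (`7c18a07969c`) nor the patch-05 (`e767667bc73`) result, so the series appears to contain an intermediate state not shown in this set — worth squashing before merge.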
@@ -30,6 +30,7 @@ detection:
 - '\Andrew.dmp'
 - '\Coredump.dmp'
 - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
+ - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
 selection2:
 TargetFilename|contains:
 - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
From 496e6d6e37af07fee081de0c47a05843dcbcba75 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 13 Sep 2023 16:26:33 +0200
Subject: [PATCH 08/11] fix: Sysmon suspicious process parent
---
 .../proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index 2d07d62bb4a..afa2218dc81 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2022/12/30
+modified: 2023/09/13
 tags:
 - attack.privilege_escalation
 - attack.t1068
@@ -31,7 +31,9 @@ detection:
 - 'C:\WINDOWS\system32\wevtutil.exe'
 - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
 - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
- condition: selection and not filter
+ filter_null:
+ Image: null
+ condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
 level: high
From 0b43ab630cd12f6bd88cde9680a6cf7df3ea88b5 Mon Sep 17 00:00:00 2001
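Review bot: The new `filter_null:` / `Image: null` exclusion drops every Sysmon-parented process-creation event whose `Image` field is empty, yet unlike its neighbours (`# When Sysmon crashes`, `# When launching Sysmon 32bit version.`) it carries no comment saying which false positive it addresses, so a later maintainer cannot judge whether it is still safe to keep. Please document it on the line, e.g. `Image: null  # <describe the Sysmon self-spawn case that logs an empty Image>`, filling in the case the commit title ("fix: Sysmon suspicious process parent") alludes to. It may also be worth confirming that the PoC from the referenced tweet does not itself produce an event with an empty `Image` (I cannot tell from here), since this exclusion is unconditional and the rule is `level: high`. The `condition` switch to `1 of filter*` also pulls in the existing `filter` section, which is intended since both are exclusions; the selection head and `filter` start above this hunk.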
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 13 Sep 2023 20:38:09 +0200
Subject: [PATCH 09/11] Update file_event_win_lsass_default_dump_file_names.yml
---
 .../file_event/file_event_win_lsass_default_dump_file_names.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml
index 2405e0bca10..526eaa2eb51 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml
@@ -33,7 +33,7 @@ detection:
 - '\Coredump.dmp'
 - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
 - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
- selection2:
+ selection_2:
 TargetFilename|contains:
 - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
 - '\lsassdump'
From ce2201ad559a99c042f0b009b93754e7902119e6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 13 Sep 2023 20:38:48 +0200
Subject: [PATCH 10/11] Update proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
---
 .../proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index afa2218dc81..b4e0fafebfb 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
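Review bot: Renaming `selection2:` to `selection_2:` is only safe if the rule's `condition` reaches it through a wildcard such as `1 of selection*` or `1 of selection_*`; the condition line is outside this hunk, and if it names `selection2` explicitly this one-line change silently breaks the rule (a non-existent selection either fails validation or never matches, depending on the backend). Please include the `condition` line in the diff or state in the commit message that it was checked; the first selection's name should follow the same `selection_1`-style convention if that is the goal. The hunk is in `file_event_win_lsass_default_dump_file_names.yml` while patch 07 added the identical `\PPLBlade.dmp` entry to `file_event_win_lsass_dump.yml`, so the two look like the same rule before and after a file rename — if so, the PR should say which name is final.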
@@ -22,7 +22,7 @@ detection:
 ParentImage|endswith:
 - '\Sysmon.exe'
 - '\Sysmon64.exe'
- filter:
+ filter_main_generic:
 - Image:
 - 'C:\Windows\Sysmon.exe'
 - 'C:\Windows\Sysmon64.exe'
@@ -31,9 +31,9 @@ detection:
 - 'C:\WINDOWS\system32\wevtutil.exe'
 - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
 - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
- filter_null:
+ filter_main_null:
 Image: null
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
From e48101e3f1623aa340cec88ab745112a530aa975 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 29 Sep 2023 09:44:13 +0200
Subject: [PATCH 11/11] new: renamed curl execution
---
 .../proc_creation_win_renamed_curl.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_curl.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
new file mode 100644
index 00000000000..0532fb722bd
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
@@ -0,0 +1,28 @@
+title: Renamed Curl Execution
+id: 77b2c64f-5390-4a71-9d8d-a0488a920e42
+status: experimental
+description: Detects the execution of a renamed curl.exe binary, a technique often used by attackers to bypass security controls. Monitoring for such activity aids in quickly detecting potential unauthorized or malicious actions involving data transfer.
+references:
+ - https://curl.se/
+author: Florian Roth (Nextron Systems)
+date: 2023/09/29
+tags:
+ - attack.t1105
+ - attack.t1570
+ - attack.t1048
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - OriginalFileName: 'curl.exe'
+ - Description: 'The curl executable' # there are case-varied versions of this but Sigma is case-insensitive
+ - Company:
+ - 'curl, https://curl.se/' # there are case-varied versions of this but Sigma is case-insensitive
+ - 'curl, https://curl.haxx.se/' # there are case-varied versions of this but Sigma is case-insensitive
+ filter:
+ Image|contains: '\curl'
+ condition: selection and not filter
+falsepositives:
+ - It's common for certain software to rename and use curl for legitimate purposes, so this can occasionally lead to false positives
+level: medium
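Review bot: The exclusion `filter:` / `Image|contains: '\curl'` is a substring test on the full path, so a renamed curl dropped into any directory whose name contains `curl` (e.g. `C:\ProgramData\curl\svchost.exe`) is silently excluded, which defeats the rule's stated purpose; anchor it to the file name instead, `Image|endswith: '\curl.exe'`, and list any other legitimate build names explicitly rather than via a bare substring. Patch 10 in this same series renames a bare `filter` to `filter_main_generic` to match the repository convention, so this new rule should not reintroduce one — `filter_main_curl_image:` with `condition: selection and not 1 of filter_main_*`. The tags (`attack.t1105`, `attack.t1570`, `attack.t1048`) describe what curl can be used for but not the behaviour actually detected, which is masquerading by renaming a utility; adding `attack.defense_evasion` and `attack.t1036.003` would surface the rule under the right tactic. Minor: the three identical "case-varied versions" comments could be collapsed into one comment above `selection:`.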