From 137f390a5a31f0d49e1e05d719f73f05e4a67ecb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 10 Dec 2024 09:23:04 +0100
Subject: [PATCH 1/5] add: Huntress Labs Cleo exploitation rules
---
 ...n_proc_creation_cleo_exploitation_2024.yml | 34 +++++++++++++++++++
 ...ation_suspicious_powershell_from_javaw.yml | 34 +++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml
 create mode 100644 rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
diff --git a/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml b/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml
new file mode 100644
index 00000000000..b872e0afc8b
--- /dev/null
+++ b/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml
@@ -0,0 +1,34 @@
+title: Possible Cleo MFT Exploitation 2024
+id: f007b877-02e3-45b7-8501-1b78c2864029
+status: experimental
+description: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+references:
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+date: 2024-12-09
+tags:
+ - attack.execution
+ - attack.t1190
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\javaw.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'powershell'
+ - ' -NonInteractive'
+ - ' -noni '
+ - ' -enc '
+ - ' -EncodedCommand'
+ ParentCommandLine|contains:
+ - 'VLTrader'
+ - 'lexicom'
+ - 'Harmony'
+ - 'VersaLex'
+
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
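Review bot: The `CommandLine|contains` list under `selection` is OR-ed in Sigma, so `'powershell'` alone satisfies it and the four flag entries add no constraint, while a flag entry such as `' -noni '` matches a cmd.exe child of the Cleo javaw process even when no PowerShell is involved; the rule therefore fires on "Cleo spawned cmd.exe with 'powershell' somewhere in the command line", which is broader than the "suspicious" pattern the description and the Huntress reference describe. The second rule in this patch already uses the right shape (`selection and cmdline and powershell`); this file should split the interpreter check from the flag check the same way and AND them in the condition, as sketched below. The same OR-ed list survives in the patch 4 revision of this file, so the restructuring applies there as well. The empty `+` line before `condition: selection` is also out of place for rules in this repository and should be dropped.
```yaml
# … unchanged: title, id, status, description, author, references, date, tags, logsource …
detection:
  selection:
    ParentImage|endswith: '\javaw.exe'
    ParentCommandLine|contains:
      - 'VLTrader'
      - 'lexicom'
      - 'Harmony'
      - 'VersaLex'
    Image|endswith: '\cmd.exe'
  selection_powershell:
    CommandLine|contains: 'powershell'
  selection_flags:
    CommandLine|contains:
      - ' -NonInteractive'
      - ' -noni '
      - ' -enc '
      - ' -EncodedCommand'
  condition: selection and selection_powershell and selection_flags
# … unchanged: falsepositives, level …
```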
diff --git a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
new file mode 100644
index 00000000000..3a753bb2a74
--- /dev/null
+++ b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
@@ -0,0 +1,34 @@
+title: Javaw Spawning Suspicious Powershell Commands
+id: a0ec945f-2328-40e9-96f6-27dadf72861b
+status: experimental
+description: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software.
+author: Chad Hudson, Matt Anderson
+references:
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+date: 2024-12-09
+tags:
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\javaw.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ cmdline:
+ CommandLine|contains:
+ - ' -nop'
+ - ' -noni'
+ - ' -NonInteractive'
+ - ' -w hidden '
+ - ' -windowstyle hidden*'
+ - '(New-Object Net.WebClient).Download*'
+ - ' -enc '
+ - ' -EncodedCommand '
+ powershell:
+ CommandLine|contains: powershell
+ condition: selection and cmdline and powershell
+falsepositives:
+ - Unknown
From c7eec6484624bd4ffa3a61c411d011c85077ed45 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 10 Dec 2024 09:25:45 +0100
Subject: [PATCH 2/5] fix: missing level
---
 .../win_proc_creation_suspicious_powershell_from_javaw.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
index 3a753bb2a74..deba934b564 100644
--- a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
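Review bot: The `cmdline` values `' -windowstyle hidden*'` and `'(New-Object Net.WebClient).Download*'` end in a literal `*`; with the `|contains` modifier Sigma already wraps the value in wildcards and treats `*` inside a value as a wildcard character, so the trailing asterisk is at best redundant and is a trap for anyone later switching the modifier — write them as `- ' -windowstyle hidden'` and `- '(New-Object Net.WebClient).Download'`. Because matching is case-insensitive, `' -noni'` (no trailing space) is a prefix of `' -NonInteractive'`, so the longer entry never adds a match; either drop it or give `' -noni'` a trailing space as the first rule in this patch does. The `tags` list carries `attack.t1059.001` without its tactic; rules in this repository pair the technique with the tactic, so add `- attack.execution` above it.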
+++ b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
@@ -31,4 +31,5 @@ detection:
 CommandLine|contains: powershell
 condition: selection and cmdline and powershell
 falsepositives:
- - Unknown
+ - Legitimate software may also use these commands
+level: high
From 9118f111a49fe6a8502fb1fb23911545c4578aa8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 10 Dec 2024 09:36:54 +0100
Subject: [PATCH 3/5] fix: some issues with the Huntress rules
---
 ....yml => web_exploit_creation_cleo_exploitation_2024.yml} | 0
 .../win_proc_creation_suspicious_powershell_from_javaw.yml | 6 ++----
 2 files changed, 2 insertions(+), 4 deletions(-)
 rename rules-emerging-threats/2024/Exploits/cleo-software/{win_proc_creation_cleo_exploitation_2024.yml => web_exploit_creation_cleo_exploitation_2024.yml} (100%)
diff --git a/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml b/rules-emerging-threats/2024/Exploits/cleo-software/web_exploit_creation_cleo_exploitation_2024.yml
similarity index 100%
rename from rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml
rename to rules-emerging-threats/2024/Exploits/cleo-software/web_exploit_creation_cleo_exploitation_2024.yml
diff --git a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
index deba934b564..6372da2f4e6 100644
--- a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
+++ b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
@@ -13,10 +13,8 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage|endswith:
- - '\javaw.exe'
- Image|endswith:
- - '\cmd.exe'
+ ParentImage|endswith: '\javaw.exe'
+ Image|endswith: '\cmd.exe'
 cmdline:
 CommandLine|contains:
 - ' -nop'
From 0b2846efa8c0bd280db80e76ef5e9f0e80125f5c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Sat, 14 Dec 2024 22:36:54 +0200
Subject: [PATCH 4/5] updates
---
 ...ation_win_exploit_cve_2024_50623_cleo.yml} | 23 +++++++------
 ..._webshell_recon_commands_and_processes.yml | 16 +++++++--
 ...ation_suspicious_powershell_from_javaw.yml | 33 -------------------
 3 files changed, 25 insertions(+), 47 deletions(-)
 rename rules-emerging-threats/2024/Exploits/{cleo-software/web_exploit_creation_cleo_exploitation_2024.yml => CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml} (73%)
 delete mode 100644 rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
diff --git a/rules-emerging-threats/2024/Exploits/cleo-software/web_exploit_creation_cleo_exploitation_2024.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
similarity index 73%
rename from rules-emerging-threats/2024/Exploits/cleo-software/web_exploit_creation_cleo_exploitation_2024.yml
rename to rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
index b872e0afc8b..25819befa9f 100644
--- a/rules-emerging-threats/2024/Exploits/cleo-software/web_exploit_creation_cleo_exploitation_2024.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
@@ -1,10 +1,11 @@
-title: Possible Cleo MFT Exploitation 2024
+title: Potential Cleo MFT Exploitation 2024
 id: f007b877-02e3-45b7-8501-1b78c2864029
 status: experimental
-description: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.
-author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+description: |
+ Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.
 references:
 - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
 date: 2024-12-09
 tags:
 - attack.execution
@@ -15,20 +16,18 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\javaw.exe'
+ ParentCommandLine|contains:
+ - 'Harmony'
+ - 'lexicom'
+ - 'VersaLex'
+ - 'VLTrader'
 Image|endswith: '\cmd.exe'
 CommandLine|contains:
 - 'powershell'
- - ' -NonInteractive'
- - ' -noni '
 - ' -enc '
 - ' -EncodedCommand'
- ParentCommandLine|contains:
- - 'VLTrader'
- - 'lexicom'
- - 'Harmony'
- - 'VersaLex'
-
+ - '.Download'
 condition: selection
 falsepositives:
- - Unknown
+ - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
index 96feead4ecc..b2ee15af63b 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
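Review bot: `Image|endswith: '\cmd.exe'` keeps the revised rule scoped to the cmd.exe intermediary, so a direct `javaw.exe → powershell.exe` (or `pwsh.exe`) launch from the Cleo products named in `ParentCommandLine` is not covered even though the description still says "Powershell spawned from Cleo software". If the referenced advisory only documents the cmd.exe hop the narrow scope may be deliberate, but listing the interpreters costs nothing: `Image|endswith:` / `- '\cmd.exe'` / `- '\powershell.exe'` / `- '\pwsh.exe'`. The change of `falsepositives` to `Unlikely` is hard to justify while the `CommandLine|contains` list is still OR-ed and `'powershell'` on its own satisfies it — any PowerShell invocation through Cleo's Java process, including administrative scripts, will match; keep `Unknown` until the list also requires one of the encoding or download indicators.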
@@ -5,9 +5,10 @@ description: Detects certain command line parameters often used during reconnais
 references:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
 date: 2017-01-01
-modified: 2022-05-13
+modified: 2024-12-14
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -58,6 +59,17 @@ detection:
 selection_susp_wmic_utility:
 OriginalFileName: 'wmic.exe'
 CommandLine|contains: ' /node:'
+ selection_susp_powershell_cli:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ CommandLine|contains:
+ - ' -enc '
+ - ' -EncodedCommand '
+ - ' -w hidden '
+ - ' -windowstyle hidden'
+ - '.WebClient).Download'
 selection_susp_misc_discovery_binaries:
 - Image|endswith:
 - '\dsquery.exe'
diff --git a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
deleted file mode 100644
index 6372da2f4e6..00000000000
--- a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
+++ /dev/null
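Review bot: The new `selection_susp_powershell_cli` block in the second hunk is only reachable if the rule's `condition`, which lies outside this hunk, selects it; if the condition names selections individually rather than using a `1 of selection_susp_*` pattern, the block never fires and the `modified` bump in the first hunk advertises coverage that does not exist — please confirm. Within the block, `' -EncodedCommand '` requires a trailing space while the sibling `' -windowstyle hidden'` does not; I assume the space is meant to avoid partial matches, but since an argument always follows `-EncodedCommand`, `' -EncodedCommand'` behaves the same and is consistent with the rest of the list. The `'.WebClient).Download'` value is sensibly narrower than the `(New-Object Net.WebClient).Download*` form used in the javaw rule this patch deletes, since it also covers `Net.WebClient` obtained through other constructors.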
@@ -1,33 +0,0 @@
-title: Javaw Spawning Suspicious Powershell Commands
-id: a0ec945f-2328-40e9-96f6-27dadf72861b
-status: experimental
-description: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software.
-author: Chad Hudson, Matt Anderson
-references:
- - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
-date: 2024-12-09
-tags:
- - attack.t1059.001
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- ParentImage|endswith: '\javaw.exe'
- Image|endswith: '\cmd.exe'
- cmdline:
- CommandLine|contains:
- - ' -nop'
- - ' -noni'
- - ' -NonInteractive'
- - ' -w hidden '
- - ' -windowstyle hidden*'
- - '(New-Object Net.WebClient).Download*'
- - ' -enc '
- - ' -EncodedCommand '
- powershell:
- CommandLine|contains: powershell
- condition: selection and cmdline and powershell
-falsepositives:
- - Legitimate software may also use these commands
-level: high
From 0540ebc1bdc262e0e1a304b8772be9043243f082 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Sat, 14 Dec 2024 22:37:09 +0200
Subject: [PATCH 5/5] Update proc_creation_win_exploit_cve_2024_50623_cleo.yml
---
 .../proc_creation_win_exploit_cve_2024_50623_cleo.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
index 25819befa9f..d6b0692c907 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml
@@ -1,8 +1,8 @@
-title: Potential Cleo MFT Exploitation 2024
+title: CVE-2024-50623 Exploitation Attempt - Cleo
 id: f007b877-02e3-45b7-8501-1b78c2864029
 status: experimental
 description: |
- Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.
+ Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
 references:
 - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
 author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
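Review bot: The new description line misspells the product — "from the Celo software suite" should read "from the Cleo software suite" — and "Powershell" is conventionally "PowerShell", giving `Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with suspicious PowerShell commandline.` The title and, since patch 4, the directory now pin this detection to CVE-2024-50623, whereas the earlier description deliberately spoke of an unknown actor's pattern; as far as I recall the referenced Huntress advisory reports exploitation of hosts that had already applied the fix for that CVE, so the identifier may be the wrong one — worth confirming against the reference before the rule is published under that name.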