Rules Update

rules_windows_generic_full.json

@@ -9880,6 +9880,26 @@
  ],
  "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
  },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
  {
  "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
  "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -31177,6 +31197,25 @@
  ],
  "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
  },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\')"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
  {
  "title": "HackTool - Potential CobaltStrike Process Injection",
  "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",

rules_windows_generic_medium.json

@@ -9616,6 +9616,26 @@
  ],
  "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
  },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
  {
  "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
  "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -28432,6 +28452,25 @@
  ],
  "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
  },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\')"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
  {
  "title": "HackTool - Potential CobaltStrike Process Injection",
  "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",

rules_windows_generic_pysigma.json

@@ -34401,6 +34401,26 @@
  ],
  "filename": ""
  },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
  {
  "title": "Forest Blizzard APT - JavaScript Constrained File Creation",
  "id": "ec7c4e9b-9bc9-47c7-a32f-b53b598da642",
@@ -43146,6 +43166,25 @@
  ],
  "filename": ""
  },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'"
+ ],
+ "filename": ""
+ },
  {
  "title": "Remote Thread Creation By Uncommon Source Image",
  "id": "66d31e5f-52d6-40a4-9615-002d3789a119",

rules_windows_sysmon_full.json

@@ -9880,6 +9880,26 @@
  ],
  "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
  },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND Image LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
  {
  "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
  "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -31177,6 +31197,25 @@
  ],
  "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
  },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'))"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
  {
  "title": "HackTool - Potential CobaltStrike Process Injection",
  "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",

rules_windows_sysmon_medium.json

@@ -9616,6 +9616,26 @@
  ],
  "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
  },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND Image LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
  {
  "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
  "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -28432,6 +28452,25 @@
  ],
  "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
  },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'))"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
  {
  "title": "HackTool - Potential CobaltStrike Process Injection",
  "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",

rules_windows_sysmon_pysigma.json

@@ -34401,6 +34401,26 @@
  ],
  "filename": ""
  },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND Image LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
  {
  "title": "Forest Blizzard APT - JavaScript Constrained File Creation",
  "id": "ec7c4e9b-9bc9-47c7-a32f-b53b598da642",
@@ -43146,6 +43166,25 @@
  ],
  "filename": ""
  },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=8 AND (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'))"
+ ],
+ "filename": ""
+ },
  {
  "title": "Remote Thread Creation By Uncommon Source Image",
  "id": "66d31e5f-52d6-40a4-9615-002d3789a119",