diff --git a/rules_windows_generic_full.json b/rules_windows_generic_full.json
index 91eed2b..af631ff 100755
--- a/rules_windows_generic_full.json
+++ b/rules_windows_generic_full.json
@@ -9880,6 +9880,26 @@
 ],
 "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
 },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
 {
 "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
 "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
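Review bot: The FIN7 rule added in this hunk lists `"falsepositives": ["Unknown"]` although its first clause, `ParentProcessName LIKE '%\\\\notepad++.exe' ... AND NewProcessName LIKE '%\\\\cmd.exe'`, is likely to fire on ordinary developer use of Notepad++ (its Run menu and plugins such as NppExec spawn cmd.exe), so at level `medium` this will reach analysts without any documented triage hint. Consider replacing the entry with something like `"Notepad++ Run menu or NppExec plugin launching cmd.exe on developer workstations"` so the bundle records the expected noise source. The same object is added verbatim in the hunks of the generic_medium, generic_pysigma, sysmon_full, sysmon_medium and sysmon_pysigma files; if these bundles are generated from the sigma submodule bumped at the end of this diff, the wording belongs in the upstream rule rather than in a hand edit here.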
@@ -31177,6 +31197,25 @@
 ],
 "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
 },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\')"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
 {
 "title": "HackTool - Potential CobaltStrike Process Injection",
 "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
diff --git a/rules_windows_generic_medium.json b/rules_windows_generic_medium.json
index 9e01c3c..720d3b6 100755
--- a/rules_windows_generic_medium.json
+++ b/rules_windows_generic_medium.json
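Review bot: The query added in this hunk, `SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ...)`, carries no EventID or Channel constraint, whereas the sysmon variant of the same rule later in this diff is guarded by `EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational'`. In this generic bundle the rule therefore matches any record whose TargetImage ends in one of the three shell names, which presumably includes Sysmon process-access events (Event ID 10 also carries TargetImage), so it would report remote-thread injection for plain handle opens. Either prefix the same guard, `(EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (...))`, or leave this create_remote_thread rule out of the generic bundle if TargetImage is not mapped for non-Sysmon sources there. The same unguarded form is added in the generic_medium and generic_pysigma hunks; if these files are generated, the fix belongs in the generic backend's category mapping rather than in the JSON.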
@@ -9616,6 +9616,26 @@
 ],
 "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
 },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
 {
 "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
 "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -28432,6 +28452,25 @@
 ],
 "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
 },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\')"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
 {
 "title": "HackTool - Potential CobaltStrike Process Injection",
 "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
diff --git a/rules_windows_generic_pysigma.json b/rules_windows_generic_pysigma.json
index 26e9f63..2f15169 100644
--- a/rules_windows_generic_pysigma.json
+++ b/rules_windows_generic_pysigma.json
@@ -34401,6 +34401,26 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Forest Blizzard APT - JavaScript Constrained File Creation",
 "id": "ec7c4e9b-9bc9-47c7-a32f-b53b598da642",
@@ -43146,6 +43166,25 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'"
+ ],
+ "filename": ""
+ },
 {
 "title": "Remote Thread Creation By Uncommon Source Image",
 "id": "66d31e5f-52d6-40a4-9615-002d3789a119",
diff --git a/rules_windows_sysmon_full.json b/rules_windows_sysmon_full.json
index 3c303e2..7c93224 100755
--- a/rules_windows_sysmon_full.json
+++ b/rules_windows_sysmon_full.json
@@ -9880,6 +9880,26 @@
 ],
 "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
 },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND Image LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
 {
 "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
 "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -31177,6 +31197,25 @@
 ],
 "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
 },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'))"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
 {
 "title": "HackTool - Potential CobaltStrike Process Injection",
 "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
diff --git a/rules_windows_sysmon_medium.json b/rules_windows_sysmon_medium.json
index efd4429..fbe134d 100755
--- a/rules_windows_sysmon_medium.json
+++ b/rules_windows_sysmon_medium.json
@@ -9616,6 +9616,26 @@
 ],
 "filename": "file_event_win_apt_unknown_exploitation_indicators.yml"
 },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND Image LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": "proc_creation_win_apt_fin7_exploitation_indicators.yml"
+ },
 {
 "title": "DPRK Threat Actor - C2 Communication DNS Indicators",
 "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f",
@@ -28432,6 +28452,25 @@
 ],
 "filename": "create_remote_thread_win_susp_uncommon_target_image.yml"
 },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE (EventID = '8' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'))"
+ ],
+ "filename": "create_remote_thread_win_susp_target_shell_application.yml"
+ },
 {
 "title": "HackTool - Potential CobaltStrike Process Injection",
 "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
diff --git a/rules_windows_sysmon_pysigma.json b/rules_windows_sysmon_pysigma.json
index e7a5e8e..33e0b6b 100644
--- a/rules_windows_sysmon_pysigma.json
+++ b/rules_windows_sysmon_pysigma.json
@@ -34401,6 +34401,26 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Potential APT FIN7 Exploitation Activity",
+ "id": "6676896b-2cce-422d-82af-5a1abe65e241",
+ "status": "experimental",
+ "description": "Detects potential APT FIN7 exploitation activity as reported by Google.\nIn order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\n",
+ "author": "Alex Walston (@4ayymm)",
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((ParentImage LIKE '%\\\\notepad++.exe' ESCAPE '\\' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentImage LIKE '%\\\\rdpinit.exe' ESCAPE '\\' AND Image LIKE '%\\\\notepad++.exe' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Forest Blizzard APT - JavaScript Constrained File Creation",
 "id": "ec7c4e9b-9bc9-47c7-a32f-b53b598da642",
@@ -43146,6 +43166,25 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Remote Thread Created In Shell Application",
+ "id": "a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f",
+ "status": "experimental",
+ "description": "Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\nIt is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\n",
+ "author": "Splunk Research Team",
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=8 AND (TargetImage LIKE '%\\\\cmd.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\pwsh.exe' ESCAPE '\\'))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Remote Thread Creation By Uncommon Source Image",
 "id": "66d31e5f-52d6-40a4-9615-002d3789a119",
diff --git a/sigma b/sigma
index 779111a..e1803cb 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit 779111a0dd80c510f7e44e6515e7dac929f87231
+Subproject commit e1803cbc8ee57cff51d4490db528820f513ccb1f