From 52e39113b97decb9f36c63652c29dddc1151c517 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 28 Oct 2023 12:55:32 +0200
Subject: [PATCH] Merge PR #4503 from @nasbench - Multiple Updates & Fixes
fix: Suspicious Sysmon as Execution Parent - Typo and restructure
update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
update: Antivirus Relevant File Paths Alerts
update: Dump Ntds.dit To Suspicious Location
update: MSI Installation From Suspicious Locations
update: PowerShell Profile Modification - Reduce rule level to medium
update: Obfuscated IP Download Activity
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../av_printernightmare_cve_2021_34527.yml | 8 +---
 ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 20 +++++-----
 .../category/antivirus/av_relevant_files.yml | 12 +++---
 ...win_esent_ntdsutil_abuse_susp_location.yml | 9 +++--
 .../win_msi_install_from_susp_locations.yml | 14 +++----
 ...file_event_win_susp_powershell_profile.yml | 4 +-
 ...eation_win_susp_obfuscated_ip_download.yml | 38 +++++++++++++------
 7 files changed, 58 insertions(+), 47 deletions(-)
 rename {rules/category/antivirus => rules-emerging-threats/2021/Exploits/CVE-2021-1675}/av_printernightmare_cve_2021_34527.yml (86%)
diff --git a/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
similarity index 86%
rename from rules/category/antivirus/av_printernightmare_cve_2021_34527.yml
rename to rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
index bca05181439..6fb8305303b 100644
--- a/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
@@ -8,7 +8,7 @@ references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 author: Sittikorn S, Nuttakorn T, Tim Shelton date: 2021/07/01 -modified: 2022/03/22 +modified: 2023/10/23 tags: - attack.privilege_escalation - attack.t1055
@@ -16,14 +16,10 @@ logsource: category: antivirus detection: selection: - Filename|contains: 'C:\Windows\System32\spool\drivers\x64\' + Filename|contains: ':\Windows\System32\spool\drivers\x64\' keywords: - 'File submitted to Symantec' # symantec fp, pending analysis, more generic condition: selection and not keywords -fields: - - Signature - - Filename - - ComputerName falsepositives: - Unlikely, or pending PSP analysis level: critical
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index 84fc5ff1958..0b02f74d85f 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -8,7 +8,7 @@ references: - https://twitter.com/filip_dragovic/status/1590104354727436290 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault) date: 2022/11/10 -modified: 2023/10/18 +modified: 2023/10/23 tags: - attack.privilege_escalation - attack.t1068
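Review bot: The rename puts this rule under `rules-emerging-threats/2021/Exploits/CVE-2021-1675/` while the file name, the `CVE-2021-34527` reference and the hunk itself still describe CVE-2021-34527, so the next reader has to guess whether the folder intentionally groups both PrintNightmare advisories or the file is misplaced. A one-line entry in `references` (or in the description, which is outside the hunk) stating that relation would settle it, e.g. `# Filed under CVE-2021-1675 together with the related CVE-2021-34527 advisory`. The detection change itself is sound: with a `contains` match the leading `:\` still pins `:\Windows\System32\spool\drivers\x64\` to a volume root, so dropping the drive letter only generalizes across drives.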
@@ -23,15 +23,15 @@ detection: - '\Sysmon.exe' - '\Sysmon64.exe' filter_main_generic: - - Image: - - 'C:\Windows\Sysmon.exe' - - 'C:\Windows\Sysmon64.exe' - - 'C:\Windows\System32\conhost.exe' - - 'wevtutil.exe' - - 'C:\WINDOWS\system32\wevtutil.exe' - - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes - - 'C:\Windows\System32\WerFaultSecure.ex' # When Sysmon crashes - - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version. + Image|contains: + - ':\Windows\Sysmon.exe' + - ':\Windows\Sysmon64.exe' + - ':\Windows\System32\conhost.exe' + - ':\Windows\System32\WerFault.exe' # When Sysmon crashes + - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes + - ':\Windows\System32\wevtutil.exe' + - ':\Windows\SysWOW64\wevtutil.exe' + - '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version. filter_main_null: Image: null condition: selection and not 1 of filter_main_*
diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
index 20a172f025d..3183350b0b3 100644
--- a/rules/category/antivirus/av_relevant_files.yml
+++ b/rules/category/antivirus/av_relevant_files.yml
@@ -6,7 +6,7 @@ references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2018/09/09 -modified: 2023/05/19 +modified: 2023/10/23 tags: - attack.resource_development - attack.t1588
@@ -16,11 +16,11 @@ detection: selection_path: Filename|contains: # could be startswith, if there is a better backend handling - - 'C:\Windows\' - - 'C:\Temp\' - - 'C:\PerfLogs\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' + - ':\Windows\' + - ':\Temp\' + - ':\PerfLogs\' + - ':\Users\Public\' + - ':\Users\Default\' # true 'contains' matches: - '\Client\' - '\tsclient\'
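Review bot: Replacing the exact `Image:` list with `Image|contains:` loosens the filter more than the drive-letter change requires: `contains` is not anchored at the end of the value, so `':\Windows\Sysmon.exe'` no longer demands that the image path end there, and `'\AppData\Local\Temp\Sysmon.exe'` loses the `endswith` anchoring it had on the removed line. Since every entry is a path tail, `Image|endswith:` with the same list keeps the generalization across drives while preserving the end anchor the old filter relied on — one-token change, `Image|endswith:` in place of `Image|contains:`. The `selection` this filter is paired with starts before the hunk (only its last two values are visible), so whether a tail-anchored filter fully mirrors it cannot be confirmed here.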
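Review bot: The comment `# could be startswith, if there is a better backend handling` directly above the changed list is now stale: with the drive letter gone, `':\Windows\'` can only ever be a `contains` pattern, so the `startswith` option it records is no longer available. Either drop it or replace it with the new intent, e.g. `# drive letter intentionally omitted so any volume matches; this must stay a contains match`. The `selection_path` list continues past the hunk (`# true 'contains' matches:` and following items), and that second comment's distinction is weaker now that the whole list is a contains match.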
diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
index 4f4411bd0d2..b1d5215ff84 100644
--- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
+++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
@@ -7,6 +7,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 +modified: 2023/10/23 tags: - attack.execution logsource:
@@ -21,13 +22,13 @@ detection: selection_paths: Data|contains: # Add more locations that you don't use in your env or that are just suspicious - - '\Users\Public\' - - '\Perflogs\' - - '\Temp\' + - ':\ntds.dit' - '\Appdata\' - '\Desktop\' - '\Downloads\' - - 'C:\ntds.dit' + - '\Perflogs\' + - '\Temp\' + - '\Users\Public\' condition: all of selection_* falsepositives: - Legitimate backup operation/creating shadow copies
diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
index f245187043e..85b1848faa6 100644
--- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -6,7 +6,7 @@ references: - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/31 -modified: 2022/10/18 +modified: 2023/10/23 tags: - attack.execution logsource:
@@ -21,18 +21,18 @@ detection: - 1042 Data|contains: # Add more suspicious paths - - '\Users\Public\' - - '\PerfLogs\' + - ':\Windows\TEMP\' + - '\\\\' - '\Desktop\' - # - '\Downloads\' # too many FPs, typical legitimate staging directory + - '\PerfLogs\' + - '\Users\Public\' # - '\AppData\Local\Temp\' # too many FPs - - 'C:\Windows\TEMP\' - - '\\\\' + # - '\Downloads\' # too many FPs, typical legitimate staging directory filter_winget: Data|contains: '\AppData\Local\Temp\WinGet\' filter_updhealthtools: Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi' condition: selection and not 1 of filter_* falsepositives: - - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares + - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use. level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index c05041827e8..a6960507e7d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -7,7 +7,7 @@ references: - https://persistence-info.github.io/Data/powershellprofile.html author: HieuTT35, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/24 -modified: 2023/10/18 +modified: 2023/10/23 tags: - attack.persistence - attack.privilege_escalation
@@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - System administrator creating Powershell profile manually -level: high +level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
index a8bf724a024..9006d9d1dd6 100644
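Review bot: `filter_updhealthtools` still matches on `'C:\Windows\TEMP\UpdHealthTools.msi'` while the selection it exists to suppress was just generalized to `':\Windows\TEMP\'`, so the same installer running from the Windows TEMP folder on a system whose drive letter is not `C:` now trips the selection but escapes the filter — exactly the false positive the filter was added for. Use the drive-agnostic form in the filter as well: `Data|contains: ':\Windows\TEMP\UpdHealthTools.msi'`. The `selection` mapping (event IDs such as `1042`) begins before the hunk.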
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -1,19 +1,21 @@
-title: Obfuscated IP Download +title: Obfuscated IP Download Activity id: cb5a2333-56cf-4562-8fcb-22ba1bca728d status: test description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command references: - https://h.43z.one/ipconverter/ - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608 -author: Florian Roth (Nextron Systems) + - https://twitter.com/fr0s7_/status/1712780207105404948 +author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) date: 2022/08/03 +modified: 2023/10/24 tags: - attack.discovery logsource: category: process_creation product: windows detection: - selection_img: + selection_command: CommandLine|contains: - 'Invoke-WebRequest' - 'iwr '
@@ -21,15 +23,27 @@ detection: - 'curl ' - 'DownloadFile' - 'DownloadString' - selection_ip: - - CommandLine|contains: - - '//0x' - - '.0x' - - '.00x' - - CommandLine|contains|all: - - 'http://%' - - '%2e' - condition: all of selection* + selection_ip_1: + CommandLine|contains: + - '//0x' + - '.0x' + - '.00x' + selection_ip_2: + CommandLine|contains|all: + - 'http://%' + - '%2e' + selection_ip_3: + # http://81.4.31754 + - CommandLine|re: 'https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}(?!.)' + # http://81.293898 + - CommandLine|re: 'https?:\/\/[0-9]{1,3}\.[0-9]{1,8}(?!.)' + # http://1359248394 + - CommandLine|re: 'https?:\/\/[0-9]{1,10}(?!.)' + # http://0121.04.0174.012 + - CommandLine|re: 'https?:\/\/(0[0-9]{1,11}\.){3}0[0-9]{1,11}' + # http://012101076012 + - CommandLine|re: 'https?:\/\/0[0-9]{1,11}(?!.)' + condition: selection_command and 1 of selection_ip_* falsepositives: - Unknown level: medium
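Review bot: The `description` line in this hunk still says the rule covers `(hex, octal...)` forms, but the `selection_ip_3` regexes added in the next hunk also match decimal (dword) and short-form dotted notations, so the text no longer describes what the rule detects. Bring it in line, e.g. `description: Detects use of an encoded/obfuscated version of an IP address (hex, octal, decimal/dword, short-form dotted...) in an URL combined with a download command`. The `detection` mapping that begins here continues past the hunk.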
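Review bot: The `(?!.)` lookahead on four of the five `selection_ip_3` regexes requires the obfuscated address to be the very last character of the command line, because `.` matches any character but a newline, so a closing quote, a trailing space, a `/path`, a port or any further argument after the URL defeats the match and only bare invocations shaped like the examples in the comments would ever fire. Whether `(?!.)` was meant as an unescaped `(?!\.)` or not, the guard the patterns actually need — stop before the match can extend into an ordinary dotted quad — is a lookahead that excludes only digits and dots: `- CommandLine|re: 'https?:\/\/[0-9]{1,10}(?![0-9.])'`, and the same `(?![0-9.])` on the `[0-9]{1,5}`, `[0-9]{1,8}` and trailing `0[0-9]{1,11}` variants. Normal IPv4 URLs still fail with that lookahead, since every backtracking position is followed by a digit or a dot. The `(0[0-9]{1,11}\.){3}0[0-9]{1,11}` pattern carries no lookahead and is unaffected.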