diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md
index e0c9da89f4c..2da3d26e54f 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md
@@ -13,3 +13,14 @@ You can find more information on the threat in the following articles:
 - [Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise - By Nextron Systems](https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/)
 - [Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack - By Kaspersky](https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/)
 - [Elastic users protected from SUDDENICON’s supply chain attack - By Elastic](https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack)
+
+## Rules
+
+- [Potential Compromised 3CXDesktopApp Beaconing Activity - DNS](./dns_query_win_malware_3cx_compromise.yml)
+- [Malicious DLL Load By Compromised 3CXDesktopApp](./image_load_malware_3cx_compromise_susp_dll.yml)
+- [Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon](./net_connection_win_malware_3cx_compromise_beaconing_activity.yml)
+- [Potential Compromised 3CXDesktopApp Execution](./proc_creation_win_malware_3cx_compromise_execution.yml)
+- [Potential Suspicious Child Process Of 3CXDesktopApp](./proc_creation_win_malware_3cx_compromise_susp_children.yml)
+- [Potential Compromised 3CXDesktopApp Update Activity](./proc_creation_win_malware_3cx_compromise_susp_update.yml)
+- [Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy](./proxy_malware_3cx_compromise_c2_beacon_activity.yml)
+- [Potential Compromised 3CXDesktopApp ICO C2 File Download](./proxy_malware_3cx_compromise_susp_ico_requests.yml)
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/README.md b/rules-emerging-threats/2023/TA/Diamond-Sleet/README.md
new file mode 100644
index 00000000000..e94eb7938b2
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/README.md
@@ -0,0 +1,18 @@
+# Diamond Sleet APT
+
+## Summary
+
+Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world.
+
+You can find more information on the threat in the following articles:
+
+- [Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability](https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)
+
+## Rules
+
+- [Diamond Sleet APT DNS Communication Indicators](./dns_query_win_apt_diamond_steel_indicators.yml)
+- [Diamond Sleet APT File Creation Indicators](./file_event_win_apt_diamond_sleet_indicators.yml)
+- [Diamond Sleet APT DLL Sideloading Indicators](./image_load_apt_diamond_sleet_side_load.yml)
+- [Diamond Sleet APT Process Activity Indicators](./proc_creation_win_apt_diamond_sleet_indicators.yml)
+- [Diamond Sleet APT Scheduled Task Creation - Registry](./registry_event_apt_diamond_sleet_scheduled_task.yml)
+- [Diamond Sleet APT Scheduled Task Creation](./win_security_apt_diamond_sleet_scheduled_task.yml)
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
new file mode 100644
index 00000000000..dd8eea66367
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
@@ -0,0 +1,25 @@
+title: Diamond Sleet APT DNS Communication Indicators
+id: fba38e0f-4607-4344-bb8f-a4b50cdeef7f
+status: experimental
+description: Detects DNS queries related to Diamond Sleet APT activity
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.command_and_control
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|contains:
+ - '3dkit.org'
+ - 'dersmarketim.com'
+ - 'galerielamy.com'
+ - 'olidhealth.com'
+ condition: selection
+falsepositives:
+ - Might generate some false positive if triggered by a user during investigation for example.
+level: high
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
new file mode 100644
index 00000000000..6c3bc997cc8
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
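Review bot: The new file is named `dns_query_win_apt_diamond_steel_indicators.yml` while every sibling rule in this directory and the rule title use "sleet"; the README link reproduces the typo, so renaming the file to `dns_query_win_apt_diamond_sleet_indicators.yml` must be done together with the README entry. The rule also carries only the tactic tag `attack.command_and_control`, whereas the sideloading and scheduled-task rules in the same set carry a technique-level tag; if the repository convention expects one here, it is worth adding. Note that `QueryName|contains` on a bare domain such as `'3dkit.org'` matches any query containing that substring, including unrelated longer domains; that appears intentional for catching subdomains, but a short comment stating so would help reviewers.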
@@ -0,0 +1,28 @@
+title: Diamond Sleet APT File Creation Indicators
+id: e1212b32-55ff-4dfb-a595-62b572248056
+status: experimental
+description: Detects file creation activity that is related to Diamond Sleet APT activity
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith:
+ - ':\ProgramData\4800-84DC-063A6A41C5C'
+ - ':\ProgramData\clip.exe'
+ - ':\ProgramData\DSROLE.dll'
+ - ':\ProgramData\Forest64.exe'
+ - ':\ProgramData\readme.md'
+ - ':\ProgramData\Version.dll'
+ - ':\ProgramData\wsmprovhost.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
new file mode 100644
index 00000000000..feed15f302b
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
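Review bot: `':\ProgramData\readme.md'` in the `TargetFilename|endswith` list is a generic file name that third-party installers or scripts could plausibly drop in the root of ProgramData, so the `falsepositives: Unlikely` statement is not justified for that entry at `level: high`. Either document that entry as a known weak indicator, e.g. `- Some legitimate software may create a readme.md or Version.dll directly in ProgramData` under `falsepositives`, or keep the stronger indicators (the executables, `DSROLE.dll`, the `4800-84DC-063A6A41C5C` path) in this rule and move the weak names to a lower-level companion. The description could also state that the names come from the referenced Microsoft report so an analyst knows which files to look for together.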
@@ -0,0 +1,26 @@
+title: Diamond Sleet APT DLL Sideloading Indicators
+id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
+status: experimental
+description: Detects DLL sideloading activity seen used by Diamond Sleet APT
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection_1:
+ Image|endswith: ':\ProgramData\clip.exe'
+ ImageLoaded|endswith: ':\ProgramData\Version.dll'
+ selection_2:
+ Image|endswith: ':\ProgramData\wsmprovhost.exe'
+ ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
new file mode 100644
index 00000000000..c1bbf8fb41f
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
@@ -0,0 +1,21 @@
+title: Diamond Sleet APT Process Activity Indicators
+id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
+status: experimental
+description: Detects process creation activity indicators related to Diamond Sleet APT
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: ' uTYNkfKxHiZrx3KJ'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
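Review bot: `CommandLine|contains: ' uTYNkfKxHiZrx3KJ'` in the process-creation rule carries a leading space, while the companion Security-log rule matches `TaskContent|contains: 'uTYNkfKxHiZrx3KJ'` without one; the space will miss a command line where the token is quoted or separated by a tab, and the token is distinctive enough that the space buys little precision. Consider aligning both rules on `CommandLine|contains: 'uTYNkfKxHiZrx3KJ'`. The indicator is opaque to an analyst; a short note in the description, such as "the string is the hard-coded scheduled-task argument described in the referenced Microsoft report" (presumably what it is, given the sibling task rule — confirm against the reference), would make triage easier.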
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
new file mode 100644
index 00000000000..583e61a8a76
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -0,0 +1,25 @@
+title: Diamond Sleet APT Scheduled Task Creation - Registry
+id: 9f9f92ba-5300-43a4-b435-87d1ee571688
+status: experimental
+description: |
+ Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1562
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
+ - 'Windows TeamCity Settings User Interface'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
new file mode 100644
index 00000000000..7f9df765bd0
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
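Review bot: The tags `attack.defense_evasion` and `attack.t1562` do not fit a rule that matches a scheduled-task entry under `TaskCache\Tree\`; the companion Security-log rule for the same task tags it `attack.persistence` / `attack.t1053.005`, and this rule should agree with it: `- attack.persistence` and `- attack.t1053.005` in place of the two current lines. The `TargetObject|contains|all` match on the task name alone means a task renamed by the actor is not caught; the description could say so explicitly, e.g. "matches the task name reported by Microsoft; a renamed task will not trigger this rule", so users pair it with the 4698 rule that also keys on the argument string.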
@@ -0,0 +1,28 @@
+title: Diamond Sleet APT Scheduled Task Creation
+id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
+status: experimental
+description: |
+ Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection:
+ EventID: 4698
+ TaskName: '\Windows TeamCity Settings User Interface'
+ TaskContent|contains: 'uTYNkfKxHiZrx3KJ'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/README.md b/rules-emerging-threats/2023/TA/Onyx-Sleet/README.md
new file mode 100644
index 00000000000..ac4167f75b9
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/README.md
@@ -0,0 +1,11 @@
+# Onyx Sleet APT
+
+## Summary
+
+Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India.
+
+- [Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability](https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)
+
+## Rules
+
+- [Onyx Sleet APT File Creation Indicators](./file_event_win_apt_onyx_sleet_indicators.yml)
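Review bot: The description was copied from the registry rule and says "Detects registry event", but this rule matches Security `EventID: 4698` (scheduled task created), not a registry write; an analyst reading the alert text would look in the wrong place. Suggested wording: `Detects the creation of a scheduled task (Security Event ID 4698) with the name and argument used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability`. The `TaskName` match on an exact string and the `TaskContent|contains` argument token are both taken from the referenced report; since the `definition` already says the Command field should be extracted from the embedded XML, it is worth stating in the description that `TaskContent` is the raw XML so users of a different log pipeline know which field to map.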
diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
new file mode 100644
index 00000000000..078b4e92ba2
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
@@ -0,0 +1,21 @@
+title: Onyx Sleet APT File Creation Indicators
+id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
+status: experimental
+description: Detects file creation activity that is related to Onyx Sleet APT activity
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 22c45a0a9ff..77c56db45ec 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/05/16
+modified: 2023/10/24
 tags:
 - attack.defense_evasion
 - attack.persistence
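Review bot: The description "Detects file creation activity that is related to Onyx Sleet APT activity" tells the analyst nothing about what is actually matched, which is a single path `':\Windows\ADFS\bg\inetmgr.exe'`; the interesting part is the location, since an `inetmgr.exe` written under `\Windows\ADFS\bg\` is outside where that binary normally lives (presumably the IIS manager's own directory — confirm against the reference). Suggested wording: `Detects the creation of "inetmgr.exe" under the "\Windows\ADFS\bg\" directory, a path reported by Microsoft as used by Onyx Sleet APT after exploiting TeamCity CVE-2023-42793`. The `attack.execution` tactic tag on a file-creation rule is debatable; the sibling Diamond Sleet file rule uses the same tag, so if it is changed it should be changed in both.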
@@ -449,6 +449,9 @@ detection:
 - 'C:\Windows\SoftwareDistribution\'
 - 'C:\Windows\SystemTemp\'
 - 'C:\$WINDOWS.~BT\'
+ filter_main_defender:
+ Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
+ Image|endswith: '\version.dll'
 filter_optional_office_appvpolicy:
 Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
 ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
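Review bot: `filter_main_defender` puts both conditions on `Image`: `Image|endswith: '\version.dll'` requires the loading process itself to be named version.dll, which (if the fields follow the usual image_load convention where `Image` is the process and `ImageLoaded` is the module, as the neighbouring `filter_optional_office_appvpolicy` uses them) never holds, so the filter is dead and the Defender false positive it was added for is not suppressed. The second line should almost certainly be `ImageLoaded|endswith: '\version.dll'`, and the path condition should be on whichever field the benign load actually carries — `ImageLoaded|contains` if the DLL sits in the Defender Platform directory, `Image|contains` if only the process does. A one-line comment above the filter naming the benign case, e.g. `# Defender platform updates load their own version.dll from the Platform\<version> directory`, would document why the exclusion is safe (the exact benign pattern is inferred from the filter's name and should be confirmed). The `condition` line that wires the new filter in is outside this hunk, so whether it is picked up by a `filter_main_*` wildcard cannot be checked here.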