Merge PR #4888 from @nasbench - Add multiple new rules, updates and f…

…ixes

fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add french keyword for "stopped" to increase coverage for windows os that uses the french language

---------

Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r

rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml → deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml

@@ -1,12 +1,12 @@
 title: Potential Persistence Via COM Hijacking From Suspicious Locations
 id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
-status: experimental
-description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location
+status: deprecated
+description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
 references:
     - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
-modified: 2023/09/28
+modified: 2024/07/16
 tags:
     - attack.persistence
     - attack.t1546.015

rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml

@@ -0,0 +1,33 @@
+title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
+id: 6c7defa9-69f8-4c34-b815-41fce3931754
+status: experimental
+description: |
+    Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
+references:
+    - https://www.tenable.com/security/research/tra-2023-11
+    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
+    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
+date: 2024/06/25
+tags:
+    - detection.emerging_threats
+    - attack.initial_access
+    - attack.t1190
+    - cve.2023.1389
+logsource:
+    category: proxy
+detection:
+    selection_uri:
+        cs-method:
+            - 'GET'
+            - 'POST'
+        cs-uri|contains|all:
+            - '/cgi-bin/luci/;stok=/locale'
+            - 'form=country'
+    selection_keyword:
+        - 'operation=write'
+        - 'country=$('
+    condition: all of selection_*
+falsepositives:
+    - Vulnerability Scanners
+level: medium

rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml

@@ -8,6 +8,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024/04/23
+modified: 2024/07/11
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -28,8 +29,8 @@ detection:
             - 'C:\ProgramData\UbiSoft\v'
             - 'C:\ProgramData\Steam\v'
         TargetFilename|contains:
-            - '\pnms003.inf_'
-            - '\pnms009.inf_'
+            - '\prnms003.inf_'
+            - '\prnms009.inf_'
     selection_programdata_main:
         TargetFilename|startswith: 'C:\ProgramData\'
     selection_programdata_files_1:

rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml

@@ -1,9 +1,9 @@
 title: Creation of an Executable by an Executable
 id: 297afac9-5d02-4138-8c58-b977bac60556
 status: experimental
-description: Detects the creation of an executable by another executable
+description: Detects the creation of an executable by another executable.
 references:
-    - Malware Sandbox
+    - Internal Research
 author: frack113
 date: 2022/03/09
 modified: 2023/11/06

rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml → rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml

@@ -2,20 +2,21 @@ title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
 id: cfed2f44-16df-4bf3-833a-79405198b277
 status: test
 description: |
-    Detects dllhost initiating a network connection to a non-local IP address.
+    Detects Dllhost.EXE initiating a network connection to a non-local IP address.
     Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
     An initial baseline is recommended before deployment.
 references:
     - https://redcanary.com/blog/child-processes/
     - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: bartblaze
 date: 2020/07/13
-modified: 2024/03/12
+modified: 2024/07/16
 tags:
     - attack.defense_evasion
     - attack.t1218
     - attack.execution
     - attack.t1559.001
+    - detection.threat_hunting
 logsource:
     category: network_connection
     product: windows
@@ -42,6 +43,7 @@ detection:
             - '51.103.0.0/16' # Microsoft Corporation
             - '51.104.0.0/15' # Microsoft Corporation
             - '52.224.0.0/11'  # Microsoft Corporation
+            - '150.171.0.0/19'  # Microsoft Corporation
             - '204.79.197.0/24' # Microsoft Corporation'
     condition: selection and not 1 of filter_main_*
 falsepositives:

rules/windows/network_connection/net_connection_win_msiexec_http.yml → rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml

@@ -2,17 +2,19 @@ title: Msiexec.EXE Initiated Network Connection Over HTTP
 id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
 status: test
 description: |
-    Detects an initiated network connection by "Msiexec.exe" over port 80 or 443.
+    Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
     Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
+    Use this rule to hunt for potentially anomalous or suspicious communications.
 references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
 date: 2022/01/16
-modified: 2024/02/01
+modified: 2024/07/16
 tags:
     - attack.defense_evasion
     - attack.t1218.007
+    - detection.threat_hunting
 logsource:
     category: network_connection
     product: windows
@@ -25,5 +27,5 @@ detection:
             - 443
     condition: selection
 falsepositives:
-    - Some rare installers were seen communicating with external servers for additional information. While its a very rare occurrence in some environments an initial baseline might be required.
-level: high
+    - Likely
+level: low

rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml

@@ -0,0 +1,56 @@
+title: Potential Shellcode Injection
+id: 250ae82f-736e-4844-a68b-0b5e8cc887da
+status: test
+description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
+references:
+    - https://github.com/EmpireProject/PSInject
+author: Bhabesh Raj
+date: 2022/03/11
+modified: 2024/07/02
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
+    - detection.threat_hunting
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        GrantedAccess:
+            - '0x147a'
+            - '0x1f3fff'
+        CallTrace|contains: 'UNKNOWN'
+    filter_main_wmiprvse:
+        SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
+        TargetImage: 'C:\Windows\system32\lsass.exe'
+    filter_optional_dell_folders:
+        # If dell software is installed we get matches like these
+        # Example 1:
+        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
+        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   GrantedAccess: 0x1F3FFF
+        # Example 2:
+        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   GrantedAccess: 0x1F3FFF
+        # Example 3:
+        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+        #   GrantedAccess: 0x1F3FFF
+        SourceImage|startswith:
+            - 'C:\Program Files\Dell\'
+            - 'C:\Program Files (x86)\Dell\'
+        TargetImage|startswith:
+            - 'C:\Program Files\Dell\'
+            - 'C:\Program Files (x86)\Dell\'
+    filter_optional_dell_specifc:
+        SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+        TargetImage: 'C:\Windows\Explorer.EXE'
+    filter_optional_visual_studio:
+        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+        TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml

@@ -6,9 +6,11 @@ references:
     - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/03/10
+modified: 2024/07/16
 tags:
     - attack.collection
     - attack.t1560.001
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -30,4 +32,4 @@ detection:
     condition: all of selection_*
 falsepositives:
     - Legitimate activity is expected since extracting files with a password can be common in some environment.
-level: medium
+level: low

rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml

@@ -1,15 +1,18 @@
 title: Potentially Suspicious PowerShell Child Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
 status: test
-description: Detects potentially suspicious child processes spawned by PowerShell
+description: |
+    Detects potentially suspicious child processes spawned by PowerShell.
+    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
 references:
     - https://twitter.com/ankit_anubhav/status/1518835408502620162
 author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2022/04/26
-modified: 2023/05/30
+modified: 2024/07/16
 tags:
     - attack.execution
     - attack.t1059.001
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -38,7 +41,19 @@ detection:
     filter_optional_amazon:
         ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
         CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
-    condition: selection and not 1 of filter_optional_*
+    filter_main_certutil_verify_store:
+        Image|endswith: '\certutil.exe'
+        CommandLine|contains: '-verifystore '
+    filter_main_wmic:
+        Image|endswith: '\wmic.exe'
+        CommandLine|contains:
+            - 'qfe list'
+            - 'diskdrive '
+            - 'csproduct '
+            - 'computersystem '
+            - ' os '
+            - ''
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Some false positive is to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.
-level: high
+    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
+level: medium

rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml

@@ -1,18 +1,19 @@
-title: Suspicious Call by Ordinal
+title: DLL Call by Ordinal Via Rundll32.EXE
 id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 status: stable
-description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
+description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
 references:
     - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
     - https://github.com/Neo23x0/DLLRunner
     - https://twitter.com/cyb3rops/status/1186631731543236608
     - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
 author: Florian Roth (Nextron Systems)
 date: 2019/10/22
-modified: 2023/02/09
+modified: 2024/07/16
 tags:
     - attack.defense_evasion
     - attack.t1218.011
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -26,11 +27,11 @@ detection:
             - ', #'
             - '.dll #'  # Sysmon removes , in its log
             - '.ocx #'  # HermeticWizard
-    filter_edge:
+    filter_optional_edge:
         CommandLine|contains|all:
             - 'EDGEHTML.dll'
             - '#141'
-    filter_vsbuild_dll:
+    filter_optional_vsbuild_dll:
         ParentImage|contains:
             - '\Msbuild\Current\Bin\'
             - '\VC\Tools\MSVC\'
@@ -40,8 +41,8 @@ detection:
             - '\FileTracker32.dll",#1'
             - '\FileTracker64.dll,#1'
             - '\FileTracker64.dll",#1'
-    condition: all of selection_* and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-    - Windows control panel elements have been identified as source (mmc)
-level: high
+    - False positives depend on scripts and administrative tools used in the monitored environment.
+    - Windows control panel elements have been identified as source (mmc).
+level: medium

rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml

@@ -1,7 +1,9 @@
-title: Suspicious Execution From GUID Like Folder Names
+title: Potential Suspicious Execution From GUID Like Folder Names
 id: 90b63c33-2b97-4631-a011-ceb0f47b77c3
 status: test
-description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks
+description: |
+    Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
+    Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
 references:
     - https://twitter.com/Kostastsale/status/1565257924204986369
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -10,6 +12,7 @@ modified: 2023/03/02
 tags:
     - attack.defense_evasion
     - attack.t1027
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -27,15 +30,19 @@ detection:
         CommandLine|contains|all:
             - '\{'
             - '}\'
-    filter:
+    filter_main_image_guid:
         Image|contains|all:
             - '\{'
             - '}\'
-    filter_null:
+    filter_main_null:
         Image: null
-    filter_driver_inst:  # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
+    filter_main_driver_inst:  # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
         Image: 'C:\Windows\System32\drvinst.exe'
+    filter_main_msiexec:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
     condition: all of selection_* and not 1 of filter*
 falsepositives:
     - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
-level: medium
+level: low

rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml

@@ -0,0 +1,24 @@
+title: Windows LAPS Credential Dump From Entra ID
+id: a4b25073-8947-489c-a8dd-93b41c23f26d
+status: experimental
+description: Detects when an account dumps the LAPS password from Entra ID.
+references:
+    - https://twitter.com/NathanMcNulty/status/1785051227568632263
+    - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
+    - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
+author: andrewdanis
+date: 2024/06/26
+tags:
+    - attack.t1098.005
+logsource:
+    product: azure
+    service: auditlogs
+detection:
+    selection:
+        category: 'Device'
+        activityType|contains: 'Recover device local administrator password'
+        additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
+    condition: selection
+falsepositives:
+    - Approved activity performed by an Administrator.
+level: high