new sigma rules related to lummac and RATs behaviors observed ITW

new sigma rules related to lummac and RATs behaviors observed ITW through VirusTotal
SigmaHQ · Dec 11, 2024 · 3e91b08 · 3e91b08
1 parent ee821b8
commit 3e91b08
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 0 deletions.
diff --git a/rules/windows/file/file_event/file_event_win_creation_configuration_rats.yml b/rules/windows/file/file_event/file_event_win_creation_configuration_rats.yml
@@ -0,0 +1,33 @@
+title: File Creation Related To RAT Clients
+id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
+status: test
+description: File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+references:
+    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
+    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-11-15
+tags:
+    - attack.execution
+logsource:
+    category: file_event
+    product: windows
+detection:
+    # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
+    # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
+    selection_required:
+        TargetFilename|contains: '\AppData\Roaming\'
+    selection_variants:
+        TargetFilename|endswith:
+            - '\datalogs.conf'
+            - '\hvnc.conf'
+            - '\dcrat.conf'
+        TargetFilename|contains:
+            - '\mydata\'
+            - '\datalogs\'
+            - '\hvnc\'
+            - '\dcrat\'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate software creating a file with the same name
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_more_vbc_lummac.yml b/rules/windows/process_creation/proc_creation_win_more_vbc_lummac.yml
@@ -0,0 +1,28 @@
+title: Detect The Execution Of More.com And Vbc.exe Related to Lummac Stealer
+id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
+status: test
+description: Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.
+references:
+    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
+    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
+    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-11-14
+tags:
+    - attack.defense-evasion
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
+    selection_parent:
+        - ParentImage|endswith: '\more.com'
+        - OriginalFileName: 'MORE.COM'
+    selection_child:
+        - Image|endswith: '\vbc.exe'
+        - OriginalFileName: 'vbc.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high