Merge PR #4522 from @X-Junior - updating multiple rules

update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
update: Malware User Agent - add new user agents

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Author: 3 people

rules/web/proxy_generic/proxy_ua_malware.yml

@@ -22,7 +22,7 @@ logsource:
 detection:
     selection:
         c-useragent:
-        # RATs
+            # RATs
             - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
             - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
             - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
@@ -31,9 +31,9 @@ detection:
             - '*<|>*' # Houdini / Iniduoh / njRAT
             - 'nsis_inetc (mozilla)' # ZeroAccess
             - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
-        # Ghost419 https://goo.gl/rW1yvZ
+            # Ghost419 https://goo.gl/rW1yvZ
             - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
-        # Malware
+            # Malware
             - '*zeroup*' # W32/Renos.Downloader
             - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
             - '* adlib/*' # https://goo.gl/gcAHoh
@@ -59,20 +59,20 @@ detection:
             - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs
             - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
             - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
-        # Ursnif
+            # Ursnif
             - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
             - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
-        # Emotet
+            # Emotet
             - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
-        # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
+            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
             - 'Mozilla/5.0 (Windows NT 6.1)'
             - 'AppleWebkit/587.38 (KHTML, like Gecko)'
             - 'Chrome/91.0.4472.77'
             - 'Safari/537.36'
             - 'Edge/91.0.864.37'
             - 'Firefox/89.0'
             - 'Gecko/20100101'
-        # Others
+            # Others
             - '* pxyscand*'
             - '* asd'
             - '* mdms'
@@ -120,13 +120,21 @@ detection:
             - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
             - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
             - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
+            - 'DuckTales' # Racoon Stealer
+            - 'Zadanie' # Racoon Stealer
+            - 'GunnaWunnaBlueTips' # Racoon Stealer
+            - 'Xlmst' # Racoon Stealer
+            - 'GeekingToTheMoon' # Racoon Stealer
+            - 'SunShineMoonLight' # Racoon Stealer
+            - 'BunnyRequester' # BunnyStealer
+            - 'BunnyTasks' # BunnyStealer
+            - 'BunnyStealer' # BunnyStealer
+            - 'BunnyLoader_Dropper' # BunnyStealer
+            - 'BunnyLoader' # BunnyStealer
+            - 'BunnyShell' # BunnyStealer
             - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
             - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml

@@ -8,21 +8,40 @@ references:
     - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
     - https://twitter.com/gN3mes1s/status/1206874118282448897
     - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2019/08/24
-modified: 2023/08/02
+modified: 2023/10/27
 tags:
     - attack.defense_evasion
     - attack.t1027.004
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_img:
         Image|endswith: '\csc.exe'
+    selection_susp_location_1:
         CommandLine|contains:
+            - ':\Perflogs\'
+            - ':\Users\Public\'
             - '\AppData\Local\Temp\' # User execution
+            - '\Temporary Internet'
             - '\Windows\Temp\' # Admin execution
+    selection_susp_location_2:
+        - CommandLine|contains|all:
+              - ':\Users\'
+              - '\Favorites\'
+        - CommandLine|contains|all:
+              - ':\Users\'
+              - '\Favourites\'
+        - CommandLine|contains|all:
+              - ':\Users\'
+              - '\Contacts\'
+        - CommandLine|contains|all:
+              - ':\Users\'
+              - '\Pictures\'
+    selection_susp_location_3:
+        CommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
     filter_main_programfiles:
         # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
         ParentImage|startswith:
@@ -44,7 +63,7 @@ detection:
             - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
             - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
             - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
-    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+    condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
     - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962

rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml

@@ -5,9 +5,10 @@ description: Detects a potentially suspicious parent of "csc.exe", which could b
 references:
     - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
     - https://reaqta.com/2017/11/short-journey-darkvnc/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2019/02/11
-modified: 2023/08/02
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.005
@@ -25,7 +26,11 @@ detection:
     selection_parent_generic:
         ParentImage|endswith:
             - '\cscript.exe'
+            - '\excel.exe'
             - '\mshta.exe'
+            - '\onenote.exe'
+            - '\outlook.exe'
+            - '\powerpnt.exe'
             - '\winword.exe'
             - '\wscript.exe'
     selection_parent_powershell:
@@ -38,8 +43,9 @@ detection:
     selection_parent_susp_location:
         - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
         - ParentCommandLine|contains:
-              - ':\Users\Public\'
               - ':\PerfLogs\'
+              - ':\Users\Public\'
+              - ':\Windows\Temp\'
               - '\Temporary Internet'
         - ParentCommandLine|contains|all:
               - ':\Users\'
@@ -53,6 +59,19 @@ detection:
         - ParentCommandLine|contains|all:
               - ':\Users\'
               - '\Pictures\'
+    filter_main_programfiles:
+        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
+        ParentImage|startswith:
+            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
+            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
+    filter_main_sdiagnhost:
+        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
+    filter_main_w3p:
+        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
+    filter_optional_chocolatey:
+        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
+    filter_optional_defender:
+        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
     filter_optional_ansible:
         # Note: As ansible is widely used we exclude it with this generic filter.
         # A better option would be to filter based on script content basis or other marker while hunting
@@ -61,7 +80,7 @@ detection:
             - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
             - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
             - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
-    condition: selection_img and 1 of selection_parent_* and not 1 of filter_optional_*
+    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml

@@ -8,7 +8,7 @@ references:
     - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/08/03
-modified: 2023/10/29
+modified: 2023/11/06
 tags:
     - attack.discovery
 logsource:
@@ -25,6 +25,7 @@ detection:
             - 'DownloadString'
     selection_ip_1:
         CommandLine|contains:
+            - ' 0x'
             - '//0x'
             - '.0x'
             - '.00x'
@@ -34,17 +35,19 @@ detection:
             - '%2e'
     selection_ip_3:
         # http://81.4.31754
-        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}'
+        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
         # http://81.293898
-        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,8}'
+        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
         # http://1359248394
-        - CommandLine|re: 'https?://[0-9]{1,10}'
+        - CommandLine|re: 'https?://0[0-9]{3,11}'
         # http://0121.04.0174.012
         - CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
         # http://012101076012
         - CommandLine|re: 'https?://0[0-9]{1,11}'
+        # For octal format
+        - CommandLine|re: ' [0-7]{7,13}'
     filter_main_valid_ip:
-        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}'
+        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
     condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml

@@ -1,12 +1,13 @@
 title: Obfuscated IP Via CLI
 id: 56d19cb4-6414-4769-9644-1ed35ffbb148
-status: test
-description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline
+status: experimental
+description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
 references:
     - https://h.43z.one/ipconverter/
     - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/08/03
+modified: 2023/11/06
 tags:
     - attack.discovery
 logsource:
@@ -17,10 +18,32 @@ detection:
         Image|endswith:
             - '\ping.exe'
             - '\arp.exe'
-    selection_ip:
-        - CommandLine|contains: ' 0x' # For hex format
-        - CommandLine|re: ' [0-9]{7,13}' # For octal format
-    condition: all of selection*
+    selection_ip_1:
+        CommandLine|contains:
+            - ' 0x'
+            - '//0x'
+            - '.0x'
+            - '.00x'
+    selection_ip_2:
+        CommandLine|contains|all:
+            - 'http://%'
+            - '%2e'
+    selection_ip_3:
+        # http://81.4.31754
+        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
+        # http://81.293898
+        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
+        # http://1359248394
+        - CommandLine|re: 'https?://0[0-9]{3,11}'
+        # http://0121.04.0174.012
+        - CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
+        # http://012101076012
+        - CommandLine|re: 'https?://0[0-9]{1,11}'
+        # For octal format
+        - CommandLine|re: ' [0-7]{7,13}'
+    filter_main_valid_ip:
+        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
+    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium