From cf63e087aaea6835a5b53f296eafefb5dbb83072 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marta=20G=C3=B3mez?=
Date: Thu, 21 Jan 2021 13:12:50 +0100
Subject: [PATCH 1/2] Fix syntax errors in yaml parsing
---
rules/filedroppedbyeqnedt32exe.yml | 12 ++++++------
rules/get2downloader.yml | 2 +-
rules/koadicpostexploitationrootkit.yml | 6 +++---
...powershelldownloadingfilefromurlshortenersite.yml | 12 ++++++------
rules/powershelllaunchregsvr32.yml | 6 +++---
rules/powershellsleepandlaunchexecutable.yml | 6 +++---
rules/remcos.yml | 4 ++--
rules/shedulehiddenpowershellscript.yml | 6 +++---
...downloadfileintotemplocationfromwordpresssite.yml | 6 +++---
9 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/rules/filedroppedbyeqnedt32exe.yml b/rules/filedroppedbyeqnedt32exe.yml
index 212eb92..e848039 100644
--- a/rules/filedroppedbyeqnedt32exe.yml
+++ b/rules/filedroppedbyeqnedt32exe.yml
@@ -15,11 +15,11 @@ detection: EventID: 11 Image: '*\EQUATION\EQNEDT32.EXE*' TargetFilename: - - '*\\*.exe*' - - '*\\*.dll*' - - '*\\*.vbs*' - - '*\\*.js*' - - '*\\*.hta*' - - '*\\*.bat*' + - '*\\*.exe*' + - '*\\*.dll*' + - '*\\*.vbs*' + - '*\\*.js*' + - '*\\*.hta*' + - '*\\*.bat*' condition: selection level: critical
diff --git a/rules/get2downloader.yml b/rules/get2downloader.yml
index 22039b2..7252203 100644
--- a/rules/get2downloader.yml
+++ b/rules/get2downloader.yml
@@ -3,7 +3,7 @@ status: experimental description: Get2 downloader associated with TA505 author: Joe Security references: - -https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader + - https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader id: 200003 threatname: Get2Downloader behaviorgroup: 2
diff --git a/rules/koadicpostexploitationrootkit.yml b/rules/koadicpostexploitationrootkit.yml
index af45a17..d4eeb2a 100644
--- a/rules/koadicpostexploitationrootkit.yml 
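Review bot: The trailing `*` on every re-indented TargetFilename entry turns the extension check into a substring match, so `'*\\*.js*'` also fires on `.json` files and `'*\\*.bat*'` on any name that merely contains `.bat`; the quoting fix keeps that breadth intact. If the intent is "a file with one of these extensions was dropped", Sigma's `endswith` modifier says so without the wildcard: `TargetFilename|endswith:` followed by the list `- '.exe'` … `- '.bat'`, which also drops the leading `*\\*` that any Windows path satisfies anyway. The `selection:` mapping and the rule's `logsource:` start above this hunk.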
+++ b/rules/koadicpostexploitationrootkit.yml
@@ -13,9 +13,9 @@ logsource: category: process_creation product: windows detection: - selection: + selection: CommandLine: - - *chcp 437 & schtasks /query /tn K0adic* - - *chcp 437 & schtasks /create /tn K0adic* + - '*chcp 437 & schtasks /query /tn K0adic*' + - '*chcp 437 & schtasks /create /tn K0adic*' condition: selection level: critical
diff --git a/rules/powershelldownloadingfilefromurlshortenersite.yml b/rules/powershelldownloadingfilefromurlshortenersite.yml
index 3854878..557fefa 100644
--- a/rules/powershelldownloadingfilefromurlshortenersite.yml
+++ b/rules/powershelldownloadingfilefromurlshortenersite.yml
@@ -13,7 +13,7 @@ logsource: category: process_creation product: windows detection: - selection: + selection: CommandLine: - '*powershell*downloadfile*/tinyurl.*' - '*powershell*downloadfile*/bitly.*'
@@ -25,11 +25,11 @@ detection: - '*powershell*new-object net.*https://shorturl.*' - '*powershell*new-object net.*https://rebrandly.*' - '*powershell*new-object net.*https://cutt.*' - - '*powershell*net.web*https://tinyurl.* - - '*powershell*net.web*https://bitly.* - - '*powershell*net.web*https://shorturl.* - - '*powershell*net.web*https://rebrandly.* + - '*powershell*net.web*https://tinyurl.*' + - '*powershell*net.web*https://bitly.*' + - '*powershell*net.web*https://shorturl.*' + - '*powershell*net.web*https://rebrandly.*' - '*powershell*net.web*https://cutt.*' - + condition: selection level: critical
diff --git a/rules/powershelllaunchregsvr32.yml b/rules/powershelllaunchregsvr32.yml
index a4835a5..84a2437 100644
--- a/rules/powershelllaunchregsvr32.yml
+++ b/rules/powershelllaunchregsvr32.yml
@@ -4,7 +4,7 @@ description: Powershell launch regsvr32 author: Joe Security date: 2020-03-10 id: 200062 -threatname: +threatname: behaviorgroup: 7 classification: 8 mitreattack: 
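Review bot: The two quoted CommandLine values still anchor on the whole `chcp 437 & schtasks … /tn K0adic` string, so the selection only covers that one exact invocation, while the durable indicator in both items is the task name. A single `CommandLine|contains|all:` with `- 'schtasks'` and `- '/tn K0adic'` would cover the `/query` and `/create` variants together and is less sensitive to incidental spacing in the logged command line. The rule header above `logsource:` is outside this hunk.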
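Review bot: The four `net.web*` entries whose closing quotes this hunk restores, like the `cutt.` entry under them, pin the scheme to `https://`, whereas the `downloadfile*/tinyurl.*` entries in the preceding hunk match `/tinyurl.` independent of scheme, so the two halves of the same shortener list have different coverage. If that difference is not deliberate, `'*powershell*net.web*://tinyurl.*'` (and the same for the other four) brings them in line. The `selection:` key this list belongs to is opened in the previous hunk, not this one.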
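Review bot: Stripping the trailing space leaves `threatname:` with an empty value, which parses as YAML null rather than an empty string, while every other rule in this patch carries a string there (for instance `threatname: Get2Downloader` in get2downloader.yml). If the field is optional the intent reads better as `threatname: null`; if consumers expect a string it should be `threatname: ''` or filled in. The same applies to the `threatname:` hunks in powershellsleepandlaunchexecutable.yml, shedulehiddenpowershellscript.yml and wscriptdownloadfileintotemplocationfromwordpresssite.yml.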
@@ -13,8 +13,8 @@ logsource: category: process_creation product: windows detection: - selection: + selection: CommandLine: - - *powershell*regsvr32* + - '*powershell*regsvr32*' condition: selection level: critical
diff --git a/rules/powershellsleepandlaunchexecutable.yml b/rules/powershellsleepandlaunchexecutable.yml
index 4f03d22..3e4ad59 100644
--- a/rules/powershellsleepandlaunchexecutable.yml
+++ b/rules/powershellsleepandlaunchexecutable.yml
@@ -4,7 +4,7 @@ description: Powershell sleep and launch executable author: Joe Security date: 2020-03-17 id: 200065 -threatname: +threatname: behaviorgroup: 5 classification: 8 mitreattack:
@@ -13,8 +13,8 @@ logsource: category: process_creation product: windows detection: - selection: + selection: CommandLine: - - *powershell -c sleep -s *;saps *.exe* + - '*powershell -c sleep -s *;saps *.exe*' condition: selection level: critical
diff --git a/rules/remcos.yml b/rules/remcos.yml
index 15b8c4f..578eff8 100644
--- a/rules/remcos.yml
+++ b/rules/remcos.yml
@@ -15,10 +15,10 @@ detection: EventID: 11 TargetFilename: - '*\AppData\Roaming\remcos\logs*.dat*' - + selection1: EventID: 13 TargetObject: - - '*\Software\Remcos*exepath*' + - '*\Software\Remcos*exepath*' condition: selection or selection1 level: critical \ No newline at end of file
diff --git a/rules/shedulehiddenpowershellscript.yml b/rules/shedulehiddenpowershellscript.yml
index 67d66a3..34e2abd 100644
--- a/rules/shedulehiddenpowershellscript.yml
+++ b/rules/shedulehiddenpowershellscript.yml
@@ -4,7 +4,7 @@ description: Shedule hidden powershell script author: Joe Security date: 2020-03-12 id: 200063 -threatname: +threatname: behaviorgroup: 2 classification: 8 mitreattack:
@@ -13,8 +13,8 @@ logsource: category: process_creation product: windows detection: - selection: + selection: CommandLine: - - *schtasks.exe*/create*powershell*hidden* + - '*schtasks.exe*/create*powershell*hidden*' condition: selection level: critical 
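Review bot: The `\ No newline at end of file` marker after the final `level: critical` context line means remcos.yml still ends without a terminating newline on both sides of this hunk, which yamllint's `new-line-at-end-of-file` rule reports; since the hunk already reaches the tail of the file, adding the newline here keeps the fix in one commit. The blank-line and `TargetObject` indentation changes in the same hunk are whitespace only and need no further action.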
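Review bot: The hunk-header context shows `description: Shedule hidden powershell script`, a typo the file name shedulehiddenpowershellscript.yml repeats; the description text is safe to correct to `description: Schedule hidden powershell script` in this commit, while renaming the file should wait until any references to the old name are updated with it. The `CommandLine` pattern in the second hunk is unaffected.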
diff --git a/rules/wscriptdownloadfileintotemplocationfromwordpresssite.yml b/rules/wscriptdownloadfileintotemplocationfromwordpresssite.yml
index d8f6acb..6adc1fe 100644
--- a/rules/wscriptdownloadfileintotemplocationfromwordpresssite.yml
+++ b/rules/wscriptdownloadfileintotemplocationfromwordpresssite.yml
@@ -4,7 +4,7 @@ description: Wscript download file into temp location from wordpress site author: Joe Security date: 2020-03-10 id: 200061 -threatname: +threatname: behaviorgroup: 10 classification: 1 mitreattack:
@@ -13,8 +13,8 @@ logsource: category: process_creation product: windows detection: - selection: + selection: CommandLine: - - *cmd /c wscript.exe *\AppData\Local\Temp*/wp-data/* + - '*cmd /c wscript.exe *\AppData\Local\Temp*/wp-data/*' condition: selection level: critical
From e5bc7d1509fb54150cc94bd0a071f2c6cc1e90da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marta=20G=C3=B3mez?=
Date: Tue, 26 Jan 2021 12:49:23 +0100
Subject: [PATCH 2/2] Remove tab characters
---
rules/nanocore.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/nanocore.yml b/rules/nanocore.yml
index f6642ad..b339262 100644
--- a/rules/nanocore.yml
+++ b/rules/nanocore.yml
@@ -13,6 +13,6 @@ logsource: detection: selection: EventID: 11 - TargetFilename: '*\AppData\Roaming\\*-*-*-*-*\run.dat*' + TargetFilename: '*\AppData\Roaming\\*-*-*-*-*\run.dat*' condition: selection level: critical