feat: update curl & wget rules

rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml

@@ -0,0 +1,24 @@
+title: Potential Cookies Session Hijacking
+id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
+status: experimental
+description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
+references:
+    - https://curl.se/docs/manpage.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/27
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_cli:
+        - CommandLine|re: '\s-c\s'
+        - CommandLine|contains: '--cookie-jar'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml

@@ -0,0 +1,25 @@
+title: Curl Web Request With Potential Custom User-Agent
+id: 85de1f22-d189-44e4-8239-dc276b45379b
+status: experimental
+description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/27
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_header:
+        CommandLine|re: '\s-H\s' # Must be Regex as its case sensitive
+        CommandLine|contains: 'User-Agent:'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml

@@ -0,0 +1,63 @@
+title: Suspicious File Download From Direct IP Via Curl.EXE
+id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+status: experimental
+description: Detects potential suspicious file download from direct ip domains using curl.exe
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/27
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_ip:
+        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    selection_http:
+        CommandLine|contains: 'http'
+    selection_flag:
+        CommandLine|contains:
+            - ' -O'  # covers the alias for --remote-name and --output
+            - '--remote-name'
+            - '--output'
+    selection_ext:
+        CommandLine|endswith:
+            - ".ps1"
+            - ".ps1'"
+            - '.ps1"'
+            - ".dat"
+            - ".dat'"
+            - '.dat"'
+            - ".msi"
+            - ".msi'"
+            - '.msi"'
+            - ".bat"
+            - ".bat'"
+            - '.bat"'
+            - ".exe"
+            - ".exe'"
+            - '.exe"'
+            - ".vbs"
+            - ".vbs'"
+            - '.vbs"'
+            - ".vbe"
+            - ".vbe'"
+            - '.vbe"'
+            - ".hta"
+            - ".hta'"
+            - '.hta"'
+            - ".dll"
+            - ".dll'"
+            - '.dll"'
+            - ".psm1"
+            - ".psm1'"
+            - '.psm1"'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml

@@ -1,7 +1,7 @@
 title: Suspicious File Download From File Sharing Domain Via Curl.EXE
 id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
 status: experimental
-description: Detects file download using curl.exe
+description: Detects potential suspicious file download from file sharing domains using curl.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
@@ -18,8 +18,7 @@ detection:
         - Image|endswith: '\curl.exe'
         - OriginalFileName: 'curl.exe'
     selection_websites:
-        - CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
-        - CommandLine|contains:
+        CommandLine|contains:
             - 'anonfiles.com'
             - 'cdn.discordapp.com/attachments/'
             - 'ddns.net'
@@ -54,6 +53,12 @@ detection:
             - ".ps1"
             - ".ps1'"
             - '.ps1"'
+            - ".dat"
+            - ".dat'"
+            - '.dat"'
+            - ".msi"
+            - ".msi'"
+            - '.msi"'
             - ".bat"
             - ".bat'"
             - '.bat"'

rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml

@@ -3,7 +3,7 @@ id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
 status: experimental
 description: Detects execution of "curl.exe" with the "--insecure" flag.
 references:
-    - Internal Research
+    - https://curl.se/docs/manpage.html
 author: X__Junior (Nextron Systems)
 date: 2023/06/30
 tags:

rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml

@@ -0,0 +1,25 @@
+title: Insecure Proxy/DOH Transfer Via Curl.EXE
+id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+status: experimental
+description: Detects execution of "curl.exe" with the "insecure" flag over Proxy or DOH.
+references:
+    - https://curl.se/docs/manpage.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/27
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_cli:
+        CommandLine|contains:
+            - '--doh-insecure'
+            - '--proxy-insecure'
+    condition: all of selection_*
+falsepositives:
+    - Access to badly maintained internal or development systems
+level: medium

rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml

@@ -0,0 +1,23 @@
+title: Local File Read Using Curl.EXE
+id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
+status: experimental
+description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
+references:
+    - https://curl.se/docs/manpage.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/27
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_cli:
+        CommandLine|contains: 'file:///'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml

@@ -6,7 +6,7 @@ references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/02
-modified: 2023/02/02
+modified: 2023/07/27
 tags:
     - attack.execution
     - attack.t1059.001
@@ -36,19 +36,27 @@ detection:
         CommandLine|contains:
             - ' -d ' # Shortest possible version of the --data flag
             - ' --data '
+    selection_wget:
+        Image|endswith: '\wget.exe'
+        CommandLine|contains:
+            - '--post-data'
+            - '--post-file'
     payloads:
         - CommandLine|contains:
-            - 'ToBase64String'
-            - 'whoami'
-            - 'nltest'
-            - 'ifconfig'
+            - 'Get-Content'
+            - 'GetBytes'
             - 'hostname'
+            - 'ifconfig'
+            - 'ipconfig'
             - 'net view'
-            - 'qprocess'
             - 'netstat'
+            - 'nltest'
+            - 'qprocess'
+            - 'sc query'
             - 'systeminfo'
             - 'tasklist'
-            - 'sc query'
+            - 'ToBase64String'
+            - 'whoami'
         - CommandLine|contains|all:
             - 'type '
             - ' > '

rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml

@@ -0,0 +1,60 @@
+title: Suspicious File Download From Direct IP Via Wget.EXE
+id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+status: experimental
+description: Detects potential suspicious file download from direct ip domains using Wget.exe
+references:
+    - https://www.gnu.org/software/wget/manual/wget.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/27
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wget.exe'
+        - OriginalFileName: 'wget.exe'
+    selection_ip:
+        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    selection_http:
+        CommandLine|contains: 'http'
+    selection_flag:
+        - CommandLine|re: '\s-O\s'
+        - CommandLine|contains: '--output-document'
+    selection_ext:
+        CommandLine|endswith:
+            - ".ps1"
+            - ".ps1'"
+            - '.ps1"'
+            - ".dat"
+            - ".dat'"
+            - '.dat"'
+            - ".msi"
+            - ".msi'"
+            - '.msi"'
+            - ".bat"
+            - ".bat'"
+            - '.bat"'
+            - ".exe"
+            - ".exe'"
+            - '.exe"'
+            - ".vbs"
+            - ".vbs'"
+            - '.vbs"'
+            - ".vbe"
+            - ".vbe'"
+            - '.vbe"'
+            - ".hta"
+            - ".hta'"
+            - '.hta"'
+            - ".dll"
+            - ".dll'"
+            - '.dll"'
+            - ".psm1"
+            - ".psm1'"
+            - '.psm1"'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml

@@ -0,0 +1,84 @@
+title: Suspicious File Download From File Sharing Domain Via Wget.EXE
+id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+status: experimental
+description: Detects potential suspicious file download from file sharing domains using wget.exe
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+modified: 2023/07/24
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\wget.exe'
+        - OriginalFileName: 'wget.exe'
+    selection_websites:
+        CommandLine|contains:
+            - 'anonfiles.com'
+            - 'cdn.discordapp.com/attachments/'
+            - 'ddns.net'
+            - 'ghostbin.co/'
+            - 'gist.githubusercontent.com'
+            - 'gofile.io'
+            - 'hastebin.com'
+            - 'mediafire.com'
+            - 'mega.nz'
+            - 'paste.ee'
+            - 'pastebin.com'
+            - 'pastebin.pl'
+            - 'pastetext.net'
+            - 'privatlab.com'
+            - 'privatlab.net'
+            - 'raw.githubusercontent.com'
+            - 'send.exploit.in'
+            - 'sendspace.com'
+            - 'storage.googleapis.com'
+            - 'temp.sh'
+            - 'transfer.sh'
+            - 'ufile.io'
+    selection_http:
+        CommandLine|contains: 'http'
+    selection_flag:
+        - CommandLine|re: '\s-O\s'
+        - CommandLine|contains: '--output-document'
+    selection_ext:
+        CommandLine|endswith:
+            - ".ps1"
+            - ".ps1'"
+            - '.ps1"'
+            - ".dat"
+            - ".dat'"
+            - '.dat"'
+            - ".msi"
+            - ".msi'"
+            - '.msi"'
+            - ".bat"
+            - ".bat'"
+            - '.bat"'
+            - ".exe"
+            - ".exe'"
+            - '.exe"'
+            - ".vbs"
+            - ".vbs'"
+            - '.vbs"'
+            - ".vbe"
+            - ".vbe'"
+            - '.vbe"'
+            - ".hta"
+            - ".hta'"
+            - '.hta"'
+            - ".dll"
+            - ".dll'"
+            - '.dll"'
+            - ".psm1"
+            - ".psm1'"
+            - '.psm1"'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high