Winscp rule from Akira Ransomware report #4939

Open
wants to merge 3 commits into
base: master

Conversation

frack113
Member

Summary of the Pull Request

Winscp rule from https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry

Winscp can be used with "-" or "/" 😄

Changelog

new: Winscp Launch From Uncommon Folder
new: Winscp CLI Command To Open Connexion

Example Log Event

<EventData>
  <Data>Sigma rule match found: Winscp CLI Command To Open Connexion (see Details tab for more information)</Data> 
  <Data>Module: Sigma</Data> 
  <Data>Rule_Title: Winscp CLI Command To Open Connexion</Data> 
  <Data>Rule_Author: frack113</Data> 
  <Data>Rule_Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities</Data> 
  <Data>Rule_FalsePositives: undef</Data> 
  <Data>Rule_Id: c1477deb-37cf-4439-9ffb-44499acb89d0</Data> 
  <Data>Rule_Level: medium</Data> 
  <Data>Rule_Modified: 2024/07/30</Data> 
  <Data>Rule_Path: sigma-rules\proc_creation_win_winscp.yml</Data> 
  <Data>Rule_References: https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry</Data> 
  <Data>Rule_Sigtype: custom</Data> 
  <Data>CommandLine: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /console=6.3.4 /consoleinstance=_12092_931 "/command" "open sftp://datadatauser@127.0.0.1:37654"</Data> 
  <Data>Company: Martin Prikryl</Data> 
  <Data>Computer: Win11</Data> 
  <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data> 
  <Data>Description: WinSCP: SFTP, FTP, WebDAV, S3 and SCP client</Data> 
  <Data>DirectoryTableBase: 0xE0E6000</Data> 
  <Data>EventID: 1</Data> 
  <Data>Execution_ProcessID: 12092</Data> 
  <Data>Execution_ThreadID: 6352</Data> 
  <Data>ExitStatus: 259</Data> 
  <Data>FileAge: 00d00h40m52s</Data> 
  <Data>FileCreationDate: 2024-07-30T17:38:58</Data> 
  <Data>FileVersion: 6.3.4.14955</Data> 
  <Data>Flags: 2</Data> 
  <Data>GrandparentCommandLine: "C:\Windows\System32\cmd.exe"</Data> 
  <Data>GrandparentImage: C:\Windows\System32\cmd.exe</Data> 
  <Data>GrandparentProcessId: 8112</Data> 
  <Data>Hashes: MD5=262797240A3056FB82E8299E23CB651E,SHA1=C1F271E5CED7A5BADF62042AB882584E45AEAB37,SHA256=47204338F0E092057024C9186F228C02417E917777F3E841D52B58251A956A74,IMPHASH=FB2CFDF855B58AFCE6D00A81ADADCD74</Data> 
  <Data>Image: C:\Program Files (x86)\WinSCP\WinSCP.exe</Data> 
  <Data>ImageFileName: WinSCP.exe</Data> 
  <Data>IntegrityLevel: Low</Data> 
  <Data>Keywords: 0x0</Data> 
  <Data>Level: 0</Data> 
  <Data>Match_Strings: /command in CommandLine, 'open ' in CommandLine, \WinSCP.exe in Image, winscp.exe in OriginalFileName</Data> 
  <Data>Opcode: 1</Data> 
  <Data>OriginalFileName: winscp.exe</Data> 
  <Data>ParentCommandLine: winscp.com /command "open sftp://datadatauser@127.0.0.1:37654"</Data> 
  <Data>ParentId: 0x2F3C</Data> 
  <Data>ParentImage: C:\Program Files (x86)\WinSCP\WinSCP.com</Data> 
  <Data>ParentProcessId: 12092</Data> 
  <Data>ParentUser: LAB\frack113</Data> 
  <Data>ProcessId: 1772</Data> 
  <Data>ProcessTree: C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|C:\Program Files (x86)\WinSCP\WinSCP.com|C:\Program Files (x86)\WinSCP\WinSCP.exe</Data> 
  <Data>Product: WinSCP</Data> 
  <Data>Provider_Guid: {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}</Data> 
  <Data>Provider_Name: SystemTraceProvider-Process</Data> 
  <Data>SessionId: 1</Data> 
  <Data>Task: 0</Data> 
  <Data>TimeCreated_SystemTime: 2024-07-30T18:19:50.2126857+02:00</Data> 
  <Data>Timestamp: 2024-06-17T14:00:02</Data> 
  <Data>UniqueProcessKey: 0xFFFFB804CBA53100</Data> 
  <Data>User: LAB\frack113</Data> 
  <Data>UserSID: \\LAB\frack113</Data> 
  <Data>UtcTime: 2024-07-30 16:19:50</Data> 
  <Data>Version: 4</Data> 
  <Data>Winversion: 22631</Data> 
</EventData>
<EventData>
  <Data>Sigma rule match found: Winscp Launch From Uncommon Folder (see Details tab for more information)</Data>
  <Data>Module: Sigma</Data>
  <Data>Rule_Title: Winscp Launch From Uncommon Folder</Data>
  <Data>Rule_Author: frack113</Data>
  <Data>Rule_Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities</Data>
  <Data>Rule_FalsePositives: undef</Data>
  <Data>Rule_Id: 7674f8ef-7141-4cf0-a311-ee359264c64c</Data>
  <Data>Rule_Level: medium</Data>
  <Data>Rule_Modified: 2024/07/30</Data>
  <Data>Rule_Path: sigma-rules\proc_creation_win_winscp_portable.yml</Data>
  <Data>Rule_References: https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry</Data>
  <Data>Rule_Sigtype: custom</Data>
  <Data>Company: Martin Prikryl</Data>
  <Data>Computer: Win11</Data>
  <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data>
  <Data>CreateTime: 2024-07-30T16:53:33.839038500Z</Data>
  <Data>Description: WinSCP: SFTP, FTP, WebDAV, S3 and SCP client</Data>
  <Data>EventID: 1</Data>
  <Data>Execution_ProcessID: 6472</Data>
  <Data>Execution_ThreadID: 13664</Data>
  <Data>FileAge: 00d00h00m07s</Data>
  <Data>FileCreationDate: 2024-07-30T18:47:55</Data>
  <Data>FileVersion: 6.3.4.14955</Data>
  <Data>Flags: 0</Data>
  <Data>Hashes: MD5=262797240A3056FB82E8299E23CB651E,SHA1=C1F271E5CED7A5BADF62042AB882584E45AEAB37,SHA256=47204338F0E092057024C9186F228C02417E917777F3E841D52B58251A956A74,IMPHASH=FB2CFDF855B58AFCE6D00A81ADADCD74</Data>
  <Data>Image: C:\Tests\WinSCP\WinSCP.exe</Data>
  <Data>ImageChecksum: 0x15F9620</Data>
  <Data>ImageFileName: WinSCP.exe</Data>
  <Data>ImageName: \Device\HarddiskVolume3\Tests\WinSCP\WinSCP.exe</Data>
  <Data>IntegrityLevel: Low</Data>
  <Data>Keywords: 0x8000000000000010</Data>
  <Data>Level: 4</Data>
  <Data>MandatoryLabel: S-1-16-8192</Data>
  <Data>Match_Strings: \WinSCP.exe in Image, winscp.exe in OriginalFileName</Data>
  <Data>Opcode: 1</Data>
  <Data>OriginalFileName: winscp.exe</Data>
  <Data>ParentCommandLine: C:\WINDOWS\Explorer.EXE</Data>
  <Data>ParentImage: C:\Windows\explorer.exe</Data>
  <Data>ParentProcessId: 6472</Data>
  <Data>ParentProcessSequenceNumber: 166</Data>
  <Data>ParentSpoofed: yes</Data>
  <Data>ParentUser: LAB\frack113</Data>
  <Data>ProcessId: 7152</Data>
  <Data>ProcessSequenceNumber: 1955</Data>
  <Data>ProcessTokenElevationType: 1</Data>
  <Data>ProcessTokenIsElevated: 0</Data>
  <Data>ProcessTree: C:\Windows\explorer.exe|C:\Tests\WinSCP\WinSCP.exe</Data>
  <Data>Product: WinSCP</Data>
  <Data>Provider_Guid: {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}</Data>
  <Data>Provider_Name: Microsoft-Windows-Kernel-Process</Data>
  <Data>Security_UserID: S-1-5-21-888117185-644776935-3477416708-1103</Data>
  <Data>SessionID: 1</Data>
  <Data>Task: 1</Data>
  <Data>TimeCreated_SystemTime: 2024-07-30T18:53:33.900066+02:00</Data>
  <Data>TimeDateStamp: 0x66702542</Data>
  <Data>Timestamp: 2024-06-17T14:00:02</Data>
  <Data>User: LAB\frack113</Data>
  <Data>UtcTime: 2024-07-30 16:53:33</Data>
  <Data>Version: 3</Data>
  <Data>Winversion: 22631</Data>
</EventData>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

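The matching logic of the two rules, as an added example written for this page and not the PR's own YAML (which is not shown here): it reads the `Key: Value` layout of the `<Data>` elements in the log excerpts above, applies the Match_Strings those excerpts list (`/command` plus `open ` in CommandLine, `\WinSCP.exe` in Image, `winscp.exe` in OriginalFileName), and also accepts the `-` option prefix the description mentions. The allowlist of installation folders, the regex for the switch, and the third and fourth sample events are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Installation folders treated as "common" by the uncommon-folder check.
# Assumption for this example: the PR's YAML is not shown on the page.
COMMON_WINSCP_FOLDERS = (
    "c:\\program files\\winscp\\",
    "c:\\program files (x86)\\winscp\\",
)

# WinSCP accepts both "/" and "-" as the option prefix, and the switch may be
# quoted on the command line (the page's event shows "/command").
_COMMAND_SWITCH = re.compile(r'(?:^|\s)"?[/-]command"?(?:\s|$)', re.IGNORECASE)


def parse_eventdata(xml_text):
    """Turn an <EventData> block whose <Data> children read 'Key: Value' into a
    dict. Command lines and URLs contain ': ' themselves, so split on the first
    occurrence only."""
    event = {}
    for data in ET.fromstring(xml_text).iter("Data"):
        key, sep, value = (data.text or "").strip().partition(": ")
        if sep:
            event[key] = value
    return event


def is_winscp(event):
    """Same image test as the Match_Strings above: \\WinSCP.exe in Image or
    winscp.exe in OriginalFileName (case-insensitive, so a renamed copy still hits)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\winscp.exe") or original == "winscp.exe"


def rule_cli_open_connection(event):
    """Winscp CLI Command To Open Connexion: WinSCP started with a /command or
    -command switch whose scripting command is 'open ...'."""
    cmdline = event.get("CommandLine", "")
    return (is_winscp(event)
            and bool(_COMMAND_SWITCH.search(cmdline))
            and "open " in cmdline.lower())


def rule_uncommon_folder(event):
    """Winscp Launch From Uncommon Folder: the WinSCP image does not live under an
    allowlisted installation folder (a portable copy elsewhere matches)."""
    image = event.get("Image", "").lower()
    return is_winscp(event) and not image.startswith(COMMON_WINSCP_FOLDERS)


RULES = {
    "Winscp CLI Command To Open Connexion": rule_cli_open_connection,
    "Winscp Launch From Uncommon Folder": rule_uncommon_folder,
}


def evaluate(events):
    """List the titles of the rules each event matches, in RULES order."""
    return [[title for title, rule in RULES.items() if rule(ev)] for ev in events]


# Constructed sample events, trimmed to the fields the rules read. The first two
# follow the log excerpts in the PR description; the last two are made up here:
# a renamed portable copy using the "-" prefix, and a normal GUI launch.
SAMPLE_EVENTS = [
    r"""<EventData>
  <Data>CommandLine: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /console=6.3.4 /consoleinstance=_12092_931 "/command" "open sftp://datadatauser@127.0.0.1:37654"</Data>
  <Data>Image: C:\Program Files (x86)\WinSCP\WinSCP.exe</Data>
  <Data>OriginalFileName: winscp.exe</Data>
</EventData>""",
    r"""<EventData>
  <Data>Image: C:\Tests\WinSCP\WinSCP.exe</Data>
  <Data>OriginalFileName: winscp.exe</Data>
</EventData>""",
    r"""<EventData>
  <Data>CommandLine: wscp.exe -command "open sftp://backup@203.0.113.10"</Data>
  <Data>Image: C:\Users\Public\Downloads\wscp.exe</Data>
  <Data>OriginalFileName: winscp.exe</Data>
</EventData>""",
    r"""<EventData>
  <Data>CommandLine: "C:\Program Files (x86)\WinSCP\WinSCP.exe"</Data>
  <Data>Image: C:\Program Files (x86)\WinSCP\WinSCP.exe</Data>
  <Data>OriginalFileName: winscp.exe</Data>
</EventData>""",
]


def run_samples():
    """Evaluate both rules over SAMPLE_EVENTS."""
    return evaluate(parse_eventdata(x) for x in SAMPLE_EVENTS)


if __name__ == "__main__":
    for xml_text, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(parse_eventdata(xml_text).get("Image"), "->", hits or "no match")
```

Running it shows the first event hitting only the CLI rule, the portable copy under C:\Tests hitting only the folder rule, the renamed copy with `-command` hitting both, and the plain GUI launch hitting neither; the OriginalFileName check is what keeps the renamed copy in scope.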
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Jul 30, 2024
@nasbench
Member
  • Winscp can be used as a portable exe, so the rule for uncommon location can't be a detection but at best threat hunting.
  • Same goes with the command open rule. You can't say any command open is a "medium" event.

@nasbench nasbench added the Work In Progress Some changes are needed label Jul 31, 2024
@nasbench nasbench self-assigned this Jul 31, 2024
@nasbench nasbench self-requested a review July 31, 2024 08:20
@nasbench nasbench marked this pull request as draft July 31, 2024 08:21
@nasbench nasbench marked this pull request as ready for review August 1, 2024 21:33