small update and rule split

SigmaHQ · Nov 28, 2023 · 09ddc25 · 09ddc25
1 parent 781f882
commit 09ddc25
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 26 deletions.
diff --git a/...oad/image_load_dll_rstrtmgr_susp_load.yml → ...age_load_dll_rstrtmgr_suspicious_load.yml b/...oad/image_load_dll_rstrtmgr_susp_load.yml → ...age_load_dll_rstrtmgr_suspicious_load.yml
@@ -1,17 +1,20 @@
-title: Load Of RstrtMgr DLL From Suspicious Process
+title: Load Of RstrtMgr.DLL By A Suspicious Process
 id: b48492dc-c5ef-4572-8dff-32bc241c15c8
+related:
+    - id: 3669afd2-9891-4534-a626-e5cf03810a61
+      type: derived
 status: experimental
 description: |
-    Detects the load of RstrtMgr DLL (Restart Manager) by suspicious processes.
+    Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
     This librairy has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (Conti Ransomware, Cactus Ransomware). It has also been seen recently in the BiBi wiper for Windows.
     It could also be used for anti-analysis purposes by shut downing specific processes.
 references:
+    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
     - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
     - https://www.swascan.com/cactus-ransomware-malware-analysis/
     - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
-date: 2023/11/22
-modified: 2023/11/22
+date: 2023/11/28
 tags:
     - attack.impact
     - attack.defense_evasion
@@ -21,30 +24,27 @@ logsource:
     category: image_load
     product: windows
 detection:
-    selection:
+    selection_img:
         - ImageLoaded|endswith: '\RstrtMgr.dll'
         - OriginalFileName: 'RstrtMgr.dll'
-    filter_explorer:
-        Image: 'C:\Windows\explorer.exe'
-    filter_system32:
-        Image|startswith: 'C:\Windows\System32\'
-        Image|endswith:
-            - '\msiexec.exe'
-            - '\taskhostw.exe'
-    filter_tiworker:
-        Image|startswith: 'C:\Windows\WinSxS\'
-        Image|endswith: '\TiWorker.exe'
-    filter_software_installation:
-        Image|startswith: 'C:\Users\'
-        Image|contains|all:
-            - '\AppData\Local\Temp\is-'
-            - '.tmp\'
-        Image|endswith: '.tmp'
-    condition: selection and not 1 of filter*
-fields:
-    - Image
-    - ProcessGuid
+    selection_folders_1:
+        Details|contains:
+            # Note: increase coverage by adding more suspicious paths
+            - ':\Perflogs\'
+            - ':\Users\Public\'
+            - '\Temporary Internet'
+    selection_folders_2:
+        - Details|contains:
+              - ':\Users\'
+              - '\Favorites\'
+        - Details|contains:
+              - ':\Users\'
+              - '\Favourites\'
+        - Details|contains:
+              - ':\Users\'
+              - '\Contacts\'
+    condition: selection_img and 1 of selection_folders_*
 falsepositives:
     - Other legitimate Windows processes not currently listed
     - Processes related to software installation
-level: medium
+level: high
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
@@ -0,0 +1,56 @@
+title: Load Of RstrtMgr.DLL By An Uncommon Process
+id: 3669afd2-9891-4534-a626-e5cf03810a61
+related:
+    - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
+      type: derived
+status: experimental
+description: |
+    Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
+    This librairy has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (Conti Ransomware, Cactus Ransomware). It has also been seen recently in the BiBi wiper for Windows.
+    It could also be used for anti-analysis purposes by shut downing specific processes.
+references:
+    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
+    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
+    - https://www.swascan.com/cactus-ransomware-malware-analysis/
+    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
+author: Luc Génaux
+date: 2023/11/28
+tags:
+    - attack.impact
+    - attack.defense_evasion
+    - attack.t1486
+    - attack.t1562.001
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        - ImageLoaded|endswith: '\RstrtMgr.dll'
+        - OriginalFileName: 'RstrtMgr.dll'
+    filter_main_generic:
+        Image|contains:
+            - ':\$WINDOWS.~BT\'
+            - ':\$WinREAgent\'
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\ProgramData\'
+            - ':\Windows\explorer.exe'
+            - ':\Windows\SoftwareDistribution\'
+            - ':\Windows\SysNative\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
+            - ':\WUDownloadCache\'
+    filter_main_user_software_installations:
+        Image|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\Temp\is-'
+            - '.tmp\'
+        Image|endswith: '.tmp'
+    filter_main_admin_software_installations:
+        Image|contains: ':\Windows\Temp\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Other legitimate Windows processes not currently listed
+    - Processes related to software installation
+level: low