
Winscp rule from Akira Ransomware report

Open · frack113 opened this issue 1 year ago · 1 comment

Summary of the Pull Request

Winscp rule from https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry

Winscp can be used with "-" or "/" 😄

Changelog

new: Winscp Launch From Uncommon Folder
new: Winscp CLI Command To Open Connexion

Example Log Event

<EventData>
  <Data>Sigma rule match found: Winscp CLI Command To Open Connexion (see Details tab for more information)</Data> 
  <Data>Module: Sigma</Data> 
  <Data>Rule_Title: Winscp CLI Command To Open Connexion</Data> 
  <Data>Rule_Author: frack113</Data> 
  <Data>Rule_Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities</Data> 
  <Data>Rule_FalsePositives: undef</Data> 
  <Data>Rule_Id: c1477deb-37cf-4439-9ffb-44499acb89d0</Data> 
  <Data>Rule_Level: medium</Data> 
  <Data>Rule_Modified: 2024/07/30</Data> 
  <Data>Rule_Path: sigma-rules\proc_creation_win_winscp.yml</Data> 
  <Data>Rule_References: https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry</Data> 
  <Data>Rule_Sigtype: custom</Data> 
  <Data>CommandLine: "C:\Program Files (x86)\WinSCP\WinSCP.exe" /console=6.3.4 /consoleinstance=_12092_931 "/command" "open sftp://[email protected]:37654"</Data> 
  <Data>Company: Martin Prikryl</Data> 
  <Data>Computer: Win11</Data> 
  <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data> 
  <Data>Description: WinSCP: SFTP, FTP, WebDAV, S3 and SCP client</Data> 
  <Data>DirectoryTableBase: 0xE0E6000</Data> 
  <Data>EventID: 1</Data> 
  <Data>Execution_ProcessID: 12092</Data> 
  <Data>Execution_ThreadID: 6352</Data> 
  <Data>ExitStatus: 259</Data> 
  <Data>FileAge: 00d00h40m52s</Data> 
  <Data>FileCreationDate: 2024-07-30T17:38:58</Data> 
  <Data>FileVersion: 6.3.4.14955</Data> 
  <Data>Flags: 2</Data> 
  <Data>GrandparentCommandLine: "C:\Windows\System32\cmd.exe"</Data> 
  <Data>GrandparentImage: C:\Windows\System32\cmd.exe</Data> 
  <Data>GrandparentProcessId: 8112</Data> 
  <Data>Hashes: MD5=262797240A3056FB82E8299E23CB651E,SHA1=C1F271E5CED7A5BADF62042AB882584E45AEAB37,SHA256=47204338F0E092057024C9186F228C02417E917777F3E841D52B58251A956A74,IMPHASH=FB2CFDF855B58AFCE6D00A81ADADCD74</Data> 
  <Data>Image: C:\Program Files (x86)\WinSCP\WinSCP.exe</Data> 
  <Data>ImageFileName: WinSCP.exe</Data> 
  <Data>IntegrityLevel: Low</Data> 
  <Data>Keywords: 0x0</Data> 
  <Data>Level: 0</Data> 
  <Data>Match_Strings: /command in CommandLine, 'open ' in CommandLine, \WinSCP.exe in Image, winscp.exe in OriginalFileName</Data> 
  <Data>Opcode: 1</Data> 
  <Data>OriginalFileName: winscp.exe</Data> 
  <Data>ParentCommandLine: winscp.com /command "open sftp://[email protected]:37654"</Data> 
  <Data>ParentId: 0x2F3C</Data> 
  <Data>ParentImage: C:\Program Files (x86)\WinSCP\WinSCP.com</Data> 
  <Data>ParentProcessId: 12092</Data> 
  <Data>ParentUser: LAB\frack113</Data> 
  <Data>ProcessId: 1772</Data> 
  <Data>ProcessTree: C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|C:\Program Files (x86)\WinSCP\WinSCP.com|C:\Program Files (x86)\WinSCP\WinSCP.exe</Data> 
  <Data>Product: WinSCP</Data> 
  <Data>Provider_Guid: {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}</Data> 
  <Data>Provider_Name: SystemTraceProvider-Process</Data> 
  <Data>SessionId: 1</Data> 
  <Data>Task: 0</Data> 
  <Data>TimeCreated_SystemTime: 2024-07-30T18:19:50.2126857+02:00</Data> 
  <Data>Timestamp: 2024-06-17T14:00:02</Data> 
  <Data>UniqueProcessKey: 0xFFFFB804CBA53100</Data> 
  <Data>User: LAB\frack113</Data> 
  <Data>UserSID: \\LAB\frack113</Data> 
  <Data>UtcTime: 2024-07-30 16:19:50</Data> 
  <Data>Version: 4</Data> 
  <Data>Winversion: 22631</Data> 
  </EventData>
<EventData>
 <Data>Sigma rule match found: Winscp Launch From Uncommon Folder (see Details tab for more information)</Data> 
 <Data>Module: Sigma</Data> 
 <Data>Rule_Title: Winscp Launch From Uncommon Folder</Data> 
 <Data>Rule_Author: frack113</Data> 
 <Data>Rule_Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities</Data> 
 <Data>Rule_FalsePositives: undef</Data> 
 <Data>Rule_Id: 7674f8ef-7141-4cf0-a311-ee359264c64c</Data> 
 <Data>Rule_Level: medium</Data> 
 <Data>Rule_Modified: 2024/07/30</Data> 
 <Data>Rule_Path: sigma-rules\proc_creation_win_winscp_portable.yml</Data> 
 <Data>Rule_References: https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry</Data> 
 <Data>Rule_Sigtype: custom</Data> 
 <Data>Company: Martin Prikryl</Data> 
 <Data>Computer: Win11</Data> 
 <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data> 
 <Data>CreateTime: 2024-07-30T16:53:33.839038500Z</Data> 
 <Data>Description: WinSCP: SFTP, FTP, WebDAV, S3 and SCP client</Data> 
 <Data>EventID: 1</Data> 
 <Data>Execution_ProcessID: 6472</Data> 
 <Data>Execution_ThreadID: 13664</Data> 
 <Data>FileAge: 00d00h00m07s</Data> 
 <Data>FileCreationDate: 2024-07-30T18:47:55</Data> 
 <Data>FileVersion: 6.3.4.14955</Data> 
 <Data>Flags: 0</Data> 
 <Data>Hashes: MD5=262797240A3056FB82E8299E23CB651E,SHA1=C1F271E5CED7A5BADF62042AB882584E45AEAB37,SHA256=47204338F0E092057024C9186F228C02417E917777F3E841D52B58251A956A74,IMPHASH=FB2CFDF855B58AFCE6D00A81ADADCD74</Data> 
 <Data>Image: C:\Tests\WinSCP\WinSCP.exe</Data> 
 <Data>ImageChecksum: 0x15F9620</Data> 
 <Data>ImageFileName: WinSCP.exe</Data> 
 <Data>ImageName: \Device\HarddiskVolume3\Tests\WinSCP\WinSCP.exe</Data> 
 <Data>IntegrityLevel: Low</Data> 
 <Data>Keywords: 0x8000000000000010</Data> 
 <Data>Level: 4</Data> 
 <Data>MandatoryLabel: S-1-16-8192</Data> 
 <Data>Match_Strings: \WinSCP.exe in Image, winscp.exe in OriginalFileName</Data> 
 <Data>Opcode: 1</Data> 
 <Data>OriginalFileName: winscp.exe</Data> 
 <Data>ParentCommandLine: C:\WINDOWS\Explorer.EXE</Data> 
 <Data>ParentImage: C:\Windows\explorer.exe</Data> 
 <Data>ParentProcessId: 6472</Data> 
 <Data>ParentProcessSequenceNumber: 166</Data> 
 <Data>ParentSpoofed: yes</Data> 
 <Data>ParentUser: LAB\frack113</Data> 
 <Data>ProcessId: 7152</Data> 
 <Data>ProcessSequenceNumber: 1955</Data> 
 <Data>ProcessTokenElevationType: 1</Data> 
 <Data>ProcessTokenIsElevated: 0</Data> 
 <Data>ProcessTree: C:\Windows\explorer.exe|C:\Tests\WinSCP\WinSCP.exe</Data> 
 <Data>Product: WinSCP</Data> 
 <Data>Provider_Guid: {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}</Data> 
 <Data>Provider_Name: Microsoft-Windows-Kernel-Process</Data> 
 <Data>Security_UserID: S-1-5-21-888117185-644776935-3477416708-1103</Data> 
 <Data>SessionID: 1</Data> 
 <Data>Task: 1</Data> 
 <Data>TimeCreated_SystemTime: 2024-07-30T18:53:33.900066+02:00</Data> 
 <Data>TimeDateStamp: 0x66702542</Data> 
 <Data>Timestamp: 2024-06-17T14:00:02</Data> 
 <Data>User: LAB\frack113</Data> 
 <Data>UtcTime: 2024-07-30 16:53:33</Data> 
 <Data>Version: 3</Data> 
 <Data>Winversion: 22631</Data> 
 </EventData>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

frack113 avatar Jul 30 '24 17:07 frack113
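The two matching conditions the PR describes (WinSCP started with a "/command" or "-command" switch followed by an "open" verb, and WinSCP running outside its install folder), re-implemented in Python and run over constructed events trimmed from the example log above. This is an added example, not the PR's Sigma YAML; the list of default install folders and the helper names are assumptions.

```python
import re

# Assumed default install folders; the "uncommon folder" rule flags any other path.
KNOWN_WINSCP_DIRS = ("c:\\program files\\winscp\\", "c:\\program files (x86)\\winscp\\")
# WinSCP accepts both "/command" and "-command" as the switch prefix.
COMMAND_SWITCH = re.compile(r'(?:^|\s)"?[/-]command\b', re.IGNORECASE)


def is_winscp(event):
    # Shared selector: \WinSCP.exe in Image and winscp.exe in OriginalFileName (case-insensitive).
    image, original = event.get("Image", "").lower(), event.get("OriginalFileName", "").lower()
    return image.endswith("\\winscp.exe") and original == "winscp.exe"


def cli_open_connection(event):
    # "Winscp CLI Command To Open Connexion": command switch plus an 'open ' verb.
    cmd = event.get("CommandLine", "")
    return is_winscp(event) and bool(COMMAND_SWITCH.search(cmd)) and "open " in cmd.lower()


def launch_from_uncommon_folder(event):
    # "Winscp Launch From Uncommon Folder": binary running outside the assumed install folders.
    return is_winscp(event) and not event.get("Image", "").lower().startswith(KNOWN_WINSCP_DIRS)


RULES = {"Winscp CLI Command To Open Connexion": cli_open_connection,
         "Winscp Launch From Uncommon Folder": launch_from_uncommon_folder}

# Constructed events, trimmed from the PR's two example log events plus two extra cases.
SAMPLE_EVENTS = [
    {"ProcessId": 1772, "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "OriginalFileName": "winscp.exe",
     "CommandLine": '"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" /console=6.3.4 '
                    '"/command" "open sftp://user@host:37654"'},
    {"ProcessId": 7152, "Image": "C:\\Tests\\WinSCP\\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "CommandLine": "C:\\Tests\\WinSCP\\WinSCP.exe"},
    # Dash-prefixed switch form, which the PR says the rule must also cover.
    {"ProcessId": 9001, "Image": "C:\\Tests\\WinSCP\\WinSCP.exe",
     "OriginalFileName": "winscp.exe",
     "CommandLine": 'WinSCP.exe -command "open ftp://user@host"'},
    # Benign interactive GUI launch from the default install folder: matches neither rule.
    {"ProcessId": 4242, "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "OriginalFileName": "winscp.exe",
     "CommandLine": '"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe"'},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (rule title, ProcessId) pairs for every event that satisfies a rule."""
    return [(title, ev["ProcessId"]) for ev in events for title, fn in RULES.items() if fn(ev)]
```

The portable copy (pid 9001) trips both rules, which is the overlap the reviewer below is pointing at when questioning the "medium" level.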

  • Winscp can be used as a portable exe, so the "uncommon location" rule can't be a detection but at best threat hunting.
  • Same goes with the "command open" rule. You can't say any "command open" is a "medium" event.

nasbench avatar Jul 31 '24 08:07 nasbench