Jump to content

Recommended Posts

Hey everyone,

I thought it would be a good idea to create a thread for sharing your own created rules.
Here's one rule which looks for IOCs of StrelaStealer

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <description>
        <name>IOCs of StrelaStealer Usage - [Your ID]</name>
        <category>Office</category>
        <os>Windows</os>
        <severity>90</severity>
        <explanation>
            A JavaScript based stealer to steal Outlook and Thunderbird credentials.
            https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/
        </explanation>
        <maliciousCauses>Files associated with the StrelaStealer have been downloaded and executed.</maliciousCauses>
        <benignCauses>There should be no known beningn causes, since hash collision is very unlikely with SHA256.</benignCauses>
        <recommendedActions>
            1. Review the affected endpoint to see if StrelaStealer associated files were downloaded.
            2. If IOCs were found, clear the endpoint of malicious files.
            3. Change the credentials of the affected user.
        </recommendedActions>
    </description>
    <definition>
        <process>
            <operator type="OR">
                <condition component="Module" property="Sha256" condition="is" value="0f069016bc5c9347099589c103c8617e716ad301c3b83b69b5ebd11ef623cf78" />
                <condition component="Module" property="Sha256" condition="is" value="a4cd72aea29e992fcdf808370f3a7c9333458535b86c9a11a1fff20299f837e6" />
                <condition component="Module" property="Sha256" condition="is" value="f2afca709e2973f2733887e401c903580e1ffe4d4ae6d7ea28cc5a6149ba4b96" />
                <condition component="Module" property="Sha256" condition="is" value="2385a4dcf8076eb51ad6893624d36ba49beac92f1e681297afbb89cd5be46c57" />
                <condition component="Module" property="Sha256" condition="is" value="b36fee8895bd828a42a166488b4a2574a232726d89153e3e37fe4382020f7800" />
                <condition component="Module" property="Sha256" condition="is" value="00e7bdaa8ff895b3b82a0b9cc8ba1971d6401e9cf575ec44a5bc3adc6bfd0771" />
            </operator>
        </process>
        <operations>
            <operation type="TcpIpConnect">
                <condition component="Network" property="DestinationIpAddressV4" condition="is" value="45.9.74.176" />
            </operation>
        </operations>
    </definition>
    <maliciousTarget name="current" />
    <actions>
        <action name="TriggerDetection" />
        <action name="StoreEvent" />
        <action name="KillProcess" />
        <action name="BlockProcessExecutable" />
        <action name="BlockProcessSuspiciousModules" />
        <action name="ReportIncident" aggregateOn="Computers" />
        <action name="SubmitToLiveGuard" />
    </actions>
</rule>

 

Link to comment
Share on other sites

Posted (edited)

Another rule for an IOC of GrimResource:

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <description>
        <name>IOCs of GrimResource Usage - [Your ID]</name>
        <category>Suspicious Process Creation and Process Manipulation</category>
        <os>Windows</os>
        <severity>90</severity>
        <explanation>
            Execution of arbitrary code in Microsoft Management Console
            https://www.elastic.co/security-labs/grimresource
        </explanation>
        <maliciousCauses>Malicious .msc file tries to exploit an XSS flaw in the apds.dll library to achieve arbitrary code execution.</maliciousCauses>
        <benignCauses>There should be no known beningn causes.</benignCauses>
        <recommendedActions>
            1. Review the affected endpoint to see if an unknown .msc file was downloaded and executed.
            2. If IOCs were found, clear the endpoint of malicious files.
        </recommendedActions>
    </description>
    <definition>
        <process>
            <condition component="FileItem" property="FileName" condition="is" value="mmc.exe" />
        </process>
        <operations>
            <operation type="CreateProcess">
                <condition component="FileItem" property="FileName" condition="is" value="apds.dll" />
            </operation>
        </operations>
    </definition>
    <maliciousTarget name="current" />
    <actions>
        <action name="TriggerDetection" />
        <action name="StoreEvent" />
        <action name="KillProcess" />
        <action name="BlockProcessExecutable" />
        <action name="BlockProcessSuspiciousModules" />
        <action name="ReportIncident" aggregateOn="Computers" />
        <action name="SubmitToLiveGuard" />
    </actions>
</rule>

 

Edited by thae
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...