Merge PR #4961 from @tsale - Add multiples rules and updates

fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags 
---------

Co-authored-by: nasbench <[email protected]>

Author: tsale

Diff for: rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml

@@ -0,0 +1,38 @@
+title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
+id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
+status: experimental
+description: Detects the execution of the commonly used ZeroLogon PoC executable.
+references:
+    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
+    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+author: '@Kostastsale, @TheDFIRReport'
+date: 2022-02-12
+tags:
+    - attack.execution
+    - attack.lateral-movement
+    - attack.t1210
+    - cve.2020-1472
+    - detection.emerging-threats
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_main:
+        ParentImage|endswith: '\cmd.exe'
+        Image|endswith:
+            - '\cool.exe'
+            - '\zero.exe'
+        CommandLine|contains|all:
+            - 'Administrator'
+            - '-c'
+    selection_payloads_1:
+        CommandLine|contains|all:
+            - 'taskkill'
+            - '/f'
+            - '/im'
+    selection_payloads_2:
+        CommandLine|contains: 'powershell'
+    condition: selection_main and 1 of selection_payloads_*
+falsepositives:
+    - Unknown
+level: high

Diff for: rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml

@@ -0,0 +1,30 @@
+title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
+id: 3eb91f0a-0060-424a-a676-59f5fdd75610
+status: experimental
+description: |
+    Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
+references:
+    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
+    - https://twitter.com/TheDFIRReport/status/1482078434327244805
+    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
+author: '@kostastsale'
+date: 2022-01-14
+tags:
+    - attack.initial-access
+    - attack.t1190
+    - cve.2021-44228
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\ws_TomcatService.exe'
+    filter_main_shells:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high

Diff for: rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml

@@ -0,0 +1,33 @@
+title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
+id: 5660d8db-6e25-411f-b92f-094420168a5d
+status: experimental
+description: |
+    Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
+    As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
+references:
+    - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
+    - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
+author: '@kostastsale'
+date: 2022-04-25
+tags:
+    - attack.execution
+    - attack.initial-access
+    - attack.t1059.006
+    - attack.t1190
+    - cve.2022-22954
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\prunsrv.exe'
+    selection_payload_pwsh:
+        Image|endswith: '\powershell.exe'
+    selection_payload_cmd:
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains: '/c powershell'
+    condition: selection_parent and 1 of selection_payload_*
+falsepositives:
+    - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
+level: medium

Diff for: rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml

@@ -8,9 +8,9 @@ description: |
 references:
     - https://github.com/kagancapar/CVE-2022-29072
     - https://twitter.com/kagancapar/status/1515219358234161153
-author: frack113
+author: frack113, @kostastsale
 date: 2022-04-17
-modified: 2023-02-07
+modified: 2024-08-15
 tags:
     - attack.execution
     - cve.2022-29072
@@ -19,19 +19,29 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection_img:
-        - Image|endswith: '\cmd.exe'
-        - OriginalFileName: 'Cmd.Exe'
     selection_parent:
         ParentImage|endswith: '\7zFM.exe'
-    filter_bat:
-        CommandLine|contains:
-            - ' /c '
-            - ' /k '
-            - ' /r '
-    filter_null:
+    selection_img:
+        - Image|endswith:
+              - '\cmd.exe'
+              - '\powershell.exe'
+              - '\pwsh.exe'
+        - OriginalFileName:
+              - 'Cmd.Exe'
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+    filter_main_extensions_and_flags:
+        - CommandLine|contains:
+              - ' /c '
+              - ' /k '
+              - ' /r '
+        - CommandLine|endswith:
+              - '.bat'
+              - '.cmd'
+              - '.ps1'
+    filter_main_null:
         CommandLine: null
-    condition: all of selection_* and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: high

Diff for: rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml

@@ -0,0 +1,31 @@
+title: ChromeLoader Malware Execution
+id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
+status: experimental
+description: Detects execution of ChromeLoader malware via a registered scheduled task
+references:
+    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
+    - https://twitter.com/th3_protoCOL/status/1480621526764322817
+    - https://twitter.com/Kostastsale/status/1480716528421011458
+    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
+author: '@kostastsale'
+date: 2022-01-10
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1053.005
+    - attack.t1059.001
+    - attack.t1176
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\powershell.exe'
+        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
+        CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
+        Image|endswith: '\chrome.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

Diff for: rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml

@@ -0,0 +1,38 @@
+title: Emotet Loader Execution Via .LNK File
+id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
+status: experimental
+description: |
+    Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
+    The ".lnk" file was delivered via phishing campaign.
+references:
+    - https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
+    - https://twitter.com/Cryptolaemus1/status/1517634855940632576
+    - https://tria.ge/220422-1pw1pscfdl/
+    - https://tria.ge/220422-1nnmyagdf2/
+author: '@kostastsale'
+date: 2022-04-22
+modified: 2024-08-15
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith:
+            - '\cmd.exe'
+            - '\explorer.exe'
+            - '\powershell.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+        CommandLine|contains|all:
+            - 'findstr'
+            - '.vbs'
+            - '.lnk'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

Diff for: rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml

@@ -0,0 +1,40 @@
+title: Raspberry Robin Subsequent Execution of Commands
+id: d52d2e87-eb03-4fac-961d-eb616da79788
+related:
+    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
+      type: similar
+status: experimental
+description: Detects raspberry robin subsequent execution of commands.
+references:
+    - https://redcanary.com/blog/raspberry-robin/
+author: '@kostastsale'
+date: 2022-05-06
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\fodhelper.exe'
+        Image|endswith:
+            - '\rundll32.exe'
+            - '\regsvr32.exe'
+        CommandLine|contains|all:
+            - 'odbcconf.exe'
+            - 'regsvr'
+            - 'shellexec_rundll'
+        CommandLine|contains:
+            - 'installdriver'
+            - 'setfiledsndir'
+            - 'vkipdse'
+        CommandLine|endswith|windash:
+            - '/a'
+            - '/f'
+            - '/s'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

Diff for: rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml

@@ -0,0 +1,40 @@
+title: Raspberry Robin Initial Execution From External Drive
+id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
+related:
+    - id: d52d2e87-eb03-4fac-961d-eb616da79788
+      type: similar
+status: experimental
+description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
+references:
+    - https://redcanary.com/blog/raspberry-robin/
+author: '@kostastsale'
+date: 2022-05-06
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\cmd.exe'
+        ParentCommandLine|contains: '/r'
+        ParentCommandLine|endswith:
+            - '.bin'
+            - '.ico'
+            - '.lnk'
+            - '.lo'
+            - '.sv'
+            - '.usb'
+    selection_child_img:
+        Image|endswith: '\msiexec.exe'
+        CommandLine|contains|windash: '/q'
+    selection_child_http:
+        CommandLine|contains:
+            - 'http:'
+            - 'https:'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

Diff for: rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml

@@ -0,0 +1,36 @@
+title: Serpent Backdoor Payload Execution Via Scheduled Task
+id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
+status: experimental
+description: |
+    Detects post exploitation execution technique of the Serpent backdoor.
+    According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
+    It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
+references:
+    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
+author: '@kostastsale'
+date: 2022-03-21
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1053.005
+    - attack.t1059.006
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+        CommandLine|contains|all:
+            - '[System/EventID='
+            - '/create'
+            - '/delete'
+            - '/ec'
+            - '/so'
+            - '/tn run'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

Diff for: rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml

@@ -0,0 +1,40 @@
+title: FakeUpdates/SocGholish Activity
+id: 97805087-93ab-4203-b5cb-287cda6aecaa
+status: experimental
+description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
+references:
+    - https://twitter.com/th3_protoCOL/status/1536788652889497600
+    - https://twitter.com/1ZRR4H/status/1537501582727778304
+author: '@kostastsale'
+date: 2022-06-16
+modified: 2024-08-23
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\wscript.exe'
+        ParentCommandLine|contains|all:
+            - '\AppData\Local\Temp'
+            - '.zip'
+            - 'update'
+            - '.js'
+        ParentCommandLine|contains:
+            - 'Chrome'
+            - 'Edge'
+            - 'Firefox'
+            - 'Opera'
+            - 'Brave' # Not seen in campaigns
+            - 'Vivaldi' # Not seen in campaigns
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high