updates

rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml

@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-06-28
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -38,6 +38,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml

@@ -12,7 +12,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.defense-evasion
     - attack.s0139
@@ -40,6 +40,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml

@@ -11,7 +11,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.defense-evasion
     - attack.s0139
@@ -39,6 +39,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml

@@ -16,7 +16,7 @@ references:
     - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022-08-17
-modified: 2024-10-18
+modified: 2024-10-21
 tags:
     - attack.command-and-control
     - attack.t1102
@@ -58,6 +58,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'reddit.com'
@@ -76,7 +77,6 @@ detection:
             - 'wetransfer.com'
             - 'workers.dev'
             - 'youtube.com'
-            - 'pixeldrain.com'
     # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
     # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
     filter_main_chrome:

rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml

@@ -13,7 +13,7 @@ references:
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018-08-30
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.command-and-control
     - attack.t1105
@@ -57,6 +57,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.execution
 logsource:
@@ -36,6 +36,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml

@@ -9,7 +9,7 @@ references:
     - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.execution
 logsource:
@@ -43,6 +43,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml

@@ -8,7 +8,8 @@ related:
     - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
       type: obsolete
 status: test
-description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
+description: |
+    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
 references:
     - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
     - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
@@ -17,7 +18,7 @@ references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-10-18
+modified: 2024-10-21
 tags:
     - attack.defense-evasion
     - attack.t1489

rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml

@@ -8,7 +8,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-05
-modified: 2024-08-22
+modified: 2024-10-21
 tags:
     - attack.execution
 logsource:
@@ -37,6 +37,7 @@ detection:
             - 'pastebin.com'
             - 'pastebin.pl'
             - 'pastetext.net'
+            - 'pixeldrain.com'
             - 'privatlab.com'
             - 'privatlab.net'
             - 'send.exploit.in'

rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml

@@ -29,12 +29,12 @@ detection:
     selection_target_builtin_clsid:
         TargetObject|contains:
             # Note: Add other legitimate CLSID
-            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
             - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
+            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
             - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
             - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
+            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
             - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
-            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
             - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
     selection_susp_location_1:
         Details|contains: