From da151809fd84a9fbd6247819daa4a75e78fe900a Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Mon, 28 Oct 2024 22:05:17 +0300
Subject: [PATCH] Add new artifacts to detect abusing of Windows Utilities
---
 .../signatures/windows/windows_utilities.py | 99 +++++++++++++++++++
 1 file changed, 99 insertions(+)
diff --git a/modules/signatures/windows/windows_utilities.py b/modules/signatures/windows/windows_utilities.py
index 98307c08..36613d17 100644
--- a/modules/signatures/windows/windows_utilities.py
+++ b/modules/signatures/windows/windows_utilities.py
@@ -895,3 +895,102 @@ def run(self):
 return True
 return False
+
+class UsesMicrosoftHTMLHelpExecutable(Signature):
+ name = "uses_Microsoft_HTML_Help_Executable"
+ description = "Uses Microsoft HTML Help Executable for executing PE files"
+ severity = 3
+ categories = ["evasion", "execution"]
+ authors = ["@para0x0dise"]
+ minimum = "0.5"
+ evented = True
+ ttps = ["T1566", "T1218.001"]
+ references = ["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/"]
+
+ filter_apinames = set(["NtCreateFile", "CreateProcessInternalW"])
+ def __init__(self, *args, **kwargs):
+ Signature.__init__(self, *args, **kwargs)
+ self.detected = False
+
+ def on_call(self, call, process):
+ pname = process["process_name"].lower()
+ if pname == "hh.exe":
+ if call["api"] == "NtCreateFile":
+ fileName = self.get_argument(call, "FileName")
+ if ".exe" in fileName:
+ self.detected = True
+ return
+ if call["api"] == "CreateProcessInternalW":
+ cmdline = self.get_argument(call, "CommandLine")
+ lower = cmdline.lower()
+ if ".exe" in lower:
+ self.detected = True
+ return
+
+ def on_complete(self):
+ if self.detected:
+ return True
+ return False
+
+class PotentialWebShellViaScreenConnectServer(Signature):
+ name = "potential_WebShell_Via_ScreenConnectServer"
+ description = "Uses ScreenConnect for executing scripts"
+ severity = 3
+ categories = ["evasion", "execution"]
+ authors = ["@para0x0dise"]
+ minimum = "0.5"
+ evented = True
+ ttps = ["T1566", "T1218.001"]
+ references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/initial_access_potential_webshell_via_screenconnect_server.toml"]
+
+ filter_apinames = set(["CreateProcessInternalW"])
+ def __init__(self, *args, **kwargs):
+ Signature.__init__(self, *args, **kwargs)
+ self.detected = False
+
+ def on_call(self, call, process):
+ pname = process["process_name"].lower()
+ if pname == "screenConnect.service.exe":
+ if call["api"] == "CreateProcessInternalW":
+ cmdline = self.get_argument(call, "CommandLine")
+ lower = cmdline.lower()
+ if any(process in lower for process in ["cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe"]):
+ self.detected = True
+ return
+
+ def on_complete(self):
+ if self.detected:
+ return True
+ return False
+
+class PotentialLateralMovementViaSMBEXEC(Signature):
+ name = "Potential_Lateral_Movement_Via_SMBEXEC"
+ description = "Attempts to execute a service via Windows Command Shell which may indicate lateral movement attempt"
+ severity = 3
+ categories = ["evasion", "execution"]
+ authors = ["@para0x0dise"]
+ minimum = "0.5"
+ evented = True
+ ttps = ["T1059"]
+ references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows\lateral_movement_potential_lateral_movement_via_smbexec.toml"]
+
+ filter_apinames = set(["CreateProcessInternalW"])
+ def __init__(self, *args, **kwargs):
+ Signature.__init__(self, *args, **kwargs)
+ self.detected = False
+
+ def on_call(self, call, process):
+ pname = process["process_name"].lower()
+ if pname == "services.exe":
+ if call["api"] == "CreateProcessInternalW":
+ cmdline = self.get_argument(call, "CommandLine")
+ lower = cmdline.lower()
+ if any(process in lower for process in ["cmd.exe"]) and any(arg in lower for arg in ["/q", "echo", ".bat", "del"]):
+ self.detected = True
+ return
+
+ def on_complete(self):
+ if self.detected:
+ return True
+ return False
\ No newline at end of file
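Review bot: `PotentialWebShellViaScreenConnectServer.on_call` can never fire, because `pname` is lower-cased on the preceding line and then compared with the mixed-case literal `"screenConnect.service.exe"`; the comparison should read `if pname == "screenconnect.service.exe":`. The same case-handling slip appears in `UsesMicrosoftHTMLHelpExecutable.on_call`, where the `FileName` argument is tested for `.exe` without lower-casing, unlike the `CommandLine` branch below it, so `if ".exe" in fileName.lower():` keeps the two branches consistent (whether `get_argument` can return None here is not visible in the hunk). The SMBEXEC `references` entry contains a backslash (`windows\lateral_movement…`) inside a non-raw string, which both breaks the URL and is an invalid `\l` escape that newer interpreters warn about; use `/` there. The `ttps` list on the ScreenConnect signature carries T1218.001 (Compiled HTML File) over from the hh.exe signature, which does not describe ScreenConnect abuse and should be revisited. Finally, the generator variables in `any(process in lower for process in [...])` shadow the `process` parameter in both the ScreenConnect and SMBEXEC signatures; renaming them to e.g. `exe` avoids the confusion.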