From d99249c9b73277f1ed09a75ef0cffa1035acc52a Mon Sep 17 00:00:00 2001
From: ForensicITGuy
Date: Sat, 18 May 2019 01:19:31 -0500
Subject: [PATCH] Analytics for rundll32 with malware CLIs

---
 .../T1085-rundll32-frameworkpos-exec.toml | 19 +++++++++++++++++++
 .../T1085-rundll32-kwampirs-exec.toml | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 eqllib/analytics/execution/T1085-rundll32-frameworkpos-exec.toml
 create mode 100644 eqllib/analytics/execution/T1085-rundll32-kwampirs-exec.toml

diff --git a/eqllib/analytics/execution/T1085-rundll32-frameworkpos-exec.toml b/eqllib/analytics/execution/T1085-rundll32-frameworkpos-exec.toml
new file mode 100644
index 0000000..0b7cd14
--- /dev/null
+++ b/eqllib/analytics/execution/T1085-rundll32-frameworkpos-exec.toml
@@ -0,0 +1,19 @@
+[analytic.metadata]
+categories = ["detect"]
+confidence = "high"
+contributors = ["Tony Lambert"]
+created_date = "05/17/2019"
+description = "Identifies execution of rundll32.exe executing a FrameworkPOS DLL."
+id = "afa52dc8-7932-11e9-8f5c-d46d6d62a49e"
+name = "FrameworkPOS DLL Execution"
+os = ["windows"]
+tactics = ["Execution"]
+references = ["https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/"]
+techniques = ["T1085"]
+updated_date = "05/17/2019"
+
+[analytic]
+query = '''
+process where subtype.create and
+ process_name == "rundll32.exe" and command_line == "*workerInstance*"
+'''
\ No newline at end of file
diff --git a/eqllib/analytics/execution/T1085-rundll32-kwampirs-exec.toml b/eqllib/analytics/execution/T1085-rundll32-kwampirs-exec.toml
new file mode 100644
index 0000000..32582e6
--- /dev/null
+++ b/eqllib/analytics/execution/T1085-rundll32-kwampirs-exec.toml
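Review bot: The whole detection rests on one command-line substring, `command_line == "*workerInstance*"`, and nothing in the file tells a maintainer what that token is or where it was taken from, so an analyst triaging a hit has to go back to the blog post to judge it; a comment above `query` such as `# rundll32 launched with "workerInstance" on its command line is the FrameworkPOS indicator taken from the referenced report; revisit if the reference is updated` would carry that context into the analytic itself. The same applies to `"*controltrace*"` in the kwampirs analytic in the second hunk. Both new files also end without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge. `created_date` and `updated_date` are written as `"05/17/2019"` strings where TOML has a native date (`2019-05-17`); this form may be what the eqllib metadata loader expects, so change it only if the project schema allows.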
@@ -0,0 +1,19 @@
+[analytic.metadata]
+categories = ["detect"]
+confidence = "high"
+contributors = ["Tony Lambert"]
+created_date = "05/17/2019"
+description = "Identifies execution of rundll32.exe executing an Orangework Kwampirs trojan DLL."
+id = "b7b7a888-7932-11e9-8f5c-d46d6d62a49e"
+name = "Orangeworm Kwampirs DLL Execution"
+os = ["windows"]
+tactics = ["Execution"]
+references = ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"]
+techniques = ["T1085"]
+updated_date = "05/17/2019"
+
+[analytic]
+query = '''
+process where subtype.create and
+ process_name == "rundll32.exe" and command_line == "*controltrace*"
+'''
\ No newline at end of file
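Review bot: The `description` line misspells the actor name as "Orangework" while the `name` line two lines below, and the Symantec URL in `references`, use "Orangeworm"; change it to `description = "Identifies execution of rundll32.exe executing an Orangeworm Kwampirs trojan DLL."`. Anyone searching the analytic library by actor name would otherwise miss this entry through its description.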