Sigma Rule Update (2024-10-28 20:15:07) (#758)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml

@@ -1,4 +1,4 @@
-title: Suspicious Schtasks From Env Var Folder
+title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
 id: 4e18ea92-76c9-f5f4-1980-ea4c976954af
 related:
     - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
@@ -10,9 +10,10 @@ description: Detects Schtask creations that point to a suspicious folder or an e
 references:
     - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
     - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
+    - https://blog.talosintelligence.com/gophish-powerrat-dcrat/
 author: Florian Roth (Nextron Systems)
 date: 2022-02-21
-modified: 2023-11-30
+modified: 2024-10-28
 tags:
     - attack.execution
     - attack.t1053.005
@@ -23,38 +24,40 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection1_create:
+    selection_1_create:
         CommandLine|contains: ' /create '
         NewProcessName|endswith: \schtasks.exe
-    selection1_all_folders:
+    selection_1_all_folders:
         CommandLine|contains:
             - :\Perflogs
+            - :\Users\All Users\
+            - :\Users\Default\
+            - :\Users\Public
             - :\Windows\Temp
             - \AppData\Local\
             - \AppData\Roaming\
-            - \Users\Public
             - '%AppData%'
             - '%Public%'
-    selection2_parent:
+    selection_2_parent:
         ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule
-    selection2_some_folders:
+    selection_2_some_folders:
         CommandLine|contains:
             - :\Perflogs
             - :\Windows\Temp
             - \Users\Public
             - '%Public%'
-    filter_mixed:
-        - CommandLine|contains:
-              - update_task.xml
-              - /Create /TN TVInstallRestore /TR
+    filter_optional_other:
         - ParentCommandLine|contains: unattended.ini
-    filter_avira_install:
+        - CommandLine|contains: update_task.xml
+    filter_optional_team_viewer:
+        CommandLine|contains: /Create /TN TVInstallRestore /TR
+    filter_optional_avira_install:
         # Comment out this filter if you dont use AVIRA
         CommandLine|contains|all:
             - /Create /Xml "C:\Users\
             - \AppData\Local\Temp\.CR.
             - Avira_Security_Installation.xml
-    filter_avira_other:
+    filter_optional_avira_other:
         # Comment out this filter if you dont use AVIRA
         CommandLine|contains|all:
             - /Create /F /TN
@@ -66,12 +69,12 @@ detection:
             - .tmp\WatchdogServiceControlManagerTimeout.xml
             - .tmp\SystrayAutostart.xml
             - .tmp\MaintenanceTask.xml
-    filter_klite_codec:
+    filter_optional_klite_codec:
         CommandLine|contains|all:
             - \AppData\Local\Temp\
             - '/Create /TN "klcp_update" /XML '
             - \klcp_update_task.xml
-    condition: process_creation and (( all of selection1* or all of selection2* ) and not 1 of filter*)
+    condition: process_creation and (( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*)
 falsepositives:
     - Benign scheduled tasks creations or executions that happen often during software installations
     - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders

sigma/builtin/threat-hunting/security/win_security_file_access_browser_credential.yml

@@ -0,0 +1,61 @@
+title: Access To Browser Credential Files By Uncommon Applications - Security
+id: 7619b716-8052-6323-d9c7-87923ef591e6
+related:
+    - id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
+      type: similar
+    - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
+      type: derived
+status: experimental
+description: |
+    Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
+references:
+    - https://ipurple.team/2024/09/10/browser-stored-credentials/
+author: Daniel Koifman (@Koifsec), Nasreddine Bencherchali
+date: 2024-10-21
+tags:
+    - attack.credential-access
+    - attack.t1555.003
+    - detection.threat-hunting
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.'
+detection:
+    security:
+        Channel: Security
+    selection_eid:
+        EventID: 4663
+        ObjectType: File
+        # Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.
+        AccessMask: '0x1'
+    selection_browser_chromium:
+        ObjectName|contains:
+            - \User Data\Default\Login Data
+            - \User Data\Local State
+            - \User Data\Default\Network\Cookies
+    selection_browser_firefox:
+        FileName|endswith:
+            - \cookies.sqlite
+            - \places.sqlite
+            - release\key3.db    # Firefox
+            - release\key4.db    # Firefox
+            - release\logins.json   # Firefox
+    filter_main_system:
+        ProcessName: System
+    filter_main_generic:
+        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
+        ProcessName|startswith:
+            - C:\Program Files (x86)\
+            - C:\Program Files\
+            - C:\Windows\system32\
+            - C:\Windows\SysWOW64\
+    filter_optional_defender:
+        ProcessName|startswith: C:\ProgramData\Microsoft\Windows Defender\
+        ProcessName|endswith:
+            - \MpCopyAccelerator.exe
+            - \MsMpEng.exe
+    condition: security and (selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*)
+falsepositives:
+    - Unknown
+level: low
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml

@@ -1,4 +1,4 @@
-title: Suspicious Schtasks From Env Var Folder
+title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
 id: b924f48e-7962-6bf7-2d54-33233aa67b1b
 related:
     - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
@@ -10,9 +10,10 @@ description: Detects Schtask creations that point to a suspicious folder or an e
 references:
     - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
     - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
+    - https://blog.talosintelligence.com/gophish-powerrat-dcrat/
 author: Florian Roth (Nextron Systems)
 date: 2022-02-21
-modified: 2023-11-30
+modified: 2024-10-28
 tags:
     - attack.execution
     - attack.t1053.005
@@ -24,38 +25,40 @@ detection:
     process_creation:
         EventID: 1
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection1_create:
+    selection_1_create:
         Image|endswith: \schtasks.exe
         CommandLine|contains: ' /create '
-    selection1_all_folders:
+    selection_1_all_folders:
         CommandLine|contains:
             - :\Perflogs
+            - :\Users\All Users\
+            - :\Users\Default\
+            - :\Users\Public
             - :\Windows\Temp
             - \AppData\Local\
             - \AppData\Roaming\
-            - \Users\Public
             - '%AppData%'
             - '%Public%'
-    selection2_parent:
+    selection_2_parent:
         ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule
-    selection2_some_folders:
+    selection_2_some_folders:
         CommandLine|contains:
             - :\Perflogs
             - :\Windows\Temp
             - \Users\Public
             - '%Public%'
-    filter_mixed:
-        - CommandLine|contains:
-              - update_task.xml
-              - /Create /TN TVInstallRestore /TR
+    filter_optional_other:
         - ParentCommandLine|contains: unattended.ini
-    filter_avira_install:
+        - CommandLine|contains: update_task.xml
+    filter_optional_team_viewer:
+        CommandLine|contains: /Create /TN TVInstallRestore /TR
+    filter_optional_avira_install:
         # Comment out this filter if you dont use AVIRA
         CommandLine|contains|all:
             - /Create /Xml "C:\Users\
             - \AppData\Local\Temp\.CR.
             - Avira_Security_Installation.xml
-    filter_avira_other:
+    filter_optional_avira_other:
         # Comment out this filter if you dont use AVIRA
         CommandLine|contains|all:
             - /Create /F /TN
@@ -67,12 +70,12 @@ detection:
             - .tmp\WatchdogServiceControlManagerTimeout.xml
             - .tmp\SystrayAutostart.xml
             - .tmp\MaintenanceTask.xml
-    filter_klite_codec:
+    filter_optional_klite_codec:
         CommandLine|contains|all:
             - \AppData\Local\Temp\
             - '/Create /TN "klcp_update" /XML '
             - \klcp_update_task.xml
-    condition: process_creation and (( all of selection1* or all of selection2* ) and not 1 of filter*)
+    condition: process_creation and (( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*)
 falsepositives:
     - Benign scheduled tasks creations or executions that happen often during software installations
     - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders