Sigma Rule Update (2023-11-20 20:08:06) (#536)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Nov 20, 2023 · 273462e · 273462e
1 parent 3bffc96
commit 273462e
Show file tree

Hide file tree

Showing 14 changed files with 431 additions and 102 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
@@ -7,7 +7,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2023/10/11
+modified: 2023/11/14
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -56,9 +56,6 @@ detection:
             - C:\Windows\Installer\MSI
             - .tmp
             - zzzzInvokeManagedCustomActionOutOfProc
-        CommandLine|contains:
-            - Avira.OE.Setup
-            - FindOldJetBrainsProduct
     condition: process_creation and (selection and not 1 of filter_*)
 fields:
     - NewProcessName

diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -0,0 +1,79 @@
+title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+related:
+    -   id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+        type: derived
+status: experimental
+description: 'Detects execution of different log query utilities to search and dump
+    the content of specific event logs or look for specific event IDs.
+
+    '
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
+    - https://www.group-ib.com/blog/apt41-world-tour-2021/
+    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2022/09/09
+modified: 2023/11/20
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1552
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_wmi:
+        CommandLine|contains|all:
+            - Select
+            - Win32_NTLogEvent
+    selection_wevtutil_img:
+        -   NewProcessName|endswith: \wevtutil.exe
+        -   OriginalFileName: wevtutil.exe
+    selection_wevtutil_cli:
+        CommandLine|contains:
+            - ' qe '
+            - ' query-events '
+    selection_wmic_img:
+        -   NewProcessName|endswith: \wevtutil.exe
+        -   OriginalFileName: wevtutil.exe
+    selection_wmic_cli:
+        CommandLine|contains: ' ntevent'
+    selection_cmdlet:
+        CommandLine|contains:
+            - 'Get-WinEvent '
+            - 'get-eventlog '
+    selection_logs_name:
+        CommandLine|contains:
+            - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+            - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational
+            - Security
+    selection_logs_eid:
+        CommandLine|contains:
+            - -InstanceId 4624
+            - System[EventID=4624]
+            - EventCode=?4624?
+            - EventIdentifier=?4624?
+            - -InstanceId 4778
+            - System[EventID=4778]
+            - EventCode=?4778?
+            - EventIdentifier=?4778?
+            - -InstanceId 25
+            - System[EventID=25]
+            - EventCode=?25?
+            - EventIdentifier=?25?
+    condition: process_creation and (1 of selection_logs_* and (selection_wmi or all
+        of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet))
+falsepositives:
+    - Legitimate usage of the utility by administrators to query the event log
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wevtutil_recon.yml b/sigma/builtin/process_creation/proc_creation_win_wevtutil_recon.yml
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
@@ -7,9 +7,11 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
     - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
     - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
-author: frack113, Nasreddine Bencherchali
+    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
+author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
 date: 2022/03/18
-modified: 2023/08/17
+modified: 2023/11/20
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -22,21 +24,23 @@ detection:
         Channel: Security
     selection_set_1:
         TargetObject|endswith:
+            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
+            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
+            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
             - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
-            - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
             - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr
+            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
+            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
             - SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
-            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
-            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
-            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
+            - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
         Details: DWORD (0x00000001)
     selection_set_0:
         TargetObject|endswith:
-            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
             - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+            - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
             - SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
-            - \SYSTEM\CurrentControlSet\Control\Storage\Write Protection
-            - \SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
+            - SYSTEM\CurrentControlSet\Control\Storage\Write Protection
+            - SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
         Details: DWORD (0x00000000)
     condition: registry_set and (1 of selection_set_*)
 falsepositives:

diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml
@@ -0,0 +1,55 @@
+title: EventLog Query Requests By Builtin Utilities
+id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+related:
+    -   id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+        type: derived
+status: experimental
+description: 'Detect attempts to query the contents of the event log using command
+    line utilities. Attackers use this technique in order to look for sensitive information
+    in the logs such as passwords, usernames, IPs, etc.
+
+    '
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/20
+tags:
+    - attack.t1552
+    - attack.credential_access
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_wmi:
+        CommandLine|contains|all:
+            - Select
+            - Win32_NTLogEvent
+    selection_wevtutil_img:
+        -   NewProcessName|endswith: \wevtutil.exe
+        -   OriginalFileName: wevtutil.exe
+    selection_wevtutil_cli:
+        CommandLine|contains:
+            - ' qe '
+            - ' query-events '
+    selection_wmic_img:
+        -   NewProcessName|endswith: \wevtutil.exe
+        -   OriginalFileName: wevtutil.exe
+    selection_wmic_cli:
+        CommandLine|contains: ' ntevent'
+    selection_cmdlet:
+        CommandLine|contains:
+            - 'Get-WinEvent '
+            - 'get-eventlog '
+    condition: process_creation and (selection_wmi or all of selection_wevtutil_*
+        or all of selection_wmic_* or selection_cmdlet)
+falsepositives:
+    - Legitimate log access by administrators or troubleshooting tools
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml b/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml
@@ -0,0 +1,39 @@
+title: DNS Query To Devtunnels Domain
+id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+related:
+    -   id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+        type: similar
+    -   id: 4b657234-038e-4ad5-997c-4be42340bce4
+        type: similar
+    -   id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+        type: similar
+status: experimental
+description: 'Detects DNS query requests to Devtunnels domains. Attackers can abuse
+    that feature to establish a reverse shell or persistence on a machine.
+
+    '
+references:
+    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+    - https://cydefops.com/devtunnels-unleashed
+author: citron_ninja
+date: 2023/10/25
+modified: 2023/11/20
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - sysmon
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    dns_query:
+        EventID: 22
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        QueryName|endswith: .devtunnels.ms
+    condition: dns_query and selection
+falsepositives:
+    - Legitimate use of Devtunnels will also trigger this.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml b/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -1,17 +1,24 @@
-title: DNS Query To Devtunnels And VsCode Tunnels
+title: DNS Query To Visual Studio Code Tunnels Domain
 id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+related:
+    -   id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+        type: similar
+    -   id: 4b657234-038e-4ad5-997c-4be42340bce4
+        type: similar
+    -   id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+        type: similar
 status: experimental
-description: 'Detects DNS query to Devtunnels and Visual Studio Code tunnel domains.
-    Attackers can be abuse these features to establish a reverse shell.
+description: 'Detects DNS query requests to Visual Studio Code tunnel domains. Attackers
+    can abuse that feature to establish a reverse shell or persistence on a machine.
 
     '
 references:
     - https://ipfyx.fr/post/visual-studio-code-tunnel/
     - https://badoption.eu/blog/2023/01/31/code_c2.html
-    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
-    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+    - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
 date: 2023/10/25
+modified: 2023/11/20
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -24,11 +31,9 @@ detection:
         EventID: 22
         Channel: Microsoft-Windows-Sysmon/Operational
     selection:
-        QueryName|endswith:
-            - .tunnels.api.visualstudio.com
-            - .devtunnels.ms
+        QueryName|endswith: .tunnels.api.visualstudio.com
     condition: dns_query and selection
 falsepositives:
-    - Legitimate use of Visual Studio Code tunnel will also trigger this
+    - Legitimate use of Visual Studio Code tunnel will also trigger this.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml b/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml
@@ -0,0 +1,40 @@
+title: Network Connection Initiated To DevTunnels Domain
+id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+related:
+    -   id: 4b657234-038e-4ad5-997c-4be42340bce4
+        type: similar
+    -   id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+        type: similar
+    -   id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+        type: similar
+status: experimental
+description: 'Detects network connections to Devtunnels domains initiated by a process
+    on a system. Attackers can abuse that feature to establish a reverse shell or
+    persistence on a machine.
+
+    '
+references:
+    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+    - https://cydefops.com/devtunnels-unleashed
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+    - sysmon
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    network_connection:
+        EventID: 3
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith: .devtunnels.ms
+    condition: network_connection and selection
+falsepositives:
+    - Legitimate use of Devtunnels will also trigger this.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml b/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml
@@ -0,0 +1,40 @@
+title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+id: 4b657234-038e-4ad5-997c-4be42340bce4
+related:
+    -   id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+        type: similar
+    -   id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+        type: similar
+    -   id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+        type: similar
+status: experimental
+description: 'Detects network connections to Visual Studio Code tunnel domains initiated
+    by a process on a system. Attackers can abuse that feature to establish a reverse
+    shell or persistence on a machine.
+
+    '
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://cydefops.com/vscode-data-exfiltration
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+    - sysmon
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    network_connection:
+        EventID: 3
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith: .tunnels.api.visualstudio.com
+    condition: network_connection and selection
+falsepositives:
+    - Legitimate use of Visual Studio Code tunnel will also trigger this.
+level: medium
+ruletype: Sigma