Sigma Rule Update (2024-11-01 20:14:54) (#760)
Co-authored-by: hach1yon <[email protected]>
github-actions[bot] and hach1yon authored Nov 1, 2024
1 parent 4fee6bf commit 3d12acc
Showing 69 changed files with 339 additions and 73 deletions.
@@ -3,7 +3,7 @@ id: 2386a20f-b877-d41b-4f24-5561a8b788d2
related:
- id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
type: derived
status: experimental
status: test
description: |
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
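Review bot: the unchanged description context in this hunk still carries a verb-less sentence, "Commands such as "curl", "wget" in order to download extra payloads."; since the file is being touched for the status bump anyway, it could be reworded to something like "Commands such as "curl" and "wget" are used to download extra payloads." so the three sentences of the description read as one paragraph.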
@@ -5,7 +5,7 @@ related:
type: similar
- id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
type: derived
status: experimental
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
@@ -5,7 +5,7 @@ related:
type: similar
- id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
type: derived
status: experimental
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
@@ -3,7 +3,7 @@ id: 510d0486-0545-9178-93cb-5f5a8c75930b
related:
- id: 786cdae8-fefb-4eb2-9227-04e34060db01
type: derived
status: experimental
status: test
description: |
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
This might indicate potential process injection activity from a beacon or similar mechanisms.
@@ -3,7 +3,7 @@ id: c757a371-d2db-6f87-21a1-9951c4a5e35a
related:
- id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
type: derived
status: experimental
status: test
description: |
Detects the execution of the "cloudflared" binary from a non standard location.
references:
@@ -7,7 +7,7 @@ related:
type: similar
- id: 222129f7-f4dc-4568-b0d2-22440a9639ba
type: derived
status: experimental
status: test
description: |
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
@@ -3,7 +3,7 @@ id: fc4ecc21-82a9-f983-5331-c9e94cfc7cfd
related:
- id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
type: derived
status: experimental
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
- https://github.com/cloudflare/cloudflared
@@ -3,7 +3,7 @@ id: 0fea9c26-5302-3b51-7884-b9ed47e74157
related:
- id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
type: derived
status: experimental
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
- https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
@@ -3,7 +3,7 @@ id: 36f17029-664a-9448-86bb-81a24da07e7e
related:
- id: 7dc2dedd-7603-461a-bc13-15803d132355
type: derived
status: experimental
status: test
description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
@@ -3,7 +3,7 @@ id: 47beff1b-e312-3476-6c22-0805b517fa1f
related:
- id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
type: derived
status: experimental
status: test
description: Detects commandline arguments for executing a child process via dotnet-trace.exe
references:
- https://twitter.com/bohops/status/1740022869198037480
@@ -3,7 +3,7 @@ id: b4e3c1f6-6ba1-48f2-3b3a-a5183ddadbb3
related:
- id: eb2d07d4-49cb-4523-801a-da002df36602
type: derived
status: experimental
status: test
description: |
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
@@ -3,7 +3,7 @@ id: af675749-89e4-ecbe-08aa-846a61be3500
related:
- id: 0e4164da-94bc-450d-a7be-a4b176179f1f
type: derived
status: experimental
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
@@ -5,7 +5,7 @@ related:
type: similar
- id: 811e0002-b13b-4a15-9d00-a613fce66e42
type: derived
status: experimental
status: test
description: |
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
@@ -3,7 +3,7 @@ id: d9100b89-baa5-8f0b-5a28-90217fe41a0f
related:
- id: afe52666-401e-4a02-b4ff-5d128990b8cb
type: derived
status: experimental
status: test
description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
references:
- https://decoded.avast.io/martinchlumecky/png-steganography
@@ -5,7 +5,7 @@ related:
type: similar
- id: 8cbc9475-8d05-4e27-9c32-df960716c701
type: derived
status: experimental
status: test
description: |
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
@@ -3,7 +3,7 @@ id: c4597337-053d-373e-4faa-cc0e1796fde6
related:
- id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0
type: derived
status: experimental
status: test
description: Detects the execution of a renamed "cloudflared" binary.
references:
- https://github.com/cloudflare/cloudflared/releases
@@ -5,7 +5,7 @@ related:
type: derived
- id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
type: derived
status: experimental
status: test
description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
@@ -3,7 +3,7 @@ id: eae2fe25-e367-9c8d-111c-fe4507f8e1be
related:
- id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
type: derived
status: experimental
status: test
description: |
Detects execution of "tar.exe" in order to create a compressed file.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
@@ -3,7 +3,7 @@ id: 740e34bc-7ca6-ebba-db66-9b466f9c7558
related:
- id: bf361876-6620-407a-812f-bfe11e51e924
type: derived
status: experimental
status: test
description: |
Detects execution of "tar.exe" in order to extract compressed file.
Adversaries may abuse various utilities in order to decompress data to avoid detection.
@@ -3,7 +3,7 @@ id: d1521b48-cb82-dd9a-0d90-4e3a69b29fb2
related:
- id: d2eb17db-1d39-41dc-b57f-301f6512fa75
type: derived
status: experimental
status: test
description: |
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
The database might contain authentication tokens and other sensitive information about the logged in accounts.
@@ -5,7 +5,7 @@ related:
type: derived
- id: 9d5a1274-922a-49d0-87f3-8c653483b909
type: derived
status: experimental
status: test
description: |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
@@ -3,7 +3,7 @@ id: 70fe889c-0d1e-71e8-542d-a7ca05a0fef6
related:
- id: b6676963-0353-4f88-90f5-36c20d443c6a
type: derived
status: experimental
status: test
description: |
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
@@ -5,7 +5,7 @@ related:
type: similar
- id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
type: derived
status: experimental
status: test
description: |
Detects registry value settings that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
@@ -3,7 +3,7 @@ id: 536c7bf1-8834-bffb-665e-b945d9a1894b
related:
- id: b86852fb-4c77-48f9-8519-eb1b2c308b59
type: derived
status: experimental
status: test
description: |
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
@@ -9,7 +9,7 @@ related:
type: similar
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814
type: derived
status: experimental
status: test
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
@@ -0,0 +1,57 @@
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: d22a2c0b-fd48-300f-ba44-d6881df81aab
related:
- id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
type: derived
- id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
type: derived
status: test
description: |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://www.forensafe.com/blogs/runmrukey.html
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: registry_set
detection:
registry_set:
EventID: 4657
Channel: Security
selection_key:
ObjectName|contains: \Microsoft\Windows\CurrentVersion\Explorer\RunMRU
selection_powershell_command:
NewValue|contains:
- powershell
- pwsh
selection_powershell_susp_keywords:
NewValue|contains:
- ' -e '
- ' -ec '
- ' -en '
- ' -enc '
- ' -enco'
- ftp
- Hidden
- http
- iex
- Invoke-
selection_wmic_command:
NewValue|contains: wmic
selection_wmic_susp_keywords:
NewValue|contains:
- shadowcopy
- process call create
condition: registry_set and (selection_key and (all of selection_powershell_* or all of selection_wmic_*))
falsepositives:
- Unknown
level: high
ruletype: Sigma
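Review bot: the `registry_set` block keys this rule to Security EventID 4657, which Windows only emits when the Object Access > Audit Registry subcategory is enabled and a SACL covering the `...\Explorer\RunMRU` key requests auditing of value writes; without that configuration the rule never fires, so the prerequisite should be stated in the description rather than left implicit. Two smaller points: the `selection_wmic_*` branch (`wmic` with `shadowcopy` or `process call create`) is WMI rather than PowerShell, so `attack.t1047` belongs next to `attack.t1059.001` in `tags`; and `falsepositives: Unknown` could at least name administrators who launch `powershell` with `-enc` or `Hidden` from the Run dialog, since `http` in the keyword list will also match any URL pasted there.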
@@ -5,7 +5,7 @@ related:
type: similar
- id: c420410f-c2d8-4010-856b-dffe21866437
type: derived
status: experimental
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
2 changes: 1 addition & 1 deletion sigma/builtin/security/win_security_hktl_nofilter.yml
@@ -3,7 +3,7 @@ id: 22d4af9f-97d9-4827-7209-c451ff7f43c6
related:
- id: 7b14c76a-c602-4ae6-9717-eff868153fc0
type: derived
status: experimental
status: test
description: |
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
references:
@@ -3,7 +3,7 @@ id: c7f94c63-6fb7-9686-e2c2-2298c9f56ca9
related:
- id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
type: derived
status: experimental
status: test
description: Detects process handle on LSASS process with certain access mask
references:
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -1,21 +1,23 @@
title: Powershell Exfiltration Over SMTP
title: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
id: 87face0d-1383-7cc4-2da9-2a5da8b81325
related:
- id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
type: derived
status: test
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-09-26
modified: 2024-11-01
tags:
- attack.exfiltration
- attack.t1048.003
- detection.threat-hunting
logsource:
product: windows
category: ps_script
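Review bot: the new title and description now state the `-Attachments` requirement, which matches the narrowed selection later in this file, but the third reference, https://www.ietf.org/rfc/rfc2821.txt, points at the SMTP specification that has been obsoleted by RFC 5321; if the link is meant to document the protocol it should be updated. Minor wording in the added description: "This could be a potential sign of data exfiltration" doubles up ("could be a sign of" is enough).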
@@ -27,11 +29,9 @@ detection:
- Microsoft-Windows-PowerShell/Operational
- PowerShellCore/Operational
selection:
ScriptBlockText|contains: Send-MailMessage
filter:
ScriptBlockText|contains: CmdletsToExport
condition: ps_script and (selection and not filter)
ScriptBlockText|contains: Send-MailMessage*-Attachments
condition: ps_script and selection
falsepositives:
- Legitimate script
- Unknown
level: medium
ruletype: Sigma
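Review bot: the new value `Send-MailMessage*-Attachments` only matches when `-Attachments` appears after the cmdlet name inside the same script block, since Sigma's `*` wildcard spans any amount of text, so a splatted call (`Send-MailMessage @params` with `Attachments` defined in the hashtable earlier) is missed, while a long script block that mentions `Send-MailMessage` once and an unrelated `-Attachments` parameter later still matches. Dropping the `CmdletsToExport` filter is reasonable now that the match needs the parameter, but the splatting gap deserves a line in `description` or `falsepositives` so analysts tuning the rule know its coverage.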