Sigma Rule Update (2023-10-30 20:07:30) (#519)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Oct 30, 2023 · 4dbf60b · 4dbf60b
1 parent fa9cb93
commit 4dbf60b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 14 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -9,7 +9,7 @@ references:
     - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/08/03
-modified: 2023/10/24
+modified: 2023/10/29
 tags:
     - attack.discovery
 logsource:
@@ -37,12 +37,15 @@ detection:
             - http://%
             - '%2e'
     selection_ip_3:
-        -   CommandLine|re: https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}(?!.)
-        -   CommandLine|re: https?:\/\/[0-9]{1,3}\.[0-9]{1,8}(?!.)
-        -   CommandLine|re: https?:\/\/[0-9]{1,10}(?!.)
-        -   CommandLine|re: https?:\/\/(0[0-9]{1,11}\.){3}0[0-9]{1,11}
-        -   CommandLine|re: https?:\/\/0[0-9]{1,11}(?!.)
-    condition: process_creation and (selection_command and 1 of selection_ip_*)
+        -   CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}
+        -   CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,8}
+        -   CommandLine|re: https?://[0-9]{1,10}
+        -   CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}
+        -   CommandLine|re: https?://0[0-9]{1,11}
+    filter_main_valid_ip:
+        CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}
+    condition: process_creation and (selection_command and 1 of selection_ip_* and
+        not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: medium

diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -9,7 +9,7 @@ references:
     - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/08/03
-modified: 2023/10/24
+modified: 2023/10/29
 tags:
     - attack.discovery
     - sysmon
@@ -38,12 +38,15 @@ detection:
             - http://%
             - '%2e'
     selection_ip_3:
-        -   CommandLine|re: https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}(?!.)
-        -   CommandLine|re: https?:\/\/[0-9]{1,3}\.[0-9]{1,8}(?!.)
-        -   CommandLine|re: https?:\/\/[0-9]{1,10}(?!.)
-        -   CommandLine|re: https?:\/\/(0[0-9]{1,11}\.){3}0[0-9]{1,11}
-        -   CommandLine|re: https?:\/\/0[0-9]{1,11}(?!.)
-    condition: process_creation and (selection_command and 1 of selection_ip_*)
+        -   CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}
+        -   CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,8}
+        -   CommandLine|re: https?://[0-9]{1,10}
+        -   CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}
+        -   CommandLine|re: https?://0[0-9]{1,11}
+    filter_main_valid_ip:
+        CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}
+    condition: process_creation and (selection_command and 1 of selection_ip_* and
+        not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: medium