Sigma Rule Update (2024-12-15 20:14:42) (#793)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml

@@ -8,9 +8,10 @@ description: Detects certain command line parameters often used during reconnais
 references:
     - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
     - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
 date: 2017-01-01
-modified: 2022-05-13
+modified: 2024-12-14
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -64,6 +65,17 @@ detection:
     selection_susp_wmic_utility:
         OriginalFileName: wmic.exe
         CommandLine|contains: ' /node:'
+    selection_susp_powershell_cli:
+        CommandLine|contains:
+            - ' -enc '
+            - ' -EncodedCommand '
+            - ' -w hidden '
+            - ' -windowstyle hidden'
+            - .WebClient).Download
+        NewProcessName|endswith:
+            - \cmd.exe
+            - \powershell.exe
+            - \pwsh.exe
     selection_susp_misc_discovery_binaries:
         - NewProcessName|endswith:
               - \dsquery.exe

sigma/builtin/threat-hunting/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml

@@ -0,0 +1,36 @@
+title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
+id: 8427e501-af53-a1ba-41a5-0b2d83e199fb
+related:
+    - id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+      type: derived
+status: test
+description: |
+    Detects powershell execution with that make use of to the bxor (Bitwise XOR).
+    Attackers might use as an alternative obfuscation method to Base64 encoded commands.
+    Investigate the CommandLine and process tree to determine if the activity is malicious.
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
+author: Teymur Kheirkhabarov, Harish Segar
+date: 2020-06-29
+modified: 2024-12-11
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: ps_classic_start
+detection:
+    ps_classic_start:
+        EventID: 400
+        Channel: Windows PowerShell
+    selection:
+        Data|contains|all:
+            - HostName=ConsoleHost
+            - ' -bxor '
+    condition: ps_classic_start and selection
+falsepositives:
+    - Unknown
+level: low
+ruletype: Sigma

sigma/sysmon/emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml

@@ -0,0 +1,41 @@
+title: CVE-2024-50623 Exploitation Attempt - Cleo
+id: 9187bdda-948f-a7ce-464d-88216c65bb14
+related:
+    - id: f007b877-02e3-45b7-8501-1b78c2864029
+      type: derived
+status: experimental
+description: |
+    Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+references:
+    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+date: 2024-12-09
+tags:
+    - attack.execution
+    - attack.t1190
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        ParentImage|endswith: \javaw.exe
+        ParentCommandLine|contains:
+            - Harmony
+            - lexicom
+            - VersaLex
+            - VLTrader
+        Image|endswith: \cmd.exe
+        CommandLine|contains:
+            - powershell
+            - ' -enc '
+            - ' -EncodedCommand'
+            - .Download
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml

@@ -8,9 +8,10 @@ description: Detects certain command line parameters often used during reconnais
 references:
     - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
     - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
 date: 2017-01-01
-modified: 2022-05-13
+modified: 2024-12-14
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -65,6 +66,17 @@ detection:
     selection_susp_wmic_utility:
         OriginalFileName: wmic.exe
         CommandLine|contains: ' /node:'
+    selection_susp_powershell_cli:
+        Image|endswith:
+            - \cmd.exe
+            - \powershell.exe
+            - \pwsh.exe
+        CommandLine|contains:
+            - ' -enc '
+            - ' -EncodedCommand '
+            - ' -w hidden '
+            - ' -windowstyle hidden'
+            - .WebClient).Download
     selection_susp_misc_discovery_binaries:
         - Image|endswith:
               - \dsquery.exe