Sigma Rule Update (2023-10-18 20:07:16) (#510)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/category/antivirus/av_hacktool.yml

@@ -80,9 +80,6 @@ detection:
                 - FastReverseProxy
                 - PWDump
     condition: antivirus and selection
-fields:
-    - FileName
-    - User
 falsepositives:
     - Unlikely
 level: high

sigma/builtin/category/antivirus/av_password_dumper.yml

@@ -57,9 +57,6 @@ detection:
                 - PWSX
                 - PWS.
     condition: antivirus and selection
-fields:
-    - FileName
-    - User
 falsepositives:
     - Unlikely
 level: critical

sigma/builtin/category/antivirus/av_webshell.yml

@@ -100,9 +100,6 @@ detection:
                 - PShlSpy
                 - C99shell
     condition: antivirus and selection
-fields:
-    - FileName
-    - User
 falsepositives:
     - Unlikely
 level: high

sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml

@@ -34,9 +34,6 @@ detection:
     selection_img:
         NewProcessName|endswith: Temp\winwsh.exe
     condition: process_creation and (1 of selection_*)
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Unlikely
 level: high

sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml

@@ -9,7 +9,7 @@ references:
     - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2023/09/13
+modified: 2023/10/18
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -34,6 +34,7 @@ detection:
                 - wevtutil.exe
                 - C:\WINDOWS\system32\wevtutil.exe
                 - C:\Windows\System32\WerFault.exe
+                - C:\Windows\System32\WerFaultSecure.ex
         -   NewProcessName|endswith: \AppData\Local\Temp\Sysmon.exe
     filter_main_null:
         NewProcessName: null

sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml

@@ -1,10 +1,15 @@
 title: DarkGate - Autoit3.EXE Execution Parameters
 id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
 status: experimental
-description: "Detects execution of the legitimate Autoit3 utility from a suspicious\
-    \ parent process. AutoIt3.exe is used within \nthe DarkGate infection chain to\
-    \ execute shellcode that performs process injection and connects to the DarkGate\
-    \ \ncommand-and-control server.\n"
+description: 'Detects execution of the legitimate Autoit3 utility from a suspicious
+    parent process. AutoIt3.exe is used within
+
+    the DarkGate infection chain to execute shellcode that performs process injection
+    and connects to the DarkGate
+
+    command-and-control server.
+
+    '
 references:
     - https://github.security.telekom.com/2023/08/darkgate-loader.html
     - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware

sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml

@@ -4,10 +4,15 @@ related:
     -   id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
         type: derived
 status: test
-description: "focuses on trivial artifacts observed in variants of prevalent offensive\
-    \ ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,\
-    \ Powersploit, and other attack payloads \nthat often undergo minimal changes\
-    \ by attackers due to bad opsec.\n"
+description: 'focuses on trivial artifacts observed in variants of prevalent offensive
+    ps1 payloads, including
+
+    Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other
+    attack payloads
+
+    that often undergo minimal changes by attackers due to bad opsec.
+
+    '
 references:
     - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
     - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/

sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml

@@ -8,7 +8,7 @@ references:
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community,
     Nasreddine Bencherchali
 date: 2017/11/27
-modified: 2023/01/10
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -80,6 +80,7 @@ detection:
         -   NewProcessName:
                 - C:\Windows\explorer.exe
                 - C:\Program Files\PowerShell\7\pwsh.exe
+                - C:\Program Files\PowerShell\7-preview\pwsh.exe
     filter_wsl_windowsapps:
         NewProcessName|startswith: C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux
         NewProcessName|endswith: \wsl.exe

sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml

@@ -1,10 +1,15 @@
 title: Tasks Folder Evasion
 id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
 status: test
-description: "The Tasks folder in system32 and syswow64 are globally writable paths.\n\
-    Adversaries can take advantage of this and load or influence any script hosts\
-    \ or ANY .NET Application \nin Tasks to load and execute a custom assembly into\
-    \ cscript, wscript, regsvr32, mshta, eventvwr\n"
+description: 'The Tasks folder in system32 and syswow64 are globally writable paths.
+
+    Adversaries can take advantage of this and load or influence any script hosts
+    or ANY .NET Application
+
+    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32,
+    mshta, eventvwr
+
+    '
 references:
     - https://twitter.com/subTee/status/1216465628946563073
     - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26

sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml

@@ -31,10 +31,5 @@ detection:
     condition: registry_event and (selection and not filter)
 falsepositives:
     - Unknown
-fields:
-    - EventID
-    - Image
-    - TargetObject
-    - NewName
 level: medium
 ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml

@@ -72,11 +72,6 @@ detection:
             - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
         Image|endswith: \OfficeClickToRun.exe
     condition: registry_set and (main_selection and not 1 of filter_*)
-fields:
-    - SecurityID
-    - ObjectName
-    - OldValueType
-    - NewValueType
 falsepositives:
     - Legitimate software automatically (mostly, during installation) sets up autorun
         keys for legitimate reason

sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml

@@ -144,11 +144,6 @@ detection:
         TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
         Details|endswith: \Everything\Everything.exe" -startup
     condition: registry_set and (all of current_version_* and not 1 of filter_*)
-fields:
-    - SecurityID
-    - ObjectName
-    - OldValueType
-    - NewValueType
 falsepositives:
     - Legitimate software automatically (mostly, during installation) sets up autorun
         keys for legitimate reason

sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml

@@ -0,0 +1,29 @@
+title: PowerShell Script Execution Policy Enabled
+id: 8218c875-90b9-42e2-b60d-0b0069816d10
+related:
+    -   id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+        type: derived
+status: experimental
+description: Detects the enabling of the PowerShell script execution policy. Once
+    enabled, this policy allows scripts to be executed.
+references:
+    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
+author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
+date: 2023/10/18
+tags:
+    - attack.execution
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection:
+        TargetObject|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts
+        Details: DWORD (0x00000001)
+    condition: registry_set and selection
+falsepositives:
+    - Likely
+level: low
+ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml

@@ -14,7 +14,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
-modified: 2023/08/17
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
 logsource:
@@ -32,11 +32,11 @@ detection:
             - Bypass
             - RemoteSigned
             - Unrestricted
-    filter_svchost:
-        Image|startswith:
-            - C:\Windows\System32\
-            - C:\Windows\SysWOW64\
-    condition: registry_set and (selection and not 1 of filter_*)
+    filter_main_svchost:
+        Image|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+    condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: medium

sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml

@@ -0,0 +1,62 @@
+title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
+id: ce2c44b5-a6ac-412a-afba-9e89326fa972
+related:
+    -   id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
+        type: similar
+status: experimental
+description: 'Detects execution of regsvr32 with the silent flag and no other flags
+    on a DLL located in an uncommon or potentially suspicious location.
+
+    When Regsvr32 is called in such a way, it implicitly calls the DLL export function
+    ''DllRegisterServer''.
+
+    '
+references:
+    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+    - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
+    - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+    - https://ss64.com/nt/regsvr32.html
+author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/17
+tags:
+    - attack.execution
+    - attack.t1218
+    - detection.threat_hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_image:
+        -   NewProcessName|endswith: \regsvr32.exe
+        -   OriginalFileName: REGSVR32.EXE
+    selection_cmdline:
+        CommandLine|contains:
+            - ' /s '
+            - ' /e '
+    filter_main_paths:
+        -   CommandLine|contains:
+                - :\Program Files (x86)
+                - :\Program Files\
+                - :\Windows\System32\
+                - :\Windows\SysWOW64\
+        -   CurrentDirectory|contains:
+                - :\Program Files (x86)
+                - :\Program Files\
+                - :\Windows\System32\
+                - :\Windows\SysWOW64\
+    filter_main_other_flags:
+        CommandLine|contains:
+            - ' /i:'
+            - '/U '
+    filter_main_rpcproxy:
+        ParentCommandLine|endswith: :\Windows\System32\RpcProxy\RpcProxy.dll
+        CommandLine: regsvr32 /s rpcproxy.dll
+    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+    - Legitimate usage as part of application installation, but less likely from e.g.
+        temporary paths.
+level: medium
+ruletype: Sigma

sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml

@@ -0,0 +1,47 @@
+title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
+related:
+    -   id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
+        type: similar
+status: experimental
+description: 'Detects when the DLL export function ''DllRegisterServer'' is called
+    in the commandline by Rundll32 explicitly where the DLL is located in a non-standard
+    path.
+
+    '
+references:
+    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+    - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
+    - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/17
+tags:
+    - attack.execution
+    - attack.t1218
+    - detection.threat_hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_image:
+        -   NewProcessName|endswith: \rundll32.exe
+        -   OriginalFileName: RUNDLL32.EXE
+    selection_cmdline:
+        CommandLine|contains: DllRegisterServer
+    filter_main_legit_paths:
+        CommandLine|contains:
+            - :\Program Files (x86)
+            - :\Program Files\
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+    - Legitimate usage as part of application installation, but less likely from e.g.
+        temporary paths.
+    - Not every instance is considered malicious, but this rule will capture the malicious
+        usages.
+level: medium
+ruletype: Sigma

sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml

@@ -35,9 +35,6 @@ detection:
     selection_img:
         Image|endswith: Temp\winwsh.exe
     condition: process_creation and (1 of selection_*)
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Unlikely
 level: high

sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml

@@ -2,7 +2,7 @@ title: CVE-2021-26858 Exchange Exploitation
 id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
 status: test
 description: "Detects possible successful exploitation for vulnerability described\
-    \ in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by\
+    \ in CVE-2021-26858 by looking for\ncreation of non-standard files on disk by\
     \ Exchange Server\u2019s Unified Messaging service\nwhich could indicate dropping\
     \ web shells or other malicious content\n"
 references:

sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml

@@ -9,7 +9,7 @@ references:
     - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2023/09/13
+modified: 2023/10/18
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -35,6 +35,7 @@ detection:
                 - wevtutil.exe
                 - C:\WINDOWS\system32\wevtutil.exe
                 - C:\Windows\System32\WerFault.exe
+                - C:\Windows\System32\WerFaultSecure.ex
         -   Image|endswith: \AppData\Local\Temp\Sysmon.exe
     filter_main_null:
         Image: null

sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml

@@ -1,12 +1,18 @@
 title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
 id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
 status: experimental
-description: "Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious\
-    \ processes used to create Autoit3.exe. \nThis activity has been associated with\
-    \ DarkGate malware, which uses Autoit3.exe to execute shellcode that performs\
-    \ \nprocess injection and connects to the DarkGate command-and-control server.\
-    \ Curl, KeyScramblerLogon, and these other \nprocesses consitute non-standard\
-    \ and suspicious ways to retrieve the Autoit3 executable.\n"
+description: 'Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious
+    processes used to create Autoit3.exe.
+
+    This activity has been associated with DarkGate malware, which uses Autoit3.exe
+    to execute shellcode that performs
+
+    process injection and connects to the DarkGate command-and-control server. Curl,
+    KeyScramblerLogon, and these other
+
+    processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
+
+    '
 references:
     - https://github.security.telekom.com/2023/08/darkgate-loader.html
     - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware