diff --git a/sigma/builtin/category/antivirus/av_hacktool.yml b/sigma/builtin/category/antivirus/av_hacktool.yml
index 02568289a..981daeb5c 100644
--- a/sigma/builtin/category/antivirus/av_hacktool.yml
+++ b/sigma/builtin/category/antivirus/av_hacktool.yml
@@ -80,9 +80,6 @@ detection:
- FastReverseProxy
- PWDump
condition: antivirus and selection
-fields:
- - FileName
- - User
falsepositives:
- Unlikely
level: high
diff --git a/sigma/builtin/category/antivirus/av_password_dumper.yml b/sigma/builtin/category/antivirus/av_password_dumper.yml
index 5f0fb0766..e704e4769 100644
--- a/sigma/builtin/category/antivirus/av_password_dumper.yml
+++ b/sigma/builtin/category/antivirus/av_password_dumper.yml
@@ -57,9 +57,6 @@ detection:
- PWSX
- PWS.
condition: antivirus and selection
-fields:
- - FileName
- - User
falsepositives:
- Unlikely
level: critical
diff --git a/sigma/builtin/category/antivirus/av_webshell.yml b/sigma/builtin/category/antivirus/av_webshell.yml
index ba177790d..f7388a5a9 100644
--- a/sigma/builtin/category/antivirus/av_webshell.yml
+++ b/sigma/builtin/category/antivirus/av_webshell.yml
@@ -100,9 +100,6 @@ detection:
- PShlSpy
- C99shell
condition: antivirus and selection
-fields:
- - FileName
- - User
falsepositives:
- Unlikely
level: high
diff --git a/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
index dcc5ce17b..60036d28b 100644
--- a/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
+++ b/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
@@ -34,9 +34,6 @@ detection:
selection_img:
NewProcessName|endswith: Temp\winwsh.exe
condition: process_creation and (1 of selection_*)
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Unlikely
level: high
diff --git a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index fcf7bf7b6..16c1fa3db 100644
--- a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -9,7 +9,7 @@ references:
- https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022/11/10
-modified: 2023/09/13
+modified: 2023/10/18
tags:
- attack.privilege_escalation
- attack.t1068
@@ -34,6 +34,7 @@ detection:
- wevtutil.exe
- C:\WINDOWS\system32\wevtutil.exe
- C:\Windows\System32\WerFault.exe
+ - C:\Windows\System32\WerFaultSecure.ex
- NewProcessName|endswith: \AppData\Local\Temp\Sysmon.exe
filter_main_null:
NewProcessName: null
diff --git a/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
index 6aaa97208..9b3532f76 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
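Review bot: The allow-list value added in the second hunk, `C:\Windows\System32\WerFaultSecure.ex`, looks truncated next to its siblings `WerFault.exe` and `wevtutil.exe`; if the field it belongs to uses an exact or endswith match (the field line is above the hunk, so I cannot confirm the modifier from here), the entry can never equal a real image path and the WerFaultSecure false positive it is meant to suppress stays unsuppressed. Suggest `- C:\Windows\System32\WerFaultSecure.exe`. The same truncated value is added to the sysmon variant of this rule further down in the commit.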
@@ -1,10 +1,15 @@
title: DarkGate - Autoit3.EXE Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
-description: "Detects execution of the legitimate Autoit3 utility from a suspicious\
- \ parent process. AutoIt3.exe is used within \nthe DarkGate infection chain to\
- \ execute shellcode that performs process injection and connects to the DarkGate\
- \ \ncommand-and-control server.\n"
+description: 'Detects execution of the legitimate Autoit3 utility from a suspicious
+ parent process. AutoIt3.exe is used within
+
+ the DarkGate infection chain to execute shellcode that performs process injection
+ and connects to the DarkGate
+
+ command-and-control server.
+
+ '
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index e3a83edcb..0727f99ad 100644
--- a/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -4,10 +4,15 @@ related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: test
-description: "focuses on trivial artifacts observed in variants of prevalent offensive\
- \ ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,\
- \ Powersploit, and other attack payloads \nthat often undergo minimal changes\
- \ by attackers due to bad opsec.\n"
+description: 'focuses on trivial artifacts observed in variants of prevalent offensive
+ ps1 payloads, including
+
+ Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other
+ attack payloads
+
+ that often undergo minimal changes by attackers due to bad opsec.
+
+ '
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 876f524e7..73229d3df 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -8,7 +8,7 @@ references:
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
date: 2017/11/27
-modified: 2023/01/10
+modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1036
@@ -80,6 +80,7 @@ detection:
- NewProcessName:
- C:\Windows\explorer.exe
- C:\Program Files\PowerShell\7\pwsh.exe
+ - C:\Program Files\PowerShell\7-preview\pwsh.exe
filter_wsl_windowsapps:
NewProcessName|startswith: C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux
NewProcessName|endswith: \wsl.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index f0cfde3ca..480e26c71 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -1,10 +1,15 @@
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
-description: "The Tasks folder in system32 and syswow64 are globally writable paths.\n\
- Adversaries can take advantage of this and load or influence any script hosts\
- \ or ANY .NET Application \nin Tasks to load and execute a custom assembly into\
- \ cscript, wscript, regsvr32, mshta, eventvwr\n"
+description: 'The Tasks folder in system32 and syswow64 are globally writable paths.
+
+ Adversaries can take advantage of this and load or influence any script hosts
+ or ANY .NET Application
+
+ in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32,
+ mshta, eventvwr
+
+ '
references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
diff --git a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 9888bf9d2..0bcc40ab8 100644
--- a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -31,10 +31,5 @@ detection:
condition: registry_event and (selection and not filter)
falsepositives:
- Unknown
-fields:
- - EventID
- - Image
- - TargetObject
- - NewName
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 2cdace66a..ff8d3cf45 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -72,11 +72,6 @@ detection:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
Image|endswith: \OfficeClickToRun.exe
condition: registry_set and (main_selection and not 1 of filter_*)
-fields:
- - SecurityID
- - ObjectName
- - OldValueType
- - NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 9830624c4..c285adaab 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -144,11 +144,6 @@ detection:
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
Details|endswith: \Everything\Everything.exe" -startup
condition: registry_set and (all of current_version_* and not 1 of filter_*)
-fields:
- - SecurityID
- - ObjectName
- - OldValueType
- - NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
new file mode 100644
index 000000000..ef08119fa
--- /dev/null
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
@@ -0,0 +1,29 @@
+title: PowerShell Script Execution Policy Enabled
+id: 8218c875-90b9-42e2-b60d-0b0069816d10
+related:
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+ type: derived
+status: experimental
+description: Detects the enabling of the PowerShell script execution policy. Once
+ enabled, this policy allows scripts to be executed.
+references:
+ - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
+author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
+date: 2023/10/18
+tags:
+ - attack.execution
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ TargetObject|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts
+ Details: DWORD (0x00000001)
+ condition: registry_set and selection
+falsepositives:
+ - Likely
+level: low
+ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml
index fdba81276..98b87646e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -14,7 +14,7 @@ references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/11
-modified: 2023/08/17
+modified: 2023/10/18
tags:
- attack.defense_evasion
logsource:
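Review bot: The new builtin rule matches `Details: DWORD (0x00000001)` as an exact string, which is the Sysmon-style rendering of a DWORD; whether the Security 4657 path delivers the new value in that same form depends on this converter's field mapping, which is not visible here, so please confirm the selection against a real 4657 event before relying on it. As far as I know 4657 is also only generated for keys that carry an audit SACL under an enabled object-access audit policy, and neither the description nor falsepositives mention that prerequisite; consider appending `Requires registry auditing (SACL) on the PowerShell policy key; Security EventID 4657 is not generated otherwise.` to the description. The sysmon variant of this rule later in the commit (EventID 13) is not affected by either point.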
@@ -32,11 +32,11 @@ detection:
- Bypass
- RemoteSigned
- Unrestricted
- filter_svchost:
- Image|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- condition: registry_set and (selection and not 1 of filter_*)
+ filter_main_svchost:
+ Image|contains:
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ condition: registry_set and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
new file mode 100644
index 000000000..85a9b1aa6
--- /dev/null
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
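Review bot: `filter_main_svchost` excludes every image whose path contains `:\Windows\System32\` or `:\Windows\SysWOW64\`, not svchost.exe specifically, so any System32-resident tool that writes the ExecutionPolicy value is suppressed together with Group Policy processing; this was already true of the old `startswith` form, and the rename plus the drive-letter drop does not narrow it. If the filter is meant for GPO refresh through svchost, as its name says, pin it by adding `Image|endswith: \svchost.exe` beneath the `Image|contains:` list so both conditions must hold. The sysmon copy of this rule further down in the commit carries the same filter.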
@@ -0,0 +1,62 @@
+title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
+id: ce2c44b5-a6ac-412a-afba-9e89326fa972
+related:
+ - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
+ type: similar
+status: experimental
+description: 'Detects execution of regsvr32 with the silent flag and no other flags
+ on a DLL located in an uncommon or potentially suspicious location.
+
+ When Regsvr32 is called in such a way, it implicitly calls the DLL export function
+ ''DllRegisterServer''.
+
+ '
+references:
+ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+ - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
+ - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+ - https://ss64.com/nt/regsvr32.html
+author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/17
+tags:
+ - attack.execution
+ - attack.t1218
+ - detection.threat_hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_image:
+ - NewProcessName|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
+ selection_cmdline:
+ CommandLine|contains:
+ - ' /s '
+ - ' /e '
+ filter_main_paths:
+ - CommandLine|contains:
+ - :\Program Files (x86)
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ - CurrentDirectory|contains:
+ - :\Program Files (x86)
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ filter_main_other_flags:
+ CommandLine|contains:
+ - ' /i:'
+ - '/U '
+ filter_main_rpcproxy:
+ ParentCommandLine|endswith: :\Windows\System32\RpcProxy\RpcProxy.dll
+ CommandLine: regsvr32 /s rpcproxy.dll
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Legitimate usage as part of application installation, but less likely from e.g.
+level: medium +ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml new file mode 100644 index 000000000..82144b165 --- /dev/null +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml 
@@ -0,0 +1,47 @@
+title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
+related:
+ - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
+ type: similar
+status: experimental
+description: 'Detects when the DLL export function ''DllRegisterServer'' is called
+ in the commandline by Rundll32 explicitly where the DLL is located in a non-standard
+ path.
+
+ '
+references:
+ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+ - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
+ - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/17
+tags:
+ - attack.execution
+ - attack.t1218
+ - detection.threat_hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_image:
+ - NewProcessName|endswith: \rundll32.exe
+ - OriginalFileName: RUNDLL32.EXE
+ selection_cmdline:
+ CommandLine|contains: DllRegisterServer
+ filter_main_legit_paths:
+ CommandLine|contains:
+ - :\Program Files (x86)
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Legitimate usage as part of application installation, but less likely from e.g.
+ temporary paths.
+ - Not every instance is considered malicious, but this rule will capture the malicious
+ usages.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
index 2ac63317f..b51346e16 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
@@ -35,9 +35,6 @@ detection:
selection_img:
Image|endswith: Temp\winwsh.exe
condition: process_creation and (1 of selection_*)
-fields:
- - CommandLine
- - ParentCommandLine
falsepositives:
- Unlikely
level: high
diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
index ec8098af0..9f3550cff 100644
--- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
+++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
@@ -2,7 +2,7 @@ title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
description: "Detects possible successful exploitation for vulnerability described\
- \ in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by\
+ \ in CVE-2021-26858 by looking for\ncreation of non-standard files on disk by\
\ Exchange Server\u2019s Unified Messaging service\nwhich could indicate dropping\
\ web shells or other malicious content\n"
references:
diff --git a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index 7564260b5..b8e130a9d 100644
--- a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -9,7 +9,7 @@ references:
- https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022/11/10
-modified: 2023/09/13
+modified: 2023/10/18
tags:
- attack.privilege_escalation
- attack.t1068
@@ -35,6 +35,7 @@ detection:
- wevtutil.exe
- C:\WINDOWS\system32\wevtutil.exe
- C:\Windows\System32\WerFault.exe
+ - C:\Windows\System32\WerFaultSecure.ex
- Image|endswith: \AppData\Local\Temp\Sysmon.exe
filter_main_null:
Image: null
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
index cea0a9b49..ff4bc533f 100644
--- a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
+++ b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
@@ -1,12 +1,18 @@
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: experimental
-description: "Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious\
- \ processes used to create Autoit3.exe. \nThis activity has been associated with\
- \ DarkGate malware, which uses Autoit3.exe to execute shellcode that performs\
- \ \nprocess injection and connects to the DarkGate command-and-control server.\
- \ Curl, KeyScramblerLogon, and these other \nprocesses consitute non-standard\
- \ and suspicious ways to retrieve the Autoit3 executable.\n"
+description: 'Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious
+ processes used to create Autoit3.exe.
+
+ This activity has been associated with DarkGate malware, which uses Autoit3.exe
+ to execute shellcode that performs
+
+ process injection and connects to the DarkGate command-and-control server. Curl,
+ KeyScramblerLogon, and these other
+
+ processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
+
+ '
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
index 56e92ae43..3a84676df 100644
--- a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
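Review bot: The rewritten description carries the typo `consitute` over from the old text (`processes consitute non-standard and suspicious ways`); since the hunk re-serialises the whole scalar anyway, change it to `constitute`. The blank lines inside the new single-quoted scalar each keep a newline in the middle of a sentence (`performs` / `process injection`), which mirrors the old `\n` escapes, so that part is behaviourally unchanged and only reads oddly in the source.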
@@ -1,10 +1,15 @@
title: DarkGate - Autoit3.EXE Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
-description: "Detects execution of the legitimate Autoit3 utility from a suspicious\
- \ parent process. AutoIt3.exe is used within \nthe DarkGate infection chain to\
- \ execute shellcode that performs process injection and connects to the DarkGate\
- \ \ncommand-and-control server.\n"
+description: 'Detects execution of the legitimate Autoit3 utility from a suspicious
+ parent process. AutoIt3.exe is used within
+
+ the DarkGate infection chain to execute shellcode that performs process injection
+ and connects to the DarkGate
+
+ command-and-control server.
+
+ '
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 1cd0fd9ee..b7e450bcd 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -8,7 +8,7 @@ references:
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
date: 2017/11/27
-modified: 2023/01/10
+modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1036
@@ -81,6 +81,7 @@ detection:
- Image:
- C:\Windows\explorer.exe
- C:\Program Files\PowerShell\7\pwsh.exe
+ - C:\Program Files\PowerShell\7-preview\pwsh.exe
filter_wsl_windowsapps:
Image|startswith: C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux
Image|endswith: \wsl.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index 04a644aab..42eba1ea0 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -1,10 +1,15 @@
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
-description: "The Tasks folder in system32 and syswow64 are globally writable paths.\n\
- Adversaries can take advantage of this and load or influence any script hosts\
- \ or ANY .NET Application \nin Tasks to load and execute a custom assembly into\
- \ cscript, wscript, regsvr32, mshta, eventvwr\n"
+description: 'The Tasks folder in system32 and syswow64 are globally writable paths.
+
+ Adversaries can take advantage of this and load or influence any script hosts
+ or ANY .NET Application
+
+ in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32,
+ mshta, eventvwr
+
+ '
references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
diff --git a/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 4f13a814b..e922eba9c 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -35,10 +35,5 @@ detection:
condition: registry_event and (selection and not filter)
falsepositives:
- Unknown
-fields:
- - EventID
- - Image
- - TargetObject
- - NewName
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index a1d65e333..a6500843e 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -73,11 +73,6 @@ detection:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
Image|endswith: \OfficeClickToRun.exe
condition: registry_set and (main_selection and not 1 of filter_*)
-fields:
- - SecurityID
- - ObjectName
- - OldValueType
- - NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 3aa4f17d5..d1b3d126c 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -145,11 +145,6 @@ detection:
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
Details|endswith: \Everything\Everything.exe" -startup
condition: registry_set and (all of current_version_* and not 1 of filter_*)
-fields:
- - SecurityID
- - ObjectName
- - OldValueType
- - NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
diff --git a/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
new file mode 100644
index 000000000..be481bf29
--- /dev/null
+++ b/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
@@ -0,0 +1,30 @@
+title: PowerShell Script Execution Policy Enabled
+id: 8218c875-90b9-42e2-b60d-0b0069816d10
+related:
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+ type: derived
+status: experimental
+description: Detects the enabling of the PowerShell script execution policy. Once
+ enabled, this policy allows scripts to be executed.
+references:
+ - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
+author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
+date: 2023/10/18
+tags:
+ - attack.execution
+ - sysmon
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 13
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ TargetObject|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts
+ Details: DWORD (0x00000001)
+ condition: registry_set and selection
+falsepositives:
+ - Likely
+level: low
+ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml b/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml
index e120caf48..091933fdf 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -14,7 +14,7 @@ references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/11
-modified: 2023/08/17
+modified: 2023/10/18
tags:
- attack.defense_evasion
- sysmon
@@ -33,11 +33,11 @@ detection:
- Bypass
- RemoteSigned
- Unrestricted
- filter_svchost:
- Image|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- condition: registry_set and (selection and not 1 of filter_*)
+ filter_main_svchost:
+ Image|contains:
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ condition: registry_set and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
new file mode 100644
index 000000000..dade8d988
--- /dev/null
+++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
@@ -0,0 +1,63 @@
+title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
+id: ce2c44b5-a6ac-412a-afba-9e89326fa972
+related:
+ - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
+ type: similar
+status: experimental
+description: 'Detects execution of regsvr32 with the silent flag and no other flags
+ on a DLL located in an uncommon or potentially suspicious location.
+
+ When Regsvr32 is called in such a way, it implicitly calls the DLL export function
+ ''DllRegisterServer''.
+
+ '
+references:
+ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+ - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
+ - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+ - https://ss64.com/nt/regsvr32.html
+author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/17
+tags:
+ - attack.execution
+ - attack.t1218
+ - detection.threat_hunting
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_image:
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
+ selection_cmdline:
+ CommandLine|contains:
+ - ' /s '
+ - ' /e '
+ filter_main_paths:
+ - CommandLine|contains:
+ - :\Program Files (x86)
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ - CurrentDirectory|contains:
+ - :\Program Files (x86)
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ filter_main_other_flags:
+ CommandLine|contains:
+ - ' /i:'
+ - '/U '
+ filter_main_rpcproxy:
+ ParentCommandLine|endswith: :\Windows\System32\RpcProxy\RpcProxy.dll
+ CommandLine: regsvr32 /s rpcproxy.dll
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Legitimate usage as part of application installation, but less likely from e.g.
+ temporary paths.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
new file mode 100644
index 000000000..13766bd22
--- /dev/null
+++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
@@ -0,0 +1,48 @@
+title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
+related:
+ - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
+ type: similar
+status: experimental
+description: 'Detects when the DLL export function ''DllRegisterServer'' is called
+ in the commandline by Rundll32 explicitly where the DLL is located in a non-standard
+ path.
+
+ '
+references:
+ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+ - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
+ - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/17
+tags:
+ - attack.execution
+ - attack.t1218
+ - detection.threat_hunting
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_image:
+ - Image|endswith: \rundll32.exe
+ - OriginalFileName: RUNDLL32.EXE
+ selection_cmdline:
+ CommandLine|contains: DllRegisterServer
+ filter_main_legit_paths:
+ CommandLine|contains:
+ - :\Program Files (x86)
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Legitimate usage as part of application installation, but less likely from e.g.
+ temporary paths.
+ - Not every instance is considered malicious, but this rule will capture the malicious
+ usages.
+level: medium
+ruletype: Sigma