Sigma Rule Update (2023-10-23 20:05:45) (#513)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/process_creation/proc_creation_win_lolbin_certoc_download.yml → sigma/builtin/process_creation/proc_creation_win_certoc_download.yml

@@ -1,11 +1,15 @@
-title: Suspicious File Download via CertOC.exe
+title: File Download via CertOC.EXE
 id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+related:
+    -   id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+        type: similar
 status: test
-description: Detects when a user downloads file by using CertOC.exe
+description: Detects when a user downloads a file by using CertOC.exe
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/05/16
+modified: 2023/10/18
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -20,9 +24,11 @@ detection:
         -   NewProcessName|endswith: \certoc.exe
         -   OriginalFileName: CertOC.exe
     selection_cli:
-        CommandLine|contains: -GetCACAPS
+        CommandLine|contains|all:
+            - -GetCACAPS
+            - http
     condition: process_creation and (all of selection*)
 falsepositives:
     - Unknown
-level: high
+level: medium
 ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml

@@ -0,0 +1,34 @@
+title: File Download From IP Based URL Via CertOC.EXE
+id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+related:
+    -   id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+        type: similar
+status: experimental
+description: Detects when a user downloads a file from an IP based URL using CertOC.exe
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+    - attack.command_and_control
+    - attack.execution
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \certoc.exe
+        -   OriginalFileName: CertOC.exe
+    selection_ip:
+        CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
+    selection_cli:
+        CommandLine|contains: -GetCACAPS
+    condition: process_creation and (all of selection*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml

@@ -14,6 +14,7 @@ references:
     - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
     - https://twitter.com/egre55/status/1087685529016193025
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+    - https://twitter.com/_JohnHammond/status/1708910264261980634
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
 tags:
@@ -44,9 +45,9 @@ detection:
             - ://7
             - ://8
             - ://9
-    filter_seven_zip:
+    filter_main_seven_zip:
         CommandLine|contains: ://7-
-    condition: process_creation and (all of selection_* and not 1 of filter_*)
+    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml

@@ -0,0 +1,83 @@
+title: File Download From IP URL Via Curl.EXE
+id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
+related:
+    -   id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+        type: similar
+status: experimental
+description: Detects file downloads directly from IP address URL using curl.exe
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \curl.exe
+        -   OriginalFileName: curl.exe
+    selection_ip:
+        CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
+    selection_http:
+        CommandLine|contains: http
+    selection_flag:
+        CommandLine|contains:
+            - ' -O'
+            - --remote-name
+            - --output
+    filter_main_ext:
+        CommandLine|endswith:
+            - .bat
+            - .bat"
+            - .dat
+            - .dat"
+            - .dll
+            - .dll"
+            - .exe
+            - .exe"
+            - .gif
+            - .gif"
+            - .hta
+            - .hta"
+            - .jpeg
+            - .jpeg"
+            - .log
+            - .log"
+            - .msi
+            - .msi"
+            - .png
+            - .png"
+            - .ps1
+            - .ps1"
+            - .psm1
+            - .psm1"
+            - .vbe
+            - .vbe"
+            - .vbs
+            - .vbs"
+            - .bat'
+            - .dat'
+            - .dll'
+            - .exe'
+            - .gif'
+            - .hta'
+            - .jpeg'
+            - .log'
+            - .msi'
+            - .png'
+            - .ps1'
+            - .psm1'
+            - .vbe'
+            - .vbs'
+    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip.yml → sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml

@@ -6,6 +6,7 @@ description: Detects potentially suspicious file downloads directly from IP addr
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/27
 tags:
@@ -31,36 +32,48 @@ detection:
             - --output
     selection_ext:
         CommandLine|endswith:
-            - .ps1
-            - .ps1'
-            - .ps1"
-            - .dat
-            - .dat'
-            - .dat"
-            - .msi
-            - .msi'
-            - .msi"
             - .bat
-            - .bat'
             - .bat"
+            - .dat
+            - .dat"
+            - .dll
+            - .dll"
             - .exe
-            - .exe'
             - .exe"
-            - .vbs
-            - .vbs'
-            - .vbs"
-            - .vbe
-            - .vbe'
-            - .vbe"
+            - .gif
+            - .gif"
             - .hta
-            - .hta'
             - .hta"
-            - .dll
-            - .dll'
-            - .dll"
+            - .jpeg
+            - .jpeg"
+            - .log
+            - .log"
+            - .msi
+            - .msi"
+            - .png
+            - .png"
+            - .ps1
+            - .ps1"
             - .psm1
-            - .psm1'
             - .psm1"
+            - .vbe
+            - .vbe"
+            - .vbs
+            - .vbs"
+            - .bat'
+            - .dat'
+            - .dll'
+            - .exe'
+            - .gif'
+            - .hta'
+            - .jpeg'
+            - .log'
+            - .msi'
+            - .png'
+            - .ps1'
+            - .psm1'
+            - .vbe'
+            - .vbs'
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml

@@ -1,4 +1,4 @@
-title: Remote File Download via Desktopimgdownldr Utility
+title: Remote File Download Via Desktopimgdownldr Utility
 id: 214641c2-c579-4ecb-8427-0cf19df6842e
 status: test
 description: Detects the desktopimgdownldr utility being used to download a remote

sigma/builtin/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml → sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml

@@ -1,13 +1,13 @@
-title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+title: Arbitrary File Download Via GfxDownloadWrapper.EXE
 id: eee00933-a761-4cd0-be70-c42fe91731e7
 status: test
-description: Detects when GfxDownloadWrapper.exe downloads file from non standard
-    URL
+description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument
+    to download file.
 references:
     - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
-modified: 2022/01/06
+modified: 2023/10/18
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -18,16 +18,14 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    image_path:
+    selection:
+        CommandLine|contains:
+            - http://
+            - https://
         NewProcessName|endswith: \GfxDownloadWrapper.exe
-    filter:
-        CommandLine|contains: gameplayapi.intel.com
-        ParentProcessName|endswith:
-            - \GfxDownloadWrapper.exe
-            - \igfxEM.exe
-    condition: process_creation and (image_path and not filter)
-fields:
-    - CommandLine
+    filter_main_known_urls:
+        CommandLine|contains: https://gameplayapi.intel.com/
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: medium

sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml

@@ -11,6 +11,7 @@ references:
     - https://twitter.com/_JohnHammond/status/1588155401752788994
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/21
+modified: 2023/10/18
 tags:
     - attack.defense_evasion
     - attack.t1202
@@ -38,8 +39,6 @@ detection:
         CommandLine|contains:
             - \AppData\Roaming\Microsoft\Templates
             - \AppData\Roaming\Microsoft\Word\Startup\
-            - \Microsoft Office (x86)\root\Templates\
-            - \Microsoft Office (x86)\Templates\
             - \Microsoft Office\root\Templates\
             - \Microsoft Office\Templates\
     filter_main_dotx:

sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml

@@ -7,7 +7,7 @@ references:
     - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
 author: Markus Neis, keepwatch
 date: 2018/11/14
-modified: 2023/02/13
+modified: 2023/10/23
 tags:
     - attack.credential_access
     - attack.t1558.003
@@ -25,7 +25,9 @@ detection:
                 - Query or reset the computer
                 - SPN attribute
     selection_cli:
-        CommandLine|contains: -q
+        CommandLine|contains:
+            - ' -q '
+            - ' /q '
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Administration activity

sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml

@@ -69,33 +69,32 @@ detection:
             - \wmic.exe
             - \wscript.exe
     filter_main_winlogon_1:
-        SourceImage: C:\Windows\System32\winlogon.exe
-        TargetImage:
-            - C:\Windows\System32\services.exe
-            - C:\Windows\System32\wininit.exe
-            - C:\Windows\System32\csrss.exe
+        SourceImage|endswith: :\Windows\System32\winlogon.exe
+        TargetImage|endswith:
+            - :\Windows\System32\services.exe
+            - :\Windows\System32\wininit.exe
+            - :\Windows\System32\csrss.exe
     filter_main_winlogon_2:
         SourceImage: C:\Windows\System32\winlogon.exe
         TargetParentImage: System
         TargetParentProcessId: 4
-    filter_main_provtool:
-        SourceImage: C:\Windows\System32\provtool.exe
-        TargetParentProcessId: 0
-    filter_main_vssvc:
-        SourceImage: C:\Windows\System32\VSSVC.exe
-        TargetImage: System
     filter_main_schtasks_conhost:
-        SourceImage:
-            - C:\Windows\System32\schtasks.exe
-            - C:\Windows\SysWOW64\schtasks.exe
-        TargetImage: C:\Windows\System32\conhost.exe
-    filter_main_mmc:
-        SourceImage: C:\Windows\explorer.exe
-        TargetImage: C:\Windows\System32\mmc.exe
-    filter_optional_nvidia:
-        SourceImage: C:\Windows\explorer.exe
-        TargetImage: C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA
-            GeForce Experience.exe
+        SourceImage|endswith:
+            - :\Windows\System32\schtasks.exe
+            - :\Windows\SysWOW64\schtasks.exe
+        TargetImage|endswith: :\Windows\System32\conhost.exe
+    filter_main_explorer:
+        SourceImage|endswith: :\Windows\explorer.exe
+        TargetImage|endswith:
+            - :\Windows\System32\mmc.exe
+            - :\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA
+                GeForce Experience.exe
+    filter_main_system:
+        TargetImage: System
+    filter_optional_powerpnt:
+        SourceImage|contains: \Microsoft Office\
+        SourceImage|endswith: \POWERPNT.EXE
+        TargetImage|endswith: :\Windows\System32\csrss.exe
     condition: create_remote_thread and (selection and not 1 of filter_main_* and
         not 1 of filter_optional_*)
 falsepositives: