From 7692e0b34c5ac58e09c9d202ea4a9aa309c6a633 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 20:05:54 +0000 Subject: [PATCH] Sigma Rule Update (2023-10-23 20:05:45) (#513) Co-authored-by: hach1yon --- ... => proc_creation_win_certoc_download.yml} | 14 +++- ...creation_win_certoc_download_direct_ip.yml | 34 ++++++++ ...eation_win_certutil_download_direct_ip.yml | 5 +- ...ation_win_curl_download_direct_ip_exec.yml | 83 ++++++++++++++++++ ...rl_download_direct_ip_susp_extensions.yml} | 57 ++++++++----- ...desktopimgdownldr_remote_file_download.yml | 2 +- ...wnloadwrapper_arbitrary_file_download.yml} | 24 +++--- ...win_office_exec_from_trusted_locations.yml | 3 +- ...oc_creation_win_setspn_spn_enumeration.yml | 6 +- ...sysinternals_susp_psexec_paexec_flags.yml} | 0 ...emote_thread_win_uncommon_source_image.yml | 43 +++++----- ...emote_thread_win_uncommon_target_image.yml | 30 +++---- ...ge_load_apt_lazarus_side_load_activity.yml | 41 +++++++++ ...elete_win_zone_identifier_ads_uncommon.yml | 2 + ...n_adsi_cache_creation_by_uncommon_tool.yml | 55 ++++++++++++ .../file_event_win_creation_system_file.yml | 6 +- ...in_powershell_module_uncommon_creation.yml | 3 +- ...licy_test_creation_by_uncommon_process.yml | 2 + .../file_event_win_susp_adsi_cache_usage.yml | 53 ------------ ...le_event_win_susp_lnk_double_extension.yml | 12 +-- ...file_event_win_susp_powershell_profile.yml | 9 +- ...created_powershell_alternate_host_pipe.yml | 49 +++++------ ... 
=> proc_creation_win_certoc_download.yml} | 14 +++- ...creation_win_certoc_download_direct_ip.yml | 35 ++++++++ ...eation_win_certutil_download_direct_ip.yml | 5 +- ...ation_win_curl_download_direct_ip_exec.yml | 84 +++++++++++++++++++ ...rl_download_direct_ip_susp_extensions.yml} | 57 ++++++++----- ...desktopimgdownldr_remote_file_download.yml | 2 +- ...wnloadwrapper_arbitrary_file_download.yml} | 24 +++--- ...win_office_exec_from_trusted_locations.yml | 3 +- ...oc_creation_win_setspn_spn_enumeration.yml | 6 +- ...sysinternals_susp_psexec_paexec_flags.yml} | 0 32 files changed, 540 insertions(+), 223 deletions(-) rename sigma/builtin/process_creation/{proc_creation_win_lolbin_certoc_download.yml => proc_creation_win_certoc_download.yml} (67%) create mode 100644 sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml rename sigma/builtin/process_creation/{proc_creation_win_curl_download_direct_ip.yml => proc_creation_win_curl_download_direct_ip_susp_extensions.yml} (83%) rename sigma/builtin/process_creation/{proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml => proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml} (54%) rename sigma/builtin/process_creation/{proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml => proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml} (100%) create mode 100644 sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml create mode 100644 sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml delete mode 100644 sigma/sysmon/file/file_event/file_event_win_susp_adsi_cache_usage.yml rename sigma/sysmon/process_creation/{proc_creation_win_lolbin_certoc_download.yml => proc_creation_win_certoc_download.yml} (68%) create mode 100644 sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml create 
mode 100644 sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml rename sigma/sysmon/process_creation/{proc_creation_win_curl_download_direct_ip.yml => proc_creation_win_curl_download_direct_ip_susp_extensions.yml} (83%) rename sigma/sysmon/process_creation/{proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml => proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml} (55%) rename sigma/sysmon/process_creation/{proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml => proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml} (100%) diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_certoc_download.yml b/sigma/builtin/process_creation/proc_creation_win_certoc_download.yml similarity index 67% rename from sigma/builtin/process_creation/proc_creation_win_lolbin_certoc_download.yml rename to sigma/builtin/process_creation/proc_creation_win_certoc_download.yml index 5959485fe..b18f0d73e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_lolbin_certoc_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certoc_download.yml @@ -1,11 +1,15 @@ -title: Suspicious File Download via CertOC.exe +title: File Download via CertOC.EXE id: 70ad0861-d1fe-491c-a45f-fa48148a300d +related: + - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a + type: similar status: test -description: Detects when a user downloads file by using CertOC.exe +description: Detects when a user downloads a file by using CertOC.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/05/16 +modified: 2023/10/18 tags: - attack.command_and_control - attack.t1105 
@@ -20,9 +24,11 @@ detection: - NewProcessName|endswith: \certoc.exe - OriginalFileName: CertOC.exe selection_cli: - CommandLine|contains: -GetCACAPS + CommandLine|contains|all: + - -GetCACAPS + - http condition: process_creation and (all of selection*) falsepositives: - Unknown -level: high +level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml new file mode 100644 index 000000000..0be9505b3 --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml @@ -0,0 +1,34 @@ +title: File Download From IP Based URL Via CertOC.EXE +id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a +related: + - id: 70ad0861-d1fe-491c-a45f-fa48148a300d + type: similar +status: experimental +description: Detects when a user downloads a file from an IP based URL using CertOC.exe +references: + - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/10/18 +tags: + - attack.command_and_control + - attack.execution + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + - NewProcessName|endswith: \certoc.exe + - OriginalFileName: CertOC.exe + selection_ip: + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + selection_cli: + CommandLine|contains: -GetCACAPS + condition: process_creation and (all of selection*) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml index c505fbd70..bdeba5c98 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml 
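Review bot: The `attack.execution` tag in the new `proc_creation_win_certoc_download_direct_ip.yml` does not match what the rule detects: `-GetCACAPS` plus an IP-based URL is a download, and the sibling rule 70ad0861 renamed in this same patch carries only `attack.command_and_control` and `attack.t1105`; drop `attack.execution` so the two stay consistent. The IP regex already requires `://`, so the `http` substring the sibling gained is not needed here. Note that any `http(s)://<ip>` hit of this high-level rule also fires the medium-level sibling, because its `selection_cli` is a superset; if that double alert is unwanted, documenting the relation as `derived` rather than `similar` makes the intent explicit.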
+++ b/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml @@ -14,6 +14,7 @@ references: - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ + - https://twitter.com/_JohnHammond/status/1708910264261980634 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 tags: @@ -44,9 +45,9 @@ detection: - ://7 - ://8 - ://9 - filter_seven_zip: + filter_main_seven_zip: CommandLine|contains: ://7- - condition: process_creation and (all of selection_* and not 1 of filter_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml new file mode 100644 index 000000000..349f31c38 --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml 
@@ -0,0 +1,83 @@ +title: File Download From IP URL Via Curl.EXE +id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 +related: + - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 + type: similar +status: experimental +description: Detects file downloads directly from IP address URL using curl.exe +references: + - https://labs.withsecure.com/publications/fin7-target-veeam-servers + - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv + - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/10/18 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe + selection_ip: + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + selection_http: + CommandLine|contains: http + selection_flag: + CommandLine|contains: + - ' -O' + - --remote-name + - --output + filter_main_ext: + CommandLine|endswith: + - .bat + - .bat" + - .dat + - .dat" + - .dll + - .dll" + - .exe + - .exe" + - .gif + - .gif" + - .hta + - .hta" + - .jpeg + - .jpeg" + - .log + - .log" + - .msi + - .msi" + - .png + - .png" + - .ps1 + - .ps1" + - .psm1 + - .psm1" + - .vbe + - .vbe" + - .vbs + - .vbs" + - .bat' + - .dat' + - .dll' + - .exe' + - .gif' + - .hta' + - .jpeg' + - .log' + - .msi' + - .png' + - .ps1' + - .psm1' + - .vbe' + - .vbs' + condition: process_creation and (all of selection_* and not 1 of filter_main_*) +falsepositives: + - Unknown +level: medium +ruletype: Sigma 
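Review bot: `filter_main_ext` only suppresses command lines that *end* with one of the listed extensions, so an invocation with the output name before the URL (`curl -o payload.exe http://1.2.3.4/x`) is not caught by the high-level `_susp_extensions` sibling and lands only in this medium rule; the description should state that the split between the two rules depends on argument order, or the filter needs another form. The tag list holds only `attack.execution`, while the certutil and certoc direct-IP rules in this patch use `attack.command_and_control` and `attack.t1105` for the same download behaviour; align them. Sigma matching is case-insensitive by default, so `' -O'` also matches ` -o`, which is presumably intended but worth a comment since the two flags differ in curl. With `falsepositives: Unknown`, IP-based internal distribution points (patch or package mirrors) are a predictable source of noise and deserve an entry.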
diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml similarity index 83% rename from sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip.yml rename to sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml index 67aac9948..938f0ec05 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml @@ -6,6 +6,7 @@ description: Detects potentially suspicious file downloads directly from IP addr references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv + - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt author: Nasreddine Bencherchali (Nextron Systems) date: 2023/07/27 tags: @@ -31,36 +32,48 @@ detection: - --output selection_ext: CommandLine|endswith: - - .ps1 - - .ps1' - - .ps1" - - .dat - - .dat' - - .dat" - - .msi - - .msi' - - .msi" - .bat - - .bat' - .bat" + - .dat + - .dat" + - .dll + - .dll" - .exe - - .exe' - .exe" - - .vbs - - .vbs' - - .vbs" - - .vbe - - .vbe' - - .vbe" + - .gif + - .gif" - .hta - - .hta' - .hta" - - .dll - - .dll' - - .dll" + - .jpeg + - .jpeg" + - .log + - .log" + - .msi + - .msi" + - .png + - .png" + - .ps1 + - .ps1" - .psm1 - - .psm1' - .psm1" + - .vbe + - .vbe" + - .vbs + - .vbs" + - .bat' + - .dat' + - .dll' + - .exe' + - .gif' + - .hta' + - .jpeg' + - .log' + - .msi' + - .png' + - .ps1' + - .psm1' + - .vbe' + - .vbs' condition: process_creation and (all of selection_*) falsepositives: - Unknown 
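Review bot: The extended `selection_ext` list adds `.jpeg`, `.gif`, `.png` and `.log` (the IcedID reference shows image-named payloads) but not `.jpg`, the far more common spelling of the same masquerade; add `- .jpg`, `- .jpg"` and `- .jpg'` next to the `.jpeg` entries. Because the match is `endswith` on the whole command line, the list only covers the case where the file name is the last token; `curl -o x.exe http://...` is missed here, which is worth stating in the description now that the new `_exec` sibling is meant to pick up the remainder.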
diff --git a/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
index 03cff035f..779041ba6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
@@ -1,4 +1,4 @@
-title: Remote File Download via Desktopimgdownldr Utility
+title: Remote File Download Via Desktopimgdownldr Utility
 id: 214641c2-c579-4ecb-8427-0cf19df6842e
 status: test
 description: Detects the desktopimgdownldr utility being used to download a remote
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
similarity index 54%
rename from sigma/builtin/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
rename to sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
index a1305d785..1ba4f6a7a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
@@ -1,13 +1,13 @@ -title: GfxDownloadWrapper.exe Downloads File from Suspicious URL +title: Arbitrary File Download Via GfxDownloadWrapper.EXE id: eee00933-a761-4cd0-be70-c42fe91731e7 status: test -description: Detects when GfxDownloadWrapper.exe downloads file from non standard - URL +description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument + to download file. references: - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/ author: Victor Sergeev, oscd.community date: 2020/10/09 -modified: 2022/01/06 +modified: 2023/10/18 tags: - attack.command_and_control - attack.t1105 @@ -18,16 +18,14 @@ detection: process_creation: EventID: 4688 Channel: Security - image_path: + selection: + CommandLine|contains: + - http:// + - https:// NewProcessName|endswith: \GfxDownloadWrapper.exe - filter: - CommandLine|contains: gameplayapi.intel.com - ParentProcessName|endswith: - - \GfxDownloadWrapper.exe - - \igfxEM.exe - condition: process_creation and (image_path and not filter) -fields: - - CommandLine + filter_main_known_urls: + CommandLine|contains: https://gameplayapi.intel.com/ + condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index 2997f2479..4936fbf0b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml @@ -11,6 +11,7 @@ references: - https://twitter.com/_JohnHammond/status/1588155401752788994 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/21 +modified: 2023/10/18 tags: - attack.defense_evasion - attack.t1202 
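Review bot: `filter_main_known_urls` now excludes any command line that merely *contains* `https://gameplayapi.intel.com/`, and the old parent-process requirement (`\igfxEM.exe` / `\GfxDownloadWrapper.exe`) was dropped, so an attacker can suppress the alert by adding the legitimate URL as an extra trailing argument to an otherwise malicious download. Keep the parent constraint in the filter, e.g. `ParentProcessName|endswith: \igfxEM.exe` alongside the `CommandLine|contains`, or match the known URL positionally if the invocation format is fixed (hedged, depends on how the binary is called). The new `selection` also no longer requires a download flag, so any invocation containing `http://`/`https://` alerts; acceptable for a medium rule, but the description should say so.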
@@ -38,8 +39,6 @@ detection: CommandLine|contains: - \AppData\Roaming\Microsoft\Templates - \AppData\Roaming\Microsoft\Word\Startup\ - - \Microsoft Office (x86)\root\Templates\ - - \Microsoft Office (x86)\Templates\ - \Microsoft Office\root\Templates\ - \Microsoft Office\Templates\ filter_main_dotx: diff --git a/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml index 6604ecbe9..24eb5f215 100644 --- a/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml +++ b/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml @@ -7,7 +7,7 @@ references: - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019 author: Markus Neis, keepwatch date: 2018/11/14 -modified: 2023/02/13 +modified: 2023/10/23 tags: - attack.credential_access - attack.t1558.003 @@ -25,7 +25,9 @@ detection: - Query or reset the computer - SPN attribute selection_cli: - CommandLine|contains: -q + CommandLine|contains: + - ' -q ' + - ' /q ' condition: process_creation and (all of selection_*) falsepositives: - Administration activity diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml similarity index 100% rename from sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml rename to sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index f047f835c..963df29dd 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
+++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml @@ -69,33 +69,32 @@ detection: - \wmic.exe - \wscript.exe filter_main_winlogon_1: - SourceImage: C:\Windows\System32\winlogon.exe - TargetImage: - - C:\Windows\System32\services.exe - - C:\Windows\System32\wininit.exe - - C:\Windows\System32\csrss.exe + SourceImage|endswith: :\Windows\System32\winlogon.exe + TargetImage|endswith: + - :\Windows\System32\services.exe + - :\Windows\System32\wininit.exe + - :\Windows\System32\csrss.exe filter_main_winlogon_2: SourceImage: C:\Windows\System32\winlogon.exe TargetParentImage: System TargetParentProcessId: 4 - filter_main_provtool: - SourceImage: C:\Windows\System32\provtool.exe - TargetParentProcessId: 0 - filter_main_vssvc: - SourceImage: C:\Windows\System32\VSSVC.exe - TargetImage: System filter_main_schtasks_conhost: - SourceImage: - - C:\Windows\System32\schtasks.exe - - C:\Windows\SysWOW64\schtasks.exe - TargetImage: C:\Windows\System32\conhost.exe - filter_main_mmc: - SourceImage: C:\Windows\explorer.exe - TargetImage: C:\Windows\System32\mmc.exe - filter_optional_nvidia: - SourceImage: C:\Windows\explorer.exe - TargetImage: C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA - GeForce Experience.exe + SourceImage|endswith: + - :\Windows\System32\schtasks.exe + - :\Windows\SysWOW64\schtasks.exe + TargetImage|endswith: :\Windows\System32\conhost.exe + filter_main_explorer: + SourceImage|endswith: :\Windows\explorer.exe + TargetImage|endswith: + - :\Windows\System32\mmc.exe + - :\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA + GeForce Experience.exe + filter_main_system: + TargetImage: System + filter_optional_powerpnt: + SourceImage|contains: \Microsoft Office\ + SourceImage|endswith: \POWERPNT.EXE + TargetImage|endswith: :\Windows\System32\csrss.exe condition: create_remote_thread and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: 
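Review bot: `filter_main_winlogon_2` still matches `SourceImage: C:\Windows\System32\winlogon.exe` exactly while `filter_main_winlogon_1` was switched to `SourceImage|endswith: :\Windows\System32\winlogon.exe`; make both use the same form. The new `filter_main_system` (`TargetImage: System`) replaces the narrow `VSSVC.exe -> System` exclusion with a blanket one for every source image in the selection, which is much broader than the VSSVC case that motivated it; if the intent is only VSSVC, keep the `SourceImage` constraint. Note also that the `:\Windows\...` endswith form accepts any drive letter, so a binary placed at `D:\Windows\System32\winlogon.exe` on a second volume would be filtered — a known trade-off of this style that deserves a comment.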
diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
index dbd99f253..5a37c6846 100644
--- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
@@ -9,7 +9,7 @@ references:
 - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/07/13
+modified: 2023/10/19
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -34,30 +34,30 @@ detection: - \spoolsv.exe - \wordpad.exe - \write.exe - filter_optional_spoolsv: - SourceImage: C:\Windows\System32\csrss.exe - TargetImage: C:\Windows\System32\spoolsv.exe + filter_main_csrss: + SourceImage|endswith: :\Windows\System32\csrss.exe filter_optional_aurora_1: StartFunction: EtwpNotificationThread filter_optional_aurora_2: SourceImage|contains: unknown process filter_optional_vmtoolsd: - SourceImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + SourceImage|endswith: :\Program Files\VMware\VMware Tools\vmtoolsd.exe StartFunction: GetCommandLineW - TargetImage: - - C:\Windows\explorer.exe - - C:\Windows\System32\notepad.exe - - C:\Windows\System32\spoolsv.exe - filter_optional_rundll32: - SourceImage: C:\Windows\System32\rundll32.exe - TargetImage: C:\Windows\explorer.exe + TargetImage|endswith: + - :\Windows\explorer.exe + - :\Windows\System32\notepad.exe + - :\Windows\System32\spoolsv.exe + filter_main_rundll32: + SourceImage|endswith: :\Windows\System32\rundll32.exe + TargetImage|endswith: :\Windows\explorer.exe StartFunction: - LoadLibraryW - FreeLibrary filter_optional_winzip: - SourceImage: C:\Program Files\WinZip\FAHWindow64.exe - TargetImage: C:\Windows\explorer.exe - condition: create_remote_thread and (selection and not 1 of filter_optional_*) + SourceImage|endswith: :\Program Files\WinZip\FAHWindow64.exe + TargetImage|endswith: :\Windows\explorer.exe + condition: create_remote_thread and (selection and not 1 of filter_main_* and + not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml new file mode 100644 index 000000000..ccfbe9d05 --- /dev/null +++ b/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml 
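Review bot: Promoting `filter_main_rundll32` (rundll32.exe -> explorer.exe with `StartFunction` `LoadLibraryW`/`FreeLibrary`) from optional to main hard-codes an exclusion for exactly the CreateRemoteThread-with-LoadLibraryW shape that classic DLL injection uses, and rundll32 is a common proxy for attacker code; keep it under `filter_optional_` so operators can disable it, or constrain it further (parent image or rundll32 command line). Similarly `filter_main_csrss` now excludes csrss.exe as a source regardless of target, where `filter_optional_spoolsv` limited it to spoolsv.exe; csrss is a protected process so the risk is low, but the broadening should be stated in the description. The drive-agnostic `:\Windows\...` forms also accept paths on other volumes, presumably accepted project-wide.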
@@ -0,0 +1,41 @@ +title: Lazarus APT DLL Sideloading Activity +id: 24007168-a26b-4049-90d0-ce138e13a5cf +status: experimental +description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in + the case of a Spanish aerospace company +references: + - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ + - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/ +author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems) +date: 2023/10/18 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 + - detection.emerging_threats + - sysmon +logsource: + product: windows + category: image_load +detection: + image_load: + EventID: 7 + Channel: Microsoft-Windows-Sysmon/Operational + selection_mscoree: + Image: C:\ProgramShared\PresentationHost.exe + ImageLoaded: :\ProgramShared\mscoree.dll + selection_colorui: + Image: C:\ProgramData\Adobe\colorcpl.exe + ImageLoaded: C:\ProgramData\Adobe\colorui.dll + selection_mapistub: + Image: C:\ProgramData\Oracle\Java\fixmapi.exe + ImageLoaded: C:\ProgramData\Oracle\Java\mapistub.dll + selection_hid: + Image: C:\ProgramData\Adobe\ARM\tabcal.exe + ImageLoaded: C:\ProgramData\Adobe\ARM\HID.dll + condition: image_load and (1 of selection_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml index 01ced23a7..b7d3d8598 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml 
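Review bot: `selection_mscoree` uses `ImageLoaded: :\ProgramShared\mscoree.dll` with no modifier, so it is an exact match against a value that can never equal a real path (which starts with a drive letter) — that selection is dead and the PresentationHost.exe sideload is never detected. Either write `ImageLoaded: C:\ProgramShared\mscoree.dll` like the other three selections, or, better, switch every `Image`/`ImageLoaded` pair to `|endswith` with the `:\ProgramShared\...` / `:\ProgramData\...` form so the rule is drive-agnostic. The rule is intentionally narrow to the four locations from the referenced report, so `falsepositives: Unlikely` fits, but the description should name the four image/DLL pairs so an analyst knows what triggered.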
@@ -12,6 +12,7 @@ references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/04
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 - attack.t1070.004
@@ -29,6 +30,7 @@ detection:
 TargetFilename|endswith: :Zone.Identifier
 filter_main_generic:
 Image|endswith:
+ - :\Program Files\PowerShell\7-preview\pwsh.exe
 - :\Program Files\PowerShell\7\pwsh.exe
 - :\Windows\explorer.exe
 - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
diff --git a/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
new file mode 100644
index 000000000..16e0a4bfb
--- /dev/null
+++ b/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
@@ -0,0 +1,55 @@ +title: ADSI-Cache File Creation By Uncommon Tool +id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb +status: test +description: Detects the creation of an "Active Directory Schema Cache File" (.sch) + file by an uncommon tool. +references: + - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 + - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ + - https://github.com/fox-it/LDAPFragger +author: xknow @xknow_infosec, Tim Shelton +date: 2019/03/24 +modified: 2023/10/18 +tags: + - attack.t1001.003 + - attack.command_and_control + - sysmon +logsource: + product: windows + category: file_event +detection: + file_event: + EventID: 11 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + TargetFilename|contains: \Local\Microsoft\Windows\SchCache\ + TargetFilename|endswith: .sch + filter_main_generic: + - Image|endswith: + - :\Program Files\Cylance\Desktop\CylanceSvc.exe + - :\Windows\CCM\CcmExec.exe + - :\windows\system32\dllhost.exe + - :\Windows\system32\dsac.exe + - :\Windows\system32\efsui.exe + - :\windows\system32\mmc.exe + - :\windows\system32\svchost.exe + - :\Windows\System32\wbem\WmiPrvSE.exe + - :\windows\system32\WindowsPowerShell\v1.0\powershell.exe + - Image|contains: + - :\Windows\ccmsetup\autoupgrade\ccmsetup + - :\Program Files\SentinelOne\Sentinel Agent + filter_main_office: + Image|contains|all: + - :\Program Files\ + - \Microsoft Office + Image|endswith: \OUTLOOK.EXE + filter_optional_ldapwhoami: + Image|endswith: \LANDesk\LDCLient\ldapwhoami.exe + filter_optional_citrix: + Image|endswith: :\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe + condition: file_event and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) +falsepositives: + - Other legimate tools, which do ADSI (LDAP) operations, e.g. 
any remoting activity + by MMC, Powershell, Windows etc. +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml b/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml index 05439c2d3..5b6f13f98 100644 --- a/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml +++ b/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml @@ -5,7 +5,7 @@ description: Detects the creation of an executable with a system process name in other than the system ones (System32, SysWOW64...etc). author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020/05/26 -modified: 2023/10/08 +modified: 2023/10/18 tags: - attack.defense_evasion - attack.t1036.005 @@ -118,7 +118,9 @@ detection: TargetFilename|endswith: :\Windows\explorer.exe filter_main_msiexec: Image|endswith: :\WINDOWS\system32\msiexec.exe - TargetFilename|endswith: :\Program Files\PowerShell\7\pwsh.exe + TargetFilename|endswith: + - :\Program Files\PowerShell\7\pwsh.exe + - :\Program Files\PowerShell\7-preview\pwsh.exe filter_main_healtray: TargetFilename|contains: :\Windows\System32\SecurityHealth\ TargetFilename|endswith: \SecurityHealthSystray.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml index 2e2845f6d..8867ab06d 100644 --- a/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml @@ -8,7 +8,7 @@ references: - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/09 -modified: 2023/09/18 +modified: 2023/10/18 tags: - attack.persistence - sysmon 
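Review bot: `filter_main_generic` in the new `file_event_win_adsi_cache_creation_by_uncommon_tool.yml` drops `powershell.exe`, `WmiPrvSE.exe`, `dllhost.exe` and `svchost.exe` unconditionally, which also hides an LDAP C2 client like the referenced LDAPFragger when it is loaded in-memory from PowerShell or via WMI; those hosts belong under `filter_optional_` rather than `filter_main_`, or the powershell entry should be paired with a parent or command-line constraint. The typo in `falsepositives` (`legimate` -> `legitimate`) was carried over from the deleted rule. The level drop from `high` to `medium` relative to the removed `file_event_win_susp_adsi_cache_usage.yml` is reasonable for a filter-driven rule, but since the id 75bf09fa is reused it deserves a sentence in the description.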
@@ -25,6 +25,7 @@ detection: - \PowerShell\7\Modules\ filter_main_pwsh: Image|endswith: + - :\Program Files\PowerShell\7-preview\pwsh.exe - :\Program Files\PowerShell\7\pwsh.exe - :\Windows\System32\poqexec.exe - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml index ca59b420b..b33c795cf 100644 --- a/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml +++ b/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml @@ -8,6 +8,7 @@ references: - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/01 +modified: 2023/10/18 tags: - attack.defense_evasion - sysmon @@ -22,6 +23,7 @@ detection: TargetFilename|contains: __PSScriptPolicyTest_ filter_main_generic: Image|endswith: + - :\Program Files\PowerShell\7-preview\pwsh.exe - :\Program Files\PowerShell\7\pwsh.exe - :\Windows\System32\dsac.exe - :\Windows\System32\ServerManager.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_adsi_cache_usage.yml b/sigma/sysmon/file/file_event/file_event_win_susp_adsi_cache_usage.yml deleted file mode 100644 index cdcefae68..000000000 --- a/sigma/sysmon/file/file_event/file_event_win_susp_adsi_cache_usage.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -title: Suspicious ADSI-Cache Usage By Unknown Tool -id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb -status: test -description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect - tools like LDAPFragger. -references: - - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - - https://github.com/fox-it/LDAPFragger -author: xknow @xknow_infosec, Tim Shelton -date: 2019/03/24 -modified: 2023/01/12 -tags: - - attack.t1001.003 - - attack.command_and_control - - sysmon -logsource: - product: windows - category: file_event -detection: - file_event: - EventID: 11 - Channel: Microsoft-Windows-Sysmon/Operational - selection: - TargetFilename|contains: \Local\Microsoft\Windows\SchCache\ - TargetFilename|endswith: .sch - filter_eq: - Image: - - C:\windows\system32\svchost.exe - - C:\windows\system32\dllhost.exe - - C:\windows\system32\mmc.exe - - C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe - - C:\Windows\CCM\CcmExec.exe - - C:\Program Files\Cylance\Desktop\CylanceSvc.exe - - C:\Windows\System32\wbem\WmiPrvSE.exe - filter_begins: - Image|startswith: - - C:\Windows\ccmsetup\autoupgrade\ccmsetup - - C:\Program Files\SentinelOne\Sentinel Agent - filter_ends: - Image|endswith: \LANDesk\LDCLient\ldapwhoami.exe - filter_domain_controller: - Image: - - C:\Windows\system32\efsui.exe - - C:\Windows\system32\dsac.exe - filter_citrix: - Image|endswith: :\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe - condition: file_event and (selection and not 1 of filter_*) -falsepositives: - - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity - by MMC, Powershell, Windows etc. -level: high -ruletype: Sigma 
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml b/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml index bf17876eb..63f75bc41 100644 --- a/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml +++ b/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml @@ -1,4 +1,4 @@ -title: Suspicious LNK Double Extension File +title: Suspicious LNK Double Extension File Created id: 3215aa19-f060-4332-86d5-5602511f3ca8 related: - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e @@ -17,7 +17,7 @@ references: - https://twitter.com/luc4m/status/1073181154126254080 author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2022/11/07 -modified: 2023/05/12 +modified: 2023/10/18 tags: - attack.defense_evasion - attack.t1036.007 @@ -42,19 +42,19 @@ detection: - .xlsx. filter_main_recent: TargetFilename|contains: \AppData\Roaming\Microsoft\Windows\Recent\ - filter_optional_office: + filter_optional_office_recent: Image|endswith: - \excel.exe - \powerpnt.exe - \winword.exe TargetFilename|contains: \AppData\Roaming\Microsoft\Office\Recent\ - filter_optional_excel: + filter_optional_office_excel: Image|endswith: \excel.exe TargetFilename|contains: \AppData\Roaming\Microsoft\Excel - filter_optional_powerpoint: + filter_optional_office_powerpoint: Image|endswith: \powerpnt.exe TargetFilename|contains: \AppData\Roaming\Microsoft\PowerPoint - filter_optional_word: + filter_optional_office_word: Image|endswith: \winword.exe TargetFilename|contains: \AppData\Roaming\Microsoft\Word condition: file_event and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml b/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml index 0784c42d3..666038332 100644 --- a/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml 
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -6,9 +6,9 @@ description: Detects the creation or modification of a powershell profile which
 references:
 - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
 - https://persistence-info.github.io/Data/powershellprofile.html
-author: HieuTT35, Nasreddine Bencherchali
+author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/24
-modified: 2022/08/24
+modified: 2023/10/18
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -24,10 +24,11 @@ detection:
 selection:
 TargetFilename|endswith:
 - \Microsoft.PowerShell_profile.ps1
- - \WindowsPowerShell\profile.ps1
 - \PowerShell\profile.ps1
- - \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
+ - \Program Files\PowerShell\7-preview\profile.ps1
 - \Program Files\PowerShell\7\profile.ps1
+ - \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
+ - \WindowsPowerShell\profile.ps1
 condition: file_event and selection
 falsepositives:
 - System administrator creating Powershell profile manually
diff --git a/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
index b0659db66..7f03c4476 100644
--- a/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
+++ b/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
@@ -8,7 +8,7 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 date: 2019/09/12
-modified: 2022/10/10
+modified: 2023/10/18
 tags:
 - attack.execution
 - attack.t1059.001
@@ -30,37 +30,30 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
PipeName|startswith: \PSHost
- filter1:
- Image|endswith:
- - \powershell.exe
- - \powershell_ise.exe
- - \WINDOWS\System32\sdiagnhost.exe
- - \WINDOWS\System32\wsmprovhost.exe
- - \Windows\system32\dsac.exe
- - \Windows\system32\wbem\wmiprvse.exe
- - \ForefrontActiveDirectoryConnector.exe
- - c:\windows\system32\inetsrv\w3wp.exe
- filter2:
- Image: null
- filter3:
+ filter_main_generic:
+ Image|contains:
+ - :\Program Files\Citrix\
+ - :\Program Files\Microsoft\Exchange Server\
+ - :\Program Files\PowerShell\7-preview\pwsh.exe
+ - :\Program Files\PowerShell\7\pwsh.exe
+ - :\Windows\system32\dsac.exe
+ - :\Windows\system32\inetsrv\w3wp.exe
+ - :\Windows\System32\sdiagnhost.exe
+ - :\Windows\system32\ServerManager.exe
+ - :\Windows\system32\wbem\wmiprvse.exe
+ - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
+ - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ - :\Windows\System32\wsmprovhost.exe
+ - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
+ - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
+ filter_main_sqlserver:
Image|contains|all:
- :\Program Files
- \Microsoft SQL Server\
Image|endswith: \Tools\Binn\SQLPS.exe
- filter4:
- Image|startswith:
- - C:\Program Files\Citrix\
- - C:\Program Files\Microsoft\Exchange Server\
- filter5:
- Image:
- - C:\Windows\system32\ServerManager.exe
- - C:\Program Files\PowerShell\7\pwsh.exe
- condition: pipe_created and (selection and not 1 of filter*)
-fields:
- - ComputerName
- - User
- - Image
- - PipeName
+ filter_main_null:
+ Image: null
+ condition: pipe_created and (selection and not 1 of filter_main_*)
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter.
level: medium
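Review bot: The rewritten `filter_main_generic` no longer lists `\ForefrontActiveDirectoryConnector.exe`, which the removed `filter1` excluded, so hosts running that connector will start matching unless the drop is intentional; if it is, a comment such as `# ForefrontActiveDirectoryConnector.exe intentionally removed from the allow-list` next to the list saves the next maintainer a bisect. Anchoring the remaining entries on `:\` with `Image|contains` instead of `endswith` is a genuine tightening, since a same-named binary in another directory no longer satisfies the exclusion. `filter_main_null` (`Image: null`) is carried over from the old `filter2` and still suppresses every event that lacks an Image value rather than matching a known-good host, which deserves a one-line comment explaining why those events are dropped.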
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_certoc_download.yml b/sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml
similarity index 68%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_certoc_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml
index 4ad4d7e45..bb0b78f2f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_certoc_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml
@@ -1,11 +1,15 @@
-title: Suspicious File Download via CertOC.exe
+title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+related:
+ - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+ type: similar
status: test
-description: Detects when a user downloads file by using CertOC.exe
+description: Detects when a user downloads a file by using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/16
+modified: 2023/10/18
tags:
- attack.command_and_control
- attack.t1105
@@ -21,9 +25,11 @@ detection:
- Image|endswith: \certoc.exe
- OriginalFileName: CertOC.exe
selection_cli:
- CommandLine|contains: -GetCACAPS
+ CommandLine|contains|all:
+ - -GetCACAPS
+ - http
condition: process_creation and (all of selection*)
falsepositives:
- Unknown
-level: high
+level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml
new file mode 100644
index 000000000..019b3df61
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml
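Review bot: `selection_cli` in the second hunk now requires the bare substring `http` anywhere in the command line next to `-GetCACAPS`, which also matches paths or arguments that merely contain the word; the new direct-IP sibling rule anchors on `://` instead, and if the intent here is "a URL was passed" then `- http://` and `- https://` in place of `- http` would state that explicitly. The drop from `level: high` to `level: medium` is not explained anywhere in the rule, and `falsepositives` still says `Unknown`; a sentence in the description or a comment next to `level` recording why the severity was lowered would help consumers who tune on level.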
@@ -0,0 +1,35 @@
+title: File Download From IP Based URL Via CertOC.EXE
+id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+related:
+ - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+ type: similar
+status: experimental
+description: Detects when a user downloads a file from an IP based URL using CertOC.exe
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+ - attack.command_and_control
+ - attack.execution
+ - attack.t1105
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \certoc.exe
+ - OriginalFileName: CertOC.exe
+ selection_ip:
+ CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
+ selection_cli:
+ CommandLine|contains: -GetCACAPS
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml
index 1e229d24c..b9ad9191d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml
@@ -14,6 +14,7 @@ references:
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+ - https://twitter.com/_JohnHammond/status/1708910264261980634
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/15
tags:
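Review bot: The `selection_ip` regex `://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}` is not bounded after the fourth octet, so it also accepts strings like `://1.2.3.4567`, and it covers only dotted-decimal IPv4, so IPv6 literals and other notations of an address are outside the rule's scope. Neither is necessarily wrong for a `level: high` rule, but the description should say that the rule targets dotted-decimal IPv4 URLs so consumers know where the coverage ends. The same regex is reused in the new curl rule in this commit, so any tightening should be applied to both.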
@@ -45,9 +46,9 @@ detection:
- ://7
- ://8
- ://9
- filter_seven_zip:
+ filter_main_seven_zip:
CommandLine|contains: ://7-
- condition: process_creation and (all of selection_* and not 1 of filter_*)
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
falsepositives:
- Unknown
level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
new file mode 100644
index 000000000..d2c79980c
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
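Review bot: `filter_main_seven_zip` matches `://7-` as a substring, which excludes every URL whose host begins with `7-`, not only the 7-Zip site it is named after; because this is the rule's only exclusion and anything it matches is dropped from a `level: high` rule, anchoring on the full host, `CommandLine|contains: ://7-zip.org/`, keeps the false-positive fix without the wider hole. A one-line comment naming the legitimate download the filter was added for would also make its purpose clear. The selection list this filter complements begins outside the hunk.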
@@ -0,0 +1,84 @@
+title: File Download From IP URL Via Curl.EXE
+id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
+related:
+ - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+ type: similar
+status: experimental
+description: Detects file downloads directly from IP address URL using curl.exe
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+ - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+ - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/18
+tags:
+ - attack.execution
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \curl.exe
+ - OriginalFileName: curl.exe
+ selection_ip:
+ CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
+ selection_http:
+ CommandLine|contains: http
+ selection_flag:
+ CommandLine|contains:
+ - ' -O'
+ - --remote-name
+ - --output
+ filter_main_ext:
+ CommandLine|endswith:
+ - .bat
+ - .bat"
+ - .dat
+ - .dat"
+ - .dll
+ - .dll"
+ - .exe
+ - .exe"
+ - .gif
+ - .gif"
+ - .hta
+ - .hta"
+ - .jpeg
+ - .jpeg"
+ - .log
+ - .log"
+ - .msi
+ - .msi"
+ - .png
+ - .png"
+ - .ps1
+ - .ps1"
+ - .psm1
+ - .psm1"
+ - .vbe
+ - .vbe"
+ - .vbs
+ - .vbs"
+ - .bat'
+ - .dat'
+ - .dll'
+ - .exe'
+ - .gif'
+ - .hta'
+ - .jpeg'
+ - .log'
+ - .msi'
+ - .png'
+ - .ps1'
+ - .psm1'
+ - .vbe'
+ - .vbs'
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
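Review bot: The new rule carries only `attack.execution` in `tags`, while the certoc direct-IP rule added in the same commit and the `related` curl rule are tagged `attack.command_and_control` and `attack.t1105`; a download-from-IP rule should at least carry `attack.t1105` so the two curl rules map to the same technique. The description does not say that `filter_main_ext` deliberately excludes the extensions the related rule (5cb299fc-…) alerts on, so the pair appears to partition the same events; a sentence such as `Detects file downloads directly from IP address URL using curl.exe where the output does not end with one of the extensions covered by the related rule` would make the split clear to anyone who enables only one of them. `selection_http: CommandLine|contains: http` is only meaningful next to the `://` in `selection_ip` if non-HTTP schemes are meant to be excluded; if so, a comment saying that would stop a future cleanup from removing it as redundant.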
diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
similarity index 83%
rename from sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip.yml
rename to sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
index 74ad78a12..7948b4112 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
@@ -6,6 +6,7 @@ description: Detects potentially suspicious file downloads directly from IP addr
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+ - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/27
tags:
@@ -32,36 +33,48 @@ detection:
- --output
selection_ext:
CommandLine|endswith:
- - .ps1
- - .ps1'
- - .ps1"
- - .dat
- - .dat'
- - .dat"
- - .msi
- - .msi'
- - .msi"
- .bat
- - .bat'
- .bat"
+ - .dat
+ - .dat"
+ - .dll
+ - .dll"
- .exe
- - .exe'
- .exe"
- - .vbs
- - .vbs'
- - .vbs"
- - .vbe
- - .vbe'
- - .vbe"
+ - .gif
+ - .gif"
- .hta
- - .hta'
- .hta"
- - .dll
- - .dll'
- - .dll"
+ - .jpeg
+ - .jpeg"
+ - .log
+ - .log"
+ - .msi
+ - .msi"
+ - .png
+ - .png"
+ - .ps1
+ - .ps1"
- .psm1
- - .psm1'
- .psm1"
+ - .vbe
+ - .vbe"
+ - .vbs
+ - .vbs"
+ - .bat'
+ - .dat'
+ - .dll'
+ - .exe'
+ - .gif'
+ - .hta'
+ - .jpeg'
+ - .log'
+ - .msi'
+ - .png'
+ - .ps1'
+ - .psm1'
+ - .vbe'
+ - .vbs'
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
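Review bot: The second hunk extends `selection_ext` with `.jpeg`, `.gif` and `.png` but not `.jpg`, the more common spelling of the JPEG extension, so a download saved as `.jpg` is silently outside this rule; adding `.jpg`, `.jpg"` and `.jpg'` next to the `.jpeg` entries closes the gap. The same extension list, in the same bare/double-quoted/single-quoted triplicate, appears as `filter_main_ext` in the new `..._direct_ip_exec.yml`, which looks like the complement of this selection; a comment on each list pointing at the other (`# keep in sync with filter_main_ext in proc_creation_win_curl_download_direct_ip_exec.yml`) would stop the two from drifting, since an extension added to one but not the other would fall through both rules. The `selection_flag` this list combines with starts outside the hunk.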
diff --git a/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
index f398458c6..5f4fdba42 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
@@ -1,4 +1,4 @@
-title: Remote File Download via Desktopimgdownldr Utility
+title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
similarity index 55%
rename from sigma/sysmon/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
rename to sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
index 4b49afb9a..eb9b7a4d4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
@@ -1,13 +1,13 @@
-title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
+title: Arbitrary File Download Via GfxDownloadWrapper.EXE
id: eee00933-a761-4cd0-be70-c42fe91731e7
status: test
-description: Detects when GfxDownloadWrapper.exe downloads file from non standard
- URL
+description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument
+ to download file.
references:
- https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
author: Victor Sergeev, oscd.community
date: 2020/10/09
-modified: 2022/01/06
+modified: 2023/10/18
tags:
- attack.command_and_control
- attack.t1105
@@ -19,16 +19,14 @@ detection:
process_creation:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
- image_path:
+ selection:
Image|endswith: \GfxDownloadWrapper.exe
- filter:
- CommandLine|contains: gameplayapi.intel.com
- ParentImage|endswith:
- - \GfxDownloadWrapper.exe
- - \igfxEM.exe
- condition: process_creation and (image_path and not filter)
-fields:
- - CommandLine
+ CommandLine|contains:
+ - http://
+ - https://
+ filter_main_known_urls:
+ CommandLine|contains: https://gameplayapi.intel.com/
+ condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
index b941d7593..ab38aa7d9 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
@@ -11,6 +11,7 @@ references:
- https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/21
+modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1202
@@ -39,8 +40,6 @@ detection:
CommandLine|contains:
- \AppData\Roaming\Microsoft\Templates
- \AppData\Roaming\Microsoft\Word\Startup\
- - \Microsoft Office (x86)\root\Templates\
- - \Microsoft Office (x86)\Templates\
- \Microsoft Office\root\Templates\
- \Microsoft Office\Templates\
filter_main_dotx:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml
index bbc1a02e6..571bfbfdc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml
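Review bot: `filter_main_known_urls` in the GfxDownloadWrapper hunk is satisfied whenever `https://gameplayapi.intel.com/` appears anywhere in the command line, and the removed `filter` additionally required `ParentImage` to end in `\GfxDownloadWrapper.exe` or `\igfxEM.exe`, so dropping the parent check widens the exclusion rather than narrowing it; restoring it inside the new filter as `ParentImage|endswith:` with the two values `- \GfxDownloadWrapper.exe` and `- \igfxEM.exe` keeps the original scope of the allow-list. The old filter also accepted `gameplayapi.intel.com` without a scheme, so a plain `http://` call to the same host now alerts — presumably intended, but that belongs under `falsepositives` instead of `Unknown`. The office hunk below it only removes `\Microsoft Office (x86)\...` entries that duplicate nothing real on disk (32-bit Office lives under `Program Files (x86)\Microsoft Office\`, which `\Microsoft Office\root\Templates\` already covers), so no coverage is lost there.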
@@ -7,7 +7,7 @@ references:
- https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018/11/14
-modified: 2023/02/13
+modified: 2023/10/23
tags:
- attack.credential_access
- attack.t1558.003
@@ -26,7 +26,9 @@ detection:
- Query or reset the computer
- SPN attribute
selection_cli:
- CommandLine|contains: -q
+ CommandLine|contains:
+ - ' -q '
+ - ' /q '
condition: process_creation and (all of selection_*)
falsepositives:
- Administration activity
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
similarity index 100%
rename from sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml
rename to sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml