Sigma Rule Update (2023-10-04 20:07:22) (#501)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml

@@ -8,6 +8,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
+modified: 2023/09/12
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -28,5 +29,5 @@ detection:
     condition: appmodel_runtime and selection
 falsepositives:
     - Legitimate usage of the applications from the Windows Store
-level: medium
+level: low
 ruletype: Sigma

sigma/builtin/dns_client/win_dns_client_mega_nz.yml

@@ -1,10 +1,10 @@
-title: DNS Query for MEGA.io Upload Domain - DNS Client
+title: DNS Query To MEGA Hosting Website - DNS Client
 id: 66474410-b883-415f-9f8d-75345a0a66a6
 related:
     -   id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
         type: similar
 status: test
-description: Detects DNS queries for subdomains used for upload to MEGA.io
+description: Detects DNS queries for subdomains related to MEGA sharing website
 references:
     - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -26,5 +26,5 @@ detection:
     condition: dns_client and selection
 falsepositives:
     - Legitimate DNS queries and usage of Mega
-level: high
+level: medium
 ruletype: Sigma

sigma/builtin/dns_client/win_dns_client_ufile_io.yml

@@ -1,15 +1,16 @@
-title: DNS Query for Ufile.io Upload Domain - DNS Client
+title: DNS Query To Ufile.io - DNS Client
 id: 090ffaad-c01a-4879-850c-6d57da98452d
 related:
     -   id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
         type: similar
 status: experimental
-description: Detects DNS queries to "ufile.io". Which is often abused by malware for
-    upload and exfiltration
+description: Detects DNS queries to "ufile.io", which was seen abused by malware and
+    threat actors as a method for data exfiltration
 references:
     - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/16
+modified: 2023/09/18
 tags:
     - attack.exfiltration
     - attack.t1567.002
@@ -26,6 +27,7 @@ detection:
         QueryName|contains: ufile.io
     condition: dns_client and selection
 falsepositives:
-    - Legitimate DNS queries and usage of Ufile
-level: high
+    - DNS queries for "ufile" are not malicious by nature necessarily. Investigate
+        the source to determine the necessary actions to take
+level: low
 ruletype: Sigma

sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml

@@ -7,7 +7,7 @@ references:
     - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Florian Roth (Nextron Systems)
 date: 2021/01/22
-modified: 2022/12/18
+modified: 2023/09/12
 tags:
     - attack.execution
     - attack.t1059.001
@@ -19,33 +19,39 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection_1:
-        CommandLine|contains: 7z.exe a -v500m -mx9 -r0 -p
-    selection_2:
+    selection_generic_1:
+        CommandLine|contains:
+            - 7z.exe a -v500m -mx9 -r0 -p
+            - 7z.exe a -mx9 -r0 -p
+        CommandLine|contains|all:
+            - .zip
+            - .txt
+    selection_generic_2:
+        CommandLine|contains:
+            - 7z.exe a -v500m -mx9 -r0 -p
+            - 7z.exe a -mx9 -r0 -p
+        CommandLine|contains|all:
+            - .zip
+            - .log
+    selection_generic_3:
         ParentCommandLine|contains|all:
             - wscript.exe
             - .vbs
         CommandLine|contains|all:
             - rundll32.exe
             - C:\Windows
             - .dll,Tk_
-    selection_3:
-        ParentCommandLine|contains: C:\Windows
+    selection_generic_4:
+        ParentCommandLine|contains:
+            - C:\Windows
+            - .dll
         CommandLine|contains: 'cmd.exe /C '
         ParentProcessName|endswith: \rundll32.exe
-    selection_4:
-        CommandLine|contains|all:
-            - rundll32 c:\windows\
-            - '.dll '
-    specific1:
+    selection_generic_5:
+        CommandLine: ''
         ParentProcessName|endswith: \rundll32.exe
         NewProcessName|endswith: \dllhost.exe
-    filter1:
-        CommandLine:
-            - ' '
-            - ''
-    condition: process_creation and (1 of selection_* or ( specific1 and not filter1
-        ))
+    condition: process_creation and (1 of selection_generic_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml

@@ -0,0 +1,33 @@
+title: DarkGate User Created Via Net.EXE
+id: bf906d7b-7070-4642-8383-e404cf26eba5
+status: experimental
+description: Detects creation of local users via the net.exe command with the name
+    of "DarkGate"
+references:
+    - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/08/27
+tags:
+    - attack.persistence
+    - attack.t1136.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        CommandLine|contains|all:
+            - user
+            - add
+            - DarkGate
+            - SafeMode
+        NewProcessName|endswith:
+            - \net.exe
+            - \net1.exe
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml

@@ -10,7 +10,7 @@ references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
-modified: 2023/08/31
+modified: 2023/09/12
 tags:
     - attack.collection
     - attack.t1560.001
@@ -34,6 +34,7 @@ detection:
         CommandLine|contains:
             - .dmp
             - .dump
+            - .hdmp
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears

sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml

@@ -1,5 +1,8 @@
 title: Potential Data Stealing Via Chromium Headless Debugging
 id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
+related:
+    -   id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
+        type: derived
 status: experimental
 description: Detects chromium based browsers starting in headless and debugging mode
     and pointing to a user profile. This could be a sign of data stealing or remote

sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml

@@ -0,0 +1,35 @@
+title: Browser Execution In Headless Mode
+id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
+related:
+    -   id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
+        type: derived
+status: test
+description: Detects execution of Chromium based browser in headless mode
+references:
+    - https://twitter.com/mrd0x/status/1478234484881436672?s=12
+    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/12
+tags:
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        CommandLine|contains: --headless
+        NewProcessName|endswith:
+            - \brave.exe
+            - \chrome.exe
+            - \msedge.exe
+            - \opera.exe
+            - \vivaldi.exe
+    condition: process_creation and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml

@@ -1,5 +1,8 @@
 title: File Download with Headless Browser
 id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
+related:
+    -   id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
+        type: derived
 status: test
 description: Detects execution of chromium based browser in headless mode using the
     "dump-dom" command line to download files

sigma/builtin/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml

@@ -0,0 +1,37 @@
+title: Chromium Browser Headless Execution To Mockbin Like Site
+id: 1c526788-0abe-4713-862f-b520da5e5316
+status: experimental
+description: Detects the execution of a Chromium based browser process with the "headless"
+    flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate
+    data).
+references:
+    - https://www.zscaler.com/blogs/security-research/steal-it-campaign
+author: X__Junior (Nextron Systems)
+date: 2023/09/11
+tags:
+    - attack.execution
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        NewProcessName|endswith:
+            - \brave.exe
+            - \chrome.exe
+            - \msedge.exe
+            - \opera.exe
+            - \vivaldi.exe
+    selection_headless:
+        CommandLine|contains: --headless
+    selection_url:
+        CommandLine|contains:
+            - ://run.mocky
+            - ://mockbin
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml

@@ -9,7 +9,7 @@ references:
     - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Aedan Russell, frack113, X__Junior (Nextron Systems)
 date: 2022/06/19
-modified: 2023/05/02
+modified: 2023/09/28
 tags:
     - attack.persistence
     - attack.t1176
@@ -21,9 +21,7 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains|all:
-            - --load-extension=
-            - \AppData\Local\
+        CommandLine|contains: --load-extension=
         ParentProcessName|endswith:
             - \cmd.exe
             - \cscript.exe

sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml

@@ -0,0 +1,48 @@
+title: File Download From Browser Process Via Inline Link
+id: 94771a71-ba41-4b6e-a757-b531372eaab6
+status: test
+description: Detects execution of a browser process with a URL argument pointing to
+    a file with a potentially interesting extension. This can be abused to download
+    arbitrary files or to hide from the user for example by launching the browser
+    in a minimized state.
+references:
+    - https://twitter.com/mrd0x/status/1478116126005641220
+    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/01/11
+modified: 2023/04/06
+tags:
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        NewProcessName|endswith:
+            - \brave.exe
+            - \chrome.exe
+            - \msedge.exe
+            - \opera.exe
+            - \vivaldi.exe
+    selection_http:
+        CommandLine|contains: ' http'
+    selection_ext:
+        CommandLine|contains:
+            - .dat
+            - .dll
+            - .exe
+            - .hta
+            - .ps1
+            - .txt
+            - .vbe
+            - .vbs
+            - .zip
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_browsers_remote_debugging.yml

@@ -1,5 +1,8 @@
 title: Browser Started with Remote Debugging
 id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
+related:
+    -   id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
+        type: derived
 status: experimental
 description: Detects browsers starting with the remote debugging flags. Which is a
     technique often used to perform browser injection attacks