Merge pull request #574 from Yamato-Security/rules/auto-sigma-update-…

…1705715314 [Auto] Sigma Update report(2024-01-20 01:48:33)
Yamato-Security · Jan 20, 2024 · 7fde4ca · 7fde4ca
2 parents a7038b5 + 3e19428
commit 7fde4ca
Show file tree

Hide file tree

Showing 8,113 changed files with 203,691 additions and 30,213 deletions.
diff --git a/sigma/builtin/application/Other/win_av_relevant_match.yml b/sigma/builtin/application/Other/win_av_relevant_match.yml
@@ -1,8 +1,7 @@
 title: Relevant Anti-Virus Signature Keywords In Application Log
 id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 status: test
-description: Detects potentially highly relevant antivirus events in the application
-    log based on known virus signature names and malware keywords.
+description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
 references:
     - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
     - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
@@ -84,13 +83,20 @@ detection:
         - TeslaCrypt
         - Valyria
         - Webshell
+        # - 'FRP.'
+        # - 'PWS.'
+        # - 'PWSX'
+        # - 'Razy'
+        # - 'Ryuk'
+        # - 'Locker'
+        # - 'Potato'
     filter_optional_generic:
         - Keygen
         - Crack
         - anti_ransomware_service.exe
         - cyber-protect-service.exe
     filter_optional_information:
-        Level: 4
+        Level: 4  # Information level
     filter_optional_restartmanager:
         Provider_Name: Microsoft-Windows-RestartManager
     condition: application and (keywords and not 1 of filter_optional_*)

diff --git a/sigma/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/sigma/builtin/application/application_error/win_application_msmpeng_crash_error.yml
@@ -1,11 +1,10 @@
 title: Microsoft Malware Protection Engine Crash
 id: 545a5da6-f103-4919-a519-e9aec1026ee4
 related:
-    -   id: 6c82cf5c-090d-4d57-9188-533577631108
-        type: similar
+    - id: 6c82cf5c-090d-4d57-9188-533577631108
+      type: similar
 status: experimental
-description: This rule detects a suspicious crash of the Microsoft Malware Protection
-    Engine
+description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
@@ -19,6 +18,7 @@ tags:
 logsource:
     product: windows
     service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application

diff --git a/sigma/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/sigma/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
@@ -1,9 +1,7 @@
 title: Potential Credential Dumping Via WER - Application
 id: a18e0862-127b-43ca-be12-1a542c75c7c5
 status: test
-description: Detects Windows error reporting event where the process that crashed
-    is lsass. This could be the cause of an intentional crash by techniques such as
-    Lsass-Shtinkering to dump credential
+description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
 references:
     - https://github.com/deepinstinct/Lsass-Shtinkering
     - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
@@ -23,7 +21,7 @@ detection:
         Provider_Name: Application Error
         EventID: 1000
         AppName: lsass.exe
-        ExceptionCode: c0000001
+        ExceptionCode: c0000001   # STATUS_UNSUCCESSFUL
     condition: application and selection
 falsepositives:
     - Rare legitimate crashing of the lsass process

diff --git a/sigma/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/sigma/builtin/application/esent/win_esent_ntdsutil_abuse.yml
@@ -13,6 +13,7 @@ tags:
 logsource:
     product: windows
     service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application

diff --git a/sigma/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/sigma/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
@@ -1,8 +1,7 @@
 title: Dump Ntds.dit To Suspicious Location
 id: 94dc4390-6b7c-4784-8ffc-335334404650
 status: test
-description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious
-    location
+description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
 references:
     - https://twitter.com/mgreen27/status/1558223256704122882
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
@@ -14,15 +13,17 @@ tags:
 logsource:
     product: windows
     service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application
     selection_root:
         Provider_Name: ESENT
-        EventID: 325
+        EventID: 325 # New Database Created
         Data|contains: ntds.dit
     selection_paths:
         Data|contains:
+            # Add more locations that you don't use in your env or that are just suspicious
             - :\ntds.dit
             - \Appdata\
             - \Desktop\

diff --git a/sigma/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/sigma/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
@@ -1,20 +1,15 @@
 title: Audit CVE Event
 id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
 status: test
-description: 'Detects events generated by user-mode applications when they call the
-    CveEventWrite API when a known vulnerability is trying to be exploited.
-
-    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI
-    vulnerability.
-
+description: |
+    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
+    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
     Unfortunately, that is about the only instance of CVEs being written to this log.
-
-    '
 references:
     - https://twitter.com/VM_vivisector/status/1217190929330655232
     - https://twitter.com/DidierStevens/status/1217533958096924676
     - https://twitter.com/FlemmingRiis/status/1217147415482060800
-    - https://www.youtube.com/watch?v=ebmW42YYveI
+    - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
     - https://nullsec.us/windows-event-log-audit-cve/
 author: Florian Roth (Nextron Systems), Zach Mathis
 date: 2020/01/15

diff --git a/...crosoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/...crosoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -1,8 +1,7 @@
 title: Restricted Software Access By SRP
 id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
 status: test
-description: Detects restricted access to applications by the Software Restriction
-    Policies (SRP) policy
+description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
 references:
     - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
     - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
@@ -20,11 +19,11 @@ detection:
     selection:
         Provider_Name: Microsoft-Windows-SoftwareRestrictionPolicies
         EventID:
-            - 865
-            - 866
-            - 867
-            - 868
-            - 882
+            - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
+            - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
+            - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
+            - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
+            - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
     condition: application and selection
 falsepositives:
     - Unknown

diff --git a/sigma/builtin/application/msiinstaller/win_builtin_remove_application.yml b/sigma/builtin/application/msiinstaller/win_builtin_remove_application.yml
@@ -22,5 +22,6 @@ detection:
     condition: application and selection
 falsepositives:
     - Unknown
+# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/sigma/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -12,6 +12,7 @@ tags:
 logsource:
     product: windows
     service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application
@@ -21,19 +22,20 @@ detection:
             - 1040
             - 1042
         Data|contains:
+            # Add more suspicious paths
             - :\Windows\TEMP\
             - \\\\
             - \Desktop\
             - \PerfLogs\
             - \Users\Public\
+            # - '\AppData\Local\Temp\'  # too many FPs
+            # - '\Downloads\'  # too many FPs, typical legitimate staging directory
     filter_winget:
         Data|contains: \AppData\Local\Temp\WinGet\
     filter_updhealthtools:
         Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
     condition: application and (selection and not 1 of filter_*)
 falsepositives:
-    - False positives may occur if you allow installation from folders such as the
-        desktop, the public folder or remote shares. A baseline is required before
-        production use.
+    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/application/msiinstaller/win_msi_install_from_web.yml b/sigma/builtin/application/msiinstaller/win_msi_install_from_web.yml
@@ -14,6 +14,7 @@ tags:
 logsource:
     product: windows
     service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application

diff --git a/sigma/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/sigma/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
@@ -1,8 +1,7 @@
 title: Atera Agent Installation
 id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
 status: test
-description: Detects successful installation of Atera Remote Monitoring & Management
-    (RMM) agent as recently found to be used by Conti operators
+description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
 references:
     - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 author: Bhabesh Raj

diff --git a/sigma/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/sigma/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
@@ -1,8 +1,7 @@
 title: MSSQL Add Account To Sysadmin Role
 id: 08200f85-2678-463e-9c32-88dce2f073d1
 status: test
-description: Detects when an attacker tries to backdoor the MSSQL server by adding
-    a backdoor account to the sysadmin fixed server role
+description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
 references:
     - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -12,8 +11,8 @@ tags:
 logsource:
     product: windows
     service: application
-    definition: MSSQL audit policy must be enabled in order to receive this event
-        in the application log
+    definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application

diff --git a/sigma/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/sigma/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
@@ -1,8 +1,7 @@
 title: MSSQL Disable Audit Settings
 id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
 status: test
-description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER
-    AUDIT" transaction in order to delete or disable audit logs on the server
+description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
 references:
     - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
     - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
@@ -14,8 +13,8 @@ tags:
 logsource:
     product: windows
     service: application
-    definition: MSSQL audit policy must be enabled in order to receive this event
-        in the application log
+    definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application
@@ -27,7 +26,6 @@ detection:
             - statement:DROP SERVER AUDIT
     condition: application and selection
 falsepositives:
-    - This event should only fire when an administrator is modifying the audit policy.
-        Which should be a rare occurrence once it's set up
+    - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
@@ -1,8 +1,8 @@
 title: MSSQL Server Failed Logon
 id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
 related:
-    -   id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
-        type: similar
+    - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+      type: similar
 status: experimental
 description: Detects failed logon attempts from clients to MSSQL server.
 author: Nasreddine Bencherchali (Nextron Systems), j4son
@@ -25,8 +25,6 @@ detection:
         EventID: 18456
     condition: application and selection
 falsepositives:
-    - This event could stem from users changing an account's password that's used
-        to authenticate via a job or an automated process. Investigate the source
-        of such events and mitigate them
+    - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
@@ -1,11 +1,10 @@
 title: MSSQL Server Failed Logon From External Network
 id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
 related:
-    -   id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
-        type: similar
+    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+      type: similar
 status: experimental
-description: Detects failed logon attempts from clients with external network IP to
-    an MSSQL server. This can be a sign of a bruteforce attack.
+description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
 author: j4son
 date: 2023/10/11
 references:
@@ -26,8 +25,8 @@ detection:
         EventID: 18456
     filter_main_local_ips:
         Data|contains:
-            - 'CLIENT: 10.'
-            - 'CLIENT: 172.16.'
+            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
+            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
             - 'CLIENT: 172.17.'
             - 'CLIENT: 172.18.'
             - 'CLIENT: 172.19.'
@@ -43,9 +42,9 @@ detection:
             - 'CLIENT: 172.29.'
             - 'CLIENT: 172.30.'
             - 'CLIENT: 172.31.'
-            - 'CLIENT: 192.168.'
-            - 'CLIENT: 127.'
-            - 'CLIENT: 169.254.'
+            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
+            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
+            - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
     condition: application and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown

diff --git a/sigma/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/sigma/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
@@ -1,9 +1,7 @@
 title: MSSQL SPProcoption Set
 id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
 status: test
-description: Detects when the a stored procedure is set or cleared for automatic execution
-    in MSSQL. A stored procedure that is set to automatic execution runs every time
-    an instance of SQL Server is started
+description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
 references:
     - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
     - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
@@ -14,8 +12,8 @@ tags:
 logsource:
     product: windows
     service: application
-    definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled
-        in order to receive this event in the application log
+    definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled in order to receive this event in the application log
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application

diff --git a/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
@@ -1,8 +1,7 @@
 title: MSSQL XPCmdshell Suspicious Execution
 id: 7f103213-a04e-4d59-8261-213dddf22314
 status: test
-description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute
-    commands
+description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
 references:
     - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
     - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
@@ -13,15 +12,16 @@ tags:
 logsource:
     product: windows
     service: application
-    definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in
-        order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
+    definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application
     selection:
         Provider_Name: MSSQLSERVER
         EventID: 33205
         Data|contains|all:
+            # You can modify this to include specific commands
             - object_name:xp_cmdshell
             - statement:EXEC
     condition: application and selection

diff --git a/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
@@ -12,6 +12,7 @@ tags:
 logsource:
     product: windows
     service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
     application:
         Channel: Application
@@ -22,7 +23,6 @@ detection:
     condition: application and selection
 falsepositives:
     - Legitimate enable/disable of the setting
-    - Note that since the event contain the change for both values. This means that
-        this will trigger on both enable and disable
+    - Note that since the event contain the change for both values. This means that this will trigger on both enable and disable
 level: high
 ruletype: Sigma