Sigma Rule Update (2024-09-06 20:13:52) (#714)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

@@ -3,6 +3,8 @@ id: bc5cba6d-bdf9-70db-83d3-ffea696528e5
 related:
     - id: e0552b19-5a83-4222-b141-b36184bb8d79
       type: similar
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
     - id: 584bca0f-3608-4402-80fd-4075ff6072e3
@@ -16,6 +18,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems), Josh Nickels
 date: 2024-09-02
+modified: 2024-09-05
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -52,6 +55,8 @@ detection:
             # Hyphen alternatives
             - ―   # 0x2015
             - —   # 0x2014
+            # Whitespace that don't work as path separator
+            -     # 0x00A0
             # Other
             - ¯
             - ®

sigma/builtin/process_creation/proc_creation_win_susp_right_to_left_override.yml

@@ -1,6 +1,10 @@
 title: Potential Defense Evasion Via Right-to-Left Override
 id: 7d442414-1318-9f2d-6f0c-65ff86c357de
 related:
+    - id: e0552b19-5a83-4222-b141-b36184bb8d79
+      type: derived
+    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
+      type: derived
     - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
       type: derived
 status: test

sigma/builtin/security/win_security_gpo_scheduledtasks.yml

@@ -8,9 +8,10 @@ description: Detect lateral movement using GPO scheduled task, usually used to d
 references:
     - https://twitter.com/menasec1/status/1106899890377052160
     - https://www.secureworks.com/blog/ransomware-as-a-distraction
+    - https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
 author: Samir Bousseaden
 date: 2019-04-03
-modified: 2024-08-01
+modified: 2024-09-04
 tags:
     - attack.persistence
     - attack.lateral-movement
@@ -22,15 +23,23 @@ logsource:
 detection:
     security:
         Channel: Security
-    selection:
+    selection_5136:
+        EventID: 5136
+        AttributeLDAPDisplayName:
+            - gPCMachineExtensionNames
+            - gPCUserExtensionNames
+        AttributeValue|contains:
+            - CAB54552-DEEA-4691-817E-ED4A4D1AFC72
+            - AADCED64-746C-4633-A97C-D61349046527
+    selection_5145:
         EventID: 5145
-        ShareName: \\\\\*\\SYSVOL   # looking for the string \\*\SYSVOL
+        ShareName|endswith: \SYSVOL   # looking for the string \\*\SYSVOL
         RelativeTargetName|endswith: ScheduledTasks.xml
         AccessList|contains:
             - WriteData
             - '%%4417'
-    condition: security and selection
+    condition: security and (1 of selection_*)
 falsepositives:
-    - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+    - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
 level: high
 ruletype: Sigma

sigma/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml

@@ -0,0 +1,33 @@
+title: Group Policy Abuse for Privilege Addition
+id: 6e3066ef-54e1-9d1b-5bc6-9ae6947ae271
+related:
+    - id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
+      type: derived
+status: experimental
+description: |
+    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
+author: Elastic, Josh Nickels, Marius Rothenbücher
+references:
+    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
+date: 2024-09-04
+tags:
+    - attack.privilege-escalation
+    - attack.t1484.001
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID: 5136
+        AttributeLDAPDisplayName: gPCMachineExtensionNames
+        AttributeValue|contains:
+            - 827D319E-6EAC-11D2-A4EA-00C04F79F83A
+            - 803E14A0-B4FB-11D0-A0D0-00A0C90F574B
+    condition: security and selection
+falsepositives:
+    - Users allowed to perform these modifications (user found in field SubjectUserName)
+level: medium
+ruletype: Sigma

sigma/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml

@@ -0,0 +1,47 @@
+title: Startup/Logon Script Added to Group Policy Object
+id: bc613d09-5a80-cad3-6f65-c5020f960511
+related:
+    - id: 123e4e6d-b123-48f8-b261-7214938acaf0
+      type: derived
+status: experimental
+description: |
+    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
+references:
+    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
+author: Elastic, Josh Nickels, Marius Rothenbücher
+date: 2024-09-06
+tags:
+    - attack.privilege-escalation
+    - attack.t1484.001
+    - attack.t1547
+logsource:
+    product: windows
+    service: security
+    definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
+detection:
+    security:
+        Channel: Security
+    selection_eventid:
+        EventID:
+            - 5136
+            - 5145
+    selection_attributes_main:
+        AttributeLDAPDisplayName:
+            - gPCMachineExtensionNames
+            - gPCUserExtensionNames
+        AttributeValue|contains: 42B5FAAE-6536-11D2-AE5A-0000F87571E3
+    selection_attributes_optional:
+        AttributeValue|contains:
+            - 40B6664F-4972-11D1-A7CA-0000F87571E3
+            - 40B66650-4972-11D1-A7CA-0000F87571E3
+    selection_share:
+        ShareName|endswith: \SYSVOL
+        RelativeTargetName|endswith:
+            - \scripts.ini
+            - \psscripts.ini
+        AccessList|contains: '%%4417'
+    condition: security and (selection_eventid and (all of selection_attributes_* or selection_share))
+falsepositives:
+    - Legitimate execution by system administrators.
+level: medium
+ruletype: Sigma

sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml

@@ -3,6 +3,8 @@ id: 1c28655b-a54c-2619-b61d-1b3307a9d6dd
 related:
     - id: 584bca0f-3608-4402-80fd-4075ff6072e3
       type: similar
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
     - id: e0552b19-5a83-4222-b141-b36184bb8d79
@@ -16,7 +18,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-01-15
-modified: 2024-09-02
+modified: 2024-09-05
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -41,6 +43,8 @@ detection:
             # Hyphen alternatives
             - ―   # 0x2015
             - —   # 0x2014
+            # Whitespace that don't work as path separator
+            -     # 0x00A0
             # Other
             - ¯
             - ®

sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

@@ -3,6 +3,8 @@ id: bab95f92-e0e8-0fd8-c984-435ae1693ce0
 related:
     - id: e0552b19-5a83-4222-b141-b36184bb8d79
       type: similar
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
     - id: 584bca0f-3608-4402-80fd-4075ff6072e3
@@ -16,6 +18,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems), Josh Nickels
 date: 2024-09-02
+modified: 2024-09-05
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -52,6 +55,8 @@ detection:
             # Hyphen alternatives
             - ―   # 0x2015
             - —   # 0x2014
+            # Whitespace that don't work as path separator
+            -     # 0x00A0
             # Other
             - ¯
             - ®

sigma/sysmon/process_creation/proc_creation_win_susp_right_to_left_override.yml

@@ -1,6 +1,10 @@
 title: Potential Defense Evasion Via Right-to-Left Override
 id: 81f8032a-aff8-233a-6ff5-0d431009fe04
 related:
+    - id: e0552b19-5a83-4222-b141-b36184bb8d79
+      type: derived
+    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
+      type: derived
     - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
       type: derived
 status: test

sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml

@@ -3,6 +3,8 @@ id: efe8a84a-0bef-c646-b13a-5a3cbe2b01b9
 related:
     - id: 584bca0f-3608-4402-80fd-4075ff6072e3
       type: similar
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
     - id: e0552b19-5a83-4222-b141-b36184bb8d79
@@ -16,7 +18,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-01-15
-modified: 2024-09-02
+modified: 2024-09-05
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -41,6 +43,8 @@ detection:
             # Hyphen alternatives
             - ―   # 0x2015
             - —   # 0x2014
+            # Whitespace that don't work as path separator
+            -     # 0x00A0
             # Other
             - ¯
             - ®