Sigma Rule Update (2023-10-11 20:07:18) (#504)
Co-authored-by: hach1yon <[email protected]>
github-actions[bot] and hach1yon authored Oct 11, 2023
1 parent 09dba13 commit acdff06
Showing 8 changed files with 302 additions and 0 deletions.
32 changes: 32 additions & 0 deletions sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
@@ -0,0 +1,32 @@
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
status: experimental
description: Detects failed logon attempts from clients to MSSQL server.
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023/10/11
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
tags:
- attack.credential_access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
application:
Channel: Application
selection:
Provider_Name: MSSQLSERVER
EventID: 18456
condition: application and selection
falsepositives:
- This event could stem from users changing an account's password that's used
to authenticate via a job or an automated process. Investigate the source
of such events and mitigate them
level: low
ruletype: Sigma
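Review bot: the `logsource.definition` ("Must enable MSSQL authentication") does not name the setting the rule actually depends on: Event ID 18456 only reaches the Application log when SQL Server's login auditing is configured to record failed logins (which is what the first reference walks through), so reword it to state that audit requirement. Separately, `Provider_Name: MSSQLSERVER` only matches the default instance; a named instance writes under its own event source (`MSSQL$<InstanceName>`), so either list the sources in use or widen the match, e.g. `Provider_Name|startswith: MSSQL`, otherwise failed logons against named instances are silently missed.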
@@ -0,0 +1,53 @@
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
type: similar
status: experimental
description: Detects failed logon attempts from clients with external network IP to
an MSSQL server. This can be a sign of a bruteforce attack.
author: j4son
date: 2023/10/11
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
tags:
- attack.credential_access
- attack.t1110
logsource:
product: windows
service: application
definition: 'Requirements: Must enable MSSQL authentication.'
detection:
application:
Channel: Application
selection:
Provider_Name: MSSQLSERVER
EventID: 18456
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.'
- 'CLIENT: 172.16.'
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
- 'CLIENT: 172.20.'
- 'CLIENT: 172.21.'
- 'CLIENT: 172.22.'
- 'CLIENT: 172.23.'
- 'CLIENT: 172.24.'
- 'CLIENT: 172.25.'
- 'CLIENT: 172.26.'
- 'CLIENT: 172.27.'
- 'CLIENT: 172.28.'
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.'
- 'CLIENT: 127.'
- 'CLIENT: 169.254.'
condition: application and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
ruletype: Sigma
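Review bot: the `filter_main_local_ips` list covers only IPv4 private, loopback and link-local prefixes, so a failed logon over a local connection, which SQL Server records as `[CLIENT: <local machine>]` (or `[CLIENT: <named pipe>]`), or over IPv6 (`::1`, `fe80:`) is not excluded and will be raised as "external" at level medium. Add entries such as `CLIENT: <local machine>`, `CLIENT: <named pipe>`, `CLIENT: ::1` and `CLIENT: fe80:` to the filter, and replace the "Unknown" falsepositive with a note that non-RFC1918 internal address space needs site-specific additions to the filter. The `Provider_Name: MSSQLSERVER` match has the same named-instance gap as the base rule.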
@@ -0,0 +1,35 @@
title: BlueSky Ransomware Artefacts
id: eee8311f-a752-44f0-bf2f-6b007db16300
status: experimental
description: Detect access to files and shares with names and extensions used by BlueSky
ransomware which could indicate a current or previous encryption attempt.
references:
- https://unit42.paloaltonetworks.com/bluesky-ransomware/
author: j4son
date: 2023/05/23
tags:
- attack.impact
- attack.t1486
logsource:
product: windows
service: security
detection:
security:
Channel: Security
selection_access_eid:
EventID:
- 4663
- 4656
selection_access_data:
- ObjectName|endswith: .bluesky
- ObjectName|contains: DECRYPT FILES BLUESKY
selection_share_eid:
EventID: 5145
selection_share_data:
- RelativeTargetName|endswith: .bluesky
- RelativeTargetName|contains: DECRYPT FILES BLUESKY
condition: security and (all of selection_access_* or all of selection_share_*)
falsepositives:
- Unknown
level: high
ruletype: Sigma
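Review bot: the Security-log events this rule keys on are silent unless auditing is configured, and nothing in the rule says so: 4656/4663 require the Audit File System subcategory plus a SACL on the watched paths, and 5145 requires Audit Detailed File Share. Without those settings the rule never fires, and `level: high` then gives false assurance. Add a `logsource.definition` stating the audit requirements, as the two MSSQL rules in this commit do, and mention in falsepositives that the `.bluesky` suffix and "DECRYPT FILES BLUESKY" marker are the only signals, so a benign file carrying that name would match.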
@@ -0,0 +1,36 @@
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7
type: similar
status: experimental
description: 'Detects command line containing reference to the "::$index_allocation"
stream, which can be used as a technique to prevent access to folders or files
from tooling such as "explorer.exe" or "cmd.exe"
'
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023/10/09
tags:
- attack.defense_evasion
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
CommandLine|contains: ::$index_allocation
condition: process_creation and selection
falsepositives:
- Unlikely
level: medium
ruletype: Sigma
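Review bot: the `CommandLine` field of Security 4688 is empty unless the "Include command line in process creation events" audit policy is enabled, so this builtin variant depends on a setting the logsource block does not mention; add a `definition:` stating it, otherwise the rule loads but can never match. Also worth noting in the rule: because Sigma string matching is case-insensitive, `::$index_allocation` already covers the `::$INDEX_ALLOCATION` spelling used in the references, so no second value is needed for case.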
@@ -0,0 +1,40 @@
title: Certificate Use With No Strong Mapping
id: 993c2665-e6ef-40e3-a62a-e1a97686af79
status: experimental
description: 'Detects a user certificate that was valid but could not be mapped to
a user in a strong way (such as via explicit mapping, key trust mapping, or a
SID)
This could be a sign of exploitation of the elevation of privilege vulnerabilities
(CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows
certificate spoofing by not requiring a strong mapping.
Events where the AccountName and CN of the Subject do not match, or where the
CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
'
references:
- https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
author: '@br4dy5'
date: 2023/10/09
tags:
- attack.privilege_escalation
logsource:
product: windows
service: system
detection:
system:
Channel: System
selection:
Provider_Name: Kerberos-Key-Distribution-Center
EventID:
- 39
- 41
condition: system and selection
falsepositives:
- If prevalent in the environment, filter on events where the AccountName and
CN of the Subject do not reference the same user
- If prevalent in the environment, filter on CNs that end in a dollar sign indicating
it is a machine name
level: medium
ruletype: Sigma
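Review bot: the two selected event IDs carry different weight and the rule treats them identically. Per KB5014754 (the only reference), event 39 means the certificate could not be strongly mapped at all, which is routine in estates still issuing certificates without the SID extension, whereas event 41 means the certificate did map but carried a different SID than the account, which is the direct spoofing indicator. Either split 41 into its own higher-level rule or document the distinction in falsepositives, and check whether event 40 (certificate predates the account it maps to), the KB's other spoofing indicator, should be included. Two smaller points: the description names three CVEs but the tags carry none, while the Foxit rule in this commit tags `cve.2023.27363`, so `cve.2022.26923` and the others would keep tagging consistent; and the logsource should state that these events are only emitted by domain controllers with the KB5014754 update installed.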
@@ -0,0 +1,32 @@
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
description: Detects suspicious ".hta" file creation in the startup folder by Foxit
Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
- https://www.zerodayinitiative.com/advisories/ZDI-23-491/
- https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023/10/11
tags:
- attack.persistence
- attack.t1505.001
- cve.2023.27363
- sysmon
logsource:
product: windows
category: file_event
detection:
file_event:
EventID: 11
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith: \FoxitPDFReader.exe
TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\
TargetFilename|endswith: .hta
condition: file_event and selection
falsepositives:
- Unknown
level: high
ruletype: Sigma
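Review bot: `attack.t1505.001` is the wrong technique: T1505.001 is Server Software Component: SQL Stored Procedures, whereas an `.hta` dropped into the Startup folder is Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). Also, `Image|endswith: \FoxitPDFReader.exe` covers only the renamed "Foxit PDF Reader" binary, while the description and references say "Foxit Reader"; if older Foxit Reader builds (binary `FoxitReader.exe`) are in scope for CVE-2023-27363, make `Image|endswith` a list with both names so the rule does not miss them.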
@@ -0,0 +1,37 @@
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
- id: 0900463c-b33b-49a8-be1d-552a3b553dae
type: similar
status: experimental
description: 'Detects the creation of hidden file/folder with the "::$index_allocation"
stream. Which can be used as a technique to prevent access to folder and files
from tooling such as "explorer.exe" and "cmd.exe"
'
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023/10/09
tags:
- attack.defense_evasion
- attack.t1564.004
- sysmon
logsource:
product: windows
category: file_event
detection:
file_event:
EventID: 11
Channel: Microsoft-Windows-Sysmon/Operational
selection:
TargetFilename|contains: ::$index_allocation
condition: file_event and selection
falsepositives:
- Unlikely
level: medium
ruletype: Sigma
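Review bot: the description is a sentence fragment ("... stream. Which can be used ..."); the CLI variant in this same commit has the readable wording ("stream, which can be used ..."), so align the two. More importantly, the selection relies on Sysmon EID 11 both firing for a directory creation and recording `TargetFilename` with the `::$index_allocation` suffix intact rather than a normalized path; verify that against the Atomic test linked in references before leaving falsepositives at "Unlikely", and record the Sysmon version tested in the rule.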
@@ -0,0 +1,37 @@
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7
type: similar
status: experimental
description: 'Detects command line containing reference to the "::$index_allocation"
stream, which can be used as a technique to prevent access to folders or files
from tooling such as "explorer.exe" or "cmd.exe"
'
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023/10/09
tags:
- attack.defense_evasion
- attack.t1564.004
- sysmon
logsource:
product: windows
category: process_creation
detection:
process_creation:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
CommandLine|contains: ::$index_allocation
condition: process_creation and selection
falsepositives:
- Unlikely
level: medium
ruletype: Sigma
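Review bot: a command-line match only sees the stream name when it is passed to a new process, but `mkdir`/`md` is a cmd.exe built-in and `New-Item` runs inside PowerShell, so an operator typing the command in an interactive shell creates the directory without any Sysmon EID 1 (or 4688) event carrying `::$index_allocation`; this rule only catches `cmd /c mkdir ...` style invocations and scripts that spawn a shell. Document that coverage limit in the description or falsepositives, and point readers to the file_event variant (`a8f866e1-bdd4-425e-a27a-37619238d9c7`, already listed under `related`) for the interactive case.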