Sigma Rule Update (2023-10-11 20:07:18) (#504)
Co-authored-by: hach1yon <[email protected]>
1 parent 09dba13, commit acdff06
Showing 8 changed files with 302 additions and 0 deletions.
sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml (32 additions, 0 deletions)
@@ -0,0 +1,32 @@ | ||
title: MSSQL Server Failed Logon | ||
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 | ||
related: | ||
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d | ||
type: similar | ||
status: experimental | ||
description: Detects failed logon attempts from clients to MSSQL server. | ||
author: Nasreddine Bencherchali (Nextron Systems), j4son | ||
date: 2023/10/11 | ||
references: | ||
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ | ||
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html | ||
tags: | ||
- attack.credential_access | ||
- attack.t1110 | ||
logsource: | ||
product: windows | ||
service: application | ||
definition: 'Requirements: Must enable MSSQL authentication.' | ||
detection: | ||
application: | ||
Channel: Application | ||
selection: | ||
Provider_Name: MSSQLSERVER | ||
EventID: 18456 | ||
condition: application and selection | ||
falsepositives: | ||
- This event could stem from users changing an account's password that's used | ||
to authenticate via a job or an automated process. Investigate the source | ||
of such events and mitigate them | ||
level: low | ||
ruletype: Sigma |
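Review bot: `selection` here matches every EventID 18456 regardless of client address or of the failure reason in the message text, so a single mistyped password fires it; that is consistent with `level: low`, but the `falsepositives` entry names only automated jobs with stale credentials and should also list ordinary interactive mistypes, and it is missing its closing period after `mitigate them`. The `related` entry `ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d` resolves to the external-network variant added in this same commit, so that link is consistent.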
sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml (53 additions, 0 deletions)
@@ -0,0 +1,53 @@ | ||
title: MSSQL Server Failed Logon From External Network | ||
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d | ||
related: | ||
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 | ||
type: similar | ||
status: experimental | ||
description: Detects failed logon attempts from clients with external network IP to | ||
an MSSQL server. This can be a sign of a bruteforce attack. | ||
author: j4son | ||
date: 2023/10/11 | ||
references: | ||
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ | ||
- https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html | ||
tags: | ||
- attack.credential_access | ||
- attack.t1110 | ||
logsource: | ||
product: windows | ||
service: application | ||
definition: 'Requirements: Must enable MSSQL authentication.' | ||
detection: | ||
application: | ||
Channel: Application | ||
selection: | ||
Provider_Name: MSSQLSERVER | ||
EventID: 18456 | ||
filter_main_local_ips: | ||
Data|contains: | ||
- 'CLIENT: 10.' | ||
- 'CLIENT: 172.16.' | ||
- 'CLIENT: 172.17.' | ||
- 'CLIENT: 172.18.' | ||
- 'CLIENT: 172.19.' | ||
- 'CLIENT: 172.20.' | ||
- 'CLIENT: 172.21.' | ||
- 'CLIENT: 172.22.' | ||
- 'CLIENT: 172.23.' | ||
- 'CLIENT: 172.24.' | ||
- 'CLIENT: 172.25.' | ||
- 'CLIENT: 172.26.' | ||
- 'CLIENT: 172.27.' | ||
- 'CLIENT: 172.28.' | ||
- 'CLIENT: 172.29.' | ||
- 'CLIENT: 172.30.' | ||
- 'CLIENT: 172.31.' | ||
- 'CLIENT: 192.168.' | ||
- 'CLIENT: 127.' | ||
- 'CLIENT: 169.254.' | ||
condition: application and (selection and not 1 of filter_main_*) | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
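Review bot: `filter_main_local_ips` excludes only the RFC 1918 ranges plus `127.` and `169.254.`, so the rule's claim of "external network IP" holds only where no other address space is used internally; at minimum the IPv6 loopback and link-local forms, and the literal `[CLIENT: <local machine>]` that MSSQL writes into 18456 for shared-memory and named-pipe logons, are not filtered and will be reported as external. Either add those entries to the filter or replace the `falsepositives: Unknown` at the end of the hunk with a note that the rule assumes IPv4 RFC 1918 addressing internally. The trailing dots in values such as `'CLIENT: 10.'` are what keep `contains` from also matching `100.` or `1000.`-style prefixes, so they should stay.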
...2/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml (35 additions, 0 deletions)
@@ -0,0 +1,35 @@ | ||
title: BlueSky Ransomware Artefacts | ||
id: eee8311f-a752-44f0-bf2f-6b007db16300 | ||
status: experimental | ||
description: Detect access to files and shares with names and extensions used by BlueSky | ||
ransomware which could indicate a current or previous encryption attempt. | ||
references: | ||
- https://unit42.paloaltonetworks.com/bluesky-ransomware/ | ||
author: j4son | ||
date: 2023/05/23 | ||
tags: | ||
- attack.impact | ||
- attack.t1486 | ||
logsource: | ||
product: windows | ||
service: security | ||
detection: | ||
security: | ||
Channel: Security | ||
selection_access_eid: | ||
EventID: | ||
- 4663 | ||
- 4656 | ||
selection_access_data: | ||
- ObjectName|endswith: .bluesky | ||
- ObjectName|contains: DECRYPT FILES BLUESKY | ||
selection_share_eid: | ||
EventID: 5145 | ||
selection_share_data: | ||
- RelativeTargetName|endswith: .bluesky | ||
- RelativeTargetName|contains: DECRYPT FILES BLUESKY | ||
condition: security and (all of selection_access_* or all of selection_share_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
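Review bot: the `selection_access_*` pair depends on EventIDs 4663/4656, which are only produced for objects that carry an audit SACL, and 5145 requires Detailed File Share auditing; unlike the MSSQL rules in this commit, which state their prerequisite in a `logsource.definition` field, this hunk has no `definition`, so add one along the lines of `definition: 'Requirements: Object Access (file system) and Detailed File Share auditing must be enabled'`, otherwise the rule is silently inert on default-audit hosts. The condition `security and (all of selection_access_* or all of selection_share_*)` is correct as written, since each pair combines the EventID selection with its matching field selection.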
sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml (36 additions, 0 deletions)
@@ -0,0 +1,36 @@ | ||
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI | ||
id: 0900463c-b33b-49a8-be1d-552a3b553dae | ||
related: | ||
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7 | ||
type: similar | ||
status: experimental | ||
description: 'Detects command line containing reference to the "::$index_allocation" | ||
stream, which can be used as a technique to prevent access to folders or files | ||
from tooling such as "explorer.exe" or "cmd.exe" | ||
' | ||
references: | ||
- https://twitter.com/pfiatde/status/1681977680688738305 | ||
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ | ||
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/ | ||
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation | ||
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 | ||
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl) | ||
date: 2023/10/09 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1564.004 | ||
logsource: | ||
product: windows | ||
category: process_creation | ||
detection: | ||
process_creation: | ||
EventID: 4688 | ||
Channel: Security | ||
selection: | ||
CommandLine|contains: ::$index_allocation | ||
condition: process_creation and selection | ||
falsepositives: | ||
- Unlikely | ||
level: medium | ||
ruletype: Sigma |
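Review bot: the selection keys on `CommandLine`, but Security event 4688 only carries a command line when the "Include command line in process creation events" audit policy is enabled; add a `logsource.definition` stating that requirement (the MSSQL rules in this commit use the same field for theirs), otherwise the rule matches nothing on default-audit hosts without any indication why. Also, the title says "Hidden Directory Creation", but `CommandLine|contains: ::$index_allocation` equally matches listing, changing into or removing such a directory; the description's wording ("command line containing reference to") is the accurate one and the title should be aligned with it.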
...windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml (40 additions, 0 deletions)
@@ -0,0 +1,40 @@ | ||
title: Certificate Use With No Strong Mapping | ||
id: 993c2665-e6ef-40e3-a62a-e1a97686af79 | ||
status: experimental | ||
description: 'Detects a user certificate that was valid but could not be mapped to | ||
a user in a strong way (such as via explicit mapping, key trust mapping, or a | ||
SID) | ||
This could be a sign of exploitation of the elevation of privilege vulnerabilities | ||
(CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows | ||
certificate spoofing by not requiring a strong mapping. | ||
Events where the AccountName and CN of the Subject do not match, or where the | ||
CN ends in a dollar sign indicating a machine, may indicate certificate spoofing. | ||
' | ||
references: | ||
- https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 | ||
author: '@br4dy5' | ||
date: 2023/10/09 | ||
tags: | ||
- attack.privilege_escalation | ||
logsource: | ||
product: windows | ||
service: system | ||
detection: | ||
system: | ||
Channel: System | ||
selection: | ||
Provider_Name: Kerberos-Key-Distribution-Center | ||
EventID: | ||
- 39 | ||
- 41 | ||
condition: system and selection | ||
falsepositives: | ||
- If prevalent in the environment, filter on events where the AccountName and | ||
CN of the Subject do not reference the same user | ||
- If prevalent in the environment, filter on CNs that end in a dollar sign indicating | ||
it is a machine name | ||
level: medium | ||
ruletype: Sigma |
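Review bot: the selection matches both EventID 39 and 41, but the description only explains the case of a certificate that "could not be mapped to a user in a strong way"; in the referenced KB5014754 those are two different conditions (41 is logged when the certificate's SID differs from the user it mapped to, which is the stronger signal of spoofing), so either describe both in the `description` or split 41 into its own rule with a higher `level`. The two `falsepositives` entries read as tuning instructions rather than benign sources; stating what legitimately produces the event (certificates issued before strong mapping was enforced) and then giving the AccountName/CN filter as the tuning hint would fit the field's purpose.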
...emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml (32 additions, 0 deletions)
@@ -0,0 +1,32 @@ | ||
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader | ||
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84 | ||
status: experimental | ||
description: Detects suspicious ".hta" file creation in the startup folder by Foxit | ||
Reader. This can be an indication of CVE-2023-27363 exploitation. | ||
references: | ||
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363 | ||
- https://www.zerodayinitiative.com/advisories/ZDI-23-491/ | ||
- https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/ | ||
author: Gregory | ||
date: 2023/10/11 | ||
tags: | ||
- attack.persistence | ||
- attack.t1505.001 | ||
- cve.2023.27363 | ||
- sysmon | ||
logsource: | ||
product: windows | ||
category: file_event | ||
detection: | ||
file_event: | ||
EventID: 11 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection: | ||
Image|endswith: \FoxitPDFReader.exe | ||
TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\ | ||
TargetFilename|endswith: .hta | ||
condition: file_event and selection | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
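Review bot: the tag `attack.t1505.001` does not fit this rule: T1505.001 is Server Software Component: SQL Stored Procedures, whereas an `.hta` dropped into `\Start Menu\Programs\Startup\` is Startup Folder persistence, T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), so the tag should be changed. The `TargetFilename|contains` value covers both the per-user and the all-users Startup folder, since both paths contain that substring. The description says "Foxit Reader" while `Image|endswith` lists only `\FoxitPDFReader.exe`; older Foxit Reader installs run as `FoxitReader.exe`, so add it if those versions are in scope.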
sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml (37 additions, 0 deletions)
@@ -0,0 +1,37 @@ | ||
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream | ||
id: a8f866e1-bdd4-425e-a27a-37619238d9c7 | ||
related: | ||
- id: 0900463c-b33b-49a8-be1d-552a3b553dae | ||
type: similar | ||
status: experimental | ||
description: 'Detects the creation of hidden file/folder with the "::$index_allocation" | ||
stream. Which can be used as a technique to prevent access to folder and files | ||
from tooling such as "explorer.exe" and "cmd.exe" | ||
' | ||
references: | ||
- https://twitter.com/pfiatde/status/1681977680688738305 | ||
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ | ||
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/ | ||
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation | ||
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 | ||
author: Scoubi (@ScoubiMtl) | ||
date: 2023/10/09 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1564.004 | ||
- sysmon | ||
logsource: | ||
product: windows | ||
category: file_event | ||
detection: | ||
file_event: | ||
EventID: 11 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection: | ||
TargetFilename|contains: ::$index_allocation | ||
condition: file_event and selection | ||
falsepositives: | ||
- Unlikely | ||
level: medium | ||
ruletype: Sigma |
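Review bot: the description contains a sentence fragment ("stream. Which can be used ...") and, because the quoted scalar closes on its own line, a trailing newline; merge it into one sentence the way the CLI variant of this rule phrases it ("stream, which can be used"). Detection also depends on the Sysmon configuration emitting event 11 for the path in question, since most deployed configs restrict FileCreate to selected directories; a `logsource.definition` noting that would help operators judge coverage. Sigma string matching is case-insensitive by default, so the `::$INDEX_ALLOCATION` spelling is matched as well and no second value is needed.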
sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml (37 additions, 0 deletions)
@@ -0,0 +1,37 @@ | ||
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI | ||
id: 0900463c-b33b-49a8-be1d-552a3b553dae | ||
related: | ||
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7 | ||
type: similar | ||
status: experimental | ||
description: 'Detects command line containing reference to the "::$index_allocation" | ||
stream, which can be used as a technique to prevent access to folders or files | ||
from tooling such as "explorer.exe" or "cmd.exe" | ||
' | ||
references: | ||
- https://twitter.com/pfiatde/status/1681977680688738305 | ||
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ | ||
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/ | ||
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation | ||
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 | ||
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl) | ||
date: 2023/10/09 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1564.004 | ||
- sysmon | ||
logsource: | ||
product: windows | ||
category: process_creation | ||
detection: | ||
process_creation: | ||
EventID: 1 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection: | ||
CommandLine|contains: ::$index_allocation | ||
condition: process_creation and selection | ||
falsepositives: | ||
- Unlikely | ||
level: medium | ||
ruletype: Sigma |
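Review bot: this hunk reuses `id: 0900463c-b33b-49a8-be1d-552a3b553dae` from the builtin 4688 variant earlier in this commit, with identical title, description and `related` block; if sharing one id between the Sysmon and builtin copies is this repository's convention that is fine, but consumers that deduplicate by id will keep only one of the two, so confirm it is intended. As with the builtin copy, `CommandLine|contains: ::$index_allocation` matches any reference to the stream and not only directory creation, so the title should follow the description's wording.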