From acdff06ec575ca10a7856a7b8676e5e91448aacb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 11 Oct 2023 20:07:27 +0000
Subject: [PATCH] Sigma Rule Update (2023-10-11 20:07:18) (#504)
Co-authored-by: hach1yon
---
 .../mssqlserver/win_mssql_failed_logon.yml | 32 +++++++++++
 ...sql_failed_logon_from_external_network.yml | 53 +++++++++++++++++++
 ...re_bluesky_ransomware_files_indicators.yml | 35 ++++++++++++
 ...n_win_susp_hidden_dir_index_allocation.yml | 36 +++++++++++++
 ...stem_kdcsvc_cert_use_no_strong_mapping.yml | 40 ++++++++++++++
 ...ile_event_win_cve_2023_27363_foxit_rce.yml | 32 +++++++++++
 ...t_win_susp_hidden_dir_index_allocation.yml | 37 +++++++++++++
 ...n_win_susp_hidden_dir_index_allocation.yml | 37 +++++++++++++
 8 files changed, 302 insertions(+)
 create mode 100644 sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
 create mode 100644 sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
 create mode 100644 sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
 create mode 100644 sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
 create mode 100644 sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
 create mode 100644 sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
 create mode 100644 sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
 create mode 100644 sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
new file mode 100644
index 000000000..fe64372b6
--- /dev/null
+++ b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
@@ -0,0 +1,32 @@
+title: MSSQL Server Failed Logon
+id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+related:
+ - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+ type: similar
+status: experimental
+description: Detects failed logon attempts from clients to MSSQL server.
+author: Nasreddine Bencherchali (Nextron Systems), j4son
+date: 2023/10/11
+references:
+ - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
+ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: application
+ definition: 'Requirements: Must enable MSSQL authentication.'
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 18456
+ condition: application and selection
+falsepositives:
+ - This event could stem from users changing an account's password that's used
+ to authenticate via a job or an automated process. Investigate the source
+ of such events and mitigate them
+level: low
+ruletype: Sigma
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
new file mode 100644
index 000000000..2081e72e8
--- /dev/null
+++ b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
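Review bot: `Provider_Name: MSSQLSERVER` is an exact match on the event source of the default instance; as far as I know, named instances register their Application-log source as `MSSQL$<instance name>`, so their 18456 events would not match this rule nor win_mssql_failed_logon_from_external_network.yml, which uses the same selection. A `Provider_Name|startswith: MSSQL` (or an explicit list of the instance source names in use) would cover both cases. Separately, the logsource `definition` reads as if SQL authentication itself were the prerequisite, whereas what produces the event is SQL Server login auditing that records failed logins; I would reword it to `definition: 'Requirements: SQL Server login auditing must be configured to log failed logins.'`.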
@@ -0,0 +1,53 @@
+title: MSSQL Server Failed Logon From External Network
+id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+related:
+ - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+ type: similar
+status: experimental
+description: Detects failed logon attempts from clients with external network IP to
+ an MSSQL server. This can be a sign of a bruteforce attack.
+author: j4son
+date: 2023/10/11
+references:
+ - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
+ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: application
+ definition: 'Requirements: Must enable MSSQL authentication.'
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 18456
+ filter_main_local_ips:
+ Data|contains:
+ - 'CLIENT: 10.'
+ - 'CLIENT: 172.16.'
+ - 'CLIENT: 172.17.'
+ - 'CLIENT: 172.18.'
+ - 'CLIENT: 172.19.'
+ - 'CLIENT: 172.20.'
+ - 'CLIENT: 172.21.'
+ - 'CLIENT: 172.22.'
+ - 'CLIENT: 172.23.'
+ - 'CLIENT: 172.24.'
+ - 'CLIENT: 172.25.'
+ - 'CLIENT: 172.26.'
+ - 'CLIENT: 172.27.'
+ - 'CLIENT: 172.28.'
+ - 'CLIENT: 172.29.'
+ - 'CLIENT: 172.30.'
+ - 'CLIENT: 172.31.'
+ - 'CLIENT: 192.168.'
+ - 'CLIENT: 127.'
+ - 'CLIENT: 169.254.'
+ condition: application and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
new file mode 100644
index 000000000..1720052f3
--- /dev/null
+++ b/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
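Review bot: The `filter_main_local_ips` list only excludes IPv4 private, loopback and link-local prefixes, so logons that SQL Server reports without an IPv4 address — to my knowledge `[CLIENT: <local machine>]` for shared-memory connections, and `::1` or `fe80:`-prefixed addresses for IPv6 — fall through as "external" and raise medium-level alerts for purely local activity. Adding `- 'CLIENT: <local machine>'`, `- 'CLIENT: ::1'` and `- 'CLIENT: fe80:'` to the filter closes the most common of these gaps. The `Data|contains` prefix matching on `'CLIENT: 10.'` and similar is sound because the message places the address directly after the literal, but the rule's falsepositives entry `Unknown` should at least mention internal scanners and monitoring agents that connect from non-RFC1918 ranges, since those will trip it as well.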
@@ -0,0 +1,35 @@
+title: BlueSky Ransomware Artefacts
+id: eee8311f-a752-44f0-bf2f-6b007db16300
+status: experimental
+description: Detect access to files and shares with names and extensions used by BlueSky
+ ransomware which could indicate a current or previous encryption attempt.
+references:
+ - https://unit42.paloaltonetworks.com/bluesky-ransomware/
+author: j4son
+date: 2023/05/23
+tags:
+ - attack.impact
+ - attack.t1486
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection_access_eid:
+ EventID:
+ - 4663
+ - 4656
+ selection_access_data:
+ - ObjectName|endswith: .bluesky
+ - ObjectName|contains: DECRYPT FILES BLUESKY
+ selection_share_eid:
+ EventID: 5145
+ selection_share_data:
+ - RelativeTargetName|endswith: .bluesky
+ - RelativeTargetName|contains: DECRYPT FILES BLUESKY
+ condition: security and (all of selection_access_* or all of selection_share_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
new file mode 100644
index 000000000..0f0c73d43
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
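Review bot: The logsource has no `definition`, yet none of the selected events are generated by default: 4656/4663 need the Audit File System subcategory plus a SACL on the monitored paths, and 5145 needs Audit Detailed File Share, which is usually left off because of its volume. Without that note an operator may deploy the rule and assume coverage of an encryption event that the host never logs. I would add `definition: 'Requirements: Audit File System with a SACL on the watched paths (4656/4663) and Audit Detailed File Share (5145) must be enabled.'` under logsource, matching the style already used in win_mssql_failed_logon.yml in this commit.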
@@ -0,0 +1,36 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+id: 0900463c-b33b-49a8-be1d-552a3b553dae
+related:
+ - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+ type: similar
+status: experimental
+description: 'Detects command line containing reference to the "::$index_allocation"
+ stream, which can be used as a technique to prevent access to folders or files
+ from tooling such as "explorer.exe" or "cmd.exe"
+
+ '
+references:
+ - https://twitter.com/pfiatde/status/1681977680688738305
+ - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+ - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: ::$index_allocation
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
new file mode 100644
index 000000000..1a216a9f2
--- /dev/null
+++ b/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
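Review bot: The selection keys entirely on `CommandLine|contains`, but Security event 4688 only carries a command line when the "Include command line in process creation events" policy is enabled on top of Audit Process Creation; on a host without it the field is empty and this rule can never match. The logsource should state that, e.g. `definition: 'Requirements: Audit Process Creation with command-line logging in 4688 events must be enabled.'`. As a point of style, the plain scalar `::$index_allocation` starts with `:` and parses only because the next character is not a space; quoting it as `'::$index_allocation'` makes the intent explicit and survives stricter parsers, and the same applies to the identical value in file_event_win_susp_hidden_dir_index_allocation.yml and in the sysmon proc_creation_win_susp_hidden_dir_index_allocation.yml of this commit.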
@@ -0,0 +1,40 @@
+title: Certificate Use With No Strong Mapping
+id: 993c2665-e6ef-40e3-a62a-e1a97686af79
+status: experimental
+description: 'Detects a user certificate that was valid but could not be mapped to
+ a user in a strong way (such as via explicit mapping, key trust mapping, or a
+ SID)
+
+ This could be a sign of exploitation of the elevation of privilege vulnerabilities
+ (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows
+ certificate spoofing by not requiring a strong mapping.
+
+ Events where the AccountName and CN of the Subject do not match, or where the
+ CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
+
+ '
+references:
+ - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
+author: '@br4dy5'
+date: 2023/10/09
+tags:
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: system
+detection:
+ system:
+ Channel: System
+ selection:
+ Provider_Name: Kerberos-Key-Distribution-Center
+ EventID:
+ - 39
+ - 41
+ condition: system and selection
+falsepositives:
+ - If prevalent in the environment, filter on events where the AccountName and
+ CN of the Subject do not reference the same user
+ - If prevalent in the environment, filter on CNs that end in a dollar sign indicating
+ it is a machine name
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
new file mode 100644
index 000000000..b94a4b502
--- /dev/null
+++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
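Review bot: The first `falsepositives` entry is ambiguous: "filter on events where the AccountName and CN of the Subject do not reference the same user" can be read as excluding those events, yet the description says exactly those mismatches "may indicate certificate spoofing". I would reword it to `- If prevalent in the environment, restrict the rule to events where the AccountName and the certificate Subject CN do not reference the same user` so the tuning advice cannot be applied backwards, and phrase the second entry the same way. Separately, `Provider_Name: Kerberos-Key-Distribution-Center` is an exact string match; it is worth confirming it against the Provider Name attribute in the XML of a real event 39/41 rather than the source name Event Viewer displays, because a mismatch there makes the rule silently match nothing.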
@@ -0,0 +1,32 @@
+title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
+id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
+status: experimental
+description: Detects suspicious ".hta" file creation in the startup folder by Foxit
+ Reader. This can be an indication of CVE-2023-27363 exploitation.
+references:
+ - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
+ - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
+ - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
+author: Gregory
+date: 2023/10/11
+tags:
+ - attack.persistence
+ - attack.t1505.001
+ - cve.2023.27363
+ - sysmon
+logsource:
+ product: windows
+ category: file_event
+detection:
+ file_event:
+ EventID: 11
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Image|endswith: \FoxitPDFReader.exe
+ TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\
+ TargetFilename|endswith: .hta
+ condition: file_event and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
new file mode 100644
index 000000000..cb9edb339
--- /dev/null
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
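Review bot: The tag `attack.t1505.001` is Server Software Component: SQL Stored Procedures, which does not describe a file dropped into a Startup folder; the matching sub-technique is Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, so the line should read `- attack.t1547.001`. `Image|endswith: \FoxitPDFReader.exe` also limits the rule to the Reader binary; if the referenced advisories cover Foxit PDF Editor as well, its process image should be added — I would confirm that against the ZDI advisory before changing it. Finally, the `TargetFilename|endswith: .hta` constraint pins the rule to the published proof of concept; a PDF reader writing any file into a Startup folder is anomalous, so a lower-level companion selection without the extension constraint would give coverage that does not depend on the payload type.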
@@ -0,0 +1,37 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
+id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+related:
+ - id: 0900463c-b33b-49a8-be1d-552a3b553dae
+ type: similar
+status: experimental
+description: 'Detects the creation of hidden file/folder with the "::$index_allocation"
+ stream. Which can be used as a technique to prevent access to folder and files
+ from tooling such as "explorer.exe" and "cmd.exe"
+
+ '
+references:
+ - https://twitter.com/pfiatde/status/1681977680688738305
+ - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+ - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+ - sysmon
+logsource:
+ product: windows
+ category: file_event
+detection:
+ file_event:
+ EventID: 11
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ TargetFilename|contains: ::$index_allocation
+ condition: file_event and selection
+falsepositives:
+ - Unlikely
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
new file mode 100644
index 000000000..0db6ce174
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
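Review bot: The rule's only predicate is the `::$index_allocation` substring in the TargetFilename of a Sysmon Event 11, and nothing in the rule records whether that was validated: it depends on Sysmon emitting a FileCreate for a directory created with this stream suffix and on the suffix surviving into TargetFilename, neither of which I can confirm from the rule itself. I would run the referenced Atomic test (T1564.004, atomic test 5) against the Sysmon versions in use and note the outcome in the description or as a reference, since a silent non-match here leaves only the command-line variant as coverage. The description also reads as a fragment, `stream. Which can be used as a technique`; `stream, which can be used as a technique`, as in the CLI variant, reads better.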
@@ -0,0 +1,37 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+id: 0900463c-b33b-49a8-be1d-552a3b553dae
+related:
+ - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+ type: similar
+status: experimental
+description: 'Detects command line containing reference to the "::$index_allocation"
+ stream, which can be used as a technique to prevent access to folders or files
+ from tooling such as "explorer.exe" or "cmd.exe"
+
+ '
+references:
+ - https://twitter.com/pfiatde/status/1681977680688738305
+ - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+ - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+ - sysmon
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ CommandLine|contains: ::$index_allocation
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: medium
+ruletype: Sigma