Sigma Rule Update (2023-10-05 20:07:26) (#502)
Co-authored-by: hach1yon <[email protected]>
github-actions[bot] and hach1yon authored Oct 5, 2023
1 parent 7f1d5e3 commit c3b6199
Showing 14 changed files with 518 additions and 0 deletions.
@@ -0,0 +1,30 @@
title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: Detects command execution via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
application:
Channel: Application
selection:
Provider_Name: ScreenConnect
EventID: 200
Data|contains: Executed command of length
condition: application and selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
ruletype: Sigma
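Review bot: `date: 2023/10/10` postdates the commit itself, which was authored Oct 5, 2023; the rule date should be the day the rule was written or last modified, so this reads as a typo and should be corrected before the rule is published. As a minor point, `Data|contains: Executed command of length` is a raw substring match on the event's Data field, so if ScreenConnect changes its message wording between versions the rule stops matching silently; recording in the description which product version the string was taken from would help maintainers notice that.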
@@ -0,0 +1,30 @@
title: Remote Access Tool - ScreenConnect File Transfer
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: Detects file being transferred via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
application:
Channel: Application
selection:
Provider_Name: ScreenConnect
EventID: 201
Data|contains: Transferred files with action
condition: application and selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
ruletype: Sigma
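Review bot: the tags `attack.execution` / `attack.t1059.003` (Windows Command Shell) do not describe what this rule detects: the selection matches EventID 201 with `Transferred files with action`, which is a file transfer, so `attack.command_and_control` with `attack.t1105` (Ingress Tool Transfer) would be the accurate mapping, with `attack.exfiltration` considered if outbound transfers are logged under the same event. `date: 2023/10/10` also postdates the commit (Oct 5, 2023), as in the companion command-execution rule.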
@@ -0,0 +1,56 @@
title: Suspicious AddinUtil.EXE CommandLine Execution
id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
status: experimental
description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
payload.
'
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike),
Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection_img:
- NewProcessName|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
selection_susp_1_flags:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
selection_susp_1_paths:
CommandLine|contains:
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
selection_susp_2:
CommandLine|contains:
- -AddInRoot:.
- -AddInRoot:"."
- -PipelineRoot:.
- -PipelineRoot:"."
CurrentDirectory|contains:
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
condition: process_creation and (selection_img and (all of selection_susp_1_*
or selection_susp_2))
falsepositives:
- Unknown
level: high
ruletype: Sigma
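Review bot: `selection_susp_2` can never match on this log source. It requires `CurrentDirectory|contains`, but Security event 4688 has no CurrentDirectory field (that field exists only in Sysmon event 1), so the condition collapses to `selection_img and all of selection_susp_1_*` and the relative-path case (`-AddInRoot:.`, `-PipelineRoot:.`) is silently lost. Either drop `selection_susp_2` from the 4688 variant and say so in the description, or keep the relative-path CommandLine check on its own and accept the higher false-positive rate that comes without the directory constraint. The `OriginalFileName: AddInUtil.exe` alternative in `selection_img` has the same problem, since 4688 does not record OriginalFileName; only the `NewProcessName|endswith` branch is live. Note also that 4688 populates `CommandLine` only when the 'Include command line in process creation events' audit policy is enabled, which is a prerequisite worth stating.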
@@ -0,0 +1,34 @@
title: Uncommon Child Process Of AddinUtil.EXE
id: b5746143-59d6-4603-8d06-acbd60e166ee
status: experimental
description: 'Detects uncommon child processes of the Add-In deployment cache updating
utility (AddInutil.exe) which could be a sign of potential abuse of the binary
to proxy execution via a custom Addins.Store payload.
'
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
ParentProcessName|endswith: \addinutil.exe
filter_main_werfault:
NewProcessName|endswith:
- :\Windows\System32\conhost.exe
- :\Windows\System32\werfault.exe
- :\Windows\SysWOW64\werfault.exe
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
ruletype: Sigma
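Review bot: `filter_main_werfault` also excludes `conhost.exe`, so its name understates what it does; either rename it or split it into `filter_main_conhost` and `filter_main_werfault`, which the condition `not 1 of filter_main_*` already accommodates. Separately, `ParentProcessName` is only present in the newer versions of event 4688 (Windows 10 / Server 2016 onward), so older hosts will never produce a match for this rule; a sentence about that in the description would save analysts from assuming coverage they do not have.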
@@ -0,0 +1,41 @@
title: Uncommon AddinUtil.EXE CommandLine Execution
id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
status: experimental
description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
payload.
'
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection_img:
- NewProcessName|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
selection_cli:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
filter_main_addinroot:
CommandLine|contains:
- -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
- -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
- -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
- -PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
condition: process_creation and (all of selection_* and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
ruletype: Sigma
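Review bot: the `filter_main_addinroot` entries hard-code `C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA`, whereas the other rules in this commit use drive-agnostic prefixes such as `:\Windows\Microsoft.NET\Framework\`; a VSTA installation on another drive, or under the 64-bit `Program Files` directory, would be reported as an uncommon path and raise medium-level alerts. Consider adding the 64-bit path and documenting the drive assumption, or matching on the path without the drive letter since `contains` is used. Also, `OriginalFileName` is not a field of Security event 4688, so the second alternative in `selection_img` is dead on this log source.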
@@ -0,0 +1,32 @@
title: AddinUtil.EXE Execution From Uncommon Directory
id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
status: experimental
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
from a non-standard directory.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
- NewProcessName|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
filter_main_legit_location:
NewProcessName|contains:
- :\Windows\Microsoft.NET\Framework\
- :\Windows\Microsoft.NET\Framework64\
- :\Windows\WinSxS\
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: medium
ruletype: Sigma
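Review bot: `OriginalFileName: AddInUtil.exe` is listed as an alternative in `selection`, but Security event 4688 does not carry OriginalFileName, so on this log source only the `NewProcessName|endswith: \addinutil.exe` branch is live and the rule matches by path suffix alone. Either drop the dead branch here (it belongs in the Sysmon variant) or state in the description that the 4688 version matches by file name only, so that the medium level is read with that limitation in mind.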
@@ -0,0 +1,31 @@
title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: experimental
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection_parent:
ParentProcessName|endswith: \ScreenConnect.ClientService.exe
selection_img:
- NewProcessName|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
selection_cli:
CommandLine|contains: \TEMP\ScreenConnect\
condition: process_creation and (all of selection_*)
falsepositives:
- Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily
used.
level: medium
ruletype: Sigma
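Review bot: `selection_cli` depends on `CommandLine`, which Security event 4688 records only when the 'Include command line in process creation events' audit policy is enabled; without it the rule never fires, so the description should state that prerequisite. `OriginalFileName: Cmd.Exe` in `selection_img` is likewise not a 4688 field and is dead on this log source, leaving `NewProcessName|endswith: \cmd.exe` as the only live branch. Lastly, `date: 2023/10/10` postdates the commit (Oct 5, 2023).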
@@ -0,0 +1,37 @@
title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: 'Detects the creation of files in a specific location by ScreenConnect
RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These
binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\"
before execution.
'
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
- sysmon
logsource:
category: file_event
product: windows
detection:
file_event:
EventID: 11
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith: \ScreenConnect.WindowsClient.exe
TargetFilename|contains: \Documents\ConnectWiseControl\Temp\
condition: file_event and selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
ruletype: Sigma
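Review bot: the description has a grammar slip ('ScreenConnect has feature to' should read 'has a feature to') that is worth fixing since the text is displayed to analysts. On tagging, this rule detects a file-creation event (Sysmon EventID 11), so `attack.t1059.003` (Windows Command Shell) is a loose fit; `attack.t1105` (Ingress Tool Transfer) describes the dropped binary more precisely, leaving t1059.003 to the companion process-creation rule. The `TargetFilename|contains: \Documents\ConnectWiseControl\Temp\` match is consistent with the path quoted in the description.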
28 changes: 28 additions & 0 deletions sigma/sysmon/network_connection/net_connection_win_addinutil.yml
@@ -0,0 +1,28 @@
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: experimental
description: Detects network connections made by the Add-In deployment cache updating
utility (AddInutil.exe), which could indicate command and control communication.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
- attack.defense_evasion
- attack.t1218
- sysmon
logsource:
category: network_connection
product: windows
detection:
network_connection:
EventID: 3
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Initiated: 'true'
Image|endswith: \addinutil.exe
condition: network_connection and selection
falsepositives:
- Unknown
level: medium
ruletype: Sigma
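Review bot: the description says a connection from AddInUtil.exe 'could indicate command and control communication', but the tags carry only `attack.defense_evasion` / `attack.t1218`; add `attack.command_and_control` so the rule is classified by what it claims to detect. `Initiated: 'true'` is correctly quoted, which keeps YAML from parsing the value as a boolean and lets it compare against the string Sysmon writes.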
@@ -0,0 +1,57 @@
title: Suspicious AddinUtil.EXE CommandLine Execution
id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
status: experimental
description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
payload.
'
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike),
Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
- attack.defense_evasion
- attack.t1218
- sysmon
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- Image|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
selection_susp_1_flags:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
selection_susp_1_paths:
CommandLine|contains:
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
selection_susp_2:
CommandLine|contains:
- -AddInRoot:.
- -AddInRoot:"."
- -PipelineRoot:.
- -PipelineRoot:"."
CurrentDirectory|contains:
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
condition: process_creation and (selection_img and (all of selection_susp_1_*
or selection_susp_2))
falsepositives:
- Unknown
level: high
ruletype: Sigma
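Review bot: this file reuses `id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8`, the same id as the Security 4688 variant of 'Suspicious AddinUtil.EXE CommandLine Execution' earlier in this commit. If one Security file plus one Sysmon file per rule is intentional, the tooling that consumes these files must tolerate duplicate ids; otherwise one of the two should get its own id with a `related` entry of type `similar` pointing at the other, as the ScreenConnect rules in this commit already do. Note that this Sysmon variant is the one where `selection_susp_2` (`CurrentDirectory`) and the `OriginalFileName` alternative are actually live fields, which is worth stating in the description to explain why its coverage differs from the 4688 version.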