Sigma Rule Update (2023-12-11 20:08:06) (#545)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 11, 2023 · c89c9ad · c89c9ad
1 parent 035c7d1
commit c89c9ad
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 10 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -7,6 +7,7 @@ references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/30
+modified: 2023/12/05
 tags:
     - attack.execution
 logsource:
@@ -35,12 +36,18 @@ detection:
             - 'gc '
             - 'cat '
             - 'type '
+            - ReadAllBytes
     selection_cli_specific:
-        CommandLine|contains|all:
-            - ' ^| '
-            - \*.lnk
-            - -Recurse
-            - '-Skip '
+        -   CommandLine|contains|all:
+                - ' ^| '
+                - \*.lnk
+                - -Recurse
+                - '-Skip '
+        -   CommandLine|contains|all:
+                - ' -ExpandProperty '
+                - \*.lnk
+                - WriteAllBytes
+                - ' .length '
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unlikely

diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -7,6 +7,7 @@ references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/30
+modified: 2023/12/05
 tags:
     - attack.execution
     - sysmon
@@ -36,12 +37,18 @@ detection:
             - 'gc '
             - 'cat '
             - 'type '
+            - ReadAllBytes
     selection_cli_specific:
-        CommandLine|contains|all:
-            - ' ^| '
-            - \*.lnk
-            - -Recurse
-            - '-Skip '
+        -   CommandLine|contains|all:
+                - ' ^| '
+                - \*.lnk
+                - -Recurse
+                - '-Skip '
+        -   CommandLine|contains|all:
+                - ' -ExpandProperty '
+                - \*.lnk
+                - WriteAllBytes
+                - ' .length '
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unlikely