Sigma Rule Update (2023-12-04 20:07:16) (#543)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml

@@ -0,0 +1,54 @@
+title: HackTool - WinPwn Execution - ScriptBlock
+id: 851fd622-b675-4d26-b803-14bc7baa517a
+related:
+    -   id: d557dc06-62e8-4468-a8e8-7984124908ce
+        type: similar
+status: experimental
+description: 'Detects scriptblock text keywords indicative of potential usge of the
+    tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+
+    '
+author: Swachchhanda Shrawan Poudel
+date: 2023/12/04
+references:
+    - https://github.com/S3cur3Th1sSh1t/WinPwn
+    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.discovery
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.t1046
+    - attack.t1082
+    - attack.t1106
+    - attack.t1518
+    - attack.t1548.002
+    - attack.t1552.001
+    - attack.t1555
+    - attack.t1555.003
+logsource:
+    category: ps_script
+    product: windows
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    ps_script:
+        EventID: 4104
+        Channel:
+            - Microsoft-Windows-PowerShell/Operational
+            - PowerShellCore/Operational
+    selection:
+        ScriptBlockText|contains:
+            - Offline_Winpwn
+            - 'WinPwn '
+            - WinPwn.exe
+            - WinPwn.ps1
+    condition: ps_script and selection
+falsepositives:
+    - As the script block is a blob of text. False positive may occur with scripts
+        that contain the keyword as a reference or simply use it for detection.
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml

@@ -52,8 +52,8 @@ detection:
                 - \sambaPipe_windows.exe
                 - \smbclient_windows.exe
                 - \smbserver_windows.exe
-                - \sniffer_windows.exe
                 - \sniff_windows.exe
+                - \sniffer_windows.exe
                 - \split_windows.exe
                 - \ticketer_windows.exe
     condition: process_creation and selection

sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml

@@ -24,12 +24,12 @@ detection:
     selection_img:
         -   OriginalFileName: winPEAS.exe
         -   NewProcessName|endswith:
-                - \winPEASany.exe
                 - \winPEASany_ofs.exe
-                - \winPEASx64.exe
+                - \winPEASany.exe
                 - \winPEASx64_ofs.exe
-                - \winPEASx86.exe
+                - \winPEASx64.exe
                 - \winPEASx86_ofs.exe
+                - \winPEASx86.exe
     selection_cli_option:
         CommandLine|contains:
             - ' applicationsinfo'

sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml

@@ -0,0 +1,50 @@
+title: HackTool - WinPwn Execution
+id: d557dc06-62e8-4468-a8e8-7984124908ce
+related:
+    -   id: 851fd622-b675-4d26-b803-14bc7baa517a
+        type: similar
+status: experimental
+description: 'Detects commandline keywords indicative of potential usge of the tool
+    WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+
+    '
+author: Swachchhanda Shrawan Poudel
+date: 2023/12/04
+references:
+    - https://github.com/S3cur3Th1sSh1t/WinPwn
+    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.discovery
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.t1046
+    - attack.t1082
+    - attack.t1106
+    - attack.t1518
+    - attack.t1548.002
+    - attack.t1552.001
+    - attack.t1555
+    - attack.t1555.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        CommandLine|contains:
+            - Offline_Winpwn
+            - 'WinPwn '
+            - WinPwn.exe
+            - WinPwn.ps1
+    condition: process_creation and selection
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml

@@ -52,10 +52,6 @@ detection:
             - .msi
             - .vbs
     condition: process_creation and (all of selection_*)
-fields:
-    - CommandLine
-    - ParentProcess
-    - CommandLine
 falsepositives:
     - Unknown
 level: medium

sigma/sysmon/process_access/proc_access_win_cred_dump_lsass_access.yml → sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml

@@ -1,6 +1,6 @@
 title: Credential Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
-status: experimental
+status: deprecated
 description: Detects processes requesting access to LSASS memory via suspicious access
     masks. This is typical for credentials dumping tools
 references:
@@ -12,7 +12,7 @@ author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, T
     Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
     oscd.community
 date: 2017/02/16
-modified: 2023/03/22
+modified: 2023/11/30
 tags:
     - attack.credential_access
     - attack.t1003.001

sigma/sysmon/process_access/proc_access_win_malware_verclsid_shellcode.yml → sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml

@@ -12,28 +12,30 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1055
+    - detection.emerging_threats
     - sysmon
 logsource:
     category: process_access
     product: windows
-    definition: 'Use the following config to generate the necessary Event ID 10 Process
-        Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
-        onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+    definition: 'Requirements: The following config is required to generate the necessary
+        Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace
+        condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace
+        condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
 detection:
     process_access:
         EventID: 10
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection:
+    selection_target:
         TargetImage|endswith: \verclsid.exe
         GrantedAccess: '0x1FFFFF'
-    combination1:
+    selection_calltrace_1:
         CallTrace|contains|all:
             - '|UNKNOWN('
             - VBE7.DLL
-    combination2:
+    selection_calltrace_2:
         SourceImage|contains: \Microsoft Office\
         CallTrace|contains: '|UNKNOWN'
-    condition: process_access and (selection and 1 of combination*)
+    condition: process_access and (selection_target and 1 of selection_calltrace_*)
 falsepositives:
     - Unknown
 level: high

sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml

@@ -27,10 +27,6 @@ detection:
     selection:
         CallTrace|contains: cmlua.dll
     condition: process_access and selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - Details
 falsepositives:
     - Legitimate CMSTP use (unlikely in modern enterprise environments)
 level: high

sigma/sysmon/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml → sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml

@@ -1,4 +1,4 @@
-title: CobaltStrike BOF Injection Pattern
+title: HackTool - CobaltStrike BOF Injection Pattern
 id: 09706624-b7f6-455d-9d02-adee024cee1d
 status: test
 description: Detects a typical pattern of a CobaltStrike BOF which inject into other
@@ -8,7 +8,7 @@ references:
     - https://github.com/boku7/spawn
 author: Christian Burkard (Nextron Systems)
 date: 2021/08/04
-modified: 2022/12/31
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1106

sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml

@@ -0,0 +1,116 @@
+title: HackTool - Generic Process Access
+id: d0d2f720-d14f-448d-8242-51ff396a334e
+status: experimental
+description: Detects process access requests from hacktool processes based on their
+    default image name
+references:
+    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
+    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+date: 2023/11/27
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+    - attack.s0002
+    - sysmon
+logsource:
+    category: process_access
+    product: windows
+detection:
+    process_access:
+        EventID: 10
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        -   SourceImage|endswith:
+                - \Akagi.exe
+                - \Akagi64.exe
+                - \atexec_windows.exe
+                - \Certify.exe
+                - \Certipy.exe
+                - \CoercedPotato.exe
+                - \crackmapexec.exe
+                - \CreateMiniDump.exe
+                - \dcomexec_windows.exe
+                - \dpapi_windows.exe
+                - \findDelegation_windows.exe
+                - \GetADUsers_windows.exe
+                - \GetNPUsers_windows.exe
+                - \getPac_windows.exe
+                - \getST_windows.exe
+                - \getTGT_windows.exe
+                - \GetUserSPNs_windows.exe
+                - \gmer.exe
+                - \hashcat.exe
+                - \htran.exe
+                - \ifmap_windows.exe
+                - \impersonate.exe
+                - \Inveigh.exe
+                - \LocalPotato.exe
+                - \mimikatz_windows.exe
+                - \mimikatz.exe
+                - \netview_windows.exe
+                - \nmapAnswerMachine_windows.exe
+                - \opdump_windows.exe
+                - \PasswordDump.exe
+                - \Potato.exe
+                - \PowerTool.exe
+                - \PowerTool64.exe
+                - \psexec_windows.exe
+                - \PurpleSharp.exe
+                - \pypykatz.exe
+                - \QuarksPwDump.exe
+                - \rdp_check_windows.exe
+                - \Rubeus.exe
+                - \SafetyKatz.exe
+                - \sambaPipe_windows.exe
+                - \SelectMyParent.exe
+                - \SharpChisel.exe
+                - \SharPersist.exe
+                - \SharpEvtMute.exe
+                - \SharpImpersonation.exe
+                - \SharpLDAPmonitor.exe
+                - \SharpLdapWhoami.exe
+                - \SharpUp.exe
+                - \SharpView.exe
+                - \smbclient_windows.exe
+                - \smbserver_windows.exe
+                - \sniff_windows.exe
+                - \sniffer_windows.exe
+                - \split_windows.exe
+                - \SpoolSample.exe
+                - \Stracciatella.exe
+                - \SysmonEOP.exe
+                - \temp\rot.exe
+                - \ticketer_windows.exe
+                - \TruffleSnout.exe
+                - \winPEASany_ofs.exe
+                - \winPEASany.exe
+                - \winPEASx64_ofs.exe
+                - \winPEASx64.exe
+                - \winPEASx86_ofs.exe
+                - \winPEASx86.exe
+                - \xordump.exe
+        -   SourceImage|contains:
+                - \goldenPac
+                - \just_dce_
+                - \karmaSMB
+                - \kintercept
+                - \LocalPotato
+                - \ntlmrelayx
+                - \rpcdump
+                - \samrdump
+                - \secretsdump
+                - \smbexec
+                - \smbrelayx
+                - \wmiexec
+                - \wmipersist
+                - HotPotato
+                - Juicy Potato
+                - JuicyPotato
+                - PetitPotam
+                - RottenPotato
+    condition: process_access and selection
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/sysmon/process_access/proc_access_win_handlekatz_lsass_access.yml → sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml

@@ -1,4 +1,4 @@
-title: HandleKatz Duplicating LSASS Handle
+title: HackTool - HandleKatz Duplicating LSASS Handle
 id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
 status: test
 description: Detects HandleKatz opening LSASS to duplicate its handle to later dump
@@ -7,6 +7,7 @@ references:
     - https://github.com/codewhitesec/HandleKatz
 author: Bhabesh Raj (rule), @thefLinkk
 date: 2022/06/27
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1106
@@ -23,11 +24,10 @@ detection:
     selection:
         TargetImage|endswith: \lsass.exe
         GrantedAccess: '0x1440'
-    call_trace:
         CallTrace|startswith: C:\Windows\System32\ntdll.dll+
         CallTrace|contains: '|UNKNOWN('
         CallTrace|endswith: )
-    condition: process_access and (selection and call_trace)
+    condition: process_access and selection
 falsepositives:
     - Unknown
 level: high

sigma/sysmon/process_access/proc_access_win_littlecorporal_generated_maldoc.yml → sigma/sysmon/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml

@@ -1,12 +1,12 @@
-title: LittleCorporal Generated Maldoc Injection
+title: HackTool - LittleCorporal Generated Maldoc Injection
 id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
 status: test
 description: Detects the process injection of a LittleCorporal generated Maldoc.
 references:
     - https://github.com/connormcgarr/LittleCorporal
 author: Christian Burkard (Nextron Systems)
 date: 2021/08/09
-modified: 2022/06/02
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1204.002