Sigma Rule Update (2023-11-14 20:06:20) (#531)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml

@@ -0,0 +1,53 @@
+title: Uncommon Child Process Of Appvlp.EXE
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+status: test
+description: 'Detects uncommon child processes of Appvlp.EXE
+
+    Appvlp or the Application Virtualization Utility is included with Microsoft Office.
+    Attackers are able to abuse "AppVLP" to execute shell commands.
+
+    Normally, this binary is used for Application Virtualization, but it can also
+    be abused to circumvent the ASR file path rule folder
+
+    or to mark a file as a system file.
+
+    '
+references:
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
+author: Sreeman
+date: 2020/03/13
+modified: 2023/11/09
+tags:
+    - attack.t1218
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        ParentProcessName|endswith: \appvlp.exe
+    filter_main_generic:
+        NewProcessName|endswith:
+            - :\Windows\SysWOW64\rundll32.exe
+            - :\Windows\System32\rundll32.exe
+    filter_optional_office_msoasb:
+        NewProcessName|contains: :\Program Files\Microsoft Office
+        NewProcessName|endswith: \msoasb.exe
+    filter_optional_office_skype:
+        NewProcessName|contains|all:
+            - :\Program Files\Microsoft Office
+            - \SkypeSrv\
+        NewProcessName|endswith: \SKYPESERVER.EXE
+    filter_optional_office_msouc:
+        NewProcessName|contains: :\Program Files\Microsoft Office
+        NewProcessName|endswith: \MSOUC.EXE
+    condition: process_creation and (selection and not 1 of filter_main_* and not
+        1 of filter_optional_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml

@@ -1,4 +1,4 @@
-title: File Download From Browser Process Via Inline Link
+title: File Download From Browser Process Via Inline URL
 id: 94771a71-ba41-4b6e-a757-b531372eaab6
 status: test
 description: Detects execution of a browser process with a URL argument pointing to
@@ -10,7 +10,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/11
-modified: 2023/04/06
+modified: 2023/11/09
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -29,14 +29,16 @@ detection:
             - \opera.exe
             - \vivaldi.exe
     selection_http:
-        CommandLine|contains: ' http'
-    selection_ext:
-        CommandLine|contains:
+        CommandLine|contains: http
+    selection_extensions:
+        CommandLine|endswith:
+            - .7z
             - .dat
             - .dll
             - .exe
             - .hta
             - .ps1
+            - .psm1
             - .txt
             - .vbe
             - .vbs

sigma/builtin/process_creation/proc_creation_win_susp_calc.yml → sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml

@@ -1,13 +1,16 @@
 title: Suspicious Calculator Usage
 id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
 status: test
-description: Detects suspicious use of 'calc.exe' with command line parameters or
-    in a suspicious directory, which is likely caused by some PoC or detection evasion
+description: 'Detects suspicious use of ''calc.exe'' with command line parameters
+    or in a suspicious directory, which is likely caused by some PoC or detection
+    evasion.
+
+    '
 references:
     - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth (Nextron Systems)
 date: 2019/02/09
-modified: 2022/11/07
+modified: 2023/11/09
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -22,12 +25,12 @@ detection:
         CommandLine|contains: '\calc.exe '
     selection_2:
         NewProcessName|endswith: \calc.exe
-    filter_2:
-        NewProcessName|startswith:
-            - C:\Windows\System32\
-            - C:\Windows\SysWOW64\
-            - C:\Windows\WinSxS\
-    condition: process_creation and (selection_1 or ( selection_2 and not filter_2
+    filter_main_known_locations:
+        NewProcessName|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+            - :\Windows\WinSxS\
+    condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations
         ))
 falsepositives:
     - Unknown

sigma/builtin/process_creation/proc_creation_win_lolbin_ieexec_download.yml → sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml

@@ -1,11 +1,12 @@
-title: Abusing IEExec To Download Payloads
+title: File Download And Execution Via IEExec.EXE
 id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
 status: test
-description: Detects execution of the IEExec utility to download payloads
+description: Detects execution of the IEExec utility to download and execute files
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/05/16
+modified: 2023/11/09
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -16,14 +17,14 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    lolbas:
+    selection_img:
         -   NewProcessName|endswith: \IEExec.exe
         -   OriginalFileName: IEExec.exe
-    remote:
+    selection_cli:
         CommandLine|contains:
-            - https://
             - http://
-    condition: process_creation and (lolbas and remote)
+            - https://
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml

@@ -0,0 +1,35 @@
+title: Arbitrary File Download Via IMEWDBLD.EXE
+id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
+related:
+    -   id: 8d7e392e-9b28-49e1-831d-5949c6281228
+        type: derived
+status: experimental
+description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
+    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \IMEWDBLD.exe
+        -   OriginalFileName: imewdbld.exe
+    selection_cli:
+        CommandLine|contains:
+            - http://
+            - https://
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_lolbin_installutil_download.yml → sigma/builtin/process_creation/proc_creation_win_installutil_download.yml

@@ -1,12 +1,15 @@
-title: Suspicious Execution of InstallUtil To Download
+title: File Download Via InstallUtil.EXE
 id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
 status: test
-description: Detects the use the .NET InstallUtil.exe application in order to download
-    arbitrary files. The files will be written to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\
+description: 'Detects use of .NET InstallUtil.exe in order to download arbitrary files.
+    The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
+
+    '
 references:
     - https://github.com/LOLBAS-Project/LOLBAS/pull/239
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/19
+modified: 2023/11/09
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -22,9 +25,9 @@ detection:
         -   OriginalFileName: InstallUtil.exe
     selection_cli:
         CommandLine|contains:
+            - ftp://
             - http://
             - https://
-            - ftp://
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

sigma/builtin/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml → sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml

@@ -1,12 +1,13 @@
-title: Windows Defender Download Activity
+title: File Download Via Windows Defender MpCmpRun.EXE
 id: 46123129-1024-423e-9fae-43af4a0fa9a5
 status: test
-description: Detect the use of Windows Defender to download payloads
+description: Detects the use of Windows Defender MpCmdRun.EXE to download files
 references:
     - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
     - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
 author: Matthew Matchen
 date: 2020/09/04
+modified: 2023/11/09
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -19,16 +20,16 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection1:
+    selection_img:
+        -   OriginalFileName: MpCmdRun.exe
+        -   NewProcessName|endswith: \MpCmdRun.exe
         -   CommandLine|contains: MpCmdRun.exe
         -   Description: Microsoft Malware Protection Command Line Utility
-    selection2:
+    selection_cli:
         CommandLine|contains|all:
             - DownloadFile
             - url
-    condition: process_creation and (all of selection*)
-fields:
-    - CommandLine
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml

@@ -0,0 +1,31 @@
+title: Arbitrary File Download Via MSEDGE_PROXY.EXE
+id: e84d89c4-f544-41ca-a6af-4b92fd38b023
+status: experimental
+description: Detects usage of "msedge_proxy.exe" to download arbitrary files
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
+author: Swachchhanda Shrawan Poudel
+date: 2023/11/09
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \msedge_proxy.exe
+        -   OriginalFileName: msedge_proxy.exe
+    selection_cli:
+        CommandLine|contains:
+            - http://
+            - https://
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_lolbin_msohtmed_download.yml → sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml

@@ -1,11 +1,12 @@
-title: Download Arbitrary Files Via MSOHTMED.EXE
+title: Arbitrary File Download Via MSOHTMED.EXE
 id: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d
 status: test
 description: Detects usage of "MSOHTMED" to download arbitrary files
 references:
     - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/19
+modified: 2023/11/09
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -22,10 +23,10 @@ detection:
         -   OriginalFileName: MsoHtmEd.exe
     selection_cli:
         CommandLine|contains:
+            - ftp://
             - http://
             - https://
-            - ftp://
-    condition: process_creation and (all of selection*)
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
 level: medium

sigma/builtin/process_creation/proc_creation_win_lolbin_mspub_download.yml → sigma/builtin/process_creation/proc_creation_win_mspub_download.yml

@@ -24,10 +24,10 @@ detection:
         -   OriginalFileName: MSPUB.exe
     selection_cli:
         CommandLine|contains:
+            - ftp://
             - http://
             - https://
-            - ftp://
-    condition: process_creation and (all of selection*)
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
 level: medium