Sigma Rule Update (2024-11-18 20:15:15) (#774)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Nov 18, 2024 · 19b843b · 19b843b
1 parent 3f47cb9
commit 19b843b
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 10 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml b/sigma/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -10,7 +10,7 @@ references:
     - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 author: Bhabesh Raj, X__Junior (Nextron Systems)
 date: 2021-07-30
-modified: 2024-03-05
+modified: 2024-11-13
 tags:
     - attack.defense-evasion
     - attack.t1218
@@ -27,12 +27,14 @@ detection:
     selection_folders_1:
         CommandLine|contains:
             - :\Perflogs\
+            - :\ProgramData
             - :\Users\Public\
+            - :\Windows\Temp\
+            - \Admin$\
+            - \AppData\Local\Temp\
+            - \AppData\Roaming\
+            - \C$\
             - \Temporary Internet
-            - :\ProgramData
-            - \AppData\Local\Temp
-            - \AppData\Roaming\Temp
-            - :\Windows\Temp
     selection_folders_2:
         - CommandLine|contains|all:
               - :\Users\

diff --git a/sigma/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml b/sigma/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -10,7 +10,7 @@ references:
     - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 author: Bhabesh Raj, X__Junior (Nextron Systems)
 date: 2021-07-30
-modified: 2024-03-05
+modified: 2024-11-13
 tags:
     - attack.defense-evasion
     - attack.t1218
@@ -28,12 +28,14 @@ detection:
     selection_folders_1:
         CommandLine|contains:
             - :\Perflogs\
+            - :\ProgramData
             - :\Users\Public\
+            - :\Windows\Temp\
+            - \Admin$\
+            - \AppData\Local\Temp\
+            - \AppData\Roaming\
+            - \C$\
             - \Temporary Internet
-            - :\ProgramData
-            - \AppData\Local\Temp
-            - \AppData\Roaming\Temp
-            - :\Windows\Temp
     selection_folders_2:
         - CommandLine|contains|all:
               - :\Users\

diff --git a/...a/sysmon/threat-hunting/network_connection/net_connection_win_susp_azurefd_connection.yml b/...a/sysmon/threat-hunting/network_connection/net_connection_win_susp_azurefd_connection.yml
@@ -0,0 +1,56 @@
+title: Potentially Suspicious Azure Front Door Connection
+id: a6d65e8d-6c0d-62c0-50ce-5c133ca90a89
+related:
+    - id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
+      type: derived
+status: experimental
+description: |
+    Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
+    that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
+references:
+    - https://lots-project.com/site/2a2e617a75726566642e6e6574
+    - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
+    - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
+author: Isaac Dunham
+date: 2024-11-07
+tags:
+    - attack.t1102.002
+    - attack.t1090.004
+    - detection.threat-hunting
+    - sysmon
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    network_connection:
+        EventID: 3
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        DestinationHostname|contains: azurefd.net
+    filter_main_web_browsers:
+        Image|endswith:
+            - brave.exe
+            - chrome.exe
+            - chromium.exe
+            - firefox.exe
+            - msedge.exe
+            - msedgewebview2.exe
+            - opera.exe
+            - vivaldi.exe
+    filter_main_common_talkers:
+        Image|endswith: searchapp.exe   # Windows search service uses signifcant amount of Azure FD
+    filter_main_known_benign_domains:
+        DestinationHostname|contains:
+            - afdxtest.z01.azurefd.net   # used by Cortana; Cisco Umbrella top 1m
+            - fp-afd.azurefd.net   # used by Cortana; Cisco Umbrella top 1m
+            - fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net   # used by Cortana; Cisco Umbrella top 1m
+            - roxy.azurefd.net   # used by Cortana; Cisco Umbrella top 1m
+            - powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net   # Used by VS Code; Cisco Umbrella top 1m
+            - storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net   # Used by Azure Storage Explorer; Cisco Umbrella top 1m
+            - graph.azurefd.net   # MS Graph; Cisco Umbrella top 1m
+    condition: network_connection and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
+    - Organization-specific Azure Front Door endpoints
+level: medium
+ruletype: Sigma