Sigma Rule Update (2025-01-06 20:13:20) (#803)
Co-authored-by: hach1yon <[email protected]>
github-actions[bot] and hach1yon authored Jan 6, 2025
1 parent 762de3b commit 1dee2d9
Showing 57 changed files with 57 additions and 57 deletions.
Expand Up @@ -3,7 +3,7 @@ id: 7a1d5134-71db-5e78-20af-387288b261fe
related:
- id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
type: derived
status: experimental
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
- https://github.com/pr0xylife/Qakbot/
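Review bot: this hunk only flips `status: experimental` to `status: test` on a rule that is `derived` from upstream id 0033cf83-fb87-446d-9cac-43d63ad4d5a9, so the new status should mirror the upstream rule's current status rather than be set independently; if the upstream bump also changed its `modified:` date, that should be carried over too, and the seven lines of context shown here do not include that field. Minor: the description ends "often seen used by Qakbot" without a terminating period, which is upstream text and should be fixed there so the next automated sync does not revert it.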
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
type: derived
status: experimental
status: test
description: |
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
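Review bot: the second description line states a hard prerequisite (an Advanced Auditing policy producing Event ID 4663 with a SACL on the App_Extensions directory) on which the whole rule depends; a deployment without that SACL will never produce a hit, so promoting the rule to `test` is only meaningful if the validation environment actually had that audit configuration in place. Worth confirming before the status change lands.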
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
type: derived
status: experimental
status: test
description: |
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
Expand Up @@ -3,7 +3,7 @@ id: 4f3b55b9-3f7f-11c9-08ec-023ffed290a0
related:
- id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
type: derived
status: experimental
status: test
description: |
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
Expand Up @@ -3,7 +3,7 @@ id: a0ecd6f3-309d-3ad0-2231-421f98a89f32
related:
- id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51
type: derived
status: experimental
status: test
description: |
Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
references:
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
type: derived
status: experimental
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
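Review bot: the description context line "where the extensions of the file is suspicious" has a number-agreement error and should read "where the extension of the file is suspicious". Because this rule is `derived` from upstream id ea0cdc3e-2239-4f26-a947-4e8f8224e464, the fix belongs in the upstream rule rather than in this generated copy, otherwise the next automated update will overwrite it; the same text appears in the second copy of this rule later in this commit.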
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
type: derived
status: experimental
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
Expand Up @@ -3,7 +3,7 @@ id: 3efca659-a57d-a642-952a-5f476a210a07
related:
- id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
type: derived
status: experimental
status: test
description: |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
Expand Up @@ -11,7 +11,7 @@ related:
type: similar
- id: 1dde5376-a648-492e-9e54-4241dd9b0c7f
type: derived
status: experimental
status: test
description: |
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
Initial baselining of the allowed extension list is required.
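Review bot: the description context line "to execute an script" should read "to execute a script"; as with the other derived rules in this commit, fix it upstream (related id 1dde5376-a648-492e-9e54-4241dd9b0c7f) so the automated sync does not revert it. The note that "Initial baselining of the allowed extension list is required" is the kind of tuning prerequisite that justifies keeping this at `test` rather than `stable`, so the status chosen here looks right.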
Expand Up @@ -5,7 +5,7 @@ related:
type: obsolete
- id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
type: derived
status: experimental
status: test
description: |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
Expand Up @@ -5,7 +5,7 @@ related:
type: obsolete
- id: 04936b66-3915-43ad-a8e5-809eadfd1141
type: derived
status: experimental
status: test
description: |
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
Expand Up @@ -3,7 +3,7 @@ id: 57428c1a-2716-80c7-6059-bb8408c50569
related:
- id: cc9d3712-6310-4320-b2df-7cb408274d53
type: derived
status: experimental
status: test
description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
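Review bot: the reference shown in context, a Microsoft page about virtual smart cards and tpmvscmgr, does not describe `lodctr.exe` or performance counter rebuilding, so it looks like the reference list was copied from an unrelated rule; check the upstream rule (related id cc9d3712-6310-4320-b2df-7cb408274d53) and replace it with the lodctr documentation or the source that motivated the rule. The same reference appears on the second copy of this rule later in this commit.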
Expand Up @@ -7,7 +7,7 @@ related:
type: obsolete
- id: 5f03babb-12db-4eec-8c82-7b4cb5580868
type: derived
status: experimental
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
type: derived
status: experimental
status: test
description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
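Review bot: the description context line "where the and output is located in a suspicious location" has a leftover word and should read "where the output is located in a suspicious location"; fix it in the upstream rule (related id 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc) so the next generated update carries the correction.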
Expand Up @@ -3,7 +3,7 @@ id: 2bd79a93-cca3-3280-f400-f38c499e263e
related:
- id: 41f407b5-3096-44ea-a74f-96d04fbc41be
type: derived
status: experimental
status: test
description: |
Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
Expand Up @@ -3,7 +3,7 @@ id: fa02ff62-1ebd-d56a-ffa0-8accc97eeec4
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: derived
status: experimental
status: test
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
Expand Up @@ -3,7 +3,7 @@ id: e8e1c7ac-50e7-03e1-c3d6-e1192efc4260
related:
- id: b19146a3-25d4-41b4-928b-1e2a92641b1b
type: derived
status: experimental
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
Expand Up @@ -3,7 +3,7 @@ id: 2b62781d-0af4-f828-f915-7b0039020526
related:
- id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
type: derived
status: experimental
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
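Review bot: the description context here reads as generic technique text ("An adversary may use legitimate desktop support and remote access software ... to establish an interactive command and control channel") rather than a statement of what this rule actually matches; every other rule in this commit opens with "Detects ...". A one-line lead saying which remote access tools or process names the selection covers would make triage of hits much easier, and again belongs upstream (related id 95e60a2b-4705-444b-b7da-ba0ea81a3ee2).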
Expand Up @@ -3,7 +3,7 @@ id: 75a50ccd-ba64-66cd-de19-003e2f044761
related:
- id: e83e8899-c9b2-483b-b355-5decc942b959
type: derived
status: experimental
status: test
description: |
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Expand Up @@ -3,7 +3,7 @@ id: 9f52bf0b-cd07-33a3-f9c1-6cf08889812a
related:
- id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
type: derived
status: experimental
status: test
description: Detects port forwarding activity via SSH.exe
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Expand Up @@ -3,7 +3,7 @@ id: 2c2fe733-6ef3-9d44-210c-fb4011ee1944
related:
- id: 40aa399c-7b02-4715-8e5f-73572b493f33
type: derived
status: experimental
status: test
description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
references:
- https://www.gnu.org/software/wget/manual/wget.html
Expand Up @@ -3,7 +3,7 @@ id: 33f733e0-fb92-860f-da22-47ee0186c951
related:
- id: c248c896-e412-4279-8c15-1c558067b6fa
type: derived
status: experimental
status: test
description: Detects the execution of "whoami.exe" with the "/all" flag
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
Expand Up @@ -3,7 +3,7 @@ id: 8785a0bb-8ec2-c019-4196-7d4d2fb47bd7
related:
- id: 6c304b02-06e6-402d-8be4-d5833cdf8198
type: derived
status: experimental
status: test
description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
Expand Up @@ -3,7 +3,7 @@ id: 817138f1-cfd3-c653-7392-a3c61051a8d3
related:
- id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
type: derived
status: experimental
status: test
description: |
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
Expand Up @@ -3,7 +3,7 @@ id: e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6
related:
- id: b1e0b3f5-b62e-41be-886a-daffde446ad4
type: derived
status: experimental
status: test
description: |
Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
Expand Up @@ -7,7 +7,7 @@ related:
type: derived
- id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
type: derived
status: experimental
status: test
description: |
Detects remote binary or command execution via the ScreenConnect Service.
Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
Expand Up @@ -3,7 +3,7 @@ id: 1ce6a719-c7b0-11e7-2b9f-37facf10d1d4
related:
- id: 868df2d1-0939-4562-83a7-27408c4a1ada
type: derived
status: experimental
status: test
description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
Expand Up @@ -3,7 +3,7 @@ id: 7b62efa9-9b33-2bd0-a96b-545a92437915
related:
- id: df68f791-ad95-447f-a271-640a0dab9cf8
type: derived
status: experimental
status: test
description: |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
Expand Up @@ -3,7 +3,7 @@ id: 6807af48-b057-4add-da91-ea84c8bd033b
related:
- id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
type: derived
status: experimental
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
- https://github.com/pr0xylife/Qakbot/
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
type: derived
status: experimental
status: test
description: |
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
references:
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 1a821580-588b-4323-9422-660f7e131020
type: derived
status: experimental
status: test
description: |
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
Expand Up @@ -3,7 +3,7 @@ id: dbe2c143-f29e-9625-49c9-5da3025d0699
related:
- id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
type: derived
status: experimental
status: test
description: |
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
Expand Up @@ -3,7 +3,7 @@ id: fceb664c-dbdf-2acf-bf98-b7d4a12fc2c8
related:
- id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
type: derived
status: experimental
status: test
description: Detects DNS queries for C2 domains used by DPRK Threat actors.
references:
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
Expand Up @@ -3,7 +3,7 @@ id: 824f9cbc-3d3a-d183-7e1e-c3e1cbad7e11
related:
- id: 05164d17-8e11-4d7d-973e-9e4962436b87
type: derived
status: experimental
status: test
description: |
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
references:
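Review bot: the description context line "as reported Team Huntress" is missing a word and should read "as reported by Team Huntress"; the `references:` block that follows is where the Huntress write-up should be linked, and the context shown here is cut before it, so confirm the upstream rule (related id 05164d17-8e11-4d7d-973e-9e4962436b87) actually lists that source.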
2 changes: 1 addition & 1 deletion sigma/sysmon/image_load/image_load_susp_unsigned_dll.yml
Expand Up @@ -3,7 +3,7 @@ id: 2cf29ce1-4c3f-0a50-2325-dc7984a3e2d7
related:
- id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
type: derived
status: experimental
status: test
description: |
Detects windows utilities loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
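Review bot: this is the one hunk whose file path survives (sigma/sysmon/image_load/image_load_susp_unsigned_dll.yml), and it is an image-load rule; Sysmon image load telemetry (Event ID 7) is high volume and frequently not collected, so a `test` status here should reflect that the rule was exercised against real image-load data and not only against process-creation logs. Worth stating that data requirement in the rule's prerequisites if it is not already there.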
Expand Up @@ -3,7 +3,7 @@ id: 6b333847-96a1-7c55-aaf4-74061d3a37f0
related:
- id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
type: derived
status: experimental
status: test
description: |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
type: derived
status: experimental
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
type: derived
status: experimental
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
Expand Up @@ -3,7 +3,7 @@ id: 4b0aa79e-235b-069f-608c-2b31582e2a04
related:
- id: 7090adee-82e2-4269-bd59-80691e7c6338
type: derived
status: experimental
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
Expand Up @@ -3,7 +3,7 @@ id: aed74134-c619-66fc-766f-f537bea761d1
related:
- id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
type: derived
status: experimental
status: test
description: |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
Expand Up @@ -11,7 +11,7 @@ related:
type: similar
- id: 1dde5376-a648-492e-9e54-4241dd9b0c7f
type: derived
status: experimental
status: test
description: |
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
Initial baselining of the allowed extension list is required.
Expand Up @@ -5,7 +5,7 @@ related:
type: obsolete
- id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
type: derived
status: experimental
status: test
description: |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
Expand Up @@ -5,7 +5,7 @@ related:
type: obsolete
- id: 04936b66-3915-43ad-a8e5-809eadfd1141
type: derived
status: experimental
status: test
description: |
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
Expand Up @@ -3,7 +3,7 @@ id: af640e40-2192-e050-de1a-65a8e3b3c50d
related:
- id: cc9d3712-6310-4320-b2df-7cb408274d53
type: derived
status: experimental
status: test
description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr