Sigma Rule Update (2024-12-01 20:14:43) (#785)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 1, 2024 · 502f806 · 502f806
1 parent 79d034c
commit 502f806
Show file tree

Hide file tree

Showing 62 changed files with 265 additions and 71 deletions.
diff --git a/...23/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/...23/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
       type: derived
-status: experimental
+status: test
 description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
 references:
     - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

diff --git a/...tin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml b/...tin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
@@ -3,7 +3,7 @@ id: 4d7c1d43-5e75-8d5e-69ed-1a208dd23249
 related:
     - id: 698d4431-514f-4c82-af4d-cf573872a9f5
       type: derived
-status: experimental
+status: test
 description: |
     Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
     The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).

diff --git a/...ing-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/...ing-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -3,7 +3,7 @@ id: 36b7b5cb-6442-2a32-49bd-894a5b3ece4e
 related:
     - id: d8937fe7-42d5-4b4d-8178-e089c908f63f
       type: derived
-status: experimental
+status: test
 description: |
     Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
     The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries

diff --git a/...ts/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml b/...ts/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
@@ -3,7 +3,7 @@ id: 465c812b-bb1a-4652-0a2a-5e9216ae9b5b
 related:
     - id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
       type: derived
-status: experimental
+status: test
 description: |
     Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
 references:

diff --git a/...ging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/...ging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
@@ -3,7 +3,7 @@ id: ad6cf96f-fa18-2ab2-281f-bbffecb4ab3a
 related:
     - id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
       type: derived
-status: experimental
+status: test
 description: Detects process creation activity related to Peach Sandstorm APT
 references:
     - https://twitter.com/MsftSecIntel/status/1737895710169628824

diff --git a/sigma/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/sigma/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -3,7 +3,7 @@ id: 3623c339-f1c5-67f2-a5a2-ddb078d75f69
 related:
     - id: 79609c82-a488-426e-abcf-9f341a39365d
       type: derived
-status: experimental
+status: test
 description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
 references:
     - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

diff --git a/sigma/builtin/network_connection/net_connection_win_adws_unusual_connection.yml b/sigma/builtin/network_connection/net_connection_win_adws_unusual_connection.yml
@@ -3,7 +3,7 @@ id: b2c34a06-251e-87ee-2d3e-fae878185d34
 related:
     - id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
       type: derived
-status: experimental
+status: test
 description: |
     Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
 references:

diff --git a/sigma/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
@@ -3,7 +3,7 @@ id: e3cb371f-ecf2-9b45-e6ff-67bb63f48a48
 related:
     - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
       type: derived
-status: experimental
+status: test
 description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
 references:
     - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html

diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpmove.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpmove.yml
@@ -3,7 +3,7 @@ id: a7c815fc-1c17-fb9b-3993-9508f7fe6f3f
 related:
     - id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
       type: derived
-status: experimental
+status: test
 description: |
     Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
 references:

diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_soaphound_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_soaphound_execution.yml
@@ -3,7 +3,7 @@ id: 5c3a9984-9934-58ca-15e5-cc96b8da7455
 related:
     - id: e92a4287-e072-4a40-9739-370c106bb750
       type: derived
-status: experimental
+status: test
 description: |
     Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
 references:

diff --git a/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
       type: derived
-status: experimental
+status: test
 description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
 references:
     - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/

diff --git a/sigma/builtin/process_creation/proc_creation_win_mode_codepage_russian.yml b/sigma/builtin/process_creation/proc_creation_win_mode_codepage_russian.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: 12fbff88-16b5-4b42-9754-cd001a789fb3
       type: derived
-status: experimental
+status: test
 description: |
     Detects a CodePage modification using the "mode.com" utility to Russian language.
     This behavior has been used by threat actors behind Dharma ransomware.

diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
       type: derived
-status: experimental
+status: test
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
     - https://adsecurity.org/?p=2921

diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
       type: derived
-status: experimental
+status: test
 description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
 references:
     - https://github.com/vletoux/pingcastle

diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: b37998de-a70b-4f33-b219-ec36bf433dc0
       type: derived
-status: experimental
+status: test
 description: |
     Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
 references:

diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
@@ -3,6 +3,8 @@ id: 915fc7ae-b034-c5e8-9b05-e19566db49fb
 related:
     - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
       type: obsolete
+    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+      type: similar
     - id: d87bd452-6da1-456e-8155-7dc988157b7d
       type: derived
 status: test
@@ -27,16 +29,16 @@ detection:
         CommandLine|contains: ShellExec_RunDLL
     selection_suspcli:
         CommandLine|contains:
-            # Add more LOLBINs and Susp Paths
-            - regsvr32
-            - msiexec
-            - \Users\Public\
-            - odbcconf
+            # Note: The ordinal number may differ depending on the DLL version
             - \Desktop\
             - \Temp\
-            - Invoke-
-            - iex
+            - \Users\Public\
             - comspec
+            - iex
+            - Invoke-
+            - msiexec
+            - odbcconf
+            - regsvr32
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

diff --git a/.../builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml b/.../builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
@@ -0,0 +1,74 @@
+title: Suspicious ShellExec_RunDLL Call Via Ordinal
+id: afe56692-d76f-5259-cd59-c1032f5cf01b
+related:
+    - id: d87bd452-6da1-456e-8155-7dc988157b7d
+      type: derived
+    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+      type: derived
+status: experimental
+description: |
+    Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
+    Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
+references:
+    - https://redcanary.com/blog/raspberry-robin/
+    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
+    - https://github.com/SigmaHQ/sigma/issues/1009
+    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
+author: Swachchhanda Shrawan Poudel
+date: 2024-12-01
+tags:
+    - attack.defense-evasion
+    - attack.t1218.011
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_parent_img:
+        ParentCommandLine|contains: SHELL32.DLL
+    selection_parent_ordinal:
+        ParentCommandLine|contains:
+            # Note: The ordinal number may differ depending on the DLL version
+            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
+            - '#568'
+            - '#570'
+            - '#572'
+            - '#576'
+    selection_susp_cli_parent:
+        # Note: Add additional binaries and suspicious paths to increase coverage
+        - ParentCommandLine|contains:
+              - comspec
+              - iex
+              - Invoke-
+              - msiexec
+              - odbcconf
+              - regsvr32
+        - ParentCommandLine|contains:
+              - \Desktop\
+              - \ProgramData\
+              - \Temp\
+              - \Users\Public\
+    selection_susp_child_img:
+        NewProcessName|endswith:
+            - \bash.exe
+            - \bitsadmin.exe
+            - \cmd.exe
+            - \cscript.exe
+            - \curl.exe
+            - \mshta.exe
+            - \msiexec.exe
+            - \msxsl.exe
+            - \odbcconf.exe
+            - \powershell.exe
+            - \pwsh.exe
+            - \regsvr32.exe
+            - \schtasks.exe
+            - \wmic.exe
+            - \wscript.exe
+    condition: process_creation and (all of selection_parent_* and 1 of selection_susp_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_volume.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_volume.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: c79da740-5030-45ec-a2e0-479e824a562c
       type: derived
-status: experimental
+status: test
 description: |
     An adversary might use WMI to discover information about the system, such as the volume name, size,
     free space, and other disk information. This can be done using the `wmic` command-line utility and has been

diff --git a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_dropper.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: cea72823-df4d-4567-950c-0b579eaf0846
       type: derived
-status: experimental
+status: test
 description: Detects wscript/cscript executions of scripts located in user directories
 references:
     - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/

diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -13,9 +13,10 @@ references:
     - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
     - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
     - https://blog.talosintelligence.com/uat-5647-romcom/
+    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2024-10-18
+modified: 2024-11-19
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -40,6 +41,8 @@ detection:
             - \{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\
             - \{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\
             - \{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\
+            - \{7849596a-48ea-486e-8937-a2a3009f31a9}\
+            - \{0b91a74b-ad7c-4a9d-b563-29eef9167172}\
     selection_susp_location_1:
         NewValue|contains:
             # Note: Add more suspicious paths and locations

diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml
@@ -3,7 +3,7 @@ id: a6f5fcfd-58a6-fb93-b548-3772adf366b9
 related:
     - id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
       type: derived
-status: experimental
+status: test
 description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
 references:
     - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/

diff --git a/sigma/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/sigma/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
@@ -3,7 +3,7 @@ id: 764518e5-4160-b679-1946-cbd0e76705da
 related:
     - id: bacf58c6-e199-4040-a94f-95dea0f1e45a
       type: derived
-status: experimental
+status: test
 description: |
     Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
     Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

diff --git a/sigma/builtin/security/win_security_hktl_edr_silencer.yml b/sigma/builtin/security/win_security_hktl_edr_silencer.yml
@@ -3,7 +3,7 @@ id: 4d56e133-40b5-5b28-07b5-bab0913fc338
 related:
     - id: 98054878-5eab-434c-85d4-72d4e5a3361b
       type: derived
-status: experimental
+status: test
 description: |
     Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
 references:

diff --git a/sigma/builtin/threat-hunting/firewall_as/win_firewall_as_change_rule.yml b/sigma/builtin/threat-hunting/firewall_as/win_firewall_as_change_rule.yml
@@ -3,7 +3,7 @@ id: 5d551ac6-b825-b536-7ec6-75339fc57a25
 related:
     - id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
       type: derived
-status: experimental
+status: test
 description: Detects when a rule has been modified in the Windows firewall exception list
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

diff --git a/sigma/builtin/threat-hunting/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/sigma/builtin/threat-hunting/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
@@ -3,7 +3,7 @@ id: 4255ccee-f954-7d80-4281-d5a5fe9ea9f7
 related:
     - id: 4c5fba4a-9ef6-4f16-823d-606246054741
       type: derived
-status: experimental
+status: test
 description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
 references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_iexpress_execution.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_iexpress_execution.yml
@@ -3,7 +3,7 @@ id: bc8a6370-9950-1a63-7ece-7feed9d18e57
 related:
     - id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
       type: derived
-status: experimental
+status: test
 description: |
     Detects the "iexpress.exe" utility creating self-extracting packages.
     Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.

diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_mode_codepage_change.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_mode_codepage_change.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
       type: derived
-status: experimental
+status: test
 description: |
     Detects a CodePage modification using the "mode.com" utility.
     This behavior has been used by threat actors behind Dharma ransomware.

diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
       type: derived
-status: experimental
+status: test
 description: |
     Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
 references:

diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
       type: derived
-status: experimental
+status: test
 description: |
     Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
     including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,

diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
@@ -3,7 +3,7 @@ id: fde2d7f3-b0b3-aec1-47ad-53912b9c089a
 related:
     - id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
       type: derived
-status: experimental
+status: test
 description: |
     Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
     This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

diff --git a/...23/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/...23/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
       type: derived
-status: experimental
+status: test
 description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
 references:
     - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

diff --git a/...ing-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/...ing-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
@@ -3,7 +3,7 @@ id: 8dd44f90-754a-923f-5ade-f8938064900b
 related:
     - id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
       type: derived
-status: experimental
+status: test
 description: |
     Detects the execution of rundll32 that leads to an external network connection.
     The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.

diff --git a/...mon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml b/...mon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
@@ -3,7 +3,7 @@ id: 6d13ab27-1510-b3ec-126b-d447b6493b50
 related:
     - id: 698d4431-514f-4c82-af4d-cf573872a9f5
       type: derived
-status: experimental
+status: test
 description: |
     Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
     The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).