Sigma Rule Update (2024-12-02 20:14:17) (#787)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 2, 2024 · 6eb5574 · 6eb5574
1 parent 2b622bc
commit 6eb5574
Show file tree

Hide file tree

Showing 57 changed files with 238 additions and 151 deletions.
diff --git a/.../emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/.../emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -10,7 +10,7 @@ references:
     - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth (Nextron Systems)
 date: 2019-11-20
-modified: 2022-05-27
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1068
@@ -23,17 +23,18 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection:
+    selection_img:
         CommandLine|contains: ' http'
         ParentProcessName|endswith: \consent.exe
         NewProcessName|endswith: \iexplore.exe
-    rights1:
-        MandatoryLabel: S-1-16-16384
-    rights2:
-        SubjectUserName|contains: # covers many language settings
-            - AUTHORI
-            - AUTORI
-    condition: process_creation and (selection and ( rights1 or rights2 ))
+    selection_rights:
+        - MandatoryLabel:
+              - S-1-16-16384
+              - None
+        - SubjectUserName|contains: # covers many language settings
+              - AUTHORI
+              - AUTORI
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
 level: critical

diff --git a/...merging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/...merging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -12,7 +12,7 @@ references:
     - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
 author: Florian Roth (Nextron Systems)
 date: 2021-11-22
-modified: 2023-02-13
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1068
@@ -36,7 +36,9 @@ detection:
               - pwsh.dll
     selection_parent:
         ParentProcessName|endswith: \elevation_service.exe
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

diff --git a/...xploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/...xploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -10,7 +10,7 @@ references:
     - https://streamable.com/q2dsji
 author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1553
@@ -24,10 +24,12 @@ detection:
         Channel: Security
     selection:
         ParentProcessName|endswith: \RazerInstaller.exe
-        MandatoryLabel: S-1-16-16384
-    filter:
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
+    filter_main_razer:
         NewProcessName|startswith: C:\Windows\Installer\Razer\Installer\
-    condition: process_creation and (selection and not filter)
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
     - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
 level: high

diff --git a/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml b/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -11,6 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
 author: frack113
 date: 2022-12-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.t1202
@@ -26,7 +27,9 @@ detection:
             - conhost.exe
             - '0xffffffff'
             - -ForceV1
-        MandatoryLabel: S-1-16-12288
+        MandatoryLabel:
+            - S-1-16-12288
+            - None
     condition: process_creation and selection
 falsepositives:
     - Very Likely, including launching cmd.exe via Run As Administrator

diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -13,7 +13,7 @@ references:
     - https://twitter.com/_st0pp3r_/status/1583914244344799235
 author: frack113
 date: 2022-01-16
-modified: 2024-03-13
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.t1218.007
@@ -45,7 +45,9 @@ detection:
         ParentProcessName|startswith: C:\Windows\Temp\
     filter_ccm:
         ParentProcessName: C:\Windows\CCM\Ccm32BitLauncher.exe
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
     condition: process_creation and (all of selection_* and not 1 of filter_*)
 falsepositives:
     - WindowsApps installing updates via the quiet flag

diff --git a/...ltin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/...ltin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
@@ -10,7 +10,7 @@ references:
     - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2023-01-30
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1574.011
@@ -29,7 +29,9 @@ detection:
             - \ImagePath
             - \FailureCommand
             - \ServiceDll
-        MandatoryLabel: S-1-16-8192
+        MandatoryLabel:
+            - S-1-16-8192
+            - None
     condition: process_creation and selection
 falsepositives:
     - Unknown

diff --git a/...a/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/...a/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
@@ -10,7 +10,7 @@ references:
     - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2022-07-14
+modified: 2024-12-01
 tags:
     - attack.persistence
     - attack.defense-evasion
@@ -25,7 +25,9 @@ detection:
         Channel: Security
     scbynonadmin:
         NewProcessName|endswith: \sc.exe
-        MandatoryLabel: S-1-16-8192
+        MandatoryLabel:
+            - S-1-16-8192
+            - None
     selection_binpath:
         CommandLine|contains|all:
             - config

diff --git a/...builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/...builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -10,6 +10,7 @@ references:
     - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
 author: Swachchhanda Shrawan Poudel, Elastic (idea)
 date: 2023-04-20
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -36,7 +37,9 @@ detection:
     filter_main_extension_xml:
         CommandLine|contains: .xml
     filter_main_system_process:
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
     filter_main_rundll32:
         ParentCommandLine|contains|all:
             - :\WINDOWS\Installer\MSI

diff --git a/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
 author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
 date: 2021-07-11
-modified: 2023-02-09
+modified: 2024-12-01
 tags:
     - attack.execution
     - attack.t1203
@@ -24,7 +24,9 @@ detection:
         Channel: Security
     spoolsv:
         ParentProcessName|endswith: \spoolsv.exe
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
     suspicious_unrestricted:
         NewProcessName|endswith:
             - \gpupdate.exe

diff --git a/...tin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/...tin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -9,7 +9,7 @@ references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
-modified: 2023-03-23
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1548.002
@@ -31,7 +31,9 @@ detection:
         NewProcessName|endswith: tmp
     selection_image_2:
         NewProcessName|endswith: \msiexec.exe
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
     filter_installer:
         ParentProcessName: C:\Windows\System32\services.exe
     filter_repair:

diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -9,7 +9,7 @@ references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020-10-05
-modified: 2022-07-07
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.t1112
@@ -20,30 +20,27 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    reg:
-        CommandLine|contains|all:
-            - 'reg '
-            - add
-    powershell:
-        CommandLine|contains:
-            - powershell
-            - set-itemproperty
-            - ' sp '
-            - new-itemproperty
-    select_data:
+    selection_cli:
+        - CommandLine|contains|all:
+              - 'reg '
+              - add
+        - CommandLine|contains:
+              - powershell
+              - set-itemproperty
+              - ' sp '
+              - new-itemproperty
+    selection_data:
         CommandLine|contains|all:
             - ControlSet
             - Services
         CommandLine|contains:
             - ImagePath
             - FailureCommand
             - ServiceDLL
-        MandatoryLabel: S-1-16-8192
-    condition: process_creation and ((reg or powershell) and select_data)
-fields:
-    - MandatoryLabel
-    - EventID
-    - CommandLine
+        MandatoryLabel:
+            - S-1-16-8192
+            - None
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
 level: high

diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -10,7 +10,7 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-11-11
+modified: 2024-12-01
 tags:
     - attack.credential-access
     - attack.defense-evasion
@@ -26,7 +26,9 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
         SubjectUserName|contains: # covers many language settings
             - AUTHORI
             - AUTORI

diff --git a/...a/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/...a/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
@@ -37,11 +37,6 @@ detection:
             - 'qwsu '
             - 'uwdqs '
     condition: process_creation and (all of selection*)
-fields:
-    - MandatoryLabel
-    - Product
-    - Description
-    - CommandLine
 falsepositives:
     - System administrator Usage
 level: medium

diff --git a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -9,6 +9,7 @@ references:
     - https://twitter.com/Moti_B/status/909449115477659651
 author: '@juju4'
 date: 2022-12-27
+modified: 2024-12-01
 tags:
     - attack.execution
 logsource:
@@ -22,7 +23,9 @@ detection:
         - NewProcessName|endswith: \tscon.exe
         - OriginalFileName: tscon.exe
     selection_integrity:
-        MandatoryLabel: S-1-16-16384
+        MandatoryLabel:
+            - S-1-16-16384
+            - None
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Administrative activity

diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -11,7 +11,7 @@ references:
     - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -29,6 +29,8 @@ detection:
         MandatoryLabel:
             - S-1-16-12288
             - S-1-16-16384
+            - None
+            - None
     condition: process_creation and selection
 falsepositives:
     - Unknown

diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-31
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -25,6 +25,8 @@ detection:
         MandatoryLabel:
             - S-1-16-12288
             - S-1-16-16384
+            - None
+            - None
         NewProcessName: C:\Windows\System32\ComputerDefaults.exe
     filter:
         ParentProcessName|contains:

diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -27,6 +27,8 @@ detection:
         MandatoryLabel:
             - S-1-16-12288
             - S-1-16-16384
+            - None
+            - None
     condition: process_creation and selection
 falsepositives:
     - Unknown

diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -29,6 +29,8 @@ detection:
         MandatoryLabel:
             - S-1-16-12288
             - S-1-16-16384
+            - None
+            - None
     condition: process_creation and selection
 falsepositives:
     - Unknown