Sigma Rule Update (2024-12-04 20:15:52) (#788)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 4, 2024 · d003bd4 · d003bd4
1 parent 6eb5574
commit d003bd4
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 19 deletions.
diff --git a/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -7,9 +7,10 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
     - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth (Nextron Systems), wagga
+    - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
 date: 2018-03-20
-modified: 2022-11-29
+modified: 2024-12-03
 tags:
     - attack.defense-evasion
     - attack.t1562.001
@@ -21,17 +22,31 @@ detection:
     registry_event:
         EventID: 4657
         Channel: Security
-    selection:
+    selection_regkey:
         ObjectName|contains|all:
             - SYSTEM\
             - ControlSet
             - \Control\Lsa
-        ObjectName|endswith:
-            - \lmcompatibilitylevel
-            - \NtlmMinClientSec
-            - \RestrictSendingNTLMTraffic
-    condition: registry_event and selection
+    selection_value_lmcompatibilitylevel:
+        ObjectName|endswith: \lmcompatibilitylevel
+        NewValue:
+            - DWORD (0x00000000)
+            - DWORD (0x00000001)
+            - DWORD (0x00000002)
+    selection_value_ntlmminclientsec:
+        ObjectName|endswith: \NtlmMinClientSec
+        NewValue:
+            - DWORD (0x00000000)   # No Security
+            - DWORD (0x00000010)   # Only Integrity
+            - DWORD (0x00000020)   # Only confidentiality
+            - DWORD (0x00000030)   # Both Integrity and confidentiality
+    selection_value_restrictsendingntlmtraffic:
+        # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
+        # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
+        # Hence all values should be monitored and investigated
+        ObjectName|endswith: \RestrictSendingNTLMTraffic
+    condition: registry_event and (selection_regkey and 1 of selection_value_*)
 falsepositives:
-    - Unknown
+    - Services or tools that set the values to more restrictive values
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -23,7 +23,7 @@ references:
     - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019-06-15
-modified: 2023-08-23
+modified: 2024-12-03
 tags:
     - attack.defense-evasion
     - attack.t1036.003
@@ -46,8 +46,10 @@ detection:
               - certutil.exe
               - cmstp.exe
               - cscript.exe
+              - IE4UINIT.EXE
               - mshta.exe
               - msiexec.exe
+              - msxsl.exe
               - powershell_ise.exe
               - powershell.exe
               - psexec.c          # old versions of psexec (2016 seen)
@@ -65,8 +67,10 @@ detection:
             - \certutil.exe
             - \cmstp.exe
             - \cscript.exe
+            - \ie4uinit.exe
             - \mshta.exe
             - \msiexec.exe
+            - \msxsl.exe
             - \powershell_ise.exe
             - \powershell.exe
             - \psexec.exe

diff --git a/sigma/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/sigma/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -7,9 +7,10 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
     - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth (Nextron Systems), wagga
+    - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
 date: 2018-03-20
-modified: 2022-11-29
+modified: 2024-12-03
 tags:
     - attack.defense-evasion
     - attack.t1562.001
@@ -25,17 +26,31 @@ detection:
             - 13
             - 14
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection:
+    selection_regkey:
         TargetObject|contains|all:
             - SYSTEM\
             - ControlSet
             - \Control\Lsa
-        TargetObject|endswith:
-            - \lmcompatibilitylevel
-            - \NtlmMinClientSec
-            - \RestrictSendingNTLMTraffic
-    condition: registry_event and selection
+    selection_value_lmcompatibilitylevel:
+        TargetObject|endswith: \lmcompatibilitylevel
+        Details:
+            - DWORD (0x00000000)
+            - DWORD (0x00000001)
+            - DWORD (0x00000002)
+    selection_value_ntlmminclientsec:
+        TargetObject|endswith: \NtlmMinClientSec
+        Details:
+            - DWORD (0x00000000)   # No Security
+            - DWORD (0x00000010)   # Only Integrity
+            - DWORD (0x00000020)   # Only confidentiality
+            - DWORD (0x00000030)   # Both Integrity and confidentiality
+    selection_value_restrictsendingntlmtraffic:
+        # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
+        # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
+        # Hence all values should be monitored and investigated
+        TargetObject|endswith: \RestrictSendingNTLMTraffic
+    condition: registry_event and (selection_regkey and 1 of selection_value_*)
 falsepositives:
-    - Unknown
+    - Services or tools that set the values to more restrictive values
 level: high
 ruletype: Sigma