diff --git a/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index e5b73ce9a..873f48cf7 100644
--- a/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -7,9 +7,10 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
 - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth (Nextron Systems), wagga
+ - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
 date: 2018-03-20
-modified: 2022-11-29
+modified: 2024-12-03
 tags:
 - attack.defense-evasion
 - attack.t1562.001
@@ -21,17 +22,31 @@ detection:
 registry_event:
 EventID: 4657
 Channel: Security
- selection:
+ selection_regkey:
 ObjectName|contains|all:
 - SYSTEM\
 - ControlSet
 - \Control\Lsa
- ObjectName|endswith:
- - \lmcompatibilitylevel
- - \NtlmMinClientSec
- - \RestrictSendingNTLMTraffic
- condition: registry_event and selection
+ selection_value_lmcompatibilitylevel:
+ ObjectName|endswith: \lmcompatibilitylevel
+ NewValue:
+ - DWORD (0x00000000)
+ - DWORD (0x00000001)
+ - DWORD (0x00000002)
+ selection_value_ntlmminclientsec:
+ ObjectName|endswith: \NtlmMinClientSec
+ NewValue:
+ - DWORD (0x00000000) # No Security
+ - DWORD (0x00000010) # Only Integrity
+ - DWORD (0x00000020) # Only confidentiality
+ - DWORD (0x00000030) # Both Integrity and confidentiality
+ selection_value_restrictsendingntlmtraffic:
+ # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
+ # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
+ # Hence all values should be monitored and investigated
+ ObjectName|endswith: \RestrictSendingNTLMTraffic
+ condition: registry_event and (selection_regkey and 1 of selection_value_*)
 falsepositives:
- - Unknown
+ - Services or tools that set the values to more restrictive values
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index 69730b76e..dd38497d5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -23,7 +23,7 @@ references:
 - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019-06-15
-modified: 2023-08-23
+modified: 2024-12-03
 tags:
 - attack.defense-evasion
 - attack.t1036.003
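Review bot: The `NewValue` strings under `selection_value_lmcompatibilitylevel` and `selection_value_ntlmminclientsec` use the `DWORD (0x00000000)` rendering that Sysmon puts in its `Details` field, but this rule reads Security event 4657, which as far as I recall reports the new data of a REG_DWORD value as a plain number in `NewValue`. If that is right, neither of those two selections can ever match and only the unconstrained `RestrictSendingNTLMTraffic` branch of `1 of selection_value_*` fires, so please confirm the format against a captured 4657 event and add a one-line comment above each `NewValue:` list stating which rendering was verified. Separately, the `NtlmMinClientSec` list (here and in the sysmon counterpart in this commit) names only the four lowest combinations; if I have the documented flags right, NTLMv2 session security is 0x00080000 and 128-bit encryption is 0x20000000, so a write such as `DWORD (0x20000000)` drops the NTLMv2 session-security requirement without appearing in the list. Either record in a comment that this is a deliberate scope limit or extend the list to the values that lack the 0x00080000 bit. The `detection` block this hunk rewrites starts outside the hunk.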
@@ -46,8 +46,10 @@ detection:
 - certutil.exe
 - cmstp.exe
 - cscript.exe
+ - IE4UINIT.EXE
 - mshta.exe
 - msiexec.exe
+ - msxsl.exe
 - powershell_ise.exe
 - powershell.exe
 - psexec.c # old versions of psexec (2016 seen)
@@ -65,8 +67,10 @@ detection:
 - \certutil.exe
 - \cmstp.exe
 - \cscript.exe
+ - \ie4uinit.exe
 - \mshta.exe
 - \msiexec.exe
+ - \msxsl.exe
 - \powershell_ise.exe
 - \powershell.exe
 - \psexec.exe
diff --git a/sigma/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/sigma/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 5d2bbda23..4a31cbfca 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -7,9 +7,10 @@ status: test
 description: Detects NetNTLM downgrade attack
 references:
 - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-author: Florian Roth (Nextron Systems), wagga
+ - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
 date: 2018-03-20
-modified: 2022-11-29
+modified: 2024-12-03
 tags:
 - attack.defense-evasion
 - attack.t1562.001
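Review bot: `IE4UINIT.EXE` is added in upper case in the first list while its counterpart in the second hunk is `\ie4uinit.exe`, and every other entry in both lists is lower case; Sigma string matching is case-insensitive, so this is not a functional problem, but the mixed casing reads as an inconsistency. If the upper-case form mirrors the binary's PE OriginalFileName (as `psexec.c` in the same list seems to), a trailing comment such as `- IE4UINIT.EXE # casing as in the PE OriginalFileName` would record that; otherwise lower-case it like the others. The selection and filter these lists belong to, and the field names they match on, start outside the hunk.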
@@ -25,17 +26,31 @@ detection:
 - 13
 - 14
 Channel: Microsoft-Windows-Sysmon/Operational
- selection:
+ selection_regkey:
 TargetObject|contains|all:
 - SYSTEM\
 - ControlSet
 - \Control\Lsa
- TargetObject|endswith:
- - \lmcompatibilitylevel
- - \NtlmMinClientSec
- - \RestrictSendingNTLMTraffic
- condition: registry_event and selection
+ selection_value_lmcompatibilitylevel:
+ TargetObject|endswith: \lmcompatibilitylevel
+ Details:
+ - DWORD (0x00000000)
+ - DWORD (0x00000001)
+ - DWORD (0x00000002)
+ selection_value_ntlmminclientsec:
+ TargetObject|endswith: \NtlmMinClientSec
+ Details:
+ - DWORD (0x00000000) # No Security
+ - DWORD (0x00000010) # Only Integrity
+ - DWORD (0x00000020) # Only confidentiality
+ - DWORD (0x00000030) # Both Integrity and confidentiality
+ selection_value_restrictsendingntlmtraffic:
+ # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
+ # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
+ # Hence all values should be monitored and investigated
+ TargetObject|endswith: \RestrictSendingNTLMTraffic
+ condition: registry_event and (selection_regkey and 1 of selection_value_*)
 falsepositives:
- - Unknown
+ - Services or tools that set the values to more restrictive values
 level: high
 ruletype: Sigma
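Review bot: The three `Details` values under `selection_value_lmcompatibilitylevel` carry no explanatory comment, unlike the `NtlmMinClientSec` list directly below them, so a reader has to look up why levels 0 to 2 are the ones worth alerting on. Suggest trailing comments with the documented policy names, `- DWORD (0x00000000) # Send LM & NTLM responses`, `- DWORD (0x00000001) # Send LM & NTLM - use NTLMv2 session security if negotiated`, `- DWORD (0x00000002) # Send NTLM response only`, plus a short note that level 3 and above are NTLMv2-only, which is the boundary this selection keys on. The same applies to the `NewValue` list in the builtin variant of this rule in the same commit. The `detection` block this hunk rewrites starts outside the hunk.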