feat: more updates

SigmaHQ · May 5, 2023 · f1cd74e · f1cd74e
1 parent bd0a9e2
commit f1cd74e
Show file tree

Hide file tree

Showing 27 changed files with 230 additions and 132 deletions.
diff --git a/..._thread_win_susp_remote_thread_target.yml → ..._thread_win_susp_remote_thread_target.yml b/..._thread_win_susp_remote_thread_target.yml → ..._thread_win_susp_remote_thread_target.yml
@@ -1,6 +1,6 @@
 title: Suspicious Remote Thread Target
 id: f016c716-754a-467f-a39e-63c06f773987
-status: experimental
+status: deprecated
 description: |
   Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
   This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.
@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/25
-modified: 2022/08/29
+modified: 2023/05/05
 logsource:
     product: windows
     category: create_remote_thread

diff --git a/...e_event/file_event_win_moriya_rootkit.yml → ...Rootkit/file_event_win_moriya_rootkit.yml b/...e_event/file_event_win_moriya_rootkit.yml → ...Rootkit/file_event_win_moriya_rootkit.yml
@@ -1,15 +1,15 @@
-title: Moriya Rootkit
+title: Moriya Rootkit File Created
 id: a1507d71-0b60-44f6-b17c-bf53220fdd88
 related:
     - id: 25b9c01c-350d-4b95-bed1-836d04a4f324
       type: derived
 status: test
-description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
+description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
 references:
     - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
 date: 2021/05/06
-modified: 2022/10/09
+modified: 2023/05/05
 tags:
     - attack.persistence
     - attack.privilege_escalation

diff --git a/...e_event_win_malware_pingback_backdoor.yml → ...e_event_win_malware_pingback_backdoor.yml b/...e_event_win_malware_pingback_backdoor.yml → ...e_event_win_malware_pingback_backdoor.yml
diff --git a/...ad/create_remote_thread_win_bumblebee.yml → ...e_remote_thread_win_malware_bumblebee.yml b/...ad/create_remote_thread_win_bumblebee.yml → ...e_remote_thread_win_malware_bumblebee.yml
@@ -1,4 +1,4 @@
-title: Bumblebee Remote Thread Creation
+title: Potential Bumblebee Remote Thread Creation
 id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
 status: experimental
 description: Detects remote thread injection events based on action seen used by bumblebee

diff --git a/rules-emerging-threats/2023/TA/FIN7/README.md b/rules-emerging-threats/2023/TA/FIN7/README.md
@@ -2,12 +2,15 @@
 
 ## Summary
 
-Withsecure labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.
+WithSecure Labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.
 
 You can find more information on the threat in the following articles:
 
 - [FIN7 tradecraft seen in attacks against Veeam backup servers](https://labs.withsecure.com/publications/fin7-target-veeam-servers)
 
 ## Rules
 
-- 
+- [Potential APT FIN7 Related PowerShell Script Created](./file_event_win_apt_fin7_powershell_scripts_naming_convention.yml)
+- [Potential APT FIN7 POWERHOLD Execution](./posh_ps_apt_fin7_powerhold.yml)
+- [Potential POWERTRASH Script Execution](./posh_ps_apt_fin7_powertrash_execution.yml)
+- [Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity](./proc_creation_win_apt_fin7_powertrash_lateral_movement.yml)
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
@@ -1,4 +1,4 @@
-title: FIN7 POWERHOLD Execution
+title: Potential APT FIN7 POWERHOLD Execution
 id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
 status: test
 description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

diff --git a/...-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/...-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -1,4 +1,4 @@
-title: Potential FIN7 Reconnaissance/POWERTRASH Related Activity
+title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
 id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
 status: experimental
 description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution

diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
@@ -5,9 +5,10 @@ description: Detects issues with Windows Defender Real-Time Protection features
 references:
     - Internal Research
     - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
-    - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346
+    - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
 date: 2023/03/28
+modified: 2023/05/05
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -19,7 +20,12 @@ detection:
         EventID:
             - 3002 # Real-Time Protection feature has encountered an error and failed
             - 3007 # Real-time Protection feature has restarted
-    condition: selection
+    filter_optional_network_inspection:
+        Feature_Name: '%%886' # Network Inspection System
+        Reason:
+            - '%%892' # The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the device.
+            - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required
 level: medium
diff --git a/.../create_remote_thread_win_cactustorch.yml → ...te_remote_thread_win_hktl_cactustorch.yml b/.../create_remote_thread_win_cactustorch.yml → ...te_remote_thread_win_hktl_cactustorch.yml
@@ -1,17 +1,17 @@
-title: CACTUSTORCH Remote Thread Creation
+title: HackTool - CACTUSTORCH Remote Thread Creation
 id: 2e4e488a-6164-4811-9ea1-f960c7359c40
 status: test
 description: Detects remote thread creation from CACTUSTORCH as described in references.
 references:
-    - https://twitter.com/SBousseaden/status/1090588499517079552
+    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
     - https://github.com/mdsecactivebreach/CACTUSTORCH
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019/02/01
-modified: 2022/12/25
+modified: 2023/05/05
 tags:
     - attack.defense_evasion
-    - attack.t1055.012
     - attack.execution
+    - attack.t1055.012
     - attack.t1059.005
     - attack.t1059.007
     - attack.t1218.005

diff --git a/...ad_win_cobaltstrike_process_injection.yml → ...e_remote_thread_win_hktl_cobaltstrike.yml b/...ad_win_cobaltstrike_process_injection.yml → ...e_remote_thread_win_hktl_cobaltstrike.yml
@@ -1,13 +1,13 @@
-title: CobaltStrike Process Injection
+title: HackTool - Potential CobaltStrike Process Injection
 id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
 status: test
-description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
+description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 references:
     - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
     - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
 date: 2018/11/30
-modified: 2022/12/25
+modified: 2023/05/05
 tags:
     - attack.defense_evasion
     - attack.t1055.001

diff --git a/...te_thread_win_password_dumper_keepass.yml → ...read/create_remote_thread_win_keepass.yml b/...te_thread_win_password_dumper_keepass.yml → ...read/create_remote_thread_win_keepass.yml
@@ -1,13 +1,14 @@
-title: KeePass Password Dumping
+title: Remote Thread Created In KeePass.EXE
 id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
 status: experimental
-description: Detects remote thread creation in KeePass.exe indicating password dumping activity
+description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
 references:
     - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
     - https://github.com/denandz/KeeFarce
     - https://github.com/GhostPack/KeeThief
 author: Timon Hackenjos
 date: 2022/04/22
+modified: 2023/05/05
 tags:
     - attack.credential_access
     - attack.t1555.005

diff --git a/...eate_remote_thread_win_powershell_crt.yml → ..._remote_thread_win_powershell_generic.yml b/...eate_remote_thread_win_powershell_crt.yml → ..._remote_thread_win_powershell_generic.yml
diff --git a/...api_in_powershell_credentials_dumping.yml → ...te_remote_thread_win_powershell_lsass.yml b/...api_in_powershell_credentials_dumping.yml → ...te_remote_thread_win_powershell_lsass.yml
diff --git a/...te_thread_win_powershell_crt_rundll32.yml → ...te_thread_win_powershell_susp_targets.yml b/...te_thread_win_powershell_crt_rundll32.yml → ...te_thread_win_powershell_susp_targets.yml
diff --git a/..._thread_win_susp_remote_thread_source.yml → ...mote_thread_win_uncommon_source_image.yml b/..._thread_win_susp_remote_thread_source.yml → ...mote_thread_win_uncommon_source_image.yml
@@ -1,16 +1,13 @@
-title: Suspicious Remote Thread Source
+title: Remote Thread Creation By Uncommon Source Image
 id: 66d31e5f-52d6-40a4-9615-002d3789a119
 status: experimental
-description: |
-  Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
-  This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.
-  It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
+description: Detects uncommon processes creating remote threads
 references:
     - Personal research, statistical analysis
     - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019/10/27
-modified: 2023/03/09
+modified: 2023/05/05
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -22,8 +19,8 @@ detection:
     selection:
         SourceImage|endswith:
             - '\bash.exe'
-            - '\cvtres.exe'
             - '\cscript.exe'
+            - '\cvtres.exe'
             - '\defrag.exe'
             - '\dnx.exe'
             - '\esentutl.exe'
@@ -41,7 +38,7 @@ detection:
             - '\lync.exe'
             - '\makecab.exe'
             - '\mDNSResponder.exe'
-            - '\monitoringhost.exe'
+            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
             - '\msbuild.exe'
             - '\mshta.exe'
             - '\msiexec.exe'
@@ -66,56 +63,42 @@ detection:
             - '\w3wp.exe'
             - '\winlogon.exe'
             - '\winscp.exe'
-            - '\wmic.exe'
             - '\winword.exe'
+            - '\wmic.exe'
             - '\wscript.exe'
     filter_vs:
         - SourceImage|contains: 'Visual Studio'
         - SourceParentImage|contains: '\Programs\Microsoft VS Code\'
-    filter2:
+    filter_main_winlogon_1:
         SourceImage: 'C:\Windows\System32\winlogon.exe'
         TargetImage:
             - 'C:\Windows\System32\services.exe' # happens on Windows 7
             - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
             - 'C:\Windows\System32\csrss.exe' # multiple OS
-    filter2b:
+    filter_main_winlogon_2:
         SourceImage: 'C:\Windows\System32\winlogon.exe'
         TargetParentImage: 'System'
         TargetParentProcessId: 4
-    filter3:
+    filter_main_provtool:
         SourceImage: 'C:\Windows\System32\provtool.exe'
         TargetParentProcessId: 0
-    filter4:
-        SourceImage|endswith: '\git.exe'
-        TargetImage|endswith:
-            - '\git.exe'
-            - 'C:\Windows\System32\conhost.exe'
-    filter5:
+    filter_main_vssvc:
         SourceImage: 'C:\Windows\System32\VSSVC.exe'
         TargetImage: 'System'
-    filter_powershell:
-        SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
-    filter_schtasks_conhost:
+    filter_main_schtasks_conhost:
         SourceImage:
             - 'C:\Windows\System32\schtasks.exe'
             - 'C:\Windows\SysWOW64\schtasks.exe'
         TargetImage: 'C:\Windows\System32\conhost.exe'
-    filter_nvidia:
+    filter_optional_nvidia:
         SourceImage: 'C:\Windows\explorer.exe'
         TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
-    #filter_powerpnt:
+    #filter_optional_powerpnt:
     #    # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
     #    SourceImage|contains: '\Microsoft Office\'
     #    SourceImage|endswith: '\POWERPNT.EXE'
     #    TargetImage: 'C:\Windows\System32\csrss.exe'
-    condition: selection and not 1 of filter*
-fields:
-    - ComputerName
-    - User
-    - SourceImage
-    - TargetImage
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high
-notes:
-    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
diff --git a/...create_remote_thread_win_susp_targets.yml → ...mote_thread_win_uncommon_target_image.yml b/...create_remote_thread_win_susp_targets.yml → ...mote_thread_win_uncommon_target_image.yml
@@ -1,12 +1,15 @@
-title: Remote Thread Creation in Suspicious Targets
+title: Remote Thread Creation In Uncommon Target Image
 id: a1a144b7-5c9b-4853-a559-2172be8d4a03
+related:
+    - id: f016c716-754a-467f-a39e-63c06f773987
+      type: obsoletes
 status: experimental
-description: Detects a remote thread creation in suspicious target images
+description: Detects uncommon target processes for remote thread creation
 references:
     - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2022/09/29
+modified: 2023/05/05
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -17,20 +20,24 @@ logsource:
 detection:
     selection:
         TargetImage|endswith:
-            - '\mspaint.exe'
             - '\calc.exe'
+            - '\calculator.exe'
+            - '\explorer.exe'
+            - '\mspaint.exe'
             - '\notepad.exe'
+            - '\ping.exe'
             - '\sethc.exe'
-            - '\write.exe'
+            - '\spoolsv.exe'
             - '\wordpad.exe'
-            - '\explorer.exe'
-    filter:
+            - '\write.exe'
+    filter_optional_aurora_1:
         StartFunction: 'EtwpNotificationThread'
-    filter_programfiles:
-        SourceImage|startswith:
-            - 'C:\Program Files\'
-            - 'C:\Program Files (x86)\'
-    condition: selection and not 1 of filter*
+    filter_optional_aurora_2:
+        SourceImage|contains: 'unknown process'
+    filter_main_spoolsv:
+        SourceImage: 'C:\Windows\System32\csrss.exe'
+        TargetImage: 'C:\Windows\System32\spoolsv.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@@ -34,15 +34,15 @@ detection:
             - '\UsageLogs\svchost.exe.log'
             - '\UsageLogs\wscript.exe.log'
             - '\UsageLogs\wmic.exe.log'
-    filter_rundll:
+    filter_main_rundll32:
         # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
         ParentImage|endswith: '\MsiExec.exe'
         ParentCommandLine|contains: ' -Embedding'
         Image|endswith: '\rundll32.exe'
         CommandLine|contains|all:
             - 'Temp'
             - 'zzzzInvokeManagedCustomActionOutOfProc'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
@@ -0,0 +1,21 @@
+title: NTDS.DIT Created
+id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
+status: experimental
+description: Detects creation of a file named "ntds.dit" (Active Directory Database)
+references:
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: 'ntds.dit'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low