Sigma Rule Update (2023-08-10 20:06:48) (#475)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>
Yamato-Security · Aug 10, 2023 · 2943682 · 2943682
1 parent b2ef3f0
commit 2943682
Show file tree

Hide file tree

Showing 44 changed files with 746 additions and 211 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml
@@ -0,0 +1,33 @@
+title: File Decryption Using Gpg4win
+id: 037dcd71-33a8-4392-bb01-293c94663e5a
+status: experimental
+description: Detects usage of Gpg4win to decrypt files
+references:
+    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+    - https://www.gpg4win.de/documentation.html
+    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/09
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_metadata:
+        -   NewProcessName|endswith:
+                - \gpg.exe
+                - \gpg2.exe
+        -   Description: "GnuPG\u2019s OpenPGP tool"
+    selection_cli:
+        CommandLine|contains|all:
+            - ' -d '
+            - passphrase
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml
@@ -0,0 +1,33 @@
+title: File Encryption Using Gpg4win
+id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd
+status: experimental
+description: Detects usage of Gpg4win to encrypt files
+references:
+    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+    - https://www.gpg4win.de/documentation.html
+    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/09
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_metadata:
+        -   NewProcessName|endswith:
+                - \gpg.exe
+                - \gpg2.exe
+        -   Description: "GnuPG\u2019s OpenPGP tool"
+    selection_cli:
+        CommandLine|contains|all:
+            - ' -c '
+            - passphrase
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml
@@ -0,0 +1,35 @@
+title: Portable Gpg.EXE Execution
+id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
+status: experimental
+description: Detects the execution of "gpg.exe" from uncommon location. Often used
+    by ransomware and loaders to decrypt/encrypt data.
+references:
+    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
+    - https://securelist.com/locked-out/68960/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/06
+tags:
+    - attack.impact
+    - attack.t1486
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        -   NewProcessName|endswith:
+                - \gpg.exe
+                - \gpg2.exe
+        -   OriginalFileName: gpg.exe
+        -   Description: "GnuPG\u2019s OpenPGP tool"
+    filter_main_legit_location:
+        NewProcessName|contains:
+            - :\Program Files (x86)\GnuPG\bin\
+            - :\Program Files (x86)\GNU\GnuPG\bin\
+            - :\Program Files (x86)\Gpg4win\bin\
+    condition: process_creation and (selection and not 1 of filter_main_*)
+level: high
+ruletype: Sigma
diff --git a/.../proc_creation_win_gpg4win_susp_usage.yml → ...oc_creation_win_gpg4win_susp_location.yml b/.../proc_creation_win_gpg4win_susp_usage.yml → ...oc_creation_win_gpg4win_susp_location.yml
@@ -1,15 +1,16 @@
-title: Gpg4Win Decrypt Files From Suspicious Locations
+title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
 id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
 status: experimental
-description: Detects usage of the Gpg4win to decrypt files located in suspicious locations
-    from CLI
+description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially
+    suspicious locations.
 references:
     - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/11/30
+modified: 2023/08/09
 tags:
-    - attack.command_and_control
-    - attack.t1219
+    - attack.execution
 logsource:
     category: process_creation
     product: windows
@@ -18,19 +19,23 @@ detection:
         EventID: 4688
         Channel: Security
     selection_metadata:
-        -   NewProcessName|endswith: \gpg2.exe
+        -   NewProcessName|endswith:
+                - \gpg.exe
+                - \gpg2.exe
         -   Product: GNU Privacy Guard (GnuPG)
-        -   Company: g10 Code GmbH
+        -   Description: "GnuPG\u2019s OpenPGP tool"
     selection_cli:
         CommandLine|contains: -passphrase
     selection_paths:
         CommandLine|contains:
+            - :\PerfLogs\
+            - :\Temp\
+            - :\Users\Public\
+            - :\Windows\Temp\
+            - \AppData\Local\Temp\
             - \AppData\Roaming\
-            - C:\Perflogs\
-            - C:\Windows\Temp\
-            - C:\temp
     condition: process_creation and (all of selection_*)
 falsepositives:
-    - Legitimate use
-level: medium
+    - Unknown
+level: high
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
@@ -1,13 +1,16 @@
-title: DLL Sideloading by Microsoft Defender
+title: Potential Mpclient.DLL Sideloading Via Defender Binaries
 id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
+related:
+    -   id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
+        type: similar
 status: experimental
-description: Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe)
-    from the non-default directory which may be an attempt to sideload arbitrary DLL
+description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes
+    ("MpCmdRun" and "NisSrv") from their non-default directory.
 references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/01
-modified: 2022/08/09
+modified: 2023/08/04
 tags:
     - attack.defense_evasion
     - attack.t1574.002
@@ -19,15 +22,18 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        NewProcessName|endswith: \MpCmdRun.exe
-    legit_path:
+        NewProcessName|endswith:
+            - \MpCmdRun.exe
+            - \NisSrv.exe
+    filter_main_known_locations:
         NewProcessName|startswith:
+            - C:\Program Files (x86)\Windows Defender\
+            - C:\Program Files\Microsoft Security Client\
             - C:\Program Files\Windows Defender\
             - C:\ProgramData\Microsoft\Windows Defender\Platform\
-            - C:\Windows\winsxs\
-            - C:\Program Files\Microsoft Security Client\MpCmdRun.exe
-    condition: process_creation and (selection and not legit_path)
+            - C:\Windows\WinSxS\
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml
@@ -0,0 +1,28 @@
+title: Renamed Gpg.EXE Execution
+id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592
+status: experimental
+description: Detects the execution of a renamed "gpg.exe". Often used by ransomware
+    and loaders to decrypt/encrypt data.
+references:
+    - https://securelist.com/locked-out/68960/
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2023/08/09
+tags:
+    - attack.impact
+    - attack.t1486
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        OriginalFileName: gpg.exe
+    filter_main_img:
+        NewProcessName|endswith:
+            - \gpg.exe
+            - \gpg2.exe
+    condition: process_creation and (selection and not 1 of filter_main_*)
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/sigma/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
@@ -0,0 +1,33 @@
+title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
+id: ac1c92b4-ac81-405a-9978-4604d78cc47e
+status: experimental
+description: Detects execution of "VSDiagnostics.exe" with the "start" command in
+    order to launch and proxy arbitrary binaries.
+references:
+    - https://twitter.com/0xBoku/status/1679200664013135872
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/03
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \VSDiagnostics.exe
+        -   OriginalFileName: VSDiagnostics.exe
+    selection_cli_start:
+        CommandLine|contains: start
+    selection_cli_launch:
+        CommandLine|contains:
+            - ' /launch:'
+            - ' -launch:'
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Legitimate usage for tracing and diagnostics purposes
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_mal_creddumper.yml b/sigma/builtin/security/win_security_mal_creddumper.yml
@@ -33,13 +33,13 @@ detection:
     selection:
         EventID: 4697
         ServiceFileName|contains:
-            - fgexec
-            - dumpsvc
             - cachedump
-            - mimidrv
+            - dumpsvc
+            - fgexec
             - gsecdump
-            - servpw
+            - mimidrv
             - pwdump
+            - servpw
     condition: security and selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery

diff --git a/sigma/builtin/system/service_control_manager/win_system_defender_disabled.yml b/sigma/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -10,7 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: "J\xE1n Tren\u010Dansk\xFD, frack113"
 date: 2020/07/28
-modified: 2022/08/01
+modified: 2023/08/08
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -26,10 +26,12 @@ detection:
         param1:
             - Windows Defender Antivirus Service
             - Service antivirus Microsoft Defender
-        param2: stopped
+        param2:
+            - stopped
+            - "arr\xEAt\xE9"
     condition: system and selection
 falsepositives:
     - Administrator actions
     - Auto updates of Windows Defender causes restarts
-level: low
+level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/system/service_control_manager/win_system_mal_creddumper.yml b/sigma/builtin/system/service_control_manager/win_system_mal_creddumper.yml
@@ -29,13 +29,13 @@ detection:
         Provider_Name: Service Control Manager
         EventID: 7045
         ImagePath|contains:
-            - fgexec
-            - dumpsvc
             - cachedump
-            - mimidrv
+            - dumpsvc
+            - fgexec
             - gsecdump
-            - servpw
+            - mimidrv
             - pwdump
+            - servpw
     condition: system and selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery

diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -0,0 +1,28 @@
+title: CSExec Service Installation
+id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
+status: experimental
+description: Detects CSExec service installation and execution events
+references:
+    - https://github.com/malcomvetter/CSExec
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+    - attack.execution
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: system
+detection:
+    system:
+        Channel: System
+    selection_eid:
+        Provider_Name: Service Control Manager
+        EventID: 7045
+    selection_service:
+        -   ServiceName: csexecsvc
+        -   ImagePath|endswith: \csexecsvc.exe
+    condition: system and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma