Sigma Rule Update (2024-05-10 20:11:49) (#663)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/firewall_as/win_firewall_as_add_rule.yml

@@ -9,7 +9,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/09/09
+modified: 2024/05/10
 tags:
     - attack.defense_evasion
     - attack.t1562.004
@@ -23,8 +23,9 @@ detection:
         EventID:
             - 2004 # A rule has been added to the Windows Defender Firewall exception list
             - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+            - 2097
     filter_main_block:
-        Action: 2
+        Action: 2 # Block
     filter_main_generic:
         ApplicationPath|contains:
             - :\Program Files (x86)\
@@ -41,6 +42,7 @@ detection:
         ApplicationPath|contains:
             - :\PerfLogs\
             - :\Temp\
+            - :\Tmp\
             - :\Users\Public\
             - :\Windows\Tasks\
             - :\Windows\Temp\

sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml

@@ -12,7 +12,7 @@ references:
     - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
 date: 2023/02/26
-modified: 2024/01/22
+modified: 2024/05/10
 tags:
     - attack.defense_evasion
     - attack.t1562.004
@@ -26,15 +26,17 @@ detection:
         EventID:
             - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
             - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+            - 2097
         ApplicationPath|contains:
             - :\PerfLogs\
             - :\Temp\
+            - :\Tmp\
             - :\Users\Public\
             - :\Windows\Tasks\
             - :\Windows\Temp\
             - \AppData\Local\Temp\
     filter_main_block:
-        Action: 2
+        Action: 2 # Block
     condition: firewall_as and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown

sigma/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml

@@ -0,0 +1,36 @@
+title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
+id: ac6e5dab-06d1-5064-a91c-0eb6246d22bd
+related:
+    - id: eca81e8d-09e1-4d04-8614-c91f44fd0519
+      type: derived
+status: experimental
+description: |
+    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
+    This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
+logsource:
+    product: windows
+    service: firewall-as
+detection:
+    firewall_as:
+        Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+    selection:
+        EventID:
+            - 2004 # A rule has been added to the Windows Defender Firewall exception list
+            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+            - 2097
+        Action: 3 # Allow
+        ModifyingApplication|endswith: :\Windows\System32\wbem\WmiPrvSE.exe
+    condition: firewall_as and selection
+falsepositives:
+    - Administrator scripts or activity.
+level: medium
+ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_uac_disable.yml

@@ -0,0 +1,30 @@
+title: UAC Disabled
+id: 6665e720-ff59-40c7-6fc2-63c2990aef5f
+status: stable
+description: |
+    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+author: frack113
+date: 2022/01/05
+modified: 2024/05/10
+tags:
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1548.002
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection:
+        ObjectName|contains: \Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+        NewValue: DWORD (0x00000000)
+    condition: registry_set and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_uac_disable_notification.yml

@@ -0,0 +1,32 @@
+title: UAC Notification Disabled
+id: 4936b46c-badc-cb8a-54d4-3d0b9502aa8a
+status: experimental
+description: |
+    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+    UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+    When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+    - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1548.002
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection:
+        ObjectName|contains: \Microsoft\Security Center\UACDisableNotify
+        NewValue: DWORD (0x00000001)
+    condition: registry_set and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml

@@ -0,0 +1,31 @@
+title: UAC Secure Desktop Prompt Disabled
+id: 4475b3bd-9b24-b189-1118-871c5fe3fe17
+status: experimental
+description: |
+    Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
+    The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
+    When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+author: frack113
+date: 2024/05/10
+tags:
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1548.002
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection:
+        ObjectName|contains: \Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
+        NewValue: DWORD (0x00000000)
+    condition: registry_set and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml

@@ -0,0 +1,37 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
+id: 40fd8a4e-3820-0edf-530e-53785ee863e9
+related:
+    - id: 51483085-0cba-46a8-837e-4416496d6971
+      type: similar
+    - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
+      type: derived
+status: experimental
+description: |
+    Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/10
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    ps_script:
+        EventID: 4104
+        Channel:
+            - Microsoft-Windows-PowerShell/Operational
+            - PowerShellCore/Operational
+    selection:
+        ScriptBlockText|contains: New-NetFirewallRule*-Action*Allow
+    condition: ps_script and selection
+falsepositives:
+    - Administrator script
+level: low
+ruletype: Sigma

sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml

@@ -0,0 +1,36 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
+id: 9a19f541-5164-a71e-b29a-91d7d34d09e6
+status: experimental
+description: |
+    Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/03
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_name:
+        - NewProcessName|endswith:
+              - \powershell.exe
+              - \pwsh.exe
+              - \powershell_ise.exe
+        - OriginalFileName:
+              - PowerShell.EXE
+              - pwsh.dll
+    selection_args:
+        CommandLine|contains|all:
+            - 'New-NetFirewallRule '
+            - ' -Action '
+            - allow
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Administrator script
+level: low
+ruletype: Sigma

sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml → sigma/sysmon/registry/registry_set/registry_set_uac_disable.yml

@@ -1,15 +1,20 @@
-title: Disable UAC Using Registry
+title: UAC Disabled
 id: 56aa7436-715f-5aa2-dd48-916fa34bd24a
 related:
+    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
+      type: similar
+    - id: 0d7ceeef-3539-4392-8953-3dc664912714
+      type: similar
     - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
       type: derived
-status: experimental
-description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+status: stable
+description: |
+    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
+    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 author: frack113
 date: 2022/01/05
-modified: 2023/08/17
+modified: 2024/05/10
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -23,7 +28,7 @@ detection:
         EventID: 13
         Channel: Microsoft-Windows-Sysmon/Operational
     selection:
-        TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+        TargetObject|contains: \Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
         Details: DWORD (0x00000000)
     condition: registry_set and selection
 falsepositives:

sigma/sysmon/registry/registry_set/registry_set_uac_disable_notification.yml

@@ -0,0 +1,39 @@
+title: UAC Notification Disabled
+id: ede4148c-b047-cbbc-092c-88f52e003420
+related:
+    - id: 0d7ceeef-3539-4392-8953-3dc664912714
+      type: similar
+    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
+      type: similar
+    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
+      type: derived
+status: experimental
+description: |
+    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+    UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+    When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
+    - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1548.002
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 13
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        TargetObject|contains: \Microsoft\Security Center\UACDisableNotify
+        Details: DWORD (0x00000001)
+    condition: registry_set and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma