Sigma Rule Update (2024-05-10 20:11:49) (#663)
Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>
1 parent be1072f, commit dfcce33
Showing 14 changed files with 344 additions and 42 deletions.
sigma/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml (36 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE | ||
id: ac6e5dab-06d1-5064-a91c-0eb6246d22bd | ||
related: | ||
- id: eca81e8d-09e1-4d04-8614-c91f44fd0519 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). | ||
This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule". | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule | ||
- https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170 | ||
- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ | ||
author: frack113, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/05/10 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1562.004 | ||
logsource: | ||
product: windows | ||
service: firewall-as | ||
detection: | ||
firewall_as: | ||
Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | ||
selection: | ||
EventID: | ||
- 2004 # A rule has been added to the Windows Defender Firewall exception list | ||
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) | ||
- 2097 | ||
Action: 3 # Allow | ||
ModifyingApplication|endswith: :\Windows\System32\wbem\WmiPrvSE.exe | ||
condition: firewall_as and selection | ||
falsepositives: | ||
- Administrator scripts or activity. | ||
level: medium | ||
ruletype: Sigma |
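Review bot: `2097` in the EventID list has no explanatory comment while `2004` and `2071` do; add the event name so a reader can tell why it belongs in the same selection. Also, because the description itself states that New-NetFirewallRule is executed through WmiPrvSE.EXE, every legitimate run of that cmdlet (configuration-management and deployment scripts included) produces a hit, so the falsepositives entry should say that explicitly instead of the generic "Administrator scripts or activity".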
sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml (0 additions & 32 deletions)
This file was deleted.
sigma/builtin/registry/registry_set/registry_set_uac_disable.yml (30 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
title: UAC Disabled | ||
id: 6665e720-ff59-40c7-6fc2-63c2990aef5f | ||
status: stable | ||
description: | | ||
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
author: frack113 | ||
date: 2022/01/05 | ||
modified: 2024/05/10 | ||
tags: | ||
- attack.privilege_escalation | ||
- attack.defense_evasion | ||
- attack.t1548.002 | ||
- sysmon | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
registry_set: | ||
EventID: 4657 | ||
Channel: Security | ||
selection: | ||
ObjectName|contains: \Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ||
NewValue: DWORD (0x00000000) | ||
condition: registry_set and selection | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
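Review bot: the `sysmon` tag does not belong on this rule: its logsource is the Security channel, EventID 4657, and the Sysmon-based variant lives under sigma/sysmon/. The selection also copies the Sysmon `DWORD (0x00000000)` Details format into `NewValue` and puts the value name `EnableLUA` inside `ObjectName|contains`; confirm against a real 4657 event that both fields are emitted in that shape (4657 reports the value name in its own ObjectValueName field), and if not, split the match into `ObjectName|endswith: \Policies\System` plus `ObjectValueName: EnableLUA`, otherwise a `status: stable` rule will silently never fire.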
sigma/builtin/registry/registry_set/registry_set_uac_disable_notification.yml (32 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
title: UAC Notification Disabled | ||
id: 4936b46c-badc-cb8a-54d4-3d0b9502aa8a | ||
status: experimental | ||
description: | | ||
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. | ||
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. | ||
When "UACDisableNotify" is set to 1, UAC prompts are suppressed. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ | ||
author: frack113, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/05/10 | ||
tags: | ||
- attack.privilege_escalation | ||
- attack.defense_evasion | ||
- attack.t1548.002 | ||
- sysmon | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
registry_set: | ||
EventID: 4657 | ||
Channel: Security | ||
selection: | ||
ObjectName|contains: \Microsoft\Security Center\UACDisableNotify | ||
NewValue: DWORD (0x00000001) | ||
condition: registry_set and selection | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
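Review bot: the title, the file name and the key path (`\Microsoft\Security Center\UACDisableNotify`) all describe suppressing a UAC notification, but the last description line claims "UAC prompts are suppressed", which is a different and stronger effect; reword it so it describes the Security Center notification, as the title does, and leave elevation-prompt behaviour to the EnableLUA rule. The `sysmon` tag is likewise inconsistent with a Security/4657 logsource.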
sigma/builtin/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml (31 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
title: UAC Secure Desktop Prompt Disabled | ||
id: 4475b3bd-9b24-b189-1118-871c5fe3fe17 | ||
status: experimental | ||
description: | | ||
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. | ||
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. | ||
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
author: frack113 | ||
date: 2024/05/10 | ||
tags: | ||
- attack.privilege_escalation | ||
- attack.defense_evasion | ||
- attack.t1548.002 | ||
- sysmon | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
registry_set: | ||
EventID: 4657 | ||
Channel: Security | ||
selection: | ||
ObjectName|contains: \Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | ||
NewValue: DWORD (0x00000000) | ||
condition: registry_set and selection | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
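Review bot: falsepositives is `Unknown`, but `PromptOnSecureDesktop = 0` is exactly what gets written when an administrator sets the UAC policy "Switch to the secure desktop when prompting for elevation" to Disabled, by hand or through Group Policy, so a concrete entry (administrative policy change / GPO rollout) belongs here. As with the sibling rules in this commit, the `sysmon` tag contradicts the Security/4657 logsource.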
...builtin/threat-hunting/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml (37 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock | ||
id: 40fd8a4e-3820-0edf-530e-53785ee863e9 | ||
related: | ||
- id: 51483085-0cba-46a8-837e-4416496d6971 | ||
type: similar | ||
- id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule | ||
- https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170 | ||
- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ | ||
author: frack113 | ||
date: 2024/05/10 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1562.004 | ||
- detection.threat_hunting | ||
logsource: | ||
product: windows | ||
category: ps_script | ||
definition: 'Requirements: Script Block Logging must be enabled' | ||
detection: | ||
ps_script: | ||
EventID: 4104 | ||
Channel: | ||
- Microsoft-Windows-PowerShell/Operational | ||
- PowerShellCore/Operational | ||
selection: | ||
ScriptBlockText|contains: New-NetFirewallRule*-Action*Allow | ||
condition: ps_script and selection | ||
falsepositives: | ||
- Administrator script | ||
level: low | ||
ruletype: Sigma |
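Review bot: `New-NetFirewallRule*-Action*Allow` requires the literal `-Action` parameter, but that parameter defaults to Allow, so `New-NetFirewallRule -DisplayName ... -Direction Inbound -Program ...` with no -Action creates precisely the rule the description targets and is missed; either add a selection for New-NetFirewallRule calls that lack `-Action Block`, or state the gap in the description. The trailing wildcard also lets `-Action Block` followed by the word "Allow" anywhere later in the script block (a DisplayName, a comment) satisfy the pattern, so expect noise on large scripts.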
...hreat-hunting/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml (36 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet | ||
id: 9a19f541-5164-a71e-b29a-91d7d34d09e6 | ||
status: experimental | ||
description: | | ||
Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule | ||
- https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170 | ||
- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ | ||
author: frack113 | ||
date: 2024/05/03 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
process_creation: | ||
EventID: 4688 | ||
Channel: Security | ||
selection_name: | ||
- NewProcessName|endswith: | ||
- \powershell.exe | ||
- \pwsh.exe | ||
- \powershell_ise.exe | ||
- OriginalFileName: | ||
- PowerShell.EXE | ||
- pwsh.dll | ||
selection_args: | ||
CommandLine|contains|all: | ||
- 'New-NetFirewallRule ' | ||
- ' -Action ' | ||
- allow | ||
condition: process_creation and (all of selection_*) | ||
falsepositives: | ||
- Administrator script | ||
level: low | ||
ruletype: Sigma |
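Review bot: this rule has no `tags` block at all, while its script-block sibling posh_ps_new_netfirewallrule_allow.yml carries attack.defense_evasion, attack.t1562.004 and detection.threat_hunting; being placed under threat-hunting/ should be reflected the same way here. In selection_args the bare `allow` token matches anywhere on the command line, so `New-NetFirewallRule -DisplayName "Allow SMB" -Action Block` satisfies all three conditions; tighten the last element to `-Action Allow` (plus the single- and double-quoted variants) instead. The `date: 2024/05/03` also differs from the 2024/05/10 used by every other file added in this commit.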
sigma/sysmon/registry/registry_set/registry_set_uac_disable_notification.yml (39 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
title: UAC Notification Disabled | ||
id: ede4148c-b047-cbbc-092c-88f52e003420 | ||
related: | ||
- id: 0d7ceeef-3539-4392-8953-3dc664912714 | ||
type: similar | ||
- id: 48437c39-9e5f-47fb-af95-3d663c3f2919 | ||
type: similar | ||
- id: c5f6a85d-b647-40f7-bbad-c10b66bab038 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. | ||
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. | ||
When "UACDisableNotify" is set to 1, UAC prompts are suppressed. | ||
references: | ||
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md | ||
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ | ||
author: frack113, Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/05/10 | ||
tags: | ||
- attack.privilege_escalation | ||
- attack.defense_evasion | ||
- attack.t1548.002 | ||
- sysmon | ||
logsource: | ||
category: registry_set | ||
product: windows | ||
detection: | ||
registry_set: | ||
EventID: 13 | ||
Channel: Microsoft-Windows-Sysmon/Operational | ||
selection: | ||
TargetObject|contains: \Microsoft\Security Center\UACDisableNotify | ||
Details: DWORD (0x00000001) | ||
condition: registry_set and selection | ||
falsepositives: | ||
- Unknown | ||
level: medium | ||
ruletype: Sigma |
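Review bot: this Sysmon variant carries a `related` block (two similar ids and one derived id) that its builtin twin registry_set_uac_disable_notification.yml, added in the same commit, omits; keep the metadata identical across the pair. The description's last line ("UAC prompts are suppressed") also conflicts with the title "UAC Notification Disabled" and with the `\Microsoft\Security Center\` key path; align the wording in both files so the rule is documented as a notification-suppression detection.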