Sigma Rule Update (2024-05-13 20:11:52) (#664)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/security/win_security_mal_service_installs.yml → sigma/builtin/emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml

@@ -1,26 +1,24 @@
-title: Malicious Service Installations
+title: CosmicDuke Service Installation
 id: 8428d90d-a928-f70a-c46e-f08457d6b01f
 related:
     - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
       type: derived
     - id: cb062102-587e-4414-8efa-dbe3c7bf19c6
       type: derived
 status: test
-description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
+description: |
+    Detects the installation of a service named "javamtsup" on the system.
+    The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
 references:
-    - https://awakesecurity.com/blog/threat-hunting-for-paexec/
-    - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
     - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
 author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2022/10/09
 tags:
     - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1003
-    - car.2013-09-005
     - attack.t1543.003
     - attack.t1569.002
+    - detection.emerging_threats
 logsource:
     product: windows
     service: security
@@ -30,10 +28,9 @@ detection:
         Channel: Security
     selection:
         EventID: 4697
-    malsvc_apt29:
         ServiceName: javamtsup
-    condition: security and (selection and 1 of malsvc_*)
+    condition: security and selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: critical
 ruletype: Sigma

sigma/builtin/emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml

@@ -11,6 +11,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024/04/23
+modified: 2024/05/11
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -44,7 +45,7 @@ detection:
             - \Microsoft\Windows\WinSrv
         NewProcessName|endswith: \schtasks.exe
     selection_powershell:
-        CommandLine|contains:
+        CommandLine|contains|all:
             - Get-ChildItem
             - .save
             - Compress-Archive -DestinationPath C:\ProgramData\

sigma/builtin/powershell/powershell_script/posh_ps_packet_capture.yml

@@ -0,0 +1,37 @@
+title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
+id: 0357e3d7-f8fe-0601-0902-364f4cdbed81
+related:
+    - id: da34e323-1e65-42db-83be-a6725ac2caa3
+      type: derived
+status: experimental
+description: |
+    Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
+    Adversaries may attempt to capture network to gather information over the course of an operation.
+    Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
+    - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
+    - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
+author: frack113
+date: 2024/05/12
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    ps_script:
+        EventID: 4104
+        Channel:
+            - Microsoft-Windows-PowerShell/Operational
+            - PowerShellCore/Operational
+    selection:
+        ScriptBlockText|contains: Start-NetEventSession
+    condition: ps_script and selection
+falsepositives:
+    - Legitimate network diagnostic scripts.
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml

@@ -27,13 +27,13 @@ detection:
         - OriginalFileName: ATTRIB.EXE
     selection_cli:
         CommandLine|contains: ' +h '
-    filter_msiexec:
+    filter_main_msiexec:
         CommandLine|contains: '\desktop.ini '
-    filter_intel:
+    filter_optional_intel:
         CommandLine: +R +H +S +A \\\*.cui
         ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat
         ParentProcessName|endswith: \cmd.exe
-    condition: process_creation and (all of selection_* and not 1 of filter_*)
+    condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
     - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
     - Msiexec.exe hiding desktop.ini

sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml

@@ -43,11 +43,11 @@ detection:
             - .ps1
             - .vbe
             - .vbs
-    filter:
+    filter_optional_installer:
         CommandLine|contains|all:
             - \Windows\TEMP\
             - .exe
-    condition: process_creation and (all of selection* and not filter)
+    condition: process_creation and (all of selection* and not 1 of filter_optional_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml

@@ -9,6 +9,7 @@ references:
     - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/22
 modified: 2022/11/11

sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml → sigma/builtin/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml

@@ -1,15 +1,17 @@
-title: Format.com FileSystem LOLBIN
+title: Uncommon FileSystem Load Attempt By Format.com
 id: de9e4f46-8404-a8bb-7f5a-78bc21b25a9e
 related:
     - id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
       type: derived
 status: test
-description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
+description: |
+    Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
 references:
     - https://twitter.com/0gtweet/status/1477925112561209344
     - https://twitter.com/wdormann/status/1478011052130459653?s=20
 author: Florian Roth (Nextron Systems)
 date: 2022/01/04
+modified: 2024/05/13
 tags:
     - attack.defense_evasion
     - sysmon
@@ -23,14 +25,14 @@ detection:
     selection:
         CommandLine|contains: '/fs:'
         NewProcessName|endswith: \format.com
-    filter:
+    filter_main_known_fs:
         CommandLine|contains:
-            - /fs:FAT
             - /fs:exFAT
+            - /fs:FAT
             - /fs:NTFS
-            - /fs:UDF
             - /fs:ReFS
-    condition: process_creation and (selection and not 1 of filter*)
+            - /fs:UDF
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml

@@ -22,13 +22,13 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection_mstsc:
+    selection:
         CommandLine|contains|all:
             - '-i '
             - '-u '
             - '-p '
         NewProcessName|endswith: \ruby.exe
-    condition: process_creation and (1 of selection_*)
+    condition: process_creation and selection
 falsepositives:
     - Unknown
 level: medium

sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml

@@ -9,6 +9,7 @@ references:
     - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
 author: frack113
 date: 2022/07/18
+modified: 2024/04/29
 tags:
     - attack.defense_evasion
     - attack.t1564.001
@@ -25,11 +26,10 @@ detection:
         - NewProcessName|endswith: \icacls.exe
     selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
         CommandLine|contains|all:
-            - C:\Users\
             - /deny
             - '*S-1-1-0:'
-    condition: process_creation and (all of selection*)
+    condition: process_creation and (all of selection_*)
 falsepositives:
-    - Legitimate use
+    - Unknown
 level: medium
 ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml

@@ -0,0 +1,49 @@
+title: Potentially Suspicious Child Process of KeyScrambler.exe
+id: b2e90afd-fc69-1c5c-0457-d908fe3c4335
+status: experimental
+description: Detects potentially suspicious child processes of KeyScrambler.exe
+references:
+    - https://twitter.com/DTCERT/status/1712785421845790799
+author: Swachchhanda Shrawan Poudel
+date: 2024/05/13
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1203
+    - attack.t1574.002
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_parent:
+        ParentProcessName|endswith: \KeyScrambler.exe
+    selection_binaries:
+        # Note: add additional binaries that the attacker might use
+        - NewProcessName|endswith:
+              - \cmd.exe
+              - \cscript.exe
+              - \mshta.exe
+              - \powershell.exe
+              - \pwsh.exe
+              - \regsvr32.exe
+              - \rundll32.exe
+              - \wscript.exe
+        - OriginalFileName:
+              - Cmd.Exe
+              - cscript.exe
+              - mshta.exe
+              - PowerShell.EXE
+              - pwsh.dll
+              - regsvr32.exe
+              - RUNDLL32.EXE
+              - wscript.exe
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml

@@ -1,11 +1,12 @@
-title: Suspicious Execution Of PDQDeployRunner
+title: Potentially Suspicious Execution Of PDQDeployRunner
 id: 26de0206-5a40-c902-6fcf-8ab280a45735
 status: test
 description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
 references:
     - https://twitter.com/malmoeb/status/1550483085472432128
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/22
+modified: 2024/05/02
 tags:
     - attack.execution
     - sysmon
@@ -17,39 +18,40 @@ detection:
         EventID: 4688
         Channel: Security
     selection_parent:
-        ParentProcessName|contains: PDQDeployRunner-
-    selection_susp:
+        ParentProcessName|contains: \PDQDeployRunner-
+    selection_child:
         # Improve this section by adding other suspicious processes, commandlines or paths
         - NewProcessName|endswith:
               # If you use any of the following processes legitimately comment them out
-              - \wscript.exe
-              - \cscript.exe
-              - \rundll32.exe
-              - \regsvr32.exe
-              - \wmic.exe
-              - \msiexec.exe
-              - \mshta.exe
+              - \bash.exe
+              - \certutil.exe
+              - \cmd.exe
               - \csc.exe
+              - \cscript.exe
               - \dllhost.exe
-              - \certutil.exe
+              - \mshta.exe
+              - \msiexec.exe
+              - \regsvr32.exe
+              - \rundll32.exe
               - \scriptrunner.exe
-              - \bash.exe
+              - \wmic.exe
+              - \wscript.exe
               - \wsl.exe
         - NewProcessName|contains:
-              - C:\Users\Public\
-              - C:\ProgramData\
-              - C:\Windows\TEMP\
+              - :\ProgramData\
+              - :\Users\Public\
+              - :\Windows\TEMP\
               - \AppData\Local\Temp
         - CommandLine|contains:
-              - 'iex '
-              - Invoke-
-              - DownloadString
-              - http
+              - ' -decode '
               - ' -enc '
               - ' -encodedcommand '
-              - FromBase64String
-              - ' -decode '
               - ' -w hidden'
+              - DownloadString
+              - FromBase64String
+              - http
+              - 'iex '
+              - Invoke-
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Legitimate use of the PDQDeploy tool to execute these commands

sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml

@@ -46,7 +46,7 @@ detection:
             - \WinDefend
             - \wscsvc
             - \wuauserv
-    condition: process_creation and (selection_reg_add and 1 of selection_cli_*)
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Unlikely
 level: high

sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml

@@ -29,9 +29,6 @@ detection:
             - \Temp\
         NewProcessName|endswith: \schtasks.exe
     condition: process_creation and selection
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Administrative activity
     - Software installation

sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml

@@ -17,21 +17,21 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    schtasks_exe:
+    selection:
         CommandLine|contains|all:
             - /delete
             - /tn
         CommandLine|contains:
             # Add more important tasks
+            - \Windows\BitLocker
+            - \Windows\ExploitGuard
             - \Windows\SystemRestore\SR
+            - \Windows\UpdateOrchestrator\
             - \Windows\Windows Defender\
-            - \Windows\BitLocker
             - \Windows\WindowsBackup\
             - \Windows\WindowsUpdate\
-            - \Windows\UpdateOrchestrator\
-            - \Windows\ExploitGuard
         NewProcessName|endswith: \schtasks.exe
-    condition: process_creation and (all of schtasks_*)
+    condition: process_creation and selection
 falsepositives:
     - Unlikely
 level: high