Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Auto] Sigma Update report(2024-05-13 20:11:52) #664

Merged
merged 1 commit into from
May 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,26 +1,24 @@
title: Malicious Service Installations
title: CosmicDuke Service Installation
id: 8428d90d-a928-f70a-c46e-f08457d6b01f
related:
- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
type: derived
- id: cb062102-587e-4414-8efa-dbe3c7bf19c6
type: derived
status: test
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
description: |
Detects the installation of a service named "javamtsup" on the system.
The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
references:
- https://awakesecurity.com/blog/threat-hunting-for-paexec/
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2022/10/09
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1003
- car.2013-09-005
- attack.t1543.003
- attack.t1569.002
- detection.emerging_threats
logsource:
product: windows
service: security
Expand All @@ -30,10 +28,9 @@ detection:
Channel: Security
selection:
EventID: 4697
malsvc_apt29:
ServiceName: javamtsup
condition: security and (selection and 1 of malsvc_*)
condition: security and selection
falsepositives:
- Unknown
- Unlikely
level: critical
ruletype: Sigma
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
modified: 2024/05/11
tags:
- attack.defense_evasion
- attack.execution
Expand Down Expand Up @@ -44,7 +45,7 @@ detection:
- \Microsoft\Windows\WinSrv
NewProcessName|endswith: \schtasks.exe
selection_powershell:
CommandLine|contains:
CommandLine|contains|all:
- Get-ChildItem
- .save
- Compress-Archive -DestinationPath C:\ProgramData\
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: 0357e3d7-f8fe-0601-0902-364f4cdbed81
related:
- id: da34e323-1e65-42db-83be-a6725ac2caa3
type: derived
status: experimental
description: |
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024/05/12
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
ps_script:
EventID: 4104
Channel:
- Microsoft-Windows-PowerShell/Operational
- PowerShellCore/Operational
selection:
ScriptBlockText|contains: Start-NetEventSession
condition: ps_script and selection
falsepositives:
- Legitimate network diagnostic scripts.
level: medium
ruletype: Sigma
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ detection:
- OriginalFileName: ATTRIB.EXE
selection_cli:
CommandLine|contains: ' +h '
filter_msiexec:
filter_main_msiexec:
CommandLine|contains: '\desktop.ini '
filter_intel:
filter_optional_intel:
CommandLine: +R +H +S +A \\\*.cui
ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat
ParentProcessName|endswith: \cmd.exe
condition: process_creation and (all of selection_* and not 1 of filter_*)
condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- Msiexec.exe hiding desktop.ini
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,11 @@ detection:
- .ps1
- .vbe
- .vbs
filter:
filter_optional_installer:
CommandLine|contains|all:
- \Windows\TEMP\
- .exe
condition: process_creation and (all of selection* and not filter)
condition: process_creation and (all of selection* and not 1 of filter_optional_*)
falsepositives:
- Unknown
level: high
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ references:
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019/10/22
modified: 2022/11/11
Expand Down
Original file line number Diff line number Diff line change
@@ -1,15 +1,17 @@
title: Format.com FileSystem LOLBIN
title: Uncommon FileSystem Load Attempt By Format.com
id: de9e4f46-8404-a8bb-7f5a-78bc21b25a9e
related:
- id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
type: derived
status: test
description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
description: |
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022/01/04
modified: 2024/05/13
tags:
- attack.defense_evasion
- sysmon
Expand All @@ -23,14 +25,14 @@ detection:
selection:
CommandLine|contains: '/fs:'
NewProcessName|endswith: \format.com
filter:
filter_main_known_fs:
CommandLine|contains:
- /fs:FAT
- /fs:exFAT
- /fs:FAT
- /fs:NTFS
- /fs:UDF
- /fs:ReFS
condition: process_creation and (selection and not 1 of filter*)
- /fs:UDF
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: high
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,13 @@ detection:
process_creation:
EventID: 4688
Channel: Security
selection_mstsc:
selection:
CommandLine|contains|all:
- '-i '
- '-u '
- '-p '
NewProcessName|endswith: \ruby.exe
condition: process_creation and (1 of selection_*)
condition: process_creation and selection
falsepositives:
- Unknown
level: medium
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ references:
- https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022/07/18
modified: 2024/04/29
tags:
- attack.defense_evasion
- attack.t1564.001
Expand All @@ -25,11 +26,10 @@ detection:
- NewProcessName|endswith: \icacls.exe
selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
CommandLine|contains|all:
- C:\Users\
- /deny
- '*S-1-1-0:'
condition: process_creation and (all of selection*)
condition: process_creation and (all of selection_*)
falsepositives:
- Legitimate use
- Unknown
level: medium
ruletype: Sigma
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
title: Potentially Suspicious Child Process of KeyScrambler.exe
id: b2e90afd-fc69-1c5c-0457-d908fe3c4335
status: experimental
description: Detects potentially suspicious child processes of KeyScrambler.exe
references:
- https://twitter.com/DTCERT/status/1712785421845790799
author: Swachchhanda Shrawan Poudel
date: 2024/05/13
tags:
- attack.execution
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1203
- attack.t1574.002
- sysmon
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection_parent:
ParentProcessName|endswith: \KeyScrambler.exe
selection_binaries:
# Note: add additional binaries that the attacker might use
- NewProcessName|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- OriginalFileName:
- Cmd.Exe
- cscript.exe
- mshta.exe
- PowerShell.EXE
- pwsh.dll
- regsvr32.exe
- RUNDLL32.EXE
- wscript.exe
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
level: medium
ruletype: Sigma
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
title: Suspicious Execution Of PDQDeployRunner
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 26de0206-5a40-c902-6fcf-8ab280a45735
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
references:
- https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/22
modified: 2024/05/02
tags:
- attack.execution
- sysmon
Expand All @@ -17,39 +18,40 @@ detection:
EventID: 4688
Channel: Security
selection_parent:
ParentProcessName|contains: PDQDeployRunner-
selection_susp:
ParentProcessName|contains: \PDQDeployRunner-
selection_child:
# Improve this section by adding other suspicious processes, commandlines or paths
- NewProcessName|endswith:
# If you use any of the following processes legitimately comment them out
- \wscript.exe
- \cscript.exe
- \rundll32.exe
- \regsvr32.exe
- \wmic.exe
- \msiexec.exe
- \mshta.exe
- \bash.exe
- \certutil.exe
- \cmd.exe
- \csc.exe
- \cscript.exe
- \dllhost.exe
- \certutil.exe
- \mshta.exe
- \msiexec.exe
- \regsvr32.exe
- \rundll32.exe
- \scriptrunner.exe
- \bash.exe
- \wmic.exe
- \wscript.exe
- \wsl.exe
- NewProcessName|contains:
- C:\Users\Public\
- C:\ProgramData\
- C:\Windows\TEMP\
- :\ProgramData\
- :\Users\Public\
- :\Windows\TEMP\
- \AppData\Local\Temp
- CommandLine|contains:
- 'iex '
- Invoke-
- DownloadString
- http
- ' -decode '
- ' -enc '
- ' -encodedcommand '
- FromBase64String
- ' -decode '
- ' -w hidden'
- DownloadString
- FromBase64String
- http
- 'iex '
- Invoke-
condition: process_creation and (all of selection_*)
falsepositives:
- Legitimate use of the PDQDeploy tool to execute these commands
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ detection:
- \WinDefend
- \wscsvc
- \wuauserv
condition: process_creation and (selection_reg_add and 1 of selection_cli_*)
condition: process_creation and (all of selection_*)
falsepositives:
- Unlikely
level: high
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,6 @@ detection:
- \Temp\
NewProcessName|endswith: \schtasks.exe
condition: process_creation and selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Administrative activity
- Software installation
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,21 +17,21 @@ detection:
process_creation:
EventID: 4688
Channel: Security
schtasks_exe:
selection:
CommandLine|contains|all:
- /delete
- /tn
CommandLine|contains:
# Add more important tasks
- \Windows\BitLocker
- \Windows\ExploitGuard
- \Windows\SystemRestore\SR
- \Windows\UpdateOrchestrator\
- \Windows\Windows Defender\
- \Windows\BitLocker
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
- \Windows\UpdateOrchestrator\
- \Windows\ExploitGuard
NewProcessName|endswith: \schtasks.exe
condition: process_creation and (all of schtasks_*)
condition: process_creation and selection
falsepositives:
- Unlikely
level: high
Expand Down
Loading