Merge branch 'SigmaHQ:master' into master

rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml → deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml

@@ -1,12 +1,12 @@
 title: Potential Persistence Via COM Hijacking From Suspicious Locations
 id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
-status: experimental
-description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location
+status: deprecated
+description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
 references:
     - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
-modified: 2023/09/28
+modified: 2024/07/16
 tags:
     - attack.persistence
     - attack.t1546.015

rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml → rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml

@@ -11,6 +11,7 @@ modified: 2023/09/28
 tags:
     - attack.defense_evasion
     - attack.t1112
+    - detection.emerging_threats
 logsource:
     category: registry_event
     product: windows

rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml → rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml

@@ -24,6 +24,7 @@ tags:
     - attack.t1112
     - attack.command_and_control
     - attack.t1071.004
+    - detection.emerging_threats
 logsource:
     category: registry_event
     product: windows

rules/windows/registry/registry_add/registry_add_malware_ursnif.yml → rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml

@@ -11,6 +11,7 @@ modified: 2023/02/07
 tags:
     - attack.execution
     - attack.t1112
+    - detection.emerging_threats
 logsource:
     product: windows
     category: registry_add

rules/windows/registry/registry_event/registry_event_apt_leviathan.yml → rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml

@@ -10,6 +10,7 @@ modified: 2023/09/19
 tags:
     - attack.persistence
     - attack.t1547.001
+    - detection.emerging_threats
 logsource:
     category: registry_event
     product: windows

rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml

@@ -0,0 +1,33 @@
+title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
+id: 6c7defa9-69f8-4c34-b815-41fce3931754
+status: experimental
+description: |
+    Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
+references:
+    - https://www.tenable.com/security/research/tra-2023-11
+    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
+    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
+date: 2024/06/25
+tags:
+    - detection.emerging_threats
+    - attack.initial_access
+    - attack.t1190
+    - cve.2023.1389
+logsource:
+    category: proxy
+detection:
+    selection_uri:
+        cs-method:
+            - 'GET'
+            - 'POST'
+        cs-uri|contains|all:
+            - '/cgi-bin/luci/;stok=/locale'
+            - 'form=country'
+    selection_keyword:
+        - 'operation=write'
+        - 'country=$('
+    condition: all of selection_*
+falsepositives:
+    - Vulnerability Scanners
+level: medium

rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml

@@ -8,6 +8,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024/04/23
+modified: 2024/07/11
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -28,8 +29,8 @@ detection:
             - 'C:\ProgramData\UbiSoft\v'
             - 'C:\ProgramData\Steam\v'
         TargetFilename|contains:
-            - '\pnms003.inf_'
-            - '\pnms009.inf_'
+            - '\prnms003.inf_'
+            - '\prnms009.inf_'
     selection_programdata_main:
         TargetFilename|startswith: 'C:\ProgramData\'
     selection_programdata_files_1:

rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml

@@ -1,9 +1,9 @@
 title: Creation of an Executable by an Executable
 id: 297afac9-5d02-4138-8c58-b977bac60556
 status: experimental
-description: Detects the creation of an executable by another executable
+description: Detects the creation of an executable by another executable.
 references:
-    - Malware Sandbox
+    - Internal Research
 author: frack113
 date: 2022/03/09
 modified: 2023/11/06

rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml → rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml

@@ -2,20 +2,21 @@ title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
 id: cfed2f44-16df-4bf3-833a-79405198b277
 status: test
 description: |
-    Detects dllhost initiating a network connection to a non-local IP address.
+    Detects Dllhost.EXE initiating a network connection to a non-local IP address.
     Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
     An initial baseline is recommended before deployment.
 references:
     - https://redcanary.com/blog/child-processes/
     - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: bartblaze
 date: 2020/07/13
-modified: 2024/03/12
+modified: 2024/07/16
 tags:
     - attack.defense_evasion
     - attack.t1218
     - attack.execution
     - attack.t1559.001
+    - detection.threat_hunting
 logsource:
     category: network_connection
     product: windows
@@ -42,6 +43,7 @@ detection:
             - '51.103.0.0/16' # Microsoft Corporation
             - '51.104.0.0/15' # Microsoft Corporation
             - '52.224.0.0/11'  # Microsoft Corporation
+            - '150.171.0.0/19'  # Microsoft Corporation
             - '204.79.197.0/24' # Microsoft Corporation'
     condition: selection and not 1 of filter_main_*
 falsepositives:

rules/windows/network_connection/net_connection_win_msiexec_http.yml → rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml

@@ -2,17 +2,19 @@ title: Msiexec.EXE Initiated Network Connection Over HTTP
 id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
 status: test
 description: |
-    Detects an initiated network connection by "Msiexec.exe" over port 80 or 443.
+    Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
     Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
+    Use this rule to hunt for potentially anomalous or suspicious communications.
 references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
 date: 2022/01/16
-modified: 2024/02/01
+modified: 2024/07/16
 tags:
     - attack.defense_evasion
     - attack.t1218.007
+    - detection.threat_hunting
 logsource:
     category: network_connection
     product: windows
@@ -25,5 +27,5 @@ detection:
             - 443
     condition: selection
 falsepositives:
-    - Some rare installers were seen communicating with external servers for additional information. While its a very rare occurrence in some environments an initial baseline might be required.
-level: high
+    - Likely
+level: low

rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml

@@ -0,0 +1,56 @@
+title: Potential Shellcode Injection
+id: 250ae82f-736e-4844-a68b-0b5e8cc887da
+status: test
+description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
+references:
+    - https://github.com/EmpireProject/PSInject
+author: Bhabesh Raj
+date: 2022/03/11
+modified: 2024/07/02
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
+    - detection.threat_hunting
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        GrantedAccess:
+            - '0x147a'
+            - '0x1f3fff'
+        CallTrace|contains: 'UNKNOWN'
+    filter_main_wmiprvse:
+        SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
+        TargetImage: 'C:\Windows\system32\lsass.exe'
+    filter_optional_dell_folders:
+        # If dell software is installed we get matches like these
+        # Example 1:
+        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
+        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   GrantedAccess: 0x1F3FFF
+        # Example 2:
+        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   GrantedAccess: 0x1F3FFF
+        # Example 3:
+        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+        #   GrantedAccess: 0x1F3FFF
+        SourceImage|startswith:
+            - 'C:\Program Files\Dell\'
+            - 'C:\Program Files (x86)\Dell\'
+        TargetImage|startswith:
+            - 'C:\Program Files\Dell\'
+            - 'C:\Program Files (x86)\Dell\'
+    filter_optional_dell_specifc:
+        SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+        TargetImage: 'C:\Windows\Explorer.EXE'
+    filter_optional_visual_studio:
+        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+        TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml

@@ -6,9 +6,11 @@ references:
     - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/03/10
+modified: 2024/07/16
 tags:
     - attack.collection
     - attack.t1560.001
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -30,4 +32,4 @@ detection:
     condition: all of selection_*
 falsepositives:
     - Legitimate activity is expected since extracting files with a password can be common in some environment.
-level: medium
+level: low

rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml

@@ -1,15 +1,18 @@
 title: Potentially Suspicious PowerShell Child Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
 status: test
-description: Detects potentially suspicious child processes spawned by PowerShell
+description: |
+    Detects potentially suspicious child processes spawned by PowerShell.
+    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
 references:
     - https://twitter.com/ankit_anubhav/status/1518835408502620162
 author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2022/04/26
-modified: 2023/05/30
+modified: 2024/07/16
 tags:
     - attack.execution
     - attack.t1059.001
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -38,7 +41,19 @@ detection:
     filter_optional_amazon:
         ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
         CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
-    condition: selection and not 1 of filter_optional_*
+    filter_main_certutil_verify_store:
+        Image|endswith: '\certutil.exe'
+        CommandLine|contains: '-verifystore '
+    filter_main_wmic:
+        Image|endswith: '\wmic.exe'
+        CommandLine|contains:
+            - 'qfe list'
+            - 'diskdrive '
+            - 'csproduct '
+            - 'computersystem '
+            - ' os '
+            - ''
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Some false positive is to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.
-level: high
+    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
+level: medium

rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml

@@ -1,18 +1,19 @@
-title: Suspicious Call by Ordinal
+title: DLL Call by Ordinal Via Rundll32.EXE
 id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 status: stable
-description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
+description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
 references:
     - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
     - https://github.com/Neo23x0/DLLRunner
     - https://twitter.com/cyb3rops/status/1186631731543236608
     - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
 author: Florian Roth (Nextron Systems)
 date: 2019/10/22
-modified: 2023/02/09
+modified: 2024/07/16
 tags:
     - attack.defense_evasion
     - attack.t1218.011
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -26,11 +27,11 @@ detection:
             - ', #'
             - '.dll #'  # Sysmon removes , in its log
             - '.ocx #'  # HermeticWizard
-    filter_edge:
+    filter_optional_edge:
         CommandLine|contains|all:
             - 'EDGEHTML.dll'
             - '#141'
-    filter_vsbuild_dll:
+    filter_optional_vsbuild_dll:
         ParentImage|contains:
             - '\Msbuild\Current\Bin\'
             - '\VC\Tools\MSVC\'
@@ -40,8 +41,8 @@ detection:
             - '\FileTracker32.dll",#1'
             - '\FileTracker64.dll,#1'
             - '\FileTracker64.dll",#1'
-    condition: all of selection_* and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-    - Windows control panel elements have been identified as source (mmc)
-level: high
+    - False positives depend on scripts and administrative tools used in the monitored environment.
+    - Windows control panel elements have been identified as source (mmc).
+level: medium

rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml

@@ -1,7 +1,9 @@
-title: Suspicious Execution From GUID Like Folder Names
+title: Potential Suspicious Execution From GUID Like Folder Names
 id: 90b63c33-2b97-4631-a011-ceb0f47b77c3
 status: test
-description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks
+description: |
+    Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
+    Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
 references:
     - https://twitter.com/Kostastsale/status/1565257924204986369
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -10,6 +12,7 @@ modified: 2023/03/02
 tags:
     - attack.defense_evasion
     - attack.t1027
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -27,15 +30,19 @@ detection:
         CommandLine|contains|all:
             - '\{'
             - '}\'
-    filter:
+    filter_main_image_guid:
         Image|contains|all:
             - '\{'
             - '}\'
-    filter_null:
+    filter_main_null:
         Image: null
-    filter_driver_inst:  # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
+    filter_main_driver_inst:  # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
         Image: 'C:\Windows\System32\drvinst.exe'
+    filter_main_msiexec:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
     condition: all of selection_* and not 1 of filter*
 falsepositives:
     - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
-level: medium
+level: low