
Contribute Sigma Rules from Personal Repository to Main Sigma Repository #4961

Merged: 13 commits, Aug 29, 2024

Conversation

@tsale (Contributor) commented Aug 10, 2024

Summary of the Pull Request

This PR introduces a set of Sigma rules originally published in my personal repository (https://github.com/tsale/Sigma_rules). The project was created to include unique rules based on my research, specifically targeting gaps in the open-source community. At the time of their creation, no similar rules were found in the main Sigma repository or elsewhere on the internet. Although some overlap with existing rules may occur, I welcome any feedback or necessary adjustments.

I plan to continue adding new rules to my repository as part of my ongoing research; however, I also want these rules to be available in the main Sigma repository to benefit the entire community and provide easier access when downloading Sigma rules from a centralized source.

Changelog

fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions bot added the labels Rules and Windows (Pull request add/update windows related rules) Aug 10, 2024

@github-actions bot (Contributor) left a comment
Welcome @tsale 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench nasbench added the Work In Progress (Some changes are needed) label Aug 10, 2024
@nasbench nasbench self-assigned this Aug 10, 2024
@nasbench nasbench self-requested a review August 10, 2024 23:16
@nasbench nasbench marked this pull request as draft August 10, 2024 23:21
@nasbench (Member) commented

Thanks @tsale for this huge contribution. I'll get to reviewing and get back to you with any comments (if necessary).

@nasbench (Member) commented

Now you've broken all my work! @tsale 😢 please revert the commit

@nasbench (Member) commented

I'm still working on this, so I'll be reverting ba843fb, because I already did all the changes and more.

@tsale (Contributor, Author) commented Aug 16, 2024

Now you've broken all my work! @tsale 😢 please revert the commit

Oops sorry about that, lol. I reverted the commit and then I saw you made another comment below 😆

tsale and others added 4 commits August 23, 2024 19:39
@nasbench nasbench force-pushed the tsale-rule-migration branch from 6b83e63 to e8945a0 August 23, 2024 17:41
@nasbench (Member) commented

A couple of notes on rules that I removed/merged:

  • 74256088-d35f-40e4-91e6-601cfa2e7615 - SamAccountName Spoofing and Domain Controller Impersonation
    • Removed because it requires correlation support (which is not yet accepted in sigmahq)
  • b4019300-4846-4c66-9d3e-62efff5cff51 - LAPS Credential Dumping Spoofing and Domain Controller Impersonation
    • Removed because it requires correlation support (which is not yet accepted in sigmahq)
  • 3f3e85e9-2fec-4c2f-89cd-6762b5928570 - KrbRelayUp local privilege escalation
    • Already existed in the repo; merged the filter provided by your rule
  • b3ad3c0f-c949-47a1-a30e-b0491ccae876
    • Updated the paths to full paths
    • Removed timeframe; it requires correlation support (which is not yet accepted in sigmahq)
  • 932ade0f-3ba6-49c4-ba78-51c5234384d5 - Exploitation of 7zip vulnerability - CVE-2022-29072
    • Already exists (see: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3); I merged yours with that.
  • 4f7f3162-d6e7-48f7-bbf9-2a56eb6a1ff2 - PowerShell AMSI Bypass Pattern
    • Already exists (see: 30edb182-aa75-42c0-b0a9-e998bb29067c); copied from yours
  • 0e6e820b-f829-472e-9e34-930939778187
    • Already exists (see: 28ac00d6-22d9-4a3c-927f-bbd770104573)
  • c284e98e-a2a6-4917-aeb9-7159c6283e05
    • Already exists (see: 534f2ef7-e8a2-4433-816d-c91bccde289b); while the logic was a bit different, the effect is the same.
  • 4dd98986-86b3-44d3-9618-c58e86b5674d
    • Already covered (see: 52cad028-0ff0-4854-8f67-d25dfcbc78b4)
  • 5eff5816-a518-4ab8-b7e0-a776344e7d36
    • Already covered (see: 258fc8ce-8352-443a-9120-8a11e4857fa5)
  • 7cd354a2-92f2-4c39-85b5-6b5096366d4e
    • Already covered (see: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78)
  • 29419560-7c08-46d4-bb2c-531ed2ea0383
    • Already covered (see: c2b86e67-b880-4eec-b045-50bc98ef4844)
  • c0d0392c-de50-4a11-9565-a457587e0c9d
    • Already covered by a more generic rule (see: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78)
  • 6469c7a1-8a28-40c4-a72b-5acddcfd0b0b
    • Merged with f3d39c45-de1a-4486-a687-ab126124f744
  • afed5f7a-362a-46c2-8cc3-38a2e96b07b1
    • Already covered/copied before (see: 0d5675be-bc88-4172-86d3-1e96a4476536)
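The review notes above send back three kinds of rule: ones that need correlation support (a legacy `timeframe` key or a `| count()`-style aggregation in the condition, or a Sigma v2 `correlation:` document), and ones whose id or logic duplicates something already in the repository. A contributor can catch the mechanical part of that before opening a PR. The checker below is an added example written for this page; it is not SigmaHQ's own tooling (the project has its own test suite and conventions document), the four rule bodies are constructed inline purely to exercise it and do not reproduce any rule from the PR, and it uses line-based regular expressions rather than a YAML parser so it runs with the standard library only. It cannot tell you that your logic is already covered by another rule; that part of the review stays manual.

```python
import re
from typing import Dict, List

# Top-level keys every single-event Sigma rule submitted to SigmaHQ must carry.
REQUIRED_KEYS = ("title", "id", "logsource", "detection")

# Line-based heuristics for the constructs the review sends back. These are
# deliberately simple and are NOT a YAML parser: a column-0 'correlation:' key
# marks a Sigma v2 correlation document; an indented 'timeframe:' key and a
# '| count()/min()/max()/avg()/sum()' aggregation in the condition are the
# legacy single-file way of expressing the same thing.
TIMEFRAME_RE = re.compile(r"^\s+timeframe:\s*\S")
AGGREGATION_RE = re.compile(r"^\s+condition:.*\|\s*(count|min|max|avg|sum)\b")
CORRELATION_RE = re.compile(r"^correlation:\s*$", re.M)
TOP_KEY_RE = re.compile(r"^([A-Za-z_]+):", re.M)
UUID_RE = re.compile(
    r"^id:\s*([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\s*$", re.M
)


def check_rule(text: str) -> List[str]:
    """Return the reasons a single rule file would be sent back (empty = fine)."""
    # A correlation document is rejected outright, so do not also complain
    # about the single-event keys it legitimately lacks.
    if CORRELATION_RE.search(text):
        return ["is a correlation rule (not yet accepted)"]
    findings: List[str] = []
    top_keys = {m.group(1) for m in TOP_KEY_RE.finditer(text)}
    for key in REQUIRED_KEYS:
        if key not in top_keys:
            findings.append(f"missing top-level key '{key}'")
    for line in text.splitlines():
        if TIMEFRAME_RE.match(line):
            findings.append("uses 'timeframe' (needs correlation support)")
        if AGGREGATION_RE.match(line):
            findings.append("condition uses an aggregation (needs correlation support)")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


def check_submission(rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Check every rule, then flag ids reused across the submitted set."""
    results = {name: check_rule(text) for name, text in rules.items()}
    owners: Dict[str, str] = {}  # uuid -> first file that used it
    for name, text in rules.items():
        match = UUID_RE.search(text)
        if not match:
            results[name].append("missing or malformed 'id' (must be a UUID)")
            continue
        rule_id = match.group(1)
        if rule_id in owners:
            results[name].append(f"duplicate id {rule_id} (also used by {owners[rule_id]})")
        else:
            owners[rule_id] = name
    return results


# Constructed sample rules (not from the PR): one clean single-event rule, one
# legacy aggregation rule, one v2 correlation document, one id collision.
RULE_OK = """\
title: Example Single-Event Rule
id: 11111111-1111-4111-8111-111111111111
status: experimental
description: Constructed example used only to exercise the checker.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\example.exe'
    condition: selection
level: medium
"""

RULE_TIMEFRAME = """\
title: Example Legacy Aggregation Rule
id: 22222222-2222-4222-8222-222222222222
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
    timeframe: 5m
    condition: selection | count() by SourceAddress > 10
level: medium
"""

RULE_CORRELATION = """\
title: Example Correlation Document
id: 33333333-3333-4333-8333-333333333333
correlation:
    type: event_count
    rules:
        - 22222222-2222-4222-8222-222222222222
    group-by:
        - SourceAddress
    timespan: 5m
    condition:
        gte: 10
"""

RULE_DUP = RULE_OK.replace("Example Single-Event Rule", "Example Duplicate Id")

SUBMISSION = {
    "ok.yml": RULE_OK,
    "timeframe.yml": RULE_TIMEFRAME,
    "correlation.yml": RULE_CORRELATION,
    "dup.yml": RULE_DUP,
}

if __name__ == "__main__":
    for name, findings in check_submission(SUBMISSION).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it over a directory by reading each `*.yml` into the dictionary keyed by file name; anything that comes back non-empty is either something to restructure as a plain single-event rule or a candidate to drop from the submission.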

@nasbench nasbench marked this pull request as ready for review August 23, 2024 23:51
@nasbench nasbench removed the Work In Progress (Some changes are needed) label Aug 29, 2024
@nasbench nasbench merged commit 2851ef5 into SigmaHQ:master Aug 29, 2024
12 checks passed