Sigma Rule Update (2024-06-25 20:12:08) (#678)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml

@@ -0,0 +1,49 @@
+title: HackTool - Evil-WinRm Execution - PowerShell Module
+id: a0ecd6f3-309d-3ad0-2231-421f98a89f32
+related:
+    - id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51
+      type: derived
+status: experimental
+description: |
+    Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
+references:
+    - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
+    - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/02/25
+tags:
+    - attack.lateral_movement
+logsource:
+    product: windows
+    category: ps_module
+detection:
+    ps_module:
+        EventID: 4103
+        Channel:
+            - Microsoft-Windows-PowerShell/Operational
+            - PowerShellCore/Operational
+    selection_wsm:
+        ContextInfo|contains:
+            - :\Windows\System32\wsmprovhost.exe
+            - :\Windows\SysWOW64\wsmprovhost.exe
+    selection_payload_1:
+        Payload|contains:
+            - value="(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592
+            - value="(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490
+            - 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740
+            - Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761
+            - Bypass-4MSI
+            - IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')
+    selection_payload_2:
+        Payload|contains|all:
+            - $servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\"
+            - Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath
+    selection_payload_3:
+        Payload|contains|all:
+            - $a +=  \"$($_.FullName.Replace('\\','/'))/\"}else{  $a += \"$($_.FullName.Replace('\\', '/'))\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001
+            - $a=@();$
+    condition: ps_module and (selection_wsm and 1 of selection_payload_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml

@@ -0,0 +1,39 @@
+title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
+id: 183b6ab0-741c-5a2c-a72d-660f201d5710
+related:
+    - id: 129966c9-de17-4334-a123-8b58172e664d
+      type: derived
+status: test
+description: |
+    Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
+    Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
+references:
+    - https://twitter.com/mrd0x/status/1460597833917251595
+author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2021/11/26
+modified: 2024/06/21
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+    - sysmon
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_dump:
+        NewProcessName|startswith: :\Program Files
+        NewProcessName|contains: \Microsoft Visual Studio\
+        NewProcessName|endswith: \dump64.exe
+    selection_tools_procdump:
+        - OriginalFileName: procdump
+        - CommandLine|contains:
+              - ' -ma ' # Full Dump
+              - ' -mp ' # Mini Plus
+    condition: process_creation and (selection_dump and 1 of selection_tools_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml

@@ -12,7 +12,7 @@ references:
     - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/22
-modified: 2022/11/11
+modified: 2024/06/04
 tags:
     - attack.credential_access
     - attack.t1003.002
@@ -31,24 +31,24 @@ detection:
         - NewProcessName|endswith: \esentutl.exe
         - OriginalFileName: \esentutl.exe
     selection_esent_cli:
-        CommandLine|contains:
+        CommandLine|contains|windash:
             - vss
             - ' /m '
             - ' /y '
     selection_susp_paths:
         CommandLine|contains:
-            - \windows\ntds\ntds.dit
+            - \config\RegBack\sam
+            - \config\RegBack\security
+            - \config\RegBack\system
             - \config\sam
             - \config\security
             - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
             - \repair\sam
-            - \repair\system
             - \repair\security
-            - \config\RegBack\sam
-            - \config\RegBack\system
-            - \config\RegBack\security
+            - \repair\system
+            - \windows\ntds\ntds.dit
     condition: process_creation and (all of selection_esent_* or selection_susp_paths)
 falsepositives:
-    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator
+    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
 level: high
 ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_explorer_break_process_tree.yml

@@ -14,7 +14,7 @@ references:
     - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
 date: 2019/06/29
-modified: 2022/09/20
+modified: 2024/06/04
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -31,7 +31,7 @@ detection:
         - CommandLine|contains: /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}   # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
         # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
         # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
-        - CommandLine|contains|all:
+        - CommandLine|contains|all|windash:
               - explorer.exe
               - ' /root,'
     condition: process_creation and selection

sigma/builtin/process_creation/proc_creation_win_findstr_lsass.yml

@@ -9,7 +9,7 @@ references:
     - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
 date: 2022/08/12
-modified: 2023/11/11
+modified: 2024/06/04
 tags:
     - attack.credential_access
     - attack.t1552.006
@@ -31,7 +31,7 @@ detection:
     selection_findstr_cli:
         CommandLine|contains: lsass
     selection_special:
-        CommandLine|contains:
+        CommandLine|contains|windash:
             - ' /i "lsass'
             - ' /i lsass.exe'
             - findstr "lsass

sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver.yml

@@ -5,9 +5,9 @@ description: Detect filter driver unloading activity via fltmc.exe
 references:
     - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
     - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/13
-modified: 2023/03/14
+modified: 2024/06/24
 tags:
     - attack.defense_evasion
     - attack.t1070
@@ -26,11 +26,16 @@ detection:
         - OriginalFileName: fltMC.exe
     selection_cli:
         CommandLine|contains: unload
-    filter_avira:
-        # ParentImage: C:\Users\ciadmin\AppData\Local\Temp\is-URCLK.tmp\endpoint-protection-installer-x64.tmp
+    filter_optional_avira:
         CommandLine|endswith: unload rtp_filesystem_filter
-    condition: process_creation and (all of selection_* and not 1 of filter_*)
+        ParentProcessName|startswith: C:\Users\
+        ParentProcessName|contains: \AppData\Local\Temp\
+        ParentProcessName|endswith: \endpoint-protection-installer-x64.tmp
+    filter_optional_manageengine:
+        CommandLine|endswith: unload DFMFilter
+        ParentProcessName: C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe
+    condition: process_creation and (all of selection_* and not 1 of filter_optional_*)
 falsepositives:
     - Unknown
-level: high
+level: medium
 ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_iexpress_susp_execution.yml

@@ -14,6 +14,7 @@ references:
     - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
 date: 2024/02/05
+modified: 2024/06/04
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -29,7 +30,7 @@ detection:
         - NewProcessName|endswith: \iexpress.exe
         - OriginalFileName: IEXPRESS.exe
     selection_cli:
-        CommandLine|contains: ' /n '
+        CommandLine|contains|windash: ' /n '
     selection_paths:
         CommandLine|contains:
             # Note: Add more uncommon paths that fit your organizational needs.

sigma/builtin/process_creation/proc_creation_win_lolbin_kavremover.yml → sigma/builtin/process_creation/proc_creation_win_kavremover_uncommon_execution.yml

@@ -22,11 +22,11 @@ detection:
         Channel: Security
     selection:
         CommandLine|contains: ' run run-cmd '
-    filter:
+    filter_main_legit_parents:
         ParentProcessName|endswith:
-            - \kavremover.exe   # When launched from kavremover.exe
             - \cleanapi.exe   # When launched from KES installer
-    condition: process_creation and (selection and not filter)
+            - \kavremover.exe   # When launched from kavremover.exe
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: high

sigma/builtin/process_creation/proc_creation_win_lolbin_unregmp2.yml

@@ -9,6 +9,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
 author: frack113
 date: 2022/12/29
+modified: 2024/06/04
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -24,7 +25,7 @@ detection:
         - NewProcessName|endswith: \unregmp2.exe
         - OriginalFileName: unregmp2.exe
     selection_cmd:
-        CommandLine|contains: ' /HideWMP'
+        CommandLine|contains|windash: ' /HideWMP'
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

sigma/builtin/process_creation/proc_creation_win_mstsc_remote_connection.yml

@@ -12,7 +12,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
 author: frack113
 date: 2022/01/07
-modified: 2023/02/03
+modified: 2024/06/04
 tags:
     - attack.lateral_movement
     - attack.t1021.001
@@ -28,7 +28,7 @@ detection:
         - NewProcessName|endswith: \mstsc.exe
         - OriginalFileName: mstsc.exe
     selection_cli:
-        CommandLine|contains: ' /v:'
+        CommandLine|contains|windash: ' /v:'
     filter_optional_wsl:
         # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
         CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp

sigma/builtin/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml

@@ -1,12 +1,14 @@
 title: Renamed ProcDump Execution
 id: a6320654-afe9-8fa6-7fdc-3270c5a552d2
 status: test
-description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
+description: |
+    Detects the execution of a renamed ProcDump executable.
+    This often done by attackers or malware in order to evade defensive mechanisms.
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2019/11/18
-modified: 2022/12/08
+modified: 2024/06/25
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -18,23 +20,22 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection_org:
+    selection_ofn:
         OriginalFileName: procdump
-    selection_args_ma:
-        CommandLine|contains:
-            - ' -ma '
-            - ' /ma '
-    selection_args_other:
-        CommandLine|contains:
-            - ' -accepteula '
-            - ' /accepteula '
-    filter:
+    selection_cli_dump_flag:
+        CommandLine|contains|windash:
+            - ' -ma ' # Full Dump
+            - ' -mp ' # Mini Plus
+    selection_cli_eula_flag:
+        # Note: Even though the "accepteula" flag isn't required. We add it to avoid collision with similar utilities.
+        CommandLine|contains|windash: ' /accepteula'
+    filter_main_known_names:
         NewProcessName|endswith:
             - \procdump.exe
             - \procdump64.exe
-    condition: process_creation and ((selection_org or all of selection_args_*) and not filter)
+    condition: process_creation and ((selection_ofn or all of selection_cli_*) and not 1 of filter_main_*)
 falsepositives:
-    - Procdump illegaly bundled with legitimate software
-    - Administrators who rename binaries (should be investigated)
+    - Procdump illegally bundled with legitimate software.
+    - Administrators who rename binaries (should be investigated).
 level: high
 ruletype: Sigma