Merge PR #4681 from @nasbench - Add Missing Ref & Tags

fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode" fix: Metasploit SMB Authentication - Remove unnecessary field fix: Service Installation in Suspicious Folder - Update FP filter update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2" remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules remove: SAM Dump to AppData update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2" update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2" update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1" update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1" update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only update: New or Renamed User Account with '$' Character - Reduced level to "medium" update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium" update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic update: Prefetch File Deleted - Update selection to remove 'C:' prefix update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule) update: Shell Process Spawned by Java.EXE - Add "bash.exe" update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic update: Sysmon Application Crashed - Add 32bit version of sysmon binary update: Tap Driver Installation - Security - Reduce level to "low" update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
SigmaHQ · Jan 29, 2024 · be359ef · be359ef
1 parent 7f582c3
commit be359ef
Show file tree

Hide file tree

Showing 114 changed files with 480 additions and 340 deletions.
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
@@ -26,8 +26,6 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.2
 c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe
 69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .*
 ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote-
-cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$
-7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon

diff --git a/...shell_script/posh_ps_dnscat_execution.yml → ...ated/windows/posh_ps_dnscat_execution.yml b/...shell_script/posh_ps_dnscat_execution.yml → ...ated/windows/posh_ps_dnscat_execution.yml
@@ -1,10 +1,10 @@
 title: Dnscat Execution
 id: a6d67db4-6220-436d-8afc-f3842fe05d43
-status: test
+status: deprecated # In favour of the more generic Susp and Malicious Cmdlet rules
 description: Dnscat exfiltration tool execution
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
-modified: 2022/12/25
+modified: 2024/01/25
 tags:
     - attack.exfiltration
     - attack.t1048

diff --git a/...rnel_general/win_system_susp_sam_dump.yml → ...ated/windows/win_system_susp_sam_dump.yml b/...rnel_general/win_system_susp_sam_dump.yml → ...ated/windows/win_system_susp_sam_dump.yml
@@ -1,10 +1,10 @@
 title: SAM Dump to AppData
 id: 839dd1e8-eda8-4834-8145-01beeee33acd
-status: test
+status: deprecated
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
 author: Florian Roth (Nextron Systems)
 date: 2018/01/27
-modified: 2023/04/30
+modified: 2024/01/18
 tags:
     - attack.credential_access
     - attack.t1003.002

diff --git a/...all/net_firewall_apt_equationgroup_c2.yml → ...oup/net_firewall_apt_equationgroup_c2.yml b/...all/net_firewall_apt_equationgroup_c2.yml → ...oup/net_firewall_apt_equationgroup_c2.yml
@@ -12,18 +12,18 @@ tags:
     - attack.command_and_control
     - attack.g0020
     - attack.t1041
+    - detection.emerging_threats
 logsource:
     category: firewall
 detection:
-    select_outgoing:
-        dst_ip:
-            - '69.42.98.86'
-            - '89.185.234.145'
-    select_incoming:
-        src_ip:
-            - '69.42.98.86'
-            - '89.185.234.145'
-    condition: 1 of select*
+    selection:
+        - dst_ip:
+              - '69.42.98.86'
+              - '89.185.234.145'
+        - src_ip:
+              - '69.42.98.86'
+              - '89.185.234.145'
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -6,6 +6,9 @@ references:
     - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: CISA
 date: 2023/12/18
+tags:
+    - attack.defense_evasion
+    - attack.t1574.002
 logsource:
     category: image_load
     product: windows

diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -2,6 +2,8 @@ title: Interactive Logon to Server Systems
 id: 3ff152b2-1388-4984-9cd9-a323323fdadf
 status: test
 description: Detects interactive console logons to Server Systems
+references:
+    - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2017/03/17
 modified: 2023/12/15
@@ -22,10 +24,10 @@ detection:
         ComputerName|expand:
             - '%ServerSystems%'
             - '%DomainControllers%'
-    filter_main:
+    filter_main_advapi:
         LogonProcessName: 'Advapi'
         ComputerName|expand: '%Workstations%'
-    condition: selection and not filter_main
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Administrative activity via KVM or ILO board
 level: medium
diff --git a/...ion_win_susp_execution_path_webserver.yml → ...ion_win_susp_execution_path_webserver.yml b/...ion_win_susp_execution_path_webserver.yml → ...ion_win_susp_execution_path_webserver.yml
@@ -1,13 +1,17 @@
-title: Execution in Webserver Root Folder
+title: Execution From Webserver Root Folder
 id: 35efb964-e6a5-47ad-bbcd-19661854018d
 status: test
-description: Detects a suspicious program execution in a web service root folder (filter out false positives)
+description: |
+    Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
+references:
+    - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2019/01/16
-modified: 2021/11/27
+modified: 2024/01/18
 tags:
     - attack.persistence
     - attack.t1505.003
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -17,16 +21,13 @@ detection:
             - '\wwwroot\'
             - '\wmpub\'
             - '\htdocs\'
-    filter:
+    filter_main_generic:
         Image|contains:
             - 'bin\'
             - '\Tools\'
             - '\SMSComponent\'
         ParentImage|endswith: '\services.exe'
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Various applications
     - Tools that include ping or nslookup command invocations

diff --git a/...tration_and_tunneling_tools_execution.yml → ...sp_exfil_and_tunneling_tool_execution.yml b/...tration_and_tunneling_tools_execution.yml → ...sp_exfil_and_tunneling_tool_execution.yml
@@ -1,27 +1,30 @@
-title: Exfiltration and Tunneling Tools Execution
+title: Tunneling Tool Execution
 id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
 status: test
-description: Execution of well known tools for data exfiltration and tunneling
+description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
 author: Daniil Yugoslavskiy, oscd.community
+references:
+    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2024/01/18
 tags:
     - attack.exfiltration
     - attack.command_and_control
     - attack.t1041
     - attack.t1572
     - attack.t1071.001
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
         Image|endswith:
+            - '\httptunnel.exe'
             - '\plink.exe'
             - '\socat.exe'
             - '\stunnel.exe'
-            - '\httptunnel.exe'
     condition: selection
 falsepositives:
-    - Legitimate Administrator using tools
+    - Legitimate administrators using one of these tools
 level: medium
diff --git a/...ation_win_wscript_cscript_script_exec.yml → ...ation_win_wscript_cscript_script_exec.yml b/...ation_win_wscript_cscript_script_exec.yml → ...ation_win_wscript_cscript_script_exec.yml
@@ -3,15 +3,21 @@ id: 1e33157c-53b1-41ad-bbcc-780b80b58288
 related:
     - id: 23250293-eed5-4c39-b57a-841c8933a57d
       type: obsoletes
+    - id: cea72823-df4d-4567-950c-0b579eaf0846
+      type: derived
 status: test
 description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
+references:
+    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+    - https://redcanary.com/blog/gootloader/
 author: Michael Haag
 date: 2019/01/16
 modified: 2023/05/15
 tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows

diff --git a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
@@ -2,6 +2,8 @@ title: AWS Config Disabling Channel/Recorder
 id: 07330162-dba1-4746-8121-a9647d49d297
 status: test
 description: Detects AWS Config Service disabling
+references:
+    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
 author: vitaliy0x1
 date: 2020/01/21
 modified: 2022/10/09
@@ -12,12 +14,12 @@ logsource:
     product: aws
     service: cloudtrail
 detection:
-    selection_source:
-        eventSource: config.amazonaws.com
+    selection:
+        eventSource: 'config.amazonaws.com'
         eventName:
-            - DeleteDeliveryChannel
-            - StopConfigurationRecorder
-    condition: selection_source
+            - 'DeleteDeliveryChannel'
+            - 'StopConfigurationRecorder'
+    condition: selection
 falsepositives:
     - Valid change in AWS Config Service
 level: high
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -9,6 +9,8 @@ references:
 author: Austin Songer @austinsonger
 date: 2021/09/12
 modified: 2022/10/09
+tags:
+    - attack.command_and_control
 logsource:
     product: okta
     service: okta

diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
@@ -2,16 +2,17 @@ title: Default Credentials Usage
 id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
 status: stable
 description: |
-  Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
-  Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+    Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
+    Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 references:
     - https://www.cisecurity.org/controls/cis-controls-list/
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
     - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
     - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/26
-# tags:
+tags:
+    - attack.initial_access
     # - CSC4
     # - CSC4.2
     # - NIST CSF 1.1 PR.AC-4

diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
@@ -12,7 +12,8 @@ references:
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/26
 modified: 2022/11/18
-# tags:
+tags:
+    - attack.credential_access
     # - CSC4
     # - CSC4.5
     # - CSC14

diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
@@ -2,6 +2,8 @@ title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 status: test
 description: Detects suspicious log entries in Linux log files
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
 author: Florian Roth (Nextron Systems)
 date: 2017/03/25
 modified: 2021/11/27
@@ -12,11 +14,11 @@ logsource:
 detection:
     keywords:
         # Generic suspicious log lines
-        - entered promiscuous mode
+        - 'entered promiscuous mode'
         # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-        - Deactivating service
-        - Oversized packet received from
-        - imuxsock begins to drop messages
+        - 'Deactivating service'
+        - 'Oversized packet received from'
+        - 'imuxsock begins to drop messages'
     condition: keywords
 falsepositives:
     - Unknown

diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -2,6 +2,9 @@ title: Cisco Clear Logs
 id: ceb407f6-8277-439b-951f-e4210e3ed956
 status: test
 description: Clear command history in network OS which is used for defense evasion
+references:
+    - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
+    - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
 author: Austin Clark
 date: 2019/08/12
 modified: 2023/05/26
@@ -16,12 +19,6 @@ detection:
         - 'clear logging'
         - 'clear archive'
     condition: keywords
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
 falsepositives:
     - Legitimate administrators may run these commands
 level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -2,6 +2,10 @@ title: Cisco Collect Data
 id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
 status: test
 description: Collect pertinent data from the configuration files
+references:
+    - https://blog.router-switch.com/2013/11/show-running-config/
+    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
+    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
 author: Austin Clark
 date: 2019/08/11
 modified: 2023/01/04
@@ -22,12 +26,6 @@ detection:
         - 'show archive config'
         - 'more'
     condition: keywords
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
 falsepositives:
     - Commonly run by administrators
 level: low
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -2,6 +2,8 @@ title: Cisco Crypto Commands
 id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
 status: test
 description: Show when private keys are being exported from the device, or when new certificates are installed
+references:
+    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
 author: Austin Clark
 date: 2019/08/12
 modified: 2023/01/04
@@ -19,12 +21,6 @@ detection:
         - 'crypto pki import'
         - 'crypto pki trustpoint'
     condition: keywords
-fields:
-    - src
-    - CmdSet
-    - User
-    - Privilege_Level
-    - Remote_Address
 falsepositives:
     - Not commonly run by administrators. Also whitelist your known good certificates
 level: high
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -2,6 +2,8 @@ title: Cisco Disabling Logging
 id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
 status: test
 description: Turn off logging locally or remote
+references:
+    - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
 author: Austin Clark
 date: 2019/08/11
 modified: 2023/01/04