Merge PR #4960 from @fukusuket - Update unreachable/broken references

chore: Unix Shell Configuration Modification - Update unreachable/broken references chore: JNDIExploit Pattern - Update unreachable/broken references chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references chore: Potential Dead Drop Resolvers - Update unreachable/broken references chore: HackTool - SecurityXploded Execution - Update unreachable/broken references chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references chore: PUA - AdvancedRun Execution - Update unreachable/broken references chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references chore: PUA - NSudo Execution - Update unreachable/broken references chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references chore: Suspect Svchost Activity - Update unreachable/broken references chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references chore: Turla PNG Dropper Service - Update unreachable/broken references chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references chore: .Class Extension URI Ending Request - Update unreachable/broken references chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
SigmaHQ · Aug 10, 2024 · dbba992 · dbba992
1 parent 51d0119
commit dbba992
Show file tree

Hide file tree

Showing 22 changed files with 22 additions and 22 deletions.
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -3,7 +3,7 @@ id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
 status: test
 description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
 references:
-    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+    - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
 author: Florian Roth (Nextron Systems)
 date: 2018/11/23
 modified: 2021/11/30

diff --git a/...-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/...-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -3,7 +3,7 @@ id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
 status: test
 description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
 references:
-    - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
+    - https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019/11/15
 modified: 2021/11/27

diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
@@ -3,7 +3,7 @@ id: 5ea8faa8-db8b-45be-89b0-151b84c82702
 status: test
 description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
 references:
-    - https://www.lunasec.io/docs/blog/log4j-zero-day/
+    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
     - https://news.ycombinator.com/item?id=29504755
     - https://github.com/tangxiaofeng7/apache-log4j-poc
     - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
@@ -3,7 +3,7 @@ id: 9be472ed-893c-4ec0-94da-312d2765f654
 status: test
 description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
 references:
-    - https://www.lunasec.io/docs/blog/log4j-zero-day/
+    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
     - https://news.ycombinator.com/item?id=29504755
     - https://github.com/tangxiaofeng7/apache-log4j-poc
     - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

diff --git a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
@@ -5,7 +5,7 @@ description: |
     Detects requests to URI ending with the ".class" extension in proxy logs.
     This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
 references:
-    - https://www.lunasec.io/docs/blog/log4j-zero-day/
+    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades)
 date: 2021/12/21
 modified: 2024/02/26

diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
@@ -3,7 +3,7 @@ id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 status: stable
 description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
 references:
-    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
+    - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
     - https://github.com/Neo23x0/DLLRunner
     - https://twitter.com/cyb3rops/status/1186631731543236608
     - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/

diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
@@ -7,7 +7,7 @@ status: test
 description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 references:
     - https://objective-see.org/blog/blog_0x68.html
-    - https://www.glitch-cat.com/p/green-lambert-and-attack
+    - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
     - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
 author: Peter Matkovski, IAI
 date: 2023/03/06

diff --git a/rules/web/webserver_generic/web_jndi_exploit.yml b/rules/web/webserver_generic/web_jndi_exploit.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects exploitation attempt using the JNDI-Exploit-Kit
 references:
     - https://github.com/pimps/JNDI-Exploit-Kit
-    - https://githubmemory.com/repo/FunctFan/JNDIExploit
+    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
 author: Florian Roth (Nextron Systems)
 date: 2021/12/12
 modified: 2022/12/25

diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
@@ -11,7 +11,7 @@ description: |
 references:
     - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
     - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
-    - https://www.swascan.com/cactus-ransomware-malware-analysis/
+    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
     - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
 date: 2023/11/28

diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
@@ -11,7 +11,7 @@ description: |
 references:
     - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
     - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
-    - https://www.swascan.com/cactus-ransomware-malware-analysis/
+    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
     - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
 date: 2023/11/28

diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -3,7 +3,7 @@ id: ee6cea48-c5b6-4304-a332-10fc6446f484
 status: test
 description: Detects potential DLL sideloading of "appverifUI.dll"
 references:
-    - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
+    - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
 author: X__Junior (Nextron Systems)
 date: 2023/06/20
 tags:

diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
@@ -8,7 +8,7 @@ description: |
     Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
     In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
 references:
-    - https://content.fireeye.com/apt-41/rpt-apt41
+    - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
     - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
     - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
     - https://github.com/kleiton0x00/RedditC2

diff --git a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects the execution of SecurityXploded Tools
 references:
     - https://securityxploded.com/
-    - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
+    - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
 author: Florian Roth (Nextron Systems)
 date: 2018/12/19
 modified: 2023/02/04

diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
 references:
-    - https://www.lunasec.io/docs/blog/log4j-zero-day/
+    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
 modified: 2024/01/18

diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
 references:
-    - https://www.lunasec.io/docs/blog/log4j-zero-day/
+    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
 date: 2021/12/17
 modified: 2024/01/18

diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -3,7 +3,7 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 status: test
 description: Detects the addition of a new rule to the Windows firewall via netsh
 references:
-    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
 date: 2019/01/29
 modified: 2023/02/10

diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -8,7 +8,7 @@ description: Detects the execution of AdvancedRun utility
 references:
     - https://twitter.com/splinter_code/status/1483815103279603714
     - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
-    - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+    - https://www.elastic.co/security-labs/operation-bleeding-bear
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20

diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -8,7 +8,7 @@ description: Detects the execution of AdvancedRun utility in the context of the
 references:
     - https://twitter.com/splinter_code/status/1483815103279603714
     - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
-    - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+    - https://www.elastic.co/security-labs/operation-bleeding-bear
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20

diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
@@ -3,7 +3,7 @@ id: 771d1eb5-9587-4568-95fb-9ec44153a012
 status: test
 description: Detects the use of NSudo tool for command execution
 references:
-    - https://nsudo.m2team.org/en-us/
+    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/01/24

diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
@@ -3,7 +3,7 @@ id: 96036718-71cc-4027-a538-d1587e0006a7
 status: test
 description: Detect suspicious parent processes of well-known Windows processes
 references:
-    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
     - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
     - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 author: vburov

diff --git a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
@@ -3,7 +3,7 @@ id: 16c37b52-b141-42a5-a3ea-bbe098444397
 status: test
 description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
 references:
-    - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett, @signalblur
 date: 2019/12/28
 modified: 2022/06/27

diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-    - https://nsudo.m2team.org/en-us/
+    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
 date: 2022/01/28
 modified: 2023/12/04