
new sigma rules related to lummac and RATs behaviors observed ITW #5123

Merged
merged 7 commits into from
Dec 19, 2024

Conversation

@jstnk9 (Contributor) commented Dec 11, 2024

new sigma rules related to lummac and RATs behaviors observed ITW through VirusTotal

Summary of the Pull Request

While doing research to create new detection content, I discovered some interesting patterns observed related to Lummac stealer and other RATs. I've created two new Sigma rules for the community in relation to these behaviors.

File Creation Related To RAT Clients

This Sigma rule tries to identify .conf files created during the execution of Lummac or other RATs observed. Using the following VT queries you can get more context and a bunch of IOCs.

behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"

Example of results:

[image: VirusTotal search results]

Detect The Execution Of More.com And Vbc.exe Related to Lummac Stealer

This Sigma rule tries to identify the execution of the utility more.com to spawn vbc.exe as a child. We couldn't identify legit behavior of these two processes as a parent and child (This does not mean that it does not exist).

Using the following VT queries you can get more context and a bunch of IOCs.

behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"

[image: VirusTotal search results]

Example Log Event


File Creation Related To RAT Clients

<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" Name="Microsoft-Windows-Sysmon"/>
		<EventID>11</EventID>
		<Version>2</Version>
		<Level>4</Level>
		<Task>11</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8000000000000000</Keywords>
		<TimeCreated SystemTime="2024-12-02T00:52:23.072811600Z"/>
		<EventRecordID>1555690</EventRecordID>
		<Correlation/>
		<Execution ProcessID="2624" ThreadID="3112"/>
		<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
		<Computer>DESKTOP-B0T93D6</Computer>
		<Security UserID="S-1-5-18"/>
	</System>
	<EventData>
		<Data Name="RuleName">-</Data>
		<Data Name="UtcTime">2024-12-02 00:52:23.059</Data>
		<Data Name="ProcessGuid">{C784477D-04C6-674D-5C06-000000004B00}</Data>
		<Data Name="ProcessId">7592</Data>
		<Data Name="Image">C:\Users\george\Desktop\ezzz.exe</Data>
		<Data Name="TargetFilename">C:\Users\george\AppData\Roaming\MyData\DataLogs.conf</Data>
		<Data Name="CreationUtcTime">2024-12-02 00:52:23.059</Data>
		<Data Name="User">DESKTOP-B0T93D6\george</Data>
	</EventData>
</Event>

Detect The Execution Of More.com And Vbc.exe Related to Lummac Stealer

<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" Name="Microsoft-Windows-Sysmon"/>
		<EventID>1</EventID>
		<Version>5</Version>
		<Level>4</Level>
		<Task>1</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8000000000000000</Keywords>
		<TimeCreated SystemTime="2024-11-26T16:23:05.132539500Z"/>
		<EventRecordID>692861</EventRecordID>
		<Correlation/>
		<Execution ProcessID="2396" ThreadID="3116"/>
		<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
		<Computer>DESKTOP-B0T93D6</Computer>
		<Security UserID="S-1-5-18"/>
	</System>
	<EventData>
		<Data Name="RuleName">-</Data>
		<Data Name="UtcTime">2024-11-26 16:23:05.064</Data>
		<Data Name="ProcessGuid">{C784477D-F5E9-6745-6006-000000003F00}</Data>
		<Data Name="ProcessId">4184</Data>
		<Data Name="Image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe</Data>
		<Data Name="FileVersion">14.8.3761.0</Data>
		<Data Name="Description">Visual Basic Command Line Compiler</Data>
		<Data Name="Product">Microsoft® .NET Framework</Data>
		<Data Name="Company">Microsoft Corporation</Data>
		<Data Name="OriginalFileName">vbc.exe</Data>
		<Data Name="CommandLine">C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe</Data>
		<Data Name="CurrentDirectory">C:\Users\george\AppData\Roaming\comlocal\RUYCLAXYVMFJ\</Data>
		<Data Name="User">DESKTOP-B0T93D6\george</Data>
		<Data Name="LogonGuid">{C784477D-9D9B-66FF-6E87-050000000000}</Data>
		<Data Name="LogonId">0x5876e</Data>
		<Data Name="TerminalSessionId">1</Data>
		<Data Name="IntegrityLevel">High</Data>
		<Data Name="Hashes">SHA1=61F4D9A9EE38DBC72E840B3624520CF31A3A8653,MD5=FCCB961AE76D9E600A558D2D0225ED43,SHA256=466876F453563A272ADB5D568670ECA98D805E7ECAA5A2E18C92B6D3C947DF93,IMPHASH=1460E2E6D7F8ECA4240B7C78FA619D15</Data>
		<Data Name="ParentProcessGuid">{C784477D-F5D4-6745-5E06-000000003F00}</Data>
		<Data Name="ParentProcessId">6572</Data>
		<Data Name="ParentImage">C:\Windows\SysWOW64\more.com</Data>
		<Data Name="ParentCommandLine">C:\Windows\SysWOW64\more.com</Data>
		<Data Name="ParentUser">DESKTOP-B0T93D6\george</Data>
	</EventData>
</Event>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
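The two detections described in this PR (a Sysmon FileCreate event whose target is one of the RAT .conf names, and a Sysmon ProcessCreate event where more.com is the parent of vbc.exe), implemented as a small matcher over Sysmon events exported as XML. This is an added example, not the PR's Sigma rules and not SigmaHQ code; the rule titles are reused from the PR as labels, and the sample events are constructed, trimmed down to the fields the matchers read, from the two example events in the description plus two benign events that must not match.

```python
"""Added example (not the PR's rules, nor SigmaHQ's code): applies the two detection
ideas described in the PR to Sysmon events in XML form."""
import xml.etree.ElementTree as ET

# Config file names taken from the PR's VirusTotal queries (matched case-insensitively).
RAT_CONF_NAMES = frozenset({"datalogs.conf", "hvnc.conf", "dcrat.conf"})

# Labels reused from the PR's rule titles.
RULE_RAT_CONF = "File Creation Related To RAT Clients"
RULE_MORE_VBC = "Detect The Execution Of More.com And Vbc.exe Related to Lummac Stealer"


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags of namespaced XML."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon <Event> into {'EventID': int, <Data Name>: <text>, ...}.
    Works whether or not the export keeps the default Windows event namespace."""
    event = {}
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name == "EventID":
            event["EventID"] = int((elem.text or "0").strip())
        elif name == "Data" and elem.get("Name"):
            event[elem.get("Name")] = (elem.text or "").strip()
    return event


def file_name(path: str) -> str:
    """Last path component, lower-cased; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rat_conf_file(event: dict) -> bool:
    """Sysmon EventID 11 (FileCreate) whose target is one of the RAT config names.
    Matching on the file name rather than the folder is deliberate: the PR's example
    event writes DataLogs.conf under ...\\Roaming\\MyData\\, not ...\\Roaming\\DataLogs\\."""
    return (event.get("EventID") == 11
            and file_name(event.get("TargetFilename", "")) in RAT_CONF_NAMES)


def matches_more_spawning_vbc(event: dict) -> bool:
    """Sysmon EventID 1 (ProcessCreate) where more.com is the parent of vbc.exe."""
    return (event.get("EventID") == 1
            and file_name(event.get("ParentImage", "")) == "more.com"
            and file_name(event.get("Image", "")) == "vbc.exe")


def evaluate(xml_text: str) -> list:
    """Return the titles of the rules the event triggers (empty list if none)."""
    event = parse_sysmon_event(xml_text)
    hits = []
    if matches_rat_conf_file(event):
        hits.append(RULE_RAT_CONF)
    if matches_more_spawning_vbc(event):
        hits.append(RULE_MORE_VBC)
    return hits


# Constructed sample events, modelled on the PR's two example events and trimmed to
# the fields the matchers read, plus two benign events that must not match.
SAMPLE_RAT_CONF = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="Image">C:\Users\george\Desktop\ezzz.exe</Data>
    <Data Name="TargetFilename">C:\Users\george\AppData\Roaming\MyData\DataLogs.conf</Data>
  </EventData>
</Event>"""

SAMPLE_MORE_VBC = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="Image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe</Data>
    <Data Name="CurrentDirectory">C:\Users\george\AppData\Roaming\comlocal\RUYCLAXYVMFJ\</Data>
    <Data Name="ParentImage">C:\Windows\SysWOW64\more.com</Data>
  </EventData>
</Event>"""

SAMPLE_BENIGN_PROC = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""

SAMPLE_BENIGN_FILE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="Image">C:\Program Files\SomeApp\someapp.exe</Data>
    <Data Name="TargetFilename">C:\Users\george\AppData\Roaming\SomeApp\settings.conf</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for label, sample in [("rat conf", SAMPLE_RAT_CONF), ("more->vbc", SAMPLE_MORE_VBC),
                          ("benign proc", SAMPLE_BENIGN_PROC), ("benign file", SAMPLE_BENIGN_FILE)]:
        print(f"{label}: {evaluate(sample) or 'no match'}")
```

The file-name match is the one choice worth noting: the PR's second VT query pins `DataLogs.conf` to a `\AppData\Roaming\DataLogs\` folder, but its own example event shows the file written under `\AppData\Roaming\MyData\`, so a detection keyed on the folder would miss that sample; keying on the file name catches both, at the cost of also firing on a legitimate program that happens to write a file with one of those three names.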

new sigma rules related to lummac and RATs behaviors observed ITW through VirusTotal
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Dec 11, 2024
nasbench and others added 2 commits December 14, 2024 21:38
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
@frack113 frack113 added the 2nd Review Needed PR need a second approval label Dec 17, 2024
@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Dec 19, 2024
@nasbench nasbench merged commit a9423d6 into SigmaHQ:master Dec 19, 2024
12 checks passed