Merge branch 'SigmaHQ:master' into master

rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml

@@ -0,0 +1,24 @@
+title: Device Registration or Join Without MFA
+id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+description: Monitor and alert for device registration or join events where MFA was not performed.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+logsource:
+  product: azure
+  service: signinlogs
+detection:
+  selection:
+    ResourceDisplayName: 'Device Registration Service'
+    conditionalAccessStatus: 'success'
+  filter_mfa:
+    AuthenticationRequirement: 'multiFactorAuthentication'
+  condition: selection and not filter_mfa
+falsepositives:
+  - Unknown
+level: medium
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078

rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml

@@ -0,0 +1,21 @@
+title: Sign-ins from Non-Compliant Devices
+id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
+description: Monitor and alert for sign-ins where the device was non-compliant.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+logsource:
+  product: azure
+  service: signinlogs
+detection:
+  selection:
+    DeviceDetail.isCompliant: 'false'
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078

rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml

@@ -0,0 +1,27 @@
+title: Users Added to Global or Device Admin Roles
+id: 11c767ae-500b-423b-bae3-b234450736ed
+description: Monitor and alert for users added to device admin roles.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+logsource:
+  product: azure
+  service: auditlogs
+detection:
+  selection:
+    Category: RoleManagement
+    OperationName|contains|all:
+      - 'Add'
+      - 'member to role'
+    TargetResources|contains:
+      - '7698a772-787b-4ac8-901f-60d6b08affd2'
+      - '62e90394-69f5-4237-9190-012177145e10'
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078

rules/windows/process_creation/proc_creation_win_curl_download.yml

@@ -0,0 +1,26 @@
+title: Curl Usage on Windows
+id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+status: test
+description: Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server
+author: Florian Roth
+references:
+    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
+date: 2022/07/05
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\curl.exe'
+        - Product: 'The curl executable'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Scripts created by developers and admins
+    - Administrative activity
+level: low
+tags:
+    - attack.command_and_control
+    - attack.t1105

rules/windows/process_creation/proc_creation_win_susp_curl_download.yml

@@ -1,33 +1,50 @@
 title: Suspicious Curl Usage on Windows
 id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
-status: test
+status: experimental
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 author: Florian Roth, Nasreddine Bencherchali (updated)
 references:
+    - https://twitter.com/max_mal_/status/1542461200797163522
     - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
     - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_AA_23.06.2022.txt
 date: 2020/07/03
-modified: 2022/06/23
+modified: 2022/07/05
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_img:
+    selection_curl:
         - Image|endswith: '\curl.exe'
         - Product: 'The curl executable'
-    selection_cli:
+    selection_susp_locations:
         CommandLine|contains:
-            - ' -O'
+            - '\AppData\'
+            - '\Users\Public\'
+            - '\Temp'
+            - '%AppData%'
+            - '%Temp%'
+            - '%Public%'
+            - '\Desktop'
+    selection_susp_extensions:
+        CommandLine|endswith:
+            - '.jpg'
+            - '.jpeg'
+            - '.png'
+            - '.gif'
+            - '.tmp'
+            - '.temp'
+            - '.txt'
+    selection_susp_remote_name:
+        CommandLine|contains:
+            - ' -O'  # alias for --remote-name
             - '--remote-name'
-            - '--output'
-    condition: all of selection*
+    condition: selection_curl and 1 of selection_susp*
 fields:
     - CommandLine
     - ParentCommandLine
 falsepositives:
-    - Scripts created by developers and admins
-    - Administrative activity
-level: medium
+    - Unknown
+level: high
 tags:
     - attack.command_and_control
     - attack.t1105

rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml

@@ -6,22 +6,26 @@ author: Sreeman
 references:
   - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
 date: 2020/01/13
-modified: 2021/11/27
+modified: 2022/07/05
 logsource:
   category: process_creation
   product: windows
 detection:
-  condition: selection
-  selection:
-    CommandLine|contains|all:
-      - 'curl'
+  selection_curl:
+    - Image|endswith: '\curl.exe'
+    - Product: 'The curl executable'
+  selection_susp_flags:
+    CommandLine|contains:
       - ' start '
+      - '&call '
+      - '& call '
+  condition: all of selection*
 fields:
   - ParentImage
   - CommandLine
 falsepositives:
   - Administrative scripts (installers)
-level: medium
+level: high
 tags:
   - attack.execution
   - attack.t1218

rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth, oscd.community
 date: 2019/01/16
-modified: 2022/06/20
+modified: 2022/07/04
 references:
     - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
@@ -52,6 +52,17 @@ detection:
         CommandLine|contains:
             - '\AppData\Local'
             - 'C:\Users\Public'
+    selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|endswith:
+            - '.jpg'
+            - '.jpeg'
+            - '.png'
+            - '.gif'
+            - '.bin'
+            - '.tmp'
+            - '.temp'
+            - '.txt'
     filter:
         CommandLine|contains: '\AppData\Local\Microsoft\Teams'
     condition: 1 of selection* and not filter

rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml

@@ -0,0 +1,23 @@
+title: Disabled Windows Defender Eventlog
+id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
+description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
+status: experimental
+date: 2022/07/04
+author: Florian Roth
+references:
+    - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
+        Details: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001

rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml

@@ -3,7 +3,7 @@ id: 8ffc5407-52e3-478f-9596-0a7371eafe13
 description: Detects disabling Windows Defender PUA protection
 status: experimental
 date: 2021/08/04
-modified: 2022/03/26
+modified: 2022/07/04
 author: Austin Songer @austinsonger
 references:
     - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventType: SetValue
-        TargetObject|contains: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'
+        TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
         Details: 'DWORD (0x00000000)'
     condition: selection
 falsepositives: