Merge pull request #3277 from SigmaHQ/rule-devel

refactor: driver loads, docs: description change

rules/windows/driver_load/driver_load_vuln_dell_driver.yml

@@ -4,6 +4,7 @@ description: Detects the load of the vulnerable Dell BIOS update driver as repor
 status: experimental
 author: Florian Roth
 date: 2021/05/05
+modified: 2022/07/27
 references:
     - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
 logsource:
@@ -16,15 +17,25 @@ tags:
 detection:
     selection_image:
         ImageLoaded|contains: '\DBUtil_2_3.Sys'
-    selection_hash:
+    selection_sysmon:
         Hashes|contains:
+            - 'SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
+            - 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1'
+            - 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD'
+            - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'
+            - 'MD5=C996D7971C49252C582171D9380360F2'
+            - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
+    selection_hash:
+        SHA256: 
             - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
-            - 'c948ae14761095e4d76b55d9de86412258be7afd'
-            - 'c996d7971c49252c582171d9380360f2'
             - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
+        SHA1: 
+            - 'c948ae14761095e4d76b55d9de86412258be7afd'
             - '10b30bdee43b3a2ec4aa63375577ade650269d25'
+        MD5: 
+            - 'c996d7971c49252c582171d9380360f2'
             - 'd2fd132ab7bbc6bbb87a84f026fa0244'
-    condition: selection_image or selection_hash
+    condition: 1 of selection*
 falsepositives:
     - Legitimate BIOS driver updates (should be rare)
 level: high

rules/windows/driver_load/driver_load_vuln_hw_driver.yml

@@ -1,7 +1,7 @@
 title: Vulnerable HW Driver Load
 id: 9bacc538-d1b9-4d42-862e-469eafc05a41
 status: experimental
-description: Detects the load of a legitimate signed driver often used by threat actors or malware for privilege escalation
+description: Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation
 author: Florian Roth
 references:
     - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/

rules/windows/driver_load/driver_load_windivert.yml

@@ -4,6 +4,7 @@ status: experimental
 description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 author: Florian Roth
 date: 2021/07/30
+modified: 2022/07/27
 references:
     - https://reqrypt.org/windivert-doc.html
     - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
@@ -20,7 +21,51 @@ detection:
         ImageLoaded|contains: 
             - '\WinDivert.sys'
             - '\WinDivert64.sys'
-    condition: selection
+            # Other used names
+            - '\NordDivert.sys'
+            - '\lingtiwfp.sys'
+            - '\eswfp.sys'
+    selection_sysmon:
+        Hashes|contains:
+            - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
+            - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
+            - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
+            - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
+            - 'IMPHASH=58623490691babe8330adc81cd04a663'
+            - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
+            - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
+            - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
+            - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
+            - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
+            - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
+            - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
+            - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
+            - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
+            - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
+            - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
+            - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
+            - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
+    selection_hashes:
+        IMPHASH:
+            - '0604bb7cb4bb851e2168d5c7d9399087'
+            - '2e5f0e649d97f32b03c09e4686d0574f'
+            - '52f8aa269f69f0edad9e8fcdaedce276'
+            - 'c0e5d314da39dbf65a2dbff409cc2c76'
+            - '58623490691babe8330adc81cd04a663'
+            - '8ee39b48656e4d6b8459d7ba7da7438b'
+            - '45ee545ae77e8d43fc70ede9efcd4c96'
+            - 'a1b2e245acd47e4a348e1a552a02859a'
+            - '2a5f85fe4609461c6339637594fa9b0a'
+            - '6b2c6f95233c2914d1d488ee27531acc'
+            - '9f2fdd3f9ab922bbb0560a7df46f4342'
+            - 'd8a719865c448b1bd2ec241e46ac1c88'
+            - '0ea54f8c9af4a2fe8367fa457f48ed38'
+            - '9d519ae0a0864d6d6ae3f8b6c9c70af6'
+            - 'a74929edfc3289895e3f2885278947ae'
+            - 'a66b476c2d06c370f0a53b5537f2f11e'
+            - 'bdcd836a46bc2415773f6b5ea77a46e4'
+            - 'c28cd6ccd83179e79dac132a553693d9'
+    condition: 1 of selection*
 falsepositives:
     - Legitimate WinDivert driver usage
 level: high