diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 0c6fe8cf7..6c9a20e2d 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -79,7 +79,7 @@ jobs:
 run: |
 pip install pysigma
 pip install sigma-cli
- pip install pySigma-validators-sigmahq==0.9.*
+ pip install pySigma-validators-sigmahq==0.10.*
 - name: Test Sigma Rule Syntax
 run: |
 sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
index b65cefdc2..571c60200 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -5,7 +5,7 @@ description: Detects a file or folder's permissions being modified or tampered w
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
- - https://github.com/swagkarna/Defeat-Defender-V1.2.0
+ - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019-10-23
 modified: 2023-11-21
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index bdd8cc5b0..3d19e70b7 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -21,7 +21,6 @@ logsource:
 category: registry_set
 detection:
 selection_key:
- EventType: SetValue
 TargetObject|contains: '\Shell\Open\Command'
 selection_value_img:
 Details|contains:
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml b/rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml
index 508e5a303..ccf9bda92 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
 references:
 - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- - https://github.com/c3c/ADExplorerSnapshot.py
+ - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
 - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
 - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
 - https://trustedsec.com/blog/adexplorer-on-engagements
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
index 40ffef90b..bef19981f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
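Review bot: The `selection_key` block drops `EventType: SetValue` but this file's `modified` field is not bumped, while the title-only change to proc_creation_win_virtualbox_execution.yml in the same commit does update `modified`; if the repository treats detection-block edits as modifications, `modified: <date of this change>` belongs here and in the same hunks of registry_set_bginfo_custom_db.yml, registry_set_bginfo_custom_vbscript.yml, registry_set_bginfo_custom_wmi_query.yml, registry_set_persistence_reflectdebugger.yml, registry_set_special_accounts.yml, registry_set_susp_pendingfilerenameoperations.yml and posh_ps_create_volume_shadow_copy.yml. Removing the field is only behaviour-preserving where the `registry_set` logsource category is itself mapped to value-set events; on a pipeline that maps the category to a generic registry event source without an EventType constraint, the selection would also match other registry operations, so a short comment above `selection_key` such as `# EventType: SetValue is implied by the registry_set category` would record the assumption the rule now relies on. The enclosing `detection` block continues past the end of the hunk.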
@@ -3,13 +3,13 @@ id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 status: test
 description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
 references:
- - https://attack.mitre.org/datasources/DS0005/
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
 date: 2022-01-12
 tags:
 - attack.credential-access
 - attack.t1003.003
+ - attack.ds0005
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index e23aa4e98..3186c08a5 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
@@ -5,7 +5,7 @@ description: |
 Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- - https://github.com/swagkarna/Defeat-Defender-V1.2.0
+ - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
 - https://tria.ge/241231-j9yatstqbm/behavioral1
 author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
index 186428be5..962032b5b 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
@@ -8,7 +8,7 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- - https://github.com/c3c/ADExplorerSnapshot.py
+ - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
 - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
 - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
 - https://trustedsec.com/blog/adexplorer-on-engagements
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
index 4223e3d8f..008cb67e8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
@@ -8,7 +8,7 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- - https://github.com/c3c/ADExplorerSnapshot.py
+ - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
 - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
 - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
 - https://trustedsec.com/blog/adexplorer-on-engagements
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
index 66fe2e553..5a7224cff 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
@@ -1,4 +1,4 @@
-title: Detect Virtualbox Driver Installation OR Starting Of VMs
+title: Virtualbox Driver Installation or Starting of VMs
 id: bab049ca-7471-4828-9024-38279a4c04da
 status: test
 description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
@@ -7,7 +7,7 @@ references:
 - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
 author: Janantha Marasinghe
 date: 2020-09-26
-modified: 2022-07-14
+modified: 2025-07-29
 tags:
 - attack.defense-evasion
 - attack.t1564.006
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index fe95cd9b6..5ce4cc41f 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -14,7 +14,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventType: SetValue
 TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index 483a428f9..9c4c1e35b 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -17,7 +17,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventType: SetValue
 TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
 Details|startswith: '4' # WMI
 condition: selection
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index c68567d41..014cd8e34 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
@@ -17,7 +17,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventType: SetValue
 TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
 Details|startswith: '6' # WMI
 condition: selection
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
index ea7048a89..66e150db5 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
@@ -18,7 +18,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventType: 'SetValue'
 TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index 568327cc9..e2cf16462 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -21,7 +21,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventType: 'SetValue'
 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
 Details: 'DWORD (0x00000000)'
 condition: selection
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 77fb05059..58872729d 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -20,7 +20,6 @@ logsource:
 product: windows
 detection:
 selection_main:
- EventType: 'SetValue'
 TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
 selection_susp_paths:
 Image|contains:
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index bbec1f9b5..331ec3d0a 100644
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
@@ -65,3 +65,8 @@ exclusions:
 7dc2dedd-7603-461a-bc13-15803d132355: sigmahq_category_windows_provider_name
 # SigmahqInvalidHashKvIssue
 b69888d4-380c-45ce-9cf9-d9ce46e67821: sigmahq_invalid_hash_kv
+ # SigmahqRedundantFieldIssue
+ 0f06a3a5-6a09-413f-8743-e6cf35561297: sigmahq_redundant_field
+ f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7: sigmahq_redundant_field
+ # InvalidATTACKTagIssue remove after pySigma 1.0.0 release
+ afd12fed-b0ec-45c9-a13d-aa86625dac81: attacktag
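Review bot: The two `sigmahq_redundant_field` exclusions (0f06a3a5-6a09-413f-8743-e6cf35561297 and f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7) carry only the issue-class name, whereas the seven registry_set rules touched by this commit resolve the same issue by removing the field; a comment stating why these two rules keep the flagged field, for example `# SigmahqRedundantFieldIssue - <reason these two rules keep the field>`, would prevent a later cleanup from deleting either the exclusion or the field blindly. The `attacktag` exclusion for afd12fed-b0ec-45c9-a13d-aa86625dac81 presumably switches off the whole ATT&CK-tag validator for that rule rather than only the new `attack.ds0005` check, so a typo in its remaining tags (`attack.credential-access`, `attack.t1003.003`) would pass CI until the exclusion is removed; recording the exact pySigma version or a tracking issue next to "remove after pySigma 1.0.0 release" would make that removal harder to forget. The `exclusions` mapping starts before the hunk.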