Merge pull request #1791 from SigmaHQ/rule-devel

More rules - including the ones for ProxyShell

rules/web/web_exchange_proxyshell.yml

@@ -0,0 +1,31 @@
+title: Exchange ProxyShell Pattern
+id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
+status: experimental
+description: Detects URP patterns that could be found in ProxyShell exloitation attempts against Exchange servers
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2231
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+author: Florian Roth
+date: 2020/08/07
+tags:
+    - attack.initial_access
+logsource:
+    category: webserver
+detection:
+    selection1:
+        c-uri|contains|all:
+            - '/autodiscover/autodiscover.json?'
+            - '/powershell'
+    selection2:
+        c-uri|contains: 
+            # since we don't know how it will appear in the log files, we'll just use all versions
+            - 'autodiscover.json?@'
+            - 'autodiscover.json%3f@'
+            - '%3f@foo.com'
+            - 'Email=autodiscover/autodiscover.json'
+            - 'json?@foo.com'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_cobaltstrike_service_installs.yml

@@ -4,8 +4,9 @@ description: Detects known malicious service installs that appear in cases in wh
 author: Florian Roth, Wojciech Lesicki
 references:
     - https://www.sans.org/webcasts/119395
+    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 date: 2021/05/26
-modified: 2021/06/03
+modified: 2021/07/31
 tags:
     - attack.execution
     - attack.privilege_escalation
@@ -17,18 +18,24 @@ logsource:
     product: windows
     service: system
 detection:
-    selection1:
+    selection_id:
         EventID: 7045
-    selection2:
+    selection1:
         ServiceFileName|contains|all: 
             - 'ADMIN$'
             - '.exe'
-    selection3:
+    selection2:
         ServiceFileName|contains|all: 
             - '%COMSPEC%'
             - 'start'
             - 'powershell'
-    condition: selection1 and (selection2 or selection3)
+    selection3:
+        ServiceFileName|contains:
+            - 'powershell -nop -w hidden -encodedcommand'
+    selection4:
+        ServiceFileName|base64offset|contains:
+            - "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
+    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
 falsepositives:
     - Unknown
 level: critical

rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml

@@ -21,9 +21,6 @@ detection:
             - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
             - '10b30bdee43b3a2ec4aa63375577ade650269d25'
             - 'd2fd132ab7bbc6bbb87a84f026fa0244'
-            
-            
-            
     condition: selection_image or selection_hash
 falsepositives:
     - legitimate BIOS driver updates (should be rare)

rules/windows/driver_load/sysmon_windivert_driver_load.yml

@@ -0,0 +1,26 @@
+title: WinDivert Driver Load
+id: 679085d5-f427-4484-9f58-1dc30a7c426d
+status: experimental
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
+author: Florian Roth
+date: 2021/07/30
+references:
+    - https://reqrypt.org/windivert-doc.html
+    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+tags:
+    - attack.collection
+    - attack.defense_evasion
+    - attack.t1599.001
+    - attack.t1557.001
+logsource:
+    category: driver_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|contains: 
+            - '\WinDivert.sys'
+            - '\WinDivert64.sys'
+    condition: selection
+falsepositives:
+    - legitimate WinDivert driver usage
+level: high

rules/windows/process_creation/process_mailboxexport_share.yml

@@ -0,0 +1,26 @@
+title: Suspicious PowerShell Mailbox Export to Share
+id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+status: experimental
+description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2481
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+author: Florian Roth
+date: 2021/08/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'New-MailboxExport'
+            - ' -Mailbox '
+            - ' -FilePath \\127.0.0.1\C$'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
+fields:
+    - CommandLine
+    - ParentCommandLine

rules/windows/process_creation/win_hack_adcspwn.yml

@@ -0,0 +1,22 @@
+title: ADCSPwn Hack Tool
+id: cd8c163e-a19b-402e-bdd5-419ff5859f12
+description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
+author: Florian Roth
+references:
+    - https://github.com/bats3c/ADCSPwn
+date: 2021/07/31
+tags:
+    - attack.credential_access
+    - attack.t1557.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - ' --adcs '
+            - ' --port '
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical