Merge branch 'SigmaHQ:master' into patch-1

rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml

@@ -6,7 +6,7 @@ status: experimental
 references:
     - https://twitter.com/SBousseaden/status/1483810148602814466
 date: 2022/01/20
-modified: 2022/10/31
+modified: 2022/11/07
 tags:
     - attack.execution
 logsource:
@@ -79,7 +79,10 @@ detection:
             - 12
         ValidatedPolicy: 1
     filter_gac:
-        FileNameBuffer|endswith: '\stdole.dll'
+        # If other DLLs show up from this process. Filter the path containing this string `\Windows\assembly\GAC\`
+        FileNameBuffer|endswith:
+            - '\stdole.dll'
+            - '\msdatasrc.dll'
         ProcessNameBuffer|endswith: '\mscorsvw.exe'
         ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
         RequestedPolicy: 8

rules/windows/file/file_event/file_event_win_creation_system_file.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
 date: 2020/05/26
-modified: 2022/10/28
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -14,78 +14,78 @@ logsource:
 detection:
     selection:
         TargetFilename|endswith:
-            - '\svchost.exe'
-            - '\rundll32.exe'
-            - '\services.exe'
-            - '\powershell.exe'
-            - '\pwsh.exe'
-            - '\regsvr32.exe'
-            - '\spoolsv.exe'
-            - '\lsass.exe'
-            - '\smss.exe'
-            - '\csrss.exe'
-            - '\conhost.exe'
-            - '\wininit.exe'
-            - '\lsm.exe'
-            - '\winlogon.exe'
-            - '\explorer.exe'
-            - '\taskhost.exe'
-            - '\Taskmgr.exe'
-            - '\sihost.exe'
-            - '\RuntimeBroker.exe'
-            - '\smartscreen.exe'
-            - '\dllhost.exe'
-            - '\audiodg.exe'
-            - '\wlanext.exe'
             - '\AtBroker.exe'
+            - '\audiodg.exe'
+            - '\backgroundTaskHost.exe'
             - '\bcdedit.exe'
             - '\bitsadmin.exe'
+            - '\cmdl32.exe'
+            - '\cmstp.exe'
+            - '\conhost.exe'
+            - '\csrss.exe'
+            - '\dasHost.exe'
+            - '\dfrgui.exe'
+            - '\dllhost.exe'
+            - '\dwm.exe'
+            - '\eventcreate.exe'
+            - '\eventvwr.exe'
+            - '\explorer.exe'
+            - '\extrac32.exe'
+            - '\fontdrvhost.exe'
             - '\ipconfig.exe'
-            - '\LsaIso.exe'
-            - '\LogonUI.exe'
+            - '\iscsicli.exe'
+            - '\iscsicpl.exe'
             - '\logman.exe'
+            - '\LogonUI.exe'
+            - '\LsaIso.exe'
+            - '\lsass.exe'
+            - '\lsm.exe'
+            - '\msiexec.exe'
             - '\msinfo32.exe'
             - '\mstsc.exe'
-            - '\msiexec.exe'
             - '\nbtstat.exe'
-            - '\regini.exe'
-            - '\TiWorker.exe'
-            - '\WmiPrvSE.exe'
-            - '\WUDFHost.exe'
-            - '\taskhostw.exe'
-            - '\dasHost.exe'
-            - '\wslhost.exe'
-            - '\fontdrvhost.exe'
-            - '\dwm.exe'
-            - '\backgroundTaskHost.exe'
-            - '\SystemSettingsBroker.exe'
             - '\odbcconf.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regini.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\RuntimeBroker.exe'
             - '\schtasks.exe'
-            - '\SearchProtocolHost.exe'
-            - '\SearchIndexer.exe'
             - '\SearchFilterHost.exe'
-            - '\SecurityHealthSystray.exe'
+            - '\SearchIndexer.exe'
+            - '\SearchProtocolHost.exe'
             - '\SecurityHealthService.exe'
+            - '\SecurityHealthSystray.exe'
+            - '\services.exe'
             - '\ShellAppRuntime.exe'
+            - '\sihost.exe'
+            - '\smartscreen.exe'
+            - '\smss.exe'
+            - '\spoolsv.exe'
+            - '\svchost.exe'
+            - '\SystemSettingsBroker.exe'
+            - '\taskhost.exe'
+            - '\taskhostw.exe'
+            - '\Taskmgr.exe'
+            - '\TiWorker.exe'
             - '\vssadmin.exe'
             - '\w32tm.exe'
             - '\WerFault.exe'
             - '\WerFaultSecure.exe'
             - '\wermgr.exe'
             - '\wevtutil.exe'
+            - '\wininit.exe'
+            - '\winlogon.exe'
             - '\winrshost.exe'
-            - '\wlrmdr.exe'
             - '\WinRTNetMUAHostServer.exe'
+            - '\wlanext.exe'
+            - '\wlrmdr.exe'
+            - '\WmiPrvSE.exe'
+            - '\wslhost.exe'
             - '\WSReset.exe'
+            - '\WUDFHost.exe'
             - '\WWAHost.exe'
-            - '\iscsicpl.exe'
-            - '\iscsicli.exe'
-            - '\extrac32.exe'
-            - '\eventvwr.exe'
-            - '\eventcreate.exe'
-            - '\dfrgui.exe'
-            - '\cmdl32.exe'
-            - '\cmstp.exe'
     filter1:
         TargetFilename|startswith:
             - 'C:\Windows\System32\'
@@ -95,6 +95,7 @@ detection:
         Image|endswith:
             - '\Windows\System32\dism.exe'
             - '\TiWorker.exe'
+            - '\bcdedit.exe'
     filter2:
         TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
         Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'

rules/windows/file/file_event/file_event_win_susp_double_extension.yml

@@ -3,8 +3,10 @@ id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
 related:
     - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
       type: derived
+    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
+      type: similar
 status: experimental
-description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
+description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
 references:
     - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
     - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
@@ -13,7 +15,7 @@ references:
     - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali, frack113
 date: 2022/06/19
-modified: 2022/07/28
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1036.007
@@ -25,7 +27,7 @@ detection:
         TargetFilename|endswith:
             - '.zip'
             - '.rar'
-            - '.lnk'
+            #- '.lnk'  # legitimate links can happen just anywhere
             - '.iso'
             - '.exe'
         TargetFilename|contains:
@@ -36,15 +38,16 @@ detection:
             - '.ppt.'
             - '.pptx.'
             - '.jpg.'
+            - '.pdf.'
     selection_exe:
         TargetFilename|endswith:
             - '.zip.exe'
             - '.rar.exe'
-    filter:
-        TargetFilename|contains:
-            - '\AppData\Roaming\Microsoft\Office\Recent\'
-            - '\AppData\Roaming\Microsoft\Windows\Recent\'
-    condition: 1 of selection_* and not filter
+    #filter:
+    #    TargetFilename|contains:
+    #        - '\AppData\Roaming\Microsoft\Office\Recent\'
+    #        - '\AppData\Roaming\Microsoft\Windows\Recent\'
+    condition: 1 of selection_*
 falsepositives:
     - Unlikely
 level: high

rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml

@@ -0,0 +1,41 @@
+title: Suspicious LNK Double Extension Files
+id: 3215aa19-f060-4332-86d5-5602511f3ca8
+related:
+    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
+      type: derived
+status: experimental
+description: Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
+references:
+    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
+    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
+    - https://twitter.com/malwrhunterteam/status/1235135745611960321
+    - https://twitter.com/luc4m/status/1073181154126254080
+author: Nasreddine Bencherchali, frack113
+date: 2022/11/07
+tags:
+    - attack.defense_evasion
+    - attack.t1036.007
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '.lnk'
+        TargetFilename|contains:
+            - '.doc.'
+            - '.docx.'
+            - '.xls.'
+            - '.xlsx.'
+            - '.ppt.'
+            - '.pptx.'
+            - '.jpg.'
+            - '.pdf.'
+    filter:
+        TargetFilename|contains:
+            - '\AppData\Roaming\Microsoft\Office\Recent\'
+            - '\AppData\Roaming\Microsoft\Windows\Recent\'
+    condition: selection and not filter
+falsepositives:
+    - Users creating a shortcut on e.g. desktop
+level: medium

rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml

@@ -7,7 +7,7 @@ references:
     - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth
 date: 2021/07/27
-modified: 2022/09/20
+modified: 2022/11/07
 tags:
     - attack.execution
     - attack.t1059
@@ -15,31 +15,31 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection_normal_1:
         CommandLine|contains: '\cmd.exe /C whoami'
         ParentImage|startswith: 'C:\Temp'
-    selection2:
+    selection_normal_2:
         CommandLine|contains:
             - 'cmd.exe /c echo'
             - '> \\\\.\\pipe'
             - '\whoami.exe'
         ParentImage|endswith: '\dllhost.exe'
-    selection3:
+    selection_normal_3:
         Image|endswith: '\cmd.exe'
         ParentImage|endswith: '\runonce.exe'
         ParentCommandLine|endswith: '\runonce.exe'
-    selection_special1:
+    selection_special_conhost:
         CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
         ParentCommandLine|contains:
             - '/C whoami'
             - 'cmd.exe /C echo'
             - ' > \\\\.\\pipe'
-    filter_special1:
-        # Internet Download Manager - Chrome Extension
+    filter_internet_download_manager:
+        # Internet Download Manager - Chrome Extension (Remove this filter if you don't use this extension)
         ParentCommandLine|contains:
             - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
             - 'chrome-extension://'
-    condition: 1 of selection* and (selection_special1 and not filter_special1)
+    condition: 1 of selection_normal_* or (selection_special_conhost and not filter_internet_download_manager)
 falsepositives:
     - Other programs that cause these patterns (please report)
 level: high

rules/windows/process_creation/proc_creation_win_susp_calc.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth
 date: 2019/02/09
-modified: 2022/08/04
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -14,15 +14,16 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        - CommandLine|contains: '\calc.exe '
-        - Image|endswith: '\calc.exe'
-    filter:
+    selection_1:
+        CommandLine|contains: '\calc.exe '
+    selection_2:
+        Image|endswith: '\calc.exe'
+    filter_2:
         Image|startswith:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
             - 'C:\Windows\WinSxS\'
-    condition: selection and not filter
+    condition: selection_1 or ( selection_2 and not filter_2 )
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml

@@ -10,7 +10,7 @@ references:
     - https://twitter.com/mattifestation/status/1326228491302563846
 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
 date: 2019/02/22
-modified: 2021/12/01
+modified: 2022/11/07
 tags:
     - attack.defense_evasion
     - attack.t1140
@@ -22,7 +22,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image|endswith: '\mshta.exe'
         CommandLine|contains:
             - 'vbscript'
@@ -34,8 +34,8 @@ detection:
             - '.doc'
             - '.zip'
             - '.dll'
-            - '.exe'
-    condition: selection1
+            # - '.exe'
+    condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: high

rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml

@@ -8,7 +8,7 @@ references:
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth
 date: 2021/07/17
-modified: 2022/07/14
+modified: 2022/11/07
 tags:
     - attack.execution
     - attack.t1106
@@ -33,7 +33,7 @@ detection:
             - 'C:\Users\Public'
     # Suspicious Execution Locations
     filter3:
-        Image|contains:
+        Image|startswith:
             - 'C:\Windows\System32'
             - 'C:\Windows\SysWOW64'
     # Suspicious extensions
@@ -44,7 +44,7 @@ detection:
         CommandLine|endswith:
             - 'mshta.exe'
             - 'mshta'
-    condition: selection_base and ( selection1 or selection2 ) or ( selection_base and not filter3 ) or ( selection_base and not filter4 )
+    condition: ( selection_base and ( selection1 or selection2 ) ) or ( selection_base and not 1 of filter* )
 falsepositives:
     - Unknown
 level: high