Merge branch 'master' into rule-devel

This commit is contained in:
Florian Roth
2022-03-05 12:39:13 +01:00
17 changed files with 123 additions and 36 deletions
@@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
modified: 2022/02/16
modified: 2022/03/04
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -86,6 +86,9 @@ detection:
- '\jre\bin\java.dll'
- '|C:\Windows\SYSTEM32\windows.storage.dll+'
- '\configuration\org.eclipse.osgi\'
filter_openwith:
SourceImage: 'C:\Windows\system32\OpenWith.exe'
TargetImage: 'C:\Windows\Explorer.EXE'
condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*
fields:
- ComputerName
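Review bot: The new `filter_openwith` block exempts every OpenWith.exe → Explorer.EXE access regardless of CallTrace, and unlike `filter_hotpotatoes` elsewhere in this commit it carries no comment saying which benign activity it covers. A one-line note such as `filter_openwith: # FP: <describe the observed benign OpenWith.exe access>` would let the next maintainer judge whether the exemption is still needed. If a stable CallTrace pattern was seen for the benign case, adding it to the filter would keep the exclusion narrower than the bare process pair. The enclosing detection block starts before this hunk.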
@@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim S
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
date: 2020/10/15
modified: 2021/12/06
modified: 2022/03/04
logsource:
category: process_creation
product: windows
@@ -26,13 +26,15 @@ detection:
selection5:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*`.*`.*`.*`.*`.*'
filter:
ParentImage:
- C:\Program Files\Amazon\SSM\ssm-document-worker.exe
condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter
filter_amazonSSM:
ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
filter_windef_atp:
CommandLine|contains: 'new EventSource("Microsoft.Windows.Sense.Client.Management"'
condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter_amazonSSM and not (selection3 and filter_windef_atp)
falsepositives:
- Unlikely
- Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result)
- Windows Defender ATP
level: high
tags:
- attack.defense_evasion
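Review bot: `filter_amazonSSM` on the `ParentImage` line exempts all five selections for any PowerShell launched by ssm-document-worker.exe, while the other new filter, `filter_windef_atp`, is correctly scoped to `selection3` only. Since SSM documents run operator-supplied PowerShell, consider scoping this filter the same way to whichever selection the example on the falsepositives line actually matched (the selection definitions are outside the hunk), e.g. `not (selectionN and filter_amazonSSM)`. The path on that line is also the only unquoted value in the block; `ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'` matches the quoting style of the rest of the file.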
@@ -8,7 +8,7 @@ references:
- https://www.joesandbox.com/analysis/476188/1/iochtml
author: '@neonprimetime, Florian Roth'
date: 2021/09/08
modified: 2021/09/09
modified: 2022/03/03
logsource:
category: process_creation
product: windows
@@ -20,7 +20,9 @@ detection:
- '\powerpnt.exe'
- '\excel.exe'
filter:
CommandLine|endswith: '\control.exe input.dll'
CommandLine|endswith:
- '\control.exe input.dll'
- '\control.exe" input.dll'
condition: selection and not filter
falsepositives:
- Unknown
@@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from MSSQL process, this might be si
status: experimental
author: FPT.EagleEye Team, wagga
date: 2020/12/11
modified: 2021/06/27
modified: 2022/03/03
tags:
- attack.t1505.003
- attack.t1190
@@ -23,5 +23,10 @@ detection:
- '\bash.exe'
- '\powershell.exe'
- '\bitsadmin.exe'
filter_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection
level: critical
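Review bot: `filter_datev` is defined but never referenced — the last hunk line is still `condition: selection`, so the five added lines have no effect and the DATEV case this hunk is meant to exempt still fires at level critical. Change it to `condition: selection and not 1 of filter_*`, the form the other rules in this commit use. The filter itself is suitably narrow, combining the parent path prefix and suffix, the exact cmd.exe image and the command-line prefix, so once wired in it should not widen the exclusion.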
@@ -4,7 +4,7 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
author: Florian Roth
date: 2021/07/24
modified: 2021/07/26
modified: 2022/03/03
references:
- https://attack.mitre.org/techniques/T1557/001/
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
@@ -41,7 +41,15 @@ detection:
- 'cme smb '
- ' /ntlm:NTLMhash '
- 'Invoke-PetitPotam'
condition: selection_pe or selection_script
filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
Image|contains:
- 'HotPotatoes6'
- 'HotPotatoes 6'
- 'HotPotatoes7'
- 'HotPotatoes 7'
- 'HotPotatoes Help'
- 'HotPotatoes Tutorial'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Legitimate files with these rare hacktool names
level: critical
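Review bot: `filter_hotpotatoes` keys on `Image|contains` with bare product-name fragments, so any executable whose path merely contains `HotPotatoes6`, `HotPotatoes 7` and so on is exempted from a critical-level hacktool rule, not only the referenced goodware. Pairing the list with a location constraint, e.g. `Image|startswith: '<HotPotatoes install directory — confirm from the referenced site>'`, or matching the actual binary names with `Image|endswith`, keeps the exemption tight. The inline comment naming the goodware source is good practice and worth repeating in the other filters added by this commit.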
@@ -0,0 +1,26 @@
title: Gamaredon UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: experimental
author: Bhabesh Raj
date: 2022/03/04
description: Gamaredon is known to use UltraVNC via command line for gaining remote access.
references:
- https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
tags:
- attack.lateral_movement
- attack.g0047
- attack.t1021.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
condition: selection
falsepositives:
- Unknown
level: high
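Review bot: `falsepositives: Unknown` understates the exposure: the selection keys solely on three UltraVNC command-line switches with no Image, parent or path constraint, so any legitimate UltraVNC client started with `-autoreconnect -connect -id:` (these look like the repeater/ID connection options — verify against the UltraVNC documentation) matches at level high. Documenting this, e.g. `- Legitimate UltraVNC usage with the repeater/ID connection switches`, tells analysts what to expect. If the referenced reports give a characteristic image name, launch directory or parent for the Gamaredon usage, adding it to the selection would separate the campaign from ordinary remote-support use.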
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/05
logsource:
category: registry_event
product: windows
@@ -44,13 +44,22 @@ detection:
- '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
- '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
- Details:
- '{314111c7-a502-11d2-bbca-00c04f8ec294}'
- '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
- '{42089D2D-912D-4018-9087-2B87803E93FB}'
- '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
- '{807583E5-5146-11D5-A672-00B0D022E945}'
- '{314111c7-a502-11d2-bbca-00c04f8ec294}'
- '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
- '{42089D2D-912D-4018-9087-2B87803E93FB}'
- '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
- '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_chrome:
TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\'
filter_image:
Image:
- 'C:\Windows\System32\poqexec.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
condition: main_selection and not 1 of filter_*
fields:
- SecurityID
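Review bot: `filter_chrome` exempts writes to the Chrome Active Setup component key by any process, because it constrains only `TargetObject`. The neighbouring `filter_image` and `filter_office` blocks all pin the writing `Image`; pairing the GUID with the expected writer (presumably the Chrome installer/updater — confirm from the observed events) keeps the exemption from covering arbitrary tools touching that key. `filter_image` likewise exempts `poqexec.exe` for every monitored key, and a short comment on why, in the style of `filter_hotpotatoes: # known goodware` elsewhere in this commit, would help future tuning. The enclosing detection block and `main_selection` start before this hunk.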
@@ -94,6 +94,8 @@ detection:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_defender:
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
condition: current_version_base and current_version and not 1 of filter_*
fields:
- SecurityID
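Review bot: `filter_defender` pins `MsMpEng.exe` to the exact path `C:\Program Files\Windows Defender\MsMpEng.exe`, whereas another rule in this same commit lists `C:\ProgramData\Microsoft\Windows Defender\Platform\` as a second Defender location, so events from that install location will still fire here. Mirroring that form — `Image|startswith:` with both prefixes plus `Image|endswith: '\MsMpEng.exe'` — makes the two exclusions consistent. The enclosing detection block, including `current_version_base` and `current_version`, starts before this hunk.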
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2022/02/16
modified: 2022/03/05
logsource:
category: registry_event
product: windows
@@ -61,6 +61,11 @@ detection:
- '"C:\ProgramData\Package Cache\{7037b699-7382-448c-89a7-4765961d2537}\windowsdesktop-runtime-'
- '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-'
Details|endswith: '.exe" /burn.runonce'
filter_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
condition: wow_current_version_base and wow_current_version and not 1 of filter_*
fields:
- SecurityID
@@ -6,7 +6,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
author: Tobias Michalski
date: 2021/06/10
modified: 2022/01/13
modified: 2022/03/05
tags:
- attack.persistence
- attack.t1112
@@ -24,7 +24,12 @@ detection:
Details: DWORD (0x00000001)
selectionUserDefined:
TargetObject|endswith: UserDefinedUrl
condition: selection1 and (selectionStamp or selectionUserDefined)
filter_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_*
fields:
- Details
falsepositives:
@@ -7,7 +7,7 @@ references:
- https://attack.mitre.org/techniques/T1546/015/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2022/02/25
modified: 2022/03/05
tags:
- attack.persistence
- attack.t1546.015
@@ -46,9 +46,10 @@ detection:
- C:\WINDOWS\system32\wuauclt.exe
- C:\WINDOWS\system32\svchost.exe
filter_defender:
Image|contains|all:
Image|contains|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- '\MsMpEng.exe'
- 'C:\Program Files\Windows Defender\'
Image|contains|endswith: '\MsMpEng.exe'
filter_nvidia:
Details|contains:
- '\FileRepository\nvmdi.inf'
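Review bot: The modifier chains `Image|contains|startswith` and `Image|contains|endswith` on the `filter_defender` lines keep the `contains` wrapper, and in the sigmac modifier semantics I am aware of (confirm with the toolchain in use) that surrounds the value with wildcards before `startswith`/`endswith` append theirs, so the anchoring is effectively lost and the filter behaves like a plain substring match. The `filter_office` blocks added elsewhere in this commit use the intended form; change the two lines to `Image|startswith:` and `Image|endswith: '\MsMpEng.exe'`. The leftover `contains` looks like a remnant of the removed `contains|all` line. `filter_defender` is fully inside the hunk; `filter_nvidia` continues past it.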
@@ -10,7 +10,7 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
date: 2020/05/02
modified: 2022/03/03
modified: 2022/03/05
logsource:
product: windows
category: registry_event
@@ -21,8 +21,15 @@ detection:
filter_svchost:
Image: 'C:\Windows\system32\svchost.exe'
filter_office:
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_integrator:
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_dropbox:
Image|endswith: '\Dropbox.exe'
TargetObject|startswith: 'HKCR\Dropbox.'
condition: selection and not 1 of filter_*
falsepositives:
- unknown
@@ -3,7 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
status: experimental
date: 2021/03/05
modified: 2022/02/09
modified: 2022/03/04
author: Florian Roth
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
@@ -31,10 +31,13 @@ detection:
Details|contains:
- '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
- '<\Microsoft.mshtml,fileVersion='
- 'FL_Microsoft_mshtml_dll_____X86.'
- 'Microsoft_mshtml_dll_1_____X86.'
- '<\Microsoft.mshtml,culture='
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.t1547.001
- attack.t1547.001
+2
@@ -72,6 +72,8 @@ optional:
level:
type: //any
of:
- type: //str
value: informational
- type: //str
value: low
- type: //str
+11 -4
@@ -27,6 +27,16 @@ if [[ "${OS}" != "Linux" && "${OS}" != "Darwin" ]]; then
exit 1
fi
SCRIPT="$(realpath $0)"
TOOLS="${SCRIPT%/*}"
SIGMA="${TOOLS%/*}"
if [[ -n "$1" && -d "$1" && -r "$1" ]]; then
RULES="$1"
else
RULES="${SIGMA}"/rules
fi
TMP=$(mktemp -d)
if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then
>2& echo "Error: Created temporary directory ${TMP} is not writable."
@@ -34,15 +44,12 @@ if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then
exit 1
fi
SCRIPT="$(realpath $0)"
TOOLS="${SCRIPT%/*}"
SIGMA="${TOOLS%/*}"
cd "${TMP}"
echo
echo "Copy rules from ${SIGMA} to ${TMP}"
cp -r "${SIGMA}"/rules/windows .
cp -r "${RULES}"/windows .
echo
echo "Download evtx-sigma-checker"
if [[ "${OS}" == "Linux" ]]; then
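Review bot: `SCRIPT="$(realpath $0)"`, moved into the first hunk, leaves `$0` unquoted, so a checkout path containing spaces breaks the derived `TOOLS`, `SIGMA` and `RULES` values; write `SCRIPT="$(realpath "$0")"`. In the second hunk `cp -r "${RULES}"/windows .` is not checked and no `set -e` is visible, so a user-supplied rules directory without a `windows` subfolder is reported only by cp and the script carries on; a guard such as `[[ -d "${RULES}/windows" ]] || { echo "Error: no windows rules under ${RULES}" >&2; exit 1; }` after the RULES selection fails early. The context line `>2& echo "Error: ..."` redirects stdout to a file named `2` and backgrounds the echo instead of writing to stderr; it should read `echo "Error: Created temporary directory ${TMP} is not writable." >&2` — pre-existing, but this hunk is the natural place to fix it.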
+3 -3
@@ -111,7 +111,7 @@ logsources:
product: windows
service: codeintegrity-operational
conditions:
source: 'Microsoft-Windows-CodeIntegrity/Operational'
source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -126,11 +126,11 @@ logsources:
product: windows
service: firewall-as
conditions:
source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
windows-bits-client:
product: windows
service: bits-client
conditions:
source: 'Microsoft-Windows-Bits-Client/Operational'
source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
fieldmappings:
EventID: EventCode
+2 -2
@@ -119,7 +119,7 @@ logsources:
product: windows
service: bits-client
conditions:
winlog.channel: 'WinEventlog:Microsoft-Windows-Bits-Client/Operational'
winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -572,4 +572,4 @@ fieldmappings:
ApplicationPath: winlog.event_data.ApplicationPath
ModifyingApplication: winlog.event_data.ModifyingApplication
Action: winlog.event_data.Action