Merge branch 'SigmaHQ:master' into rules-update-31-05-23

2023-06-02 15:50:33 +02:00
parent 0c75470412 04cf7e9ea3
commit b11bd352bb
16 changed files with 470 additions and 1 deletions
@@ -7,7 +7,7 @@ body:
    label: Rule UUID
    placeholder: "f3be1b1d-eb3c-4ab1-b5e5-81e330fa2cd0"
    description: |
-      You can copy the rule id from the `uuid` field in the rule.
+      You can copy the rule id from the `id` field in the rule.
  validations:
    required: true

@@ -0,0 +1,17 @@
+# MOVEit Transfer Critical Vulnerability (May 2023)
+
+## Summary
+
+Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.
+
+You can find more information on the threat in the following articles:
+
+- [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/)
+- [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
+- [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/)
+- [CRITICAL VULNERABILITY IN PROGRESS MOVEIT TRANSFER: TECHNICAL ANALYSIS AND RECOMMENDATIONS - TrustedSec](https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/)
+- [MOVEit Transfer Critical Vulnerability Rapid Response - Huntress](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)
+
+## Rules
+
+- [Potential MOVEit Transfer Exploitation](./file_event_win_exploit_other_moveit_transfer.yml)
@@ -0,0 +1,58 @@
+title: Potential MOVEit Transfer Exploitation
+id: c3b2a774-3152-4989-83c1-7afc48fd1599
+status: experimental
+description: |
+    Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service.
+    Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration.
+references:
+    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
+    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
+    - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
+    - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/01
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_generic:
+        TargetFilename|contains:
+            - '\MOVEit Transfer\wwwroot\'
+            - '\MOVEitTransfer\wwwroot\'
+        TargetFilename|endswith:
+            - '.7z'
+            - '.bat'
+            - '.dll'
+            - '.exe'
+            - '.ps1'
+            - '.rar'
+            - '.vbe'
+            - '.vbs'
+            - '.zip'
+    selection_known_ioc:
+        TargetFilename|endswith:
+            - '\MOVEit Transfer\wwwroot\human2.aspx'
+            - '\MOVEitTransfer\wwwroot\human2.aspx'
+    selection_compiled_asp:
+        CreationUtcTime|startswith:
+            - '2023-05-26 '
+            - '2023-05-27 '
+            - '2023-05-28 '
+            - '2023-05-29 '
+            - '2023-05-30 '
+            - '2023-05-31 '
+            - '2023-06-01 '
+            - '2023-06-02 '
+            - '2023-06-03 '
+        TargetFilename|contains|all:
+            - '\Windows\Microsoft.net\Framework64\v'
+            - '\Temporary ASP.NET Files\'
+            - 'App_Web_'
+        TargetFilename|endswith: '.dll'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,38 @@
+title: Potential Operation Triangulation C2 Beaconing Activity - DNS
+id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
+related:
+    - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
+      type: similar
+status: experimental
+description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
+references:
+    - https://securelist.com/operation-triangulation/109842/
+    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+    - attack.command_and_control
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'addatamarket.net'
+            - 'ans7tv.net'
+            - 'anstv.net'
+            - 'backuprabbit.com'
+            - 'businessvideonews.com'
+            - 'cloudsponcer.com'
+            - 'datamarketplace.net'
+            - 'growthtransport.com'
+            - 'mobilegamerstats.com'
+            - 'snoweeanalytics.com'
+            - 'tagclick-cdn.com'
+            - 'topographyupdates.com'
+            - 'unlimitedteacup.com'
+            - 'virtuallaughing.com'
+            - 'web-trackers.com'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,38 @@
+title: Potential Operation Triangulation C2 Beaconing Activity - Proxy
+id: aa03c712-75c6-438b-8d42-de88f2427e09
+related:
+    - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2
+      type: similar
+status: experimental
+description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
+references:
+    - https://securelist.com/operation-triangulation/109842/
+    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
+author: Florian Roth (Nextron Systems)
+date: 2023/06/01
+tags:
+    - attack.command_and_control
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-host|contains:
+            - 'addatamarket.net'
+            - 'ans7tv.net'
+            - 'anstv.net'
+            - 'backuprabbit.com'
+            - 'businessvideonews.com'
+            - 'cloudsponcer.com'
+            - 'datamarketplace.net'
+            - 'growthtransport.com'
+            - 'mobilegamerstats.com'
+            - 'snoweeanalytics.com'
+            - 'tagclick-cdn.com'
+            - 'topographyupdates.com'
+            - 'unlimitedteacup.com'
+            - 'virtuallaughing.com'
+            - 'web-trackers.com'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,27 @@
+title: Potentially Suspicious Shell Script Creation in Profile Folder
+id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
+status: experimental
+description: Detects the creation of shell scripts under the "profile.d" path.
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.persistence
+logsource:
+    product: linux
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains: '/etc/profile.d/'
+        TargetFilename|endswith:
+            - '.csh'
+            - '.sh'
+    condition: selection
+falsepositives:
+    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+    - Regular file creation during system update or software installation by the package manager
+level: low # Can be increased to a higher level after some tuning
@@ -0,0 +1,27 @@
+title: Wget Creating Files in Tmp Directory
+id: 35a05c60-9012-49b6-a11f-6bab741c9f74
+status: experimental
+description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    product: linux
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '/wget'
+        TargetFilename|startswith:
+            - '/tmp/'
+            - '/var/tmp/'
+    condition: selection
+falsepositives:
+    - Legitimate downloads of files in the tmp folder.
+level: medium
@@ -0,0 +1,25 @@
+title: Crontab Enumeration
+id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
+status: experimental
+description: Detects usage of crontab to list the tasks of the user
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.discovery
+    - attack.t1007
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/crontab'
+        CommandLine|contains: ' -l'
+    condition: selection
+falsepositives:
+    - Legitimate use of crontab
+level: low
@@ -0,0 +1,33 @@
+title: OS Architecture Discovery Via Grep
+id: d27ab432-2199-483f-a297-03633c05bae6
+status: experimental
+description: |
+    Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_process:
+        Image|endswith: '/grep'
+    selection_architecture:
+        CommandLine|endswith:
+            - 'aarch64'
+            - 'arm'
+            - 'i386'
+            - 'i686'
+            - 'mips'
+            - 'x86_64'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: low
@@ -0,0 +1,28 @@
+title: Potential GobRAT File Discovery Via Grep
+id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
+status: experimental
+description: Detects the use of grep to discover specific files created by the GobRAT malware
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/grep'
+        CommandLine|contains:
+            - 'apached'
+            - 'frpc'
+            - 'sshd.sh'
+            - 'zone.arm'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,27 @@
+title: Suspicious Nohup Execution
+id: 457df417-8b9d-4912-85f3-9dbda39c3645
+related:
+    - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
+      type: derived
+status: experimental
+description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.execution
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/nohup'
+        CommandLine|contains: '/tmp/'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,21 @@
+title: Potentially Suspicious Execution From Tmp Folder
+id: 312b42b1-bded-4441-8b58-163a3af58775
+status: experimental
+description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|startswith: '/tmp/'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,31 @@
+title: Shell Execution Of Process Located In Tmp Directory
+id: 2fade0b6-7423-4835-9d4f-335b39b83867
+status: experimental
+description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.execution
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        ParentImage|startswith: '/tmp/'
+        Image|endswith:
+            - '/bash'
+            - '/csh'
+            - '/dash'
+            - '/fish'
+            - '/ksh'
+            - '/sh'
+            - '/zsh'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,35 @@
+title: Execution Of Script Located In Potentially Suspicious Directory
+id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
+status: experimental
+description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.execution
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection_img:
+        Image|endswith:
+            - '/bash'
+            - '/csh'
+            - '/dash'
+            - '/fish'
+            - '/ksh'
+            - '/sh'
+            - '/zsh'
+    selection_flag:
+        CommandLine|contains: ' -c '
+    selection_paths:
+        # Note: Add more suspicious paths
+        CommandLine|contains: '/tmp/'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,29 @@
+title: Download File To Potentially Suspicious Directory Via Wget
+id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
+status: experimental
+description: Detects the use of wget to download content to a suspicious directory
+references:
+    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
+    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
+    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
+    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/06/02
+tags:
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/wget'
+    selection_output:
+        - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
+        - CommandLine|contains: '--output-document'
+    selection_path:
+        CommandLine|contains: '/tmp/'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,35 @@
+title: Potential SmadHook.DLL Sideloading
+id: 24b6cf51-6122-469e-861a-22974e9c1e5b
+status: experimental
+description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
+references:
+    - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
+    - https://www.qurium.org/alerts/targeted-malware-against-crph/
+author: X__Junior (Nextron Systems)
+date: 2023/06/01
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\SmadHook32c.dll'
+            - '\SmadHook64c.dll'
+    filter_main_legit_path:
+        Image:
+            - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
+            - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
+            - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
+            - 'C:\Program Files\SMADAV\SmadavProtect64.exe'
+        ImageLoaded|startswith:
+            - 'C:\Program Files (x86)\SMADAV\'
+            - 'C:\Program Files\SMADAV\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high