Merge branch 'master' of https://github.com/redsand/sigma into hawk

2022-01-31 15:08:37 +00:00
parent 8dae288ff8 d27deada7d
commit b8f399d0ca
20 changed files with 364 additions and 14 deletions
@@ -0,0 +1,23 @@
+title: PwnKit Local Privilege Escalation
+id: 0506a799-698b-43b4-85a1-ac4c84c720e9
+status: experimental
+description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
+author: Sreeman
+date: 2022/01/26
+references: 
+  - https://twitter.com/wdormann/status/1486161836961579020
+logsource: 
+  product: linux
+  service: auth
+detection: 
+  keyword: 
+    - 'pkexec'
+    - 'The value for environment variable XAUTHORITY contains suscipious content'
+    - '[USER=root] [TTY=/dev/pts/0]'
+  condition: all of keyword
+falsepositives: 
+  - Unknown
+level: high
+tags: 
+  - attack.privilege_escalation
+  - attack.t1548.001
@@ -0,0 +1,22 @@
+title: An Application Is Uninstall
+id: 570ae5ec-33dc-427c-b815-db86228ad43e
+status: experimental
+description: An application have been remove check if it is a critical
+author: frack113
+date: 2022/01/28
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Provider_Name: 'MsiInstaller'
+        EventID:
+            - 11724
+            - 1034
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
+tags:
+    - attack.impact
+    - attack.t1489 
@@ -13,7 +13,7 @@ tags:
    - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/11/30
+modified: 2022/01/28
 logsource:
    product: windows
    category: process_access
@@ -25,7 +25,9 @@ detection:
            - '0x1010'
            - '0x410'
    filter:
-        SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+        SourceImage|startswith: 
+            - 'C:\Program Files\WindowsApps\'
+            - 'C:\Windows\System32\'
        SourceImage|endswith: '\GamingServices.exe'
    condition: selection and not filter
 fields:
@@ -0,0 +1,21 @@
+title: Installation of TeamViewer Desktop
+id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
+status: experimental
+description: TeamViewer_Desktop.exe is create during install 
+author: frack113
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+date: 2022/01/28
+logsource:
+  product: windows
+  category: file_event
+detection:
+  selection:
+    TargetFilename|endswith: \TeamViewer_Desktop.exe
+  condition: selection 
+falsepositives:
+  - Unknown
+level: medium
+tags:
+  - attack.command_and_control
+  - attack.t1219
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/01/27
+modified: 2022/01/29
 references:
    - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -22,15 +22,14 @@ detection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains: 
         - '0x1fffff'
-         - '0x01000'
+         #- '0x01000' # Too many false positives
         #- '0x1010'  # Too many false positives
         - '0x1038'
         - '0x40'
         #- '0x1400'  # Too many false positives
-         - '0x1410'  
+         # - '0x1410' # Too many false positives 
         - '0x1438'
         - '0x143a'
-         - '0x1000'
        CallTrace|contains:
         - 'dbghelp.dll'
         - 'dbgcore.dll'
@@ -0,0 +1,37 @@
+title: NirCmd Tool Execution
+id: 4e2ed651-1906-4a59-a78a-18220fca1b22
+status: experimental
+description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
+date: 2022/01/24
+references:
+    - https://www.nirsoft.net/utils/nircmd.html
+    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+    - https://www.nirsoft.net/utils/nircmd2.html#using
+tags:
+    - attack.execution
+    - attack.t1569.002
+    - attack.s0029
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\nircmd.exe'
+            - '\nircmdc.exe'
+    selection_params:
+        CommandLine|contains:
+            - ' execmd '
+            - ' exec2 '
+    selection_commands:
+        CommandLine|contains:
+            - ' copy '
+            - ' del '
+    condition: selection or ( selection_params and selection_commands )
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Legitimate use by administrators
+level: medium
@@ -0,0 +1,27 @@
+title: NirCmd Tool Execution As LOCAL SYSTEM
+id: d9047477-0359-48c9-b8c7-792cedcdc9c4
+status: experimental
+description: Detects the use of NirCmd tool for command execution as SYSTEM user
+author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
+date: 2022/01/24
+references:
+    - https://www.nirsoft.net/utils/nircmd.html
+    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+    - https://www.nirsoft.net/utils/nircmd2.html#using
+tags:
+    - attack.execution
+    - attack.t1569.002
+    - attack.s0029
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: ' runassystem '
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Legitimate use by administrators
+level: high
@@ -0,0 +1,27 @@
+title: NSudo Tool Execution As System
+id: 771d1eb5-9587-4568-95fb-9ec44153a012
+status: experimental
+description: Detects the use of NSudo tool for command execution
+author: Florian Roth
+date: 2022/01/24
+references:
+    - https://nsudo.m2team.org/en-us/
+    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+    - attack.execution
+    - attack.t1569.002
+    - attack.s0029
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\NSudo.exe'
+        CommandLine|contains: ' -U:S '
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Legitimate use by administrators
+level: high
@@ -0,0 +1,28 @@
+title: RunXCmd Tool Execution As System
+id: 93199800-b52a-4dec-b762-75212c196542
+status: experimental
+description: Detects the use of RunXCmd tool for command execution
+author: Florian Roth
+date: 2022/01/24
+references:
+    - https://www.d7xtech.com/free-software/runx/
+    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+    - attack.execution
+    - attack.t1569.002
+    - attack.s0029
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all: 
+            - ' /account=system '
+            - '/exec='
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Legitimate use by administrators
+level: high
@@ -10,6 +10,7 @@ tags:
    - attack.t1218
 references:
    - https://dtm.uk/wuauclt/
+    - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
 logsource:
    category: process_creation
    product: windows
@@ -0,0 +1,22 @@
+title: WMI Uninstall An Application 
+id: b53317a0-8acf-4fd1-8de8-a5401e776b96
+status: experimental
+description: Uninstall an application with wmic
+author: frac113
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
+date: 2022/01/28
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith: \WMIC.exe
+    CommandLine|contains: call uninstall
+  condition: selection
+falsepositives:
+  - Unknown
+level: medium
+tags:
+  - attack.execution
+  - attack.t1047
@@ -7,7 +7,7 @@ references:
  - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
  - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 date: 2017/06/12
-modified: 2022/01/07
+modified: 2022/01/28
 logsource:
  category: process_creation
  product: windows
@@ -40,7 +40,7 @@ detection:
    Image|contains:
      - '\System32\'
      - '\SysNative\'
-      - '\SysWowo64\'
+      - '\SysWow64\'
  selection_mc:
    Image|endswith: '\Mc.exe'
  filter_mc:
@@ -6,6 +6,7 @@ references:
    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
+modified: 2022/01/27
 logsource:
    category: process_creation
    product: windows
@@ -17,6 +18,9 @@ detection:
    filter:
        - CommandLine|contains: '.dll'
        - CommandLine: ''
+    filter_iexplorer:
+        ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
+        CommandLine|contains: '.cpl'
    condition: selection and not 1 of filter*
 fields:
    - Image
@@ -0,0 +1,24 @@
+title: Run Whoami as Privileged User
+id: 79ce34ca-af29-4d0e-b832-fc1b377020db
+status: experimental
+description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://nsudo.m2team.org/en-us/
+author: Florian Roth
+date: 2022/01/28
+tags:
+    - attack.privilege_escalation
+    - attack.discovery
+    - attack.t1033
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        User|contains: 'TrustedInstaller'
+        Image|endswith: '\whoami.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -4,9 +4,9 @@ status: experimental
 description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov
+author: Teymur Kheirkhabarov, Florian Roth
 date: 2019/10/23
-modified: 2021/08/26
+modified: 2022/01/28
 tags:
    - attack.privilege_escalation
    - attack.discovery    
@@ -16,11 +16,11 @@ logsource:
    product: windows
 detection:
    selection:
-        User|startswith: 
-            - 'NT AUTHORITY\SYSTEM'
-            - 'AUTORITE NT\Sys' # French language settings
+        User|contains: 
+            - 'AUTHORI'
+            - 'AUTORI'
        Image|endswith: '\whoami.exe'
    condition: selection
 falsepositives:
-    - Unknown
+    - Possible name overlap with NT AUHTORITY substring to cover all languages
 level: high
@@ -0,0 +1,27 @@
+title: XORDump Use
+id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
+description: Detects suspicious use of XORDump process memory dumping utility
+status: experimental
+references:
+    - https://github.com/audibleblink/xordump
+author: Florian Roth
+date: 2022/01/28
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+    - attack.t1003.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\xordump.exe'
+        - CommandLine|contains:
+            - ' -process lsass.exe '
+            - ' -m comsvcs '
+            - ' -m dbghelp '
+            - ' -m dbgcore '
+    condition: selection
+falsepositives:
+    - Another tool that uses the command line switches of XORdump
+level: high
@@ -0,0 +1,24 @@
+title: Use IE Registry for Persistence
+id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
+description: Use IE registry to hide a scripts
+author: frack113
+date: 2022/01/22
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection_domains:
+        EventType: SetValue
+        TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings
+    filter:
+        Details|startswith: DWORD
+    condition: selection_domains and not filter
+falsepositives:
+    - Unknown
+level: low # as unknow false positives
+tags:
+  - attack.defense_evasion
+  - attack.t1112
@@ -0,0 +1,21 @@
+title: Sysmon Process Hollowing Detection
+id: c4b890e5-8d8c-4496-8c66-c805753817cd
+status: experimental
+description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2022/01/25
+references:
+  - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 
+tags:
+    - attack.process_injection
+    - attack.t1055.012
+logsource:
+    product: windows
+    category: process_tampering
+detection:
+    selection:
+        Type: Image is replaced
+    condition: selection 
+falsepositives:
+    - There are no known false positives at this time
+level: high
@@ -0,0 +1,29 @@
+title: Suspicious Recursif Takeown 
+id: 554601fb-9b71-4bcc-abf4-21a611be4fde
+status: experimental
+description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
+author: frack113
+references:
+  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
+date: 2022/01/30
+logsource:
+  category: process_creation
+  product: windows
+detection:
+    selection:
+        Image|endswith: '\takeown.exe'
+        CommandLine|contains|all:
+            - '/f '
+            - '/r'
+    condition: selection
+fields:
+  - CommandLine
+  - ParentCommandLine
+falsepositives:
+  - Scripts created by developers and admins
+  - Administrative activity
+level: medium
+tags:
+  - attack.defense_evasion
+  - attack.t1222.001
@@ -514,6 +514,9 @@ class LimaCharlieBackend(BaseBackend):
            }
            if op == "matches":
                newOp["re"] = newVal
+            elif op == "exists":
+                # Exists has no value.
+                pass
            else:
                newOp["value"] = newVal
            if self._postOpMapper is not None:
@@ -532,6 +535,9 @@ class LimaCharlieBackend(BaseBackend):
                }
                if op == "matches":
                    newOp["re"] = newVal
+                elif op == "exists":
+                    # Exists has no value.
+                    pass
                else:
                    newOp["value"] = newVal
                if self._postOpMapper is not None:
@@ -588,6 +594,9 @@ class LimaCharlieBackend(BaseBackend):
        if "*" not in val and "?" not in val:
            return ("is", val)

+        if val == "*":
+            return ("exists", None)
+
        # Now we do a small optimization for the shortcut operators
        # available in LC. We try to see if the wildcards are around
        # the main value, but NOT within. If that's the case we can
@@ -701,6 +710,9 @@ class LimaCharlieBackend(BaseBackend):
            }
            if op == "matches":
                newOp["re"] = newVal
+            elif op == "exists":
+                # Exists has no value.
+                pass
            else:
                newOp["value"] = newVal
            mapped.append(newOp)