Merge branch 'SigmaHQ:master' into master

rules/cloud/aws/aws_pass_role_to_lambda_function.yml

@@ -0,0 +1,28 @@
+title: AWS Passed Role to Lambda Function
+id: d914951b-52c8-485f-875e-86abab710c0b
+description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/10/03
+references:
+    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+logsource:
+    service: cloudtrail
+detection:
+    selection1:
+        eventSource: iam.amazonaws.com
+        eventName: PassRole
+    selection2:
+        eventSource: lambda.amazonaws.com
+        eventName: CreateFunction
+    selection3:
+        eventSource: lambda.amazonaws.com
+        eventName: InvokeFunction
+    condition: selection1 and selection2 and selection3
+level: low
+tags:
+    - attack.privilege_escalation
+    - attack.t1078
+falsepositives:
+ - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - If known behavior is causing false positives, it can be exempted from the rule.

rules/cloud/aws/passed_role_to_glue_development_endpoint.yml

@@ -0,0 +1,25 @@
+title: AWS Passed Role to Glue Development Endpoint
+id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
+description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/10/03
+references:
+    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+    - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
+logsource:
+    service: cloudtrail
+detection:
+    selection1:
+        eventSource: lambda.amazonaws.com
+        eventName: PassRole
+    selection2:
+        eventSource: glue.amazonaws.com
+        eventName: CreateDevEndpoint
+    condition: selection1 and selection2
+level: low
+tags:
+    - attack.privilege_escalation
+falsepositives:
+ - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - If known behavior is causing false positives, it can be exempted from the rule.

rules/linux/auditd/lnx_auditd_coinminer.yml

@@ -0,0 +1,33 @@
+title: Possible Coin Miner CPU Priority Param
+id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
+status: experimental
+description: Detects command line parameter very often used with coin miners
+author: Florian Roth
+date: 2021/10/09
+references:
+    - https://xmrig.com/docs/miner/command-line-options
+tags:
+    - attack.privilege_escalation
+    - attack.t1068
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmd1:
+        a1|startswith: '--cpu-priority'
+    cmd2:
+        a2|startswith: '--cpu-priority'
+    cmd3:
+        a3|startswith: '--cpu-priority'
+    cmd4:
+        a4|startswith: '--cpu-priority'
+    cmd5:
+        a5|startswith: '--cpu-priority'
+    cmd6:
+        a6|startswith: '--cpu-priority'
+    cmd7:
+        a7|startswith: '--cpu-priority'
+    condition: 1 of them
+falsepositives:
+    - Other tools that use a --cpu-priority flag
+level: critical

rules/web/web_cve_2021_41773_apache_path_traversal.yml

@@ -4,17 +4,25 @@ status: experimental
 description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
 author: daffainfo, Florian Roth
 date: 2021/10/05
+modified: 2021/10/06
 references:
     - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
     - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
     - https://twitter.com/ptswarm/status/1445376079548624899
     - https://twitter.com/h4x0r_dz/status/1445401960371429381
     - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml
+    - https://twitter.com/bl4sty/status/1445462677824761878
 logsource:
   category: webserver
 detection:
     selection:
-        c-uri|contains: '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e'
+        c-uri|contains: 
+            - '/cgi-bin/.%2e/'
+            - '/icons/.%2e/'
+            - '/cgi-bin/.%%32%65/'
+            - '/icons/.%%32%65/'
+            - '/cgi-bin/.%%%25%33'
+            - '/icons/.%%%25%33'
     selection_success:
         sc-status: 
             - 200
@@ -25,4 +33,4 @@ false_positives:
 tags:
     - attack.initial_access
     - attack.t1190
-level: critical
+level: high

rules/web/web_iis_tilt_shortname_scan.yml

@@ -0,0 +1,30 @@
+title: Successful IIS Shortname Fuzzing Scan
+id: 7cb02516-6d95-4ffc-8eee-162075e111ac
+status: experimental
+author: frack113
+description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
+references:
+    - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml
+    - https://www.exploit-db.com/exploits/19525
+    - https://github.com/lijiejie/IIS_shortname_Scanner
+date: 2021/10/06
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri|contains: '~1'
+        c-uri|endswith: 'a.aspx'
+        cs-method:
+            - GET
+            - OPTIONS
+        #only succes
+        sc-status:
+            - 200
+            - 301
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/builtin/win_event_log_cleared.yml

@@ -5,6 +5,7 @@ description: Checks for event id 1102 which indicates the security event log was
 references: 
   - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 date: 2021/08/15
+modified: 2021/10/08
 author: Saw Winn Naung
 level: medium
 logsource:                     
@@ -16,6 +17,7 @@ tags:
 detection:
     selection:
         EventID: 1102
+        Source: Microsoft-Windows-Eventlog
     condition: selection
 fields:
     - SubjectLogonId

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -9,7 +9,7 @@ references:
     - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 date: 2017/01/10
-modified: 2021/09/21
+modified: 2021/10/08
 tags:
     - attack.defense_evasion
     - attack.t1070           # an old one
@@ -23,8 +23,9 @@ detection:
         EventID:
             - 517
             - 1102
+        Source: Microsoft-Windows-Eventlog
     condition: selection
 falsepositives:
     - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
     - System provisioning (system reset before the golden image creation)
-level: high
+level: high

rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml

@@ -0,0 +1,33 @@
+title: ADFS Database Named Pipe Connection
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
+status: experimental
+date: 2021/10/08
+modified: 2021/10/08
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+    - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+    - https://o365blog.com/post/adfs/
+    - https://github.com/Azure/SimuLand
+tags:
+    - attack.collection
+    - attack.t1005
+logsource:
+    product: windows
+    service: pipe_connected
+detection:
+    selection:
+        PipeName: '\MICROSOFT##WID\tsql\query'
+    filter:
+        Image|endswith:
+            - 'Microsoft.IdentityServer.ServiceHost.exe'
+            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+            - 'AzureADConnect.exe'
+            - 'Microsoft.Tri.Sensor.exe'
+            - 'wsmprovhost.exe'
+            - 'mmc.exe'
+            - 'sqlservr.exe'
+    condition: selection and not filter
+falsepositives:
+    - Processes in the filter condition
+level: critical

rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml

@@ -0,0 +1,40 @@
+title: VMToolsd Suspicious Child Process
+id: 5687f942-867b-4578-ade7-1e341c46e99a
+status: experimental
+description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1059
+author: behops, Bhabesh Raj
+date: 2021/10/08
+modified: 2021/10/10
+references:
+    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - Details
+falsepositives:
+    - Legitimate use by adminstrator
+level: high
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\vmtoolsd.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\rundll32.exe'
+            - '\regsvr32.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+    filter:
+        CommandLine|contains:
+            - '\VMware\VMware Tools\poweron-vm-default.bat'
+            - '\VMware\VMware Tools\poweroff-vm-default.bat'
+            - '\VMware\VMware Tools\resume-vm-default.bat'
+            - '\VMware\VMware Tools\suspend-vm-default.bat'
+    condition: selection and not filter

rules/windows/process_creation/win_susp_regsvr32_no_dll.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line
 author: Florian Roth
 date: 2019/07/17
-modified: 2021/07/20
+modified: 2021/10/07
 references:
     - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 tags:
@@ -15,7 +15,7 @@ logsource:
     product: windows
 detection:
     selection:
-        ParentImage|endswith: '\regsvr32.exe'
+        Image|endswith: '\regsvr32.exe'
     filter:
         CommandLine|contains: 
             - '.dll'