Merge branch 'SigmaHQ:master' into nasbench-rule-devel

rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml

@@ -0,0 +1,28 @@
+title: PST Export Alert Using New-ComplianceSearchAction
+id: 6897cd82-6664-11ed-9022-0242ac120002
+related:
+    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
+      type: similar
+status: experimental
+description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
+author: Nikita Khalimonenkov
+date: 2022/11/17
+tags:
+    - attack.collection
+    - attack.t1114
+logsource:
+    service: threat_management
+    product: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        Payload|contains|all:
+            - 'New-ComplianceSearchAction'
+            - 'Export'
+            - 'pst'
+    condition: selection
+falsepositives:
+    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
+level: medium

rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009  #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/12/02
+modified: 2022/11/17
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -22,7 +22,16 @@ logsource:
 detection:
     selection:
         EventID: 4697
-        ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        # ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
+        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
+        ServiceFileName|contains|all:
+            - 'cmd'
+            - '"set'
+            - '-f'
+        ServiceFileName|contains:
+            - '/c'
+            - '/r'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/10/09
+modified: 2022/11/17
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -22,7 +22,21 @@ logsource:
 detection:
     selection:
         EventID: 4697
-        ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        # ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
+        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
+        ServiceFileName|contains|all:
+            - '&&set'
+            - 'cmd'
+            - '/c'
+            - '-f'
+        ServiceFileName|contains:
+            - '{0}'
+            - '{1}'
+            - '{2}'
+            - '{3}'
+            - '{4}'
+            - '{5}'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009  #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/11/30
+modified: 2022/11/17
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -16,11 +16,24 @@ logsource:
     product: windows
     service: system
 detection:
-    selection:
+    selection_main:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    condition: selection
+        # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
+        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
+        ImagePath|contains|all:
+            - 'cmd'
+            - 'powershell'
+        ImagePath|contains:
+            - '/c'
+            - '/r'
+    selection_other:
+        - ImagePath|contains: 'noexit'
+        - ImagePath|contains|all:
+            - 'input'
+            - '$'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high

rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009  #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/11/30
+modified: 2022/11/17
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -19,7 +19,16 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
+        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
+        ImagePath|contains|all:
+            - 'cmd'
+            - '"set'
+            - '-f'
+        ImagePath|contains:
+            - '/c'
+            - '/r'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2021/11/30
+modified: 2022/11/17
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -19,7 +19,16 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+        # ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+        # Example 1: C:\wiNdOWs\SystEm32\cMD.EXe /c "sET XnK= Invoke-Expression (New-Object Net.WebClient).DownloadString && sET PZVh=ECho ${EXECutIoNcOnTExT}.inVokecommaNd.iNvoKeSCrIPt( ([eNvirOnMEnT]::GETenVIrOnmENtVARIABLe('XNk','pRoceSS'))) ^| poweRSHelL -NoE - && C:\wiNdOWs\SystEm32\cMD.EXe /c%PzVh%"
+        # Example 2: C:\winDowS\SysteM32\Cmd /C "set sHM=Invoke-Expression (New-Object Net.WebClient).DownloadString && SEt gBc=ECHO $eXECutionconTeXt.inVoKECOmmanD.InVoKESCripT( ([ENVirOnment]::geTenVIrONMEnTvaRIAble('shM','PRoCEss')) ) ^| C:\WiNDoWS\SYSwoW64\WindoWSpoWerSHelL\V1.0\pOwersheLl.EXe ^^^&( $PShOME[4]+$psHOMe[30]+'X') ( $InPUt) && C:\winDowS\SysteM32\Cmd /C %gbc%"
+        ImagePath|contains|all:
+            - 'set'
+            - '&&'
+        ImagePath|contains:
+            - 'environment'
+            - 'invoke'
+            - 'input'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/11/30
+modified: 2022/11/17
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -19,7 +19,21 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        # ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
+        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
+        ImagePath|contains|all:
+            - '&&set'
+            - 'cmd'
+            - '/c'
+            - '-f'
+        ImagePath|contains:
+            - '{0}'
+            - '{1}'
+            - '{2}'
+            - '{3}'
+            - '{4}'
+            - '{5}'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml

@@ -16,7 +16,7 @@ logsource:
     definition: Script block logging must be enabled
 detection:
     selection_cmdlet:
-        - ScriptBlockText|contains: Invoke-DNSExfiltrator
+        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
         - ScriptBlockText|contains|all:
             - ' -i '
             - ' -d '

rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml

@@ -16,7 +16,7 @@ logsource:
     definition: Script Block Logging must be enabled
 detection:
     selection:
-        ScriptBlockText|contains: Invoke-Nightmare
+        ScriptBlockText|contains: 'Invoke-Nightmare'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml

@@ -16,6 +16,7 @@ tags:
     - attack.t1059.001
     - attack.defense_evasion
     - attack.t1027
+    - attack.t1620
 logsource:
     category: process_creation
     product: windows

rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml

@@ -7,6 +7,7 @@ references:
     - https://twitter.com/mrd0x/status/1511489821247684615
 author: Florian Roth
 date: 2022/04/06
+modified: 2022/11/18
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -15,15 +16,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\DumpMinitool.exe'
-    selection_original_name:
-        OriginalName: 'DumpMinitool.exe'
-    selection_flags:
+    selection_img:
+        - Image|endswith: '\DumpMinitool.exe'
+        - OriginalFileName: 'DumpMinitool.exe'
+    selection_cli:
         CommandLine|contains|all:
             - ' --processId '
             - ' --dumpType Full'
-    condition: 1 of selection*
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: medium

rules/windows/process_creation/proc_creation_win_susp_msbuild.yml

@@ -0,0 +1,30 @@
+title: Suspicious Msbuild Execution By Uncommon Parent Process
+id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
+status: experimental
+description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
+references:
+    - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
+    - https://www.echotrail.io/insights/search/msbuild.exe
+author: frack113
+date: 2022/11/17
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\MSBuild.exe'
+        - OriginalFileName: 'MSBuild.exe'
+    filter_parent:
+        ParentImage|endswith:
+            - '\devenv.exe'
+            - '\cmd.exe'
+            - '\msbuild.exe'
+            - '\python.exe'
+            - '\explorer.exe'
+            - '\nuget.exe'
+    condition: selection and not filter_parent
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_susp_powercfg.yml

@@ -0,0 +1,34 @@
+title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
+status: experimental
+description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+references:
+    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+    - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
+author: frack113
+date: 2022/11/18
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_power:
+        - Image|endswith: '\powercfg.exe'
+        - OriginalFileName: 'PowerCfg.exe'
+    selection_standby:
+        # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
+        - CommandLine|contains|all:
+            - '/setacvalueindex '
+            - 'SCHEME_CURRENT'
+            - 'SUB_VIDEO'
+            - 'VIDEOCONLOCK'
+        # powercfg -change -standby-timeout-dc 3000
+        # powercfg -change -standby-timeout-ac 3000
+        - CommandLine|contains|all:
+            - '-change '
+            - '-standby-timeout-' 
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

tests/test_rules.py

@@ -871,7 +871,8 @@ class TestRules(unittest.TestCase):
     def test_field_name_typo(self):
         # add "OriginalFilename" after Aurora switched to SourceFilename
         # add "ProviderName" after special case powershell classic is resolved
-        typos = ["ServiceFilename", "TargetFileName", "SourceFileName", "Commandline", "Targetobject"]
+        # typos is a list of tuples where each tuple contains ("The typo", "The correct version")
+        typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
         faulty_rules = []
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             detection = self.get_rule_part(file_path=file, part_name="detection")
@@ -880,8 +881,8 @@ class TestRules(unittest.TestCase):
                     if isinstance(detection[search_identifier], dict):
                         for field in detection[search_identifier]:
                             for typo in typos:
-                                if typo in field:
-                                    print(Fore.RED + "Rule {} has a common typo ({}) in selection ({}/{})".format(file, typo, search_identifier, field))
+                                if typo[0] in field:
+                                    print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field))
                                     faulty_rules.append(file)
 
         self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with common typos in field names.")