Merge branch 'SigmaHQ:master' into new-rules-13-07-23

2023-07-20 13:51:48 +02:00
parent 73f44e61d1 9acc4e1823
commit f7acf07882
19 changed files with 470 additions and 4 deletions
@@ -120,6 +120,9 @@ E.g.
 * Tell us about false positives (issues section)
 * Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule

+In order to enhance or fix some issues with a specific PR we might ask the author for some additional input.
+In such cases, the PR will be tagged with "Author Input Required". If the author of the PR does not respond in a timely manner the PR will automatically be closed after 1 month of inactivity.
+
 ## Work on open issues

 The github issue tracker is a good place to start tackling some issues others raised to the project. It could be as easy as a review of the documentation.
@@ -0,0 +1,26 @@
+title: Potential CVE-2023-36884 Exploitation Dropped File
+id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
+status: experimental
+description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+    - https://twitter.com/wdormann/status/1679184475677130755
+    - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - cve.2023.36884
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|startswith: 'C:\Users\'
+        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
+        TargetFilename|endswith: '\file001.url'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,22 @@
+title: Potential CVE-2023-36884 Exploitation Pattern
+id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
+status: experimental
+description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+    - attack.command_and_control
+    - cve.2023.36884
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-method: 'GET'
+        c-uri|contains: '/MSHTML_C7/'
+        c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
@@ -0,0 +1,24 @@
+title: Potential CVE-2303-36884 URL Request Pattern Traffic
+id: d9365e39-febd-4a4b-8441-3ca91bb9d333
+status: experimental
+description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+    - attack.command_and_control
+    - cve.2023.36884
+logsource:
+    category: proxy
+detection:
+    # Examples:
+    #   hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
+    #   104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
+    selection:
+        cs-method: 'GET'
+        c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,32 @@
+title: Potential CVE-2023-36884 Exploitation - File Downloads
+id: 6af1617f-c179-47e3-bd66-b28034a1052d
+status: experimental
+description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+    - attack.command_and_control
+    - cve.2023.36884
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-method: 'GET'
+        c-uri|contains:
+            - '/ex001.url'
+            - '/file001.search-ms'
+            - '/file001.url'
+            - '/file001.vbs'
+            - '/file1.mht'
+            - '/o2010.asp'
+            - '/redir_obj.html'
+            - '/RFile.asp'
+            - '/zip_k.asp'
+            - '/zip_k2.asp'
+            - '/zip_k3.asp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,21 @@
+title: Potential CVE-2023-36884 Exploitation - URL Marker
+id: e59f71ff-c042-4f7a-8a82-8f53beea817e
+status: experimental
+description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior
+date: 2023/07/12
+tags:
+    - attack.command_and_control
+    - cve.2023.36884
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-method: 'GET'
+        c-uri|contains: '/MSHTML_C7/'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,28 @@
+title: Potential CVE-2023-36884 Exploitation - Share Access
+id: 3df95076-9e78-4e63-accb-16699c3b74f8
+status: experimental
+description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+    - attack.command_and_control
+    - cve.2023.36884
+logsource:
+    product: windows
+    service: security
+    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+detection:
+    selection_eid:
+        EventID: 5140
+    selection_share_name:
+        ShareName|contains: '\MSHTML_C7\'
+        ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    selection_share_path:
+        ShareLocalPath|contains: '\MSHTML_C7\'
+        ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+    condition: selection_eid and 1 of selection_share_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,31 @@
+title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
+id: ea207a23-b441-4a17-9f76-ad5be47d51d3
+status: experimental
+description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
+    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
+author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+date: 2023/07/13
+tags:
+    - detection.threat_hunting
+    - attack.discovery
+    - attack.t1518.001
+    - attack.t1016
+logsource:
+    product: windows
+    category: ps_module
+    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
+detection:
+    selection_payload:
+        Payload|contains:
+            - 'Get-NetFirewallRule'
+            - 'Show-NetFirewallRule'
+    selection_contextinfo:
+        ContextInfo|contains:
+            - 'Get-NetFirewallRule'
+            - 'Show-NetFirewallRule'
+    condition: 1 of selection_*
+falsepositives:
+    - Administration scripts
+level: low
@@ -0,0 +1,23 @@
+title: Windows Mail App Mailbox Access Via PowerShell Script
+id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
+status: experimental
+description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
+author: frack113
+date: 2023/07/08
+tags:
+    - attack.defense_evasion
+    - attack.t1070.008
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains: '\Comms\Unistore\data'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,28 @@
+title: Potential Registry Reconnaissance Via PowerShell Script
+id: 064060aa-09fb-4636-817f-020a32aa7e9e
+related:
+    - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
+      type: similar
+status: experimental
+description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
+author: frack113
+date: 2023/07/02
+tags:
+    - attack.discovery
+    - attack.t1012
+    - attack.t1007
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        # TODO: switch to |re|i: after sigma specification v2 is released
+        ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
+    condition: selection
+falsepositives:
+    - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
+level: medium
@@ -0,0 +1,27 @@
+title: AWS IAM S3Browser LoginProfile Creation
+id: db014773-b1d3-46bd-ba26-133337c0ffee
+status: experimental
+description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
+references:
+    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: daniel.bohannon@permiso.io (@danielhbohannon)
+date: 2023/05/17
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1059.009
+    - attack.t1078.004
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'iam.amazonaws.com'
+        eventName:
+            - 'GetLoginProfile'
+            - 'CreateLoginProfile'
+        userAgent|contains: 'S3 Browser'
+    condition: selection
+falsepositives:
+    - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
+level: high
@@ -23,7 +23,7 @@ detection:
    selection:
        c-useragent:
        # RATs
-            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
+            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
@@ -0,0 +1,33 @@
+title: Suspicious Office Outbound Connections
+id: 3b5ba899-9842-4bc2-acc2-12308498bf42
+status: experimental
+description: Detects office suit applications communicating to target systems on uncommon ports
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+logsource:
+   category: network_connection
+   product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\excel.exe'
+            - '\outlook.exe'
+            - '\powerpnt.exe'
+            - '\winword.exe'
+            - '\wordpad.exe'
+            - '\wordview.exe'
+    filter_main_ports:
+        DestinationPort:
+            - 139
+            - 443
+            - 445
+            - 80
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Other ports can be used, apply additional filters accordingly
+level: medium
@@ -0,0 +1,32 @@
+title: PowerShell Script Change Permission Via Set-Acl - PsScript
+id: cae80281-ef23-44c5-873b-fd48d2666f49
+related:
+    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+      type: derived
+    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+      type: derived
+    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+      type: derived
+status: experimental
+description: Detects PowerShell scripts set ACL to of a file or a folder
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
+tags:
+    - attack.defense_evasion
+    - attack.t1222
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Set-Acl '
+            - '-AclObject '
+            - '-Path '
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
@@ -0,0 +1,49 @@
+title: PowerShell Set-Acl On Windows Folder - PsScript
+id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
+related:
+    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+      type: derived
+    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+      type: derived
+    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+      type: derived
+status: experimental
+description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
+tags:
+    - attack.defense_evasion
+    - attack.t1222
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection_cmdlet:
+        ScriptBlockText|contains|all:
+            - 'Set-Acl '
+            - '-AclObject '
+    selection_paths:
+        # Note: Add more suspicious paths
+        ScriptBlockText|contains:
+            - '-Path "C:\Windows'
+            - '-Path "C:/Windows'
+            - "-Path 'C:\\Windows"
+            - "-Path 'C:/Windows"
+            - '-Path C:\\Windows'
+            - '-Path C:/Windows'
+            - '-Path $env:windir'
+            - '-Path "$env:windir'
+            - "-Path '$env:windir"
+    selection_permissions:
+        # Note: Add more suspicious permissions
+        ScriptBlockText|contains:
+            - 'FullControl'
+            - 'Allow'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -7,7 +7,7 @@ references:
    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 author: frack113
 date: 2021/07/07
-modified: 2023/02/03
+modified: 2023/07/18
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -30,4 +30,4 @@ fields:
    - ParentCommandLine
 falsepositives:
    - Unknown
-level: medium
+level: high
@@ -0,0 +1,38 @@
+title: PowerShell Script Change Permission Via Set-Acl
+id: bdeb2cff-af74-4094-8426-724dc937f20a
+related:
+    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+      type: derived
+    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+      type: derived
+    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+      type: derived
+status: experimental
+description: Detects PowerShell execution to set the ACL of a file or a folder
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/10/18
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+    selection_cmdlet:
+        CommandLine|contains|all:
+            - 'Set-Acl '
+            - '-AclObject '
+            - '-Path '
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,49 @@
+title: PowerShell Set-Acl On Windows Folder
+id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+related:
+    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+      type: derived
+    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+      type: derived
+    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+      type: derived
+status: experimental
+description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
+    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/10/18
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+    selection_cmdlet:
+        CommandLine|contains|all:
+            - 'Set-Acl '
+            - '-AclObject '
+    selection_paths:
+        # Note: Add more suspicious paths
+        CommandLine|contains:
+            - '-Path "C:\Windows'
+            - "-Path 'C:\\Windows"
+            - '-Path %windir%'
+            - '-Path $env:windir'
+    selection_permissions:
+        # Note: Add more suspicious permissions
+        CommandLine|contains:
+            - 'FullControl'
+            - 'Allow'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high