Merge pull request #2953 from SigmaHQ/aurora-false-positive-fixing

Hacktool by Cube0x0, KrbRelay

rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml

@@ -0,0 +1,19 @@
+title: Hacktool by Cube0x0
+id: 37c1333a-a0db-48be-b64b-7393b2386e3b
+status: experimental
+description: Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)
+author: Florian Roth
+references:
+  - https://github.com/cube0x0
+  - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
+date: 2022/04/27
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Company: 'Cube0x0'
+  condition: selection
+falsepositives:
+  - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml

@@ -0,0 +1,38 @@
+title: KrbRelay Hack Tool
+id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
+status: experimental
+description: Detects the use of KrbRelay, a Kerberos relaying tool
+author: Florian Roth
+references:
+  - https://github.com/cube0x0/KrbRelay
+date: 2022/04/27
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection_name:
+    Image|endswith: '\KrbRelay.exe'
+  selection_original_name:  # in case the file has been renamed after compilation
+    OriginalFilename: 'KrbRelay.exe'
+  selection_flags1:
+    CommandLine|contains|all:
+      - ' -spn '
+      - ' -clsid '
+      - ' -rbcd '
+  selection_flags2:
+    CommandLine|contains|all:
+      - 'shadowcred'
+      - 'clsid'
+      - 'spn'
+  selection_flags3:
+    CommandLine|contains|all:
+      - 'spn '
+      - 'session '
+      - 'clsid '
+  condition: 1 of selection*
+falsepositives:
+  - Unlikely
+level: high
+tags:
+  - attack.credential_access
+  - attack.t1558.003