update: DNS Query to External Service Interaction Domains - Changed modifier to endswith for better accuracy and add additional domains.
---------
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered everytime any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
new: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
new: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
new: Attempts of Kerberos Coercion Via DNS SPN Spoofing
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
update: Communication To Uncommon Destination Ports - Add link-local address range
update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
update: Potentially Suspicious Malware Callback Communication - Add link-local address range
update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
update: Publicly Accessible RDP Service - Add link-local address range
update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
update: Rundll32 Internet Connection - Add link-local address range
update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: WebDav Put Request - Update rule to use cidr modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
fix: Potential NT API Stub Patching - Tune FP filter
new: Credential Dumping Activity By Python Based Tool
new: HackTool - Generic Process Access
remove: Credential Dumping Tools Accessing LSASS Memory
update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives
update: Credential Dumping Attempt Via WerFault - Update title
update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium
update: HackTool - CobaltStrike BOF Injection Pattern - Update title
update: HackTool - HandleKatz Duplicating LSASS Handle - Update title
update: HackTool - LittleCorporal Generated Maldoc Injection - Update title
update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters
update: HackTool - winPEAS Execution - Add additional image names for winPEAS
update: LSASS Access From Potentially White-Listed Processes - Update title and description
update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C:
update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description
update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32
update: Malware Shellcode in Verclsid Target Process - Move to hunting folder
update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder
update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata
update: Potential Process Hollowing Activity - Update FP filter
update: Potential Shellcode Injection - Update title and enhance false positive filter
update: Potentially Suspicious GrantedAccess Flags On LSASS -
update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C:
update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations
update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: swachchhanda000
When a Sigma rule writer wants to create a list of values where all of
them must be matched for the rule to trigger, the approach used
previously was to have an `all of` condition for a single selector.
However, this has now changed, and the new approach is to use an empty
key and the |all modifier (i.e., `'|all'`).
This commit (tries to) identify all the rules that used the old
approach and modifies them to use the new approach instead.
See SigmaHQ/sigma-specification#53 for further discussion.
Nasreddine Bencherchali