Sigma Rule Update (2023-04-25 20:58:45) (#379)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>
Yamato-Security · Apr 25, 2023 · 7a98ea2 · 7a98ea2
1 parent 47e8c01
commit 7a98ea2
Show file tree

Hide file tree

Showing 12 changed files with 247 additions and 56 deletions.
diff --git a/.../proc_creation_win_lolbin_rdrleakdiag.yml → .../proc_creation_win_lolbin_rdrleakdiag.yml b/.../proc_creation_win_lolbin_rdrleakdiag.yml → .../proc_creation_win_lolbin_rdrleakdiag.yml
@@ -27,10 +27,10 @@ level: high
 logsource:
     category: process_creation
     product: windows
-modified: 2023/02/13
+modified: 2023/04/24
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
-status: experimental
+status: deprecated
 tags:
 - attack.defense_evasion
 - attack.t1036

diff --git a/...ment-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/...ment-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
@@ -0,0 +1,49 @@
+title: PaperCut MF/NG Exploitation Related Indicators
+ruletype: Sigma
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/25
+description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
+detection:
+    SELECTION_1:
+        EventID: 4688
+    SELECTION_10:
+        CommandLine: '*/i *'
+    SELECTION_11:
+        CommandLine: '*setup.msi *'
+    SELECTION_12:
+        CommandLine: '*/qn *'
+    SELECTION_13:
+        CommandLine: '*IntegratorLogin=fimaribahundq*'
+    SELECTION_2:
+        Channel: Security
+    SELECTION_3:
+        CommandLine: '* /c *'
+    SELECTION_4:
+        CommandLine: '*powershell*'
+    SELECTION_5:
+        CommandLine: '*-nop -w hidden*'
+    SELECTION_6:
+        CommandLine: '*Invoke-WebRequest*'
+    SELECTION_7:
+        CommandLine: '*setup.msi*'
+    SELECTION_8:
+        CommandLine: '*-OutFile*'
+    SELECTION_9:
+        CommandLine: '*msiexec *'
+    condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 and SELECTION_4 and
+        SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9
+        and SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13)))
+falsepositives:
+- Unlikely
+id: de1bd0b6-6d59-417c-86d9-a44114aede3b
+level: high
+logsource:
+    category: process_creation
+    product: windows
+references:
+- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
+- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
+status: test
+tags:
+- attack.execution
+
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_certify.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_certify.yml
@@ -24,11 +24,11 @@ detection:
         - '*.exe download *'
     SELECTION_7:
         CommandLine:
-        - '*vulnerable *'
-        - '*template*'
-        - '*altname*'
-        - '*domain*'
-        - '*path*'
+        - '* /vulnerable*'
+        - '* /template:*'
+        - '* /altname:*'
+        - '* /domain:*'
+        - '* /path:*'
         - '* /ca:*'
     condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 or SELECTION_4 or
         SELECTION_5) or (SELECTION_6 and SELECTION_7)))
@@ -39,6 +39,7 @@ level: high
 logsource:
     category: process_creation
     product: windows
+modified: 2023/04/25
 references:
 - https://github.com/GhostPack/Certify
 status: experimental

diff --git a/sigma/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml
@@ -1,7 +1,7 @@
 title: Suspicious Microsoft Office Child Process
 ruletype: Sigma
-author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim
-    Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io
+author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov,
+    Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
 date: 2018/04/06
 description: Detects a suspicious process spawning from one of the Microsoft Office
     suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
@@ -94,16 +94,24 @@ detection:
         - '*\wmic.exe'
         - '*\workfolders.exe'
         - '*\wscript.exe'
+    SELECTION_6:
+        NewProcessName:
+        - '*\AppData\\*'
+        - '*\Users\Public\\*'
+        - '*\ProgramData\\*'
+        - '*\Windows\Tasks\\*'
+        - '*\Windows\Temp\\*'
+        - '*\Windows\System32\Tasks\\*'
     condition: ((SELECTION_1 and SELECTION_2) and SELECTION_3 and (SELECTION_4 or
-        SELECTION_5))
+        SELECTION_5 or SELECTION_6))
 falsepositives:
 - Unknown
 id: 438025f9-5856-4663-83f7-52f878a70a50
 level: high
 logsource:
     category: process_creation
     product: windows
-modified: 2023/02/10
+modified: 2023/04/24
 references:
 - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html

diff --git a/sigma/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/sigma/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
@@ -1,28 +1,55 @@
-title: Process Dump via RdrLeakDiag.exe
+title: Process Memory Dump via RdrLeakDiag.EXE
 ruletype: Sigma
-author: Cedric MAURUGEON
+author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel,
+    Nasreddine Bencherchali (Nextron Systems)
 date: 2021/09/24
-description: Detects a process memory dump performed by RdrLeakDiag.exe
+description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool
+    "rdrleakdiag.exe" to dump process memory
 detection:
     SELECTION_1:
         EventID: 4688
     SELECTION_2:
         Channel: Security
     SELECTION_3:
-        OriginalFileName: RdrLeakDiag.exe
+        CommandLine:
+        - '*fullmemdmp*'
+        - '*/memdmp*'
+        - '*-memdmp*'
     SELECTION_4:
-        CommandLine: '*fullmemdmp*'
-    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+        CommandLine:
+        - '* -o *'
+        - '* /o *'
+    SELECTION_5:
+        CommandLine:
+        - '* -p *'
+        - '* /p *'
+    SELECTION_6:
+        NewProcessName: '*\rdrleakdiag.exe'
+    SELECTION_7:
+        OriginalFileName: RdrLeakDiag.exe
+    SELECTION_8:
+        CommandLine:
+        - '*fullmemdmp*'
+        - '*/memdmp*'
+        - '*-memdmp*'
+    condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 and SELECTION_4 and
+        SELECTION_5) or ((SELECTION_6 or SELECTION_7) and SELECTION_8)))
 falsepositives:
 - Unknown
 id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
 level: high
 logsource:
     category: process_creation
     product: windows
-modified: 2022/10/09
+modified: 2023/04/24
 references:
 - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
+- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
+- https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
+- https://twitter.com/0gtweet/status/1299071304805560321?s=21
+related:
+-   id: 6355a919-2e97-4285-a673-74645566340d
+    type: obsoletes
 status: test
 tags:
 - attack.credential_access

diff --git a/.../proc_creation_win_lolbin_rdrleakdiag.yml → .../proc_creation_win_lolbin_rdrleakdiag.yml b/.../proc_creation_win_lolbin_rdrleakdiag.yml → .../proc_creation_win_lolbin_rdrleakdiag.yml
@@ -27,10 +27,10 @@ level: high
 logsource:
     category: process_creation
     product: windows
-modified: 2023/02/13
+modified: 2023/04/24
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
-status: experimental
+status: deprecated
 tags:
 - attack.defense_evasion
 - attack.t1036

diff --git a/sigma/sysmon/dns_query/dns_query_win_susp_ipify.yml b/sigma/sysmon/dns_query/dns_query_win_susp_ipify.yml
@@ -35,23 +35,35 @@ detection:
         Channel: Microsoft-Windows-Sysmon/Operational
     SELECTION_3:
         QueryName:
-        - canireachthe.net
-        - ipv4.icanhazip.com
-        - ip.anysrc.net
-        - edns.ip-api.com
-        - wtfismyip.com
-        - checkip.dyndns.org
-        - api.2ip.ua
-        - icanhazip.com
-        - api.ipify.org
-        - ip-api.com
-        - checkip.amazonaws.com
-        - ipecho.net
-        - ipinfo.io
-        - ipv4bot.whatismyipaddress.com
-        - freegeoip.app
-        - ifconfig.me
-        - ipwho.is
+        - '*api.2ip.ua*'
+        - '*api.ipify.org*'
+        - '*bot.whatismyipaddress.com*'
+        - '*canireachthe.net*'
+        - '*checkip.amazonaws.com*'
+        - '*checkip.dyndns.org*'
+        - '*curlmyip.com*'
+        - '*edns.ip-api.com*'
+        - '*eth0.me*'
+        - '*freegeoip.app*'
+        - '*icanhazip.com*'
+        - '*ident.me*'
+        - '*ifconfig.io*'
+        - '*ifconfig.me*'
+        - '*ip-api.com*'
+        - '*ip.anysrc.net*'
+        - '*ip.tyk.nu*'
+        - '*ipaddressworld.com*'
+        - '*ipecho.net*'
+        - '*ipinfo.io*'
+        - '*ipof.in*'
+        - '*ipv4.icanhazip.com*'
+        - '*ipv4bot.whatismyipaddress.com*'
+        - '*ipwho.is*'
+        - '*l2.io*'
+        - '*myexternalip.com*'
+        - '*wgetip.com*'
+        - '*whatismyip.akamai.com*'
+        - '*wtfismyip.com*'
     SELECTION_4:
         Image: '*\brave.exe'
     SELECTION_5:
@@ -81,7 +93,7 @@ level: medium
 logsource:
     category: dns_query
     product: windows
-modified: 2023/04/18
+modified: 2023/04/24
 references:
 - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
 - https://twitter.com/neonprimetime/status/1436376497980428318

diff --git a/...ment-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/...ment-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
@@ -0,0 +1,49 @@
+title: PaperCut MF/NG Exploitation Related Indicators
+ruletype: Sigma
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/25
+description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
+detection:
+    SELECTION_1:
+        EventID: 1
+    SELECTION_10:
+        CommandLine: '*/i *'
+    SELECTION_11:
+        CommandLine: '*setup.msi *'
+    SELECTION_12:
+        CommandLine: '*/qn *'
+    SELECTION_13:
+        CommandLine: '*IntegratorLogin=fimaribahundq*'
+    SELECTION_2:
+        Channel: Microsoft-Windows-Sysmon/Operational
+    SELECTION_3:
+        CommandLine: '* /c *'
+    SELECTION_4:
+        CommandLine: '*powershell*'
+    SELECTION_5:
+        CommandLine: '*-nop -w hidden*'
+    SELECTION_6:
+        CommandLine: '*Invoke-WebRequest*'
+    SELECTION_7:
+        CommandLine: '*setup.msi*'
+    SELECTION_8:
+        CommandLine: '*-OutFile*'
+    SELECTION_9:
+        CommandLine: '*msiexec *'
+    condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 and SELECTION_4 and
+        SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9
+        and SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13)))
+falsepositives:
+- Unlikely
+id: de1bd0b6-6d59-417c-86d9-a44114aede3b
+level: high
+logsource:
+    category: process_creation
+    product: windows
+references:
+- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
+- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
+status: test
+tags:
+- attack.execution
+
diff --git a/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -80,6 +80,12 @@ detection:
         TargetImage: '*\winlogon.exe'
     SELECTION_37:
         GrantedAccess: '0x1fffff'
+    SELECTION_38:
+        SourceImage:
+        - C:\Program Files\Common Files\Adobe\ARM\\*
+        - C:\Program Files (x86)\Common Files\Adobe\ARM\\*
+    SELECTION_39:
+        SourceImage: '*\AdobeARMHelper.exe'
     SELECTION_4:
         GrantedAccess:
         - '*10'
@@ -108,6 +114,8 @@ detection:
         - '*FA'
         - '*0x14C2'
         - '*FF'
+    SELECTION_40:
+        GrantedAcces: '0x1410'
     SELECTION_5:
         SourceImage:
         - '*\Temp\\*'
@@ -137,7 +145,8 @@ detection:
         or (SELECTION_20 and SELECTION_21 and SELECTION_22 and SELECTION_23) or (SELECTION_24
         and SELECTION_25 and SELECTION_26) or (SELECTION_27 and SELECTION_28 and SELECTION_29)
         or (SELECTION_30 and SELECTION_31 and SELECTION_32) or (SELECTION_33 and SELECTION_34
-        and SELECTION_35 and SELECTION_36 and SELECTION_37)))
+        and SELECTION_35 and SELECTION_36 and SELECTION_37) or (SELECTION_38 and SELECTION_39
+        and SELECTION_40)))
 falsepositives:
 - Updaters and installers are typical false positives. Apply custom filters depending
     on your environment
@@ -150,7 +159,7 @@ level: high
 logsource:
     category: process_access
     product: windows
-modified: 2023/04/11
+modified: 2023/04/25
 references:
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_certify.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_certify.yml
@@ -24,11 +24,11 @@ detection:
         - '*.exe download *'
     SELECTION_7:
         CommandLine:
-        - '*vulnerable *'
-        - '*template*'
-        - '*altname*'
-        - '*domain*'
-        - '*path*'
+        - '* /vulnerable*'
+        - '* /template:*'
+        - '* /altname:*'
+        - '* /domain:*'
+        - '* /path:*'
         - '* /ca:*'
     condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 or SELECTION_4 or
         SELECTION_5) or (SELECTION_6 and SELECTION_7)))
@@ -39,6 +39,7 @@ level: high
 logsource:
     category: process_creation
     product: windows
+modified: 2023/04/25
 references:
 - https://github.com/GhostPack/Certify
 status: experimental