Sigma Rule Update (2023-10-11 20:07:18) (#504)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml

@@ -0,0 +1,32 @@
+title: MSSQL Server Failed Logon
+id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+related:
+    -   id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+        type: similar
+status: experimental
+description: Detects failed logon attempts from clients to MSSQL server.
+author: Nasreddine Bencherchali (Nextron Systems), j4son
+date: 2023/10/11
+references:
+    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
+    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+tags:
+    - attack.credential_access
+    - attack.t1110
+logsource:
+    product: windows
+    service: application
+    definition: 'Requirements: Must enable MSSQL authentication.'
+detection:
+    application:
+        Channel: Application
+    selection:
+        Provider_Name: MSSQLSERVER
+        EventID: 18456
+    condition: application and selection
+falsepositives:
+    - This event could stem from users changing an account's password that's used
+        to authenticate via a job or an automated process. Investigate the source
+        of such events and mitigate them
+level: low
+ruletype: Sigma

sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml

@@ -0,0 +1,53 @@
+title: MSSQL Server Failed Logon From External Network
+id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+related:
+    -   id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+        type: similar
+status: experimental
+description: Detects failed logon attempts from clients with external network IP to
+    an MSSQL server. This can be a sign of a bruteforce attack.
+author: j4son
+date: 2023/10/11
+references:
+    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
+    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+tags:
+    - attack.credential_access
+    - attack.t1110
+logsource:
+    product: windows
+    service: application
+    definition: 'Requirements: Must enable MSSQL authentication.'
+detection:
+    application:
+        Channel: Application
+    selection:
+        Provider_Name: MSSQLSERVER
+        EventID: 18456
+    filter_main_local_ips:
+        Data|contains:
+            - 'CLIENT: 10.'
+            - 'CLIENT: 172.16.'
+            - 'CLIENT: 172.17.'
+            - 'CLIENT: 172.18.'
+            - 'CLIENT: 172.19.'
+            - 'CLIENT: 172.20.'
+            - 'CLIENT: 172.21.'
+            - 'CLIENT: 172.22.'
+            - 'CLIENT: 172.23.'
+            - 'CLIENT: 172.24.'
+            - 'CLIENT: 172.25.'
+            - 'CLIENT: 172.26.'
+            - 'CLIENT: 172.27.'
+            - 'CLIENT: 172.28.'
+            - 'CLIENT: 172.29.'
+            - 'CLIENT: 172.30.'
+            - 'CLIENT: 172.31.'
+            - 'CLIENT: 192.168.'
+            - 'CLIENT: 127.'
+            - 'CLIENT: 169.254.'
+    condition: application and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml

@@ -0,0 +1,35 @@
+title: BlueSky Ransomware Artefacts
+id: eee8311f-a752-44f0-bf2f-6b007db16300
+status: experimental
+description: Detect access to files and shares with names and extensions used by BlueSky
+    ransomware which could indicate a current or previous encryption attempt.
+references:
+    - https://unit42.paloaltonetworks.com/bluesky-ransomware/
+author: j4son
+date: 2023/05/23
+tags:
+    - attack.impact
+    - attack.t1486
+logsource:
+    product: windows
+    service: security
+detection:
+    security:
+        Channel: Security
+    selection_access_eid:
+        EventID:
+            - 4663
+            - 4656
+    selection_access_data:
+        -   ObjectName|endswith: .bluesky
+        -   ObjectName|contains: DECRYPT FILES BLUESKY
+    selection_share_eid:
+        EventID: 5145
+    selection_share_data:
+        -   RelativeTargetName|endswith: .bluesky
+        -   RelativeTargetName|contains: DECRYPT FILES BLUESKY
+    condition: security and (all of selection_access_* or all of selection_share_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml

@@ -0,0 +1,36 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+id: 0900463c-b33b-49a8-be1d-552a3b553dae
+related:
+    -   id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+        type: similar
+status: experimental
+description: 'Detects command line containing reference to the "::$index_allocation"
+    stream, which can be used as a technique to prevent access to folders or files
+    from tooling such as "explorer.exe" or "cmd.exe"
+
+    '
+references:
+    - https://twitter.com/pfiatde/status/1681977680688738305
+    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        CommandLine|contains: ::$index_allocation
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: medium
+ruletype: Sigma

sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml

@@ -0,0 +1,40 @@
+title: Certificate Use With No Strong Mapping
+id: 993c2665-e6ef-40e3-a62a-e1a97686af79
+status: experimental
+description: 'Detects a user certificate that was valid but could not be mapped to
+    a user in a strong way (such as via explicit mapping, key trust mapping, or a
+    SID)
+
+    This could be a sign of exploitation of the elevation of privilege vulnerabilities
+    (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows
+    certificate spoofing by not requiring a strong mapping.
+
+    Events where the AccountName and CN of the Subject do not match, or where the
+    CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
+
+    '
+references:
+    - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
+author: '@br4dy5'
+date: 2023/10/09
+tags:
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: system
+detection:
+    system:
+        Channel: System
+    selection:
+        Provider_Name: Kerberos-Key-Distribution-Center
+        EventID:
+            - 39
+            - 41
+    condition: system and selection
+falsepositives:
+    - If prevalent in the environment, filter on events where the AccountName and
+        CN of the Subject do not reference the same user
+    - If prevalent in the environment, filter on CNs that end in a dollar sign indicating
+        it is a machine name
+level: medium
+ruletype: Sigma

sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml

@@ -0,0 +1,32 @@
+title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
+id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
+status: experimental
+description: Detects suspicious ".hta" file creation in the startup folder by Foxit
+    Reader. This can be an indication of CVE-2023-27363 exploitation.
+references:
+    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
+    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
+    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
+author: Gregory
+date: 2023/10/11
+tags:
+    - attack.persistence
+    - attack.t1505.001
+    - cve.2023.27363
+    - sysmon
+logsource:
+    product: windows
+    category: file_event
+detection:
+    file_event:
+        EventID: 11
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Image|endswith: \FoxitPDFReader.exe
+        TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\
+        TargetFilename|endswith: .hta
+    condition: file_event and selection
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml

@@ -0,0 +1,37 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
+id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+related:
+    -   id: 0900463c-b33b-49a8-be1d-552a3b553dae
+        type: similar
+status: experimental
+description: 'Detects the creation of hidden file/folder with the "::$index_allocation"
+    stream. Which can be used as a technique to prevent access to folder and files
+    from tooling such as "explorer.exe" and "cmd.exe"
+
+    '
+references:
+    - https://twitter.com/pfiatde/status/1681977680688738305
+    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+    - sysmon
+logsource:
+    product: windows
+    category: file_event
+detection:
+    file_event:
+        EventID: 11
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        TargetFilename|contains: ::$index_allocation
+    condition: file_event and selection
+falsepositives:
+    - Unlikely
+level: medium
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml

@@ -0,0 +1,37 @@
+title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+id: 0900463c-b33b-49a8-be1d-552a3b553dae
+related:
+    -   id: a8f866e1-bdd4-425e-a27a-37619238d9c7
+        type: similar
+status: experimental
+description: 'Detects command line containing reference to the "::$index_allocation"
+    stream, which can be used as a technique to prevent access to folders or files
+    from tooling such as "explorer.exe" or "cmd.exe"
+
+    '
+references:
+    - https://twitter.com/pfiatde/status/1681977680688738305
+    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
+    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
+    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
+    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
+author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+date: 2023/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+    - sysmon
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        CommandLine|contains: ::$index_allocation
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: medium
+ruletype: Sigma