Sigma Rule Update (2023-09-29 20:07:20) (#500)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/registry/registry_event/registry_event_scheduled_task_creation.yml

@@ -0,0 +1,32 @@
+title: Scheduled Task Created - Registry
+id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3
+status: experimental
+description: Detects the creation of a scheduled task via Registry keys.
+references:
+    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
+    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
+author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+date: 2023/09/27
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.s0111
+    - attack.t1053.005
+    - car.2013-08-001
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    registry_event:
+        EventID: 4657
+        Channel: Security
+    selection:
+        TargetObject|contains:
+            - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\
+            - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
+    condition: registry_event and selection
+falsepositives:
+    - Normal behaviour on Windows
+level: low
+ruletype: Sigma

sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml

@@ -12,7 +12,7 @@ references:
     - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/21
-modified: 2023/08/17
+modified: 2023/09/29
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -27,25 +27,22 @@ detection:
         TargetObject|contains: Security\Trusted Locations\Location
         TargetObject|endswith: \Path
     filter_exclude_known_paths:
-        Details|startswith:
+        Details|contains:
             - '%APPDATA%\Microsoft\Templates'
             - '%%APPDATA%%\Microsoft\Templates'
             - '%APPDATA%\Microsoft\Word\Startup'
             - '%%APPDATA%%\Microsoft\Word\Startup'
-            - C:\Program Files (x86)\Microsoft Office\root\Templates\
-            - C:\Program Files\Microsoft Office (x86)\Templates
-            - C:\Program Files\Microsoft Office\root\Templates\
-            - C:\Program Files\Microsoft Office\Templates\
+            - :\Program Files (x86)\Microsoft Office\root\Templates\
+            - :\Program Files\Microsoft Office (x86)\Templates
+            - :\Program Files\Microsoft Office\root\Templates\
+            - :\Program Files\Microsoft Office\Templates\
     filter_main_office_click_to_run:
-        Image|startswith: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
+        Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\
         Image|endswith: \OfficeClickToRun.exe
     filter_main_office_apps:
-        Image|startswith:
-            - C:\Program Files\Microsoft Office\
-            - C:\Program Files (x86)\Microsoft Office\
-        Image|endswith:
-            - \winword.exe
-            - \excel.exe
+        Image|contains:
+            - :\Program Files\Microsoft Office\
+            - :\Program Files (x86)\Microsoft Office\
     condition: registry_set and (selection and not 1 of filter_main_* and not 1 of
         filter_exclude_*)
 falsepositives:

sigma/builtin/security/win_security_registry_permissions_weakness_check.yml

@@ -0,0 +1,42 @@
+title: Service Registry Key Read Access Request
+id: 11d00fff-5dc3-428c-8184-801f292faec0
+status: experimental
+description: 'Detects "read access" requests on the services registry key.
+
+    Adversaries may execute their own malicious payloads by hijacking the Registry
+    entries used by services.
+
+    Adversaries may use flaws in the permissions for Registry keys related to services
+    to redirect from the originally specified executable to one that they control,
+    in order to launch their own code when a service starts.
+
+    '
+references:
+    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
+author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+date: 2023/09/28
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.011
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry
+        keys used in this rule'
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID: 4663
+        ObjectName|contains|all:
+            - \SYSTEM\
+            - ControlSet\Services\
+        AccessList|contains: '%%1538'
+    condition: security and selection
+falsepositives:
+    - Likely from legitimate applications reading their key. Requires heavy tuning
+level: low
+ruletype: Sigma

sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml

@@ -26,7 +26,14 @@ detection:
     selection:
         TargetObject|contains: Security\Trusted Locations\Location
         TargetObject|endswith: \Path
-    condition: registry_set and selection
+    filter_main_office_click_to_run:
+        Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\
+        Image|endswith: \OfficeClickToRun.exe
+    filter_main_office_apps:
+        Image|contains:
+            - :\Program Files\Microsoft Office\
+            - :\Program Files (x86)\Microsoft Office\
+    condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
     - During office installations or setup, trusted locations are added, which will
         trigger this rule.

sigma/sysmon/file/file_event/file_event_win_scheduled_task_creation.yml

@@ -0,0 +1,34 @@
+title: Scheduled Task Created - FileCreation
+id: a762e74f-4dce-477c-b023-4ed81df600f9
+status: experimental
+description: Detects the creation of a scheduled task via file creation.
+references:
+    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
+    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
+author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+date: 2023/09/27
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1053.005
+    - attack.s0111
+    - car.2013-08-001
+    - sysmon
+logsource:
+    product: windows
+    category: file_event
+detection:
+    file_event:
+        EventID: 11
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        TargetFilename|contains:
+            - :\Windows\System32\Tasks\
+            - :\Windows\SysWOW64\Tasks\
+            - :\Windows\Tasks\
+    condition: file_event and selection
+falsepositives:
+    - Normal behaviour on Windows
+level: low
+ruletype: Sigma

sigma/sysmon/registry/registry_event/registry_event_scheduled_task_creation.yml

@@ -0,0 +1,36 @@
+title: Scheduled Task Created - Registry
+id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3
+status: experimental
+description: Detects the creation of a scheduled task via Registry keys.
+references:
+    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
+    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
+author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+date: 2023/09/27
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.s0111
+    - attack.t1053.005
+    - car.2013-08-001
+    - sysmon
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    registry_event:
+        EventID:
+            - 12
+            - 13
+            - 14
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        TargetObject|contains:
+            - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\
+            - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
+    condition: registry_event and selection
+falsepositives:
+    - Normal behaviour on Windows
+level: low
+ruletype: Sigma

sigma/sysmon/registry/registry_set/registry_set_office_trusted_location_uncommon.yml

@@ -12,7 +12,7 @@ references:
     - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/21
-modified: 2023/08/17
+modified: 2023/09/29
 tags:
     - attack.defense_evasion
     - attack.t1112
@@ -28,25 +28,22 @@ detection:
         TargetObject|contains: Security\Trusted Locations\Location
         TargetObject|endswith: \Path
     filter_exclude_known_paths:
-        Details|startswith:
+        Details|contains:
             - '%APPDATA%\Microsoft\Templates'
             - '%%APPDATA%%\Microsoft\Templates'
             - '%APPDATA%\Microsoft\Word\Startup'
             - '%%APPDATA%%\Microsoft\Word\Startup'
-            - C:\Program Files (x86)\Microsoft Office\root\Templates\
-            - C:\Program Files\Microsoft Office (x86)\Templates
-            - C:\Program Files\Microsoft Office\root\Templates\
-            - C:\Program Files\Microsoft Office\Templates\
+            - :\Program Files (x86)\Microsoft Office\root\Templates\
+            - :\Program Files\Microsoft Office (x86)\Templates
+            - :\Program Files\Microsoft Office\root\Templates\
+            - :\Program Files\Microsoft Office\Templates\
     filter_main_office_click_to_run:
-        Image|startswith: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
+        Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\
         Image|endswith: \OfficeClickToRun.exe
     filter_main_office_apps:
-        Image|startswith:
-            - C:\Program Files\Microsoft Office\
-            - C:\Program Files (x86)\Microsoft Office\
-        Image|endswith:
-            - \winword.exe
-            - \excel.exe
+        Image|contains:
+            - :\Program Files\Microsoft Office\
+            - :\Program Files (x86)\Microsoft Office\
     condition: registry_set and (selection and not 1 of filter_main_* and not 1 of
         filter_exclude_*)
 falsepositives:

sigma/sysmon/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml

@@ -27,7 +27,14 @@ detection:
     selection:
         TargetObject|contains: Security\Trusted Locations\Location
         TargetObject|endswith: \Path
-    condition: registry_set and selection
+    filter_main_office_click_to_run:
+        Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\
+        Image|endswith: \OfficeClickToRun.exe
+    filter_main_office_apps:
+        Image|contains:
+            - :\Program Files\Microsoft Office\
+            - :\Program Files (x86)\Microsoft Office\
+    condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
     - During office installations or setup, trusted locations are added, which will
         trigger this rule.