Sigma Rule Update (2023-10-05 20:07:26) (#502)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml

@@ -0,0 +1,30 @@
+title: Remote Access Tool - ScreenConnect Command Execution
+id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
+related:
+    -   id: b1f73849-6329-4069-bc8f-78a604bb8b23
+        type: similar
+status: experimental
+description: Detects command execution via ScreenConnect RMM
+references:
+    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+    - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+    - attack.execution
+    - attack.t1059.003
+logsource:
+    service: application
+    product: windows
+detection:
+    application:
+        Channel: Application
+    selection:
+        Provider_Name: ScreenConnect
+        EventID: 200
+        Data|contains: Executed command of length
+    condition: application and selection
+falsepositives:
+    - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma

sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml

@@ -0,0 +1,30 @@
+title: Remote Access Tool - ScreenConnect File Transfer
+id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
+related:
+    -   id: b1f73849-6329-4069-bc8f-78a604bb8b23
+        type: similar
+status: experimental
+description: Detects file being transferred via ScreenConnect RMM
+references:
+    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+    - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+    - attack.execution
+    - attack.t1059.003
+logsource:
+    service: application
+    product: windows
+detection:
+    application:
+        Channel: Application
+    selection:
+        Provider_Name: ScreenConnect
+        EventID: 201
+        Data|contains: Transferred files with action
+    condition: application and selection
+falsepositives:
+    - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml

@@ -0,0 +1,56 @@
+title: Suspicious AddinUtil.EXE CommandLine Execution
+id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+    with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+    with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+    payload.
+
+    '
+references:
+    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike),
+    Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \addinutil.exe
+        -   OriginalFileName: AddInUtil.exe
+    selection_susp_1_flags:
+        CommandLine|contains:
+            - '-AddInRoot:'
+            - '-PipelineRoot:'
+    selection_susp_1_paths:
+        CommandLine|contains:
+            - \AppData\Local\Temp\
+            - \Desktop\
+            - \Downloads\
+            - \Users\Public\
+            - \Windows\Temp\
+    selection_susp_2:
+        CommandLine|contains:
+            - -AddInRoot:.
+            - -AddInRoot:"."
+            - -PipelineRoot:.
+            - -PipelineRoot:"."
+        CurrentDirectory|contains:
+            - \AppData\Local\Temp\
+            - \Desktop\
+            - \Downloads\
+            - \Users\Public\
+            - \Windows\Temp\
+    condition: process_creation and (selection_img and (all of selection_susp_1_*
+        or selection_susp_2))
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml

@@ -0,0 +1,34 @@
+title: Uncommon Child Process Of AddinUtil.EXE
+id: b5746143-59d6-4603-8d06-acbd60e166ee
+status: experimental
+description: 'Detects uncommon child processes of the Add-In deployment cache updating
+    utility (AddInutil.exe) which could be a sign of potential abuse of the binary
+    to proxy execution via a custom Addins.Store payload.
+
+    '
+references:
+    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        ParentProcessName|endswith: \addinutil.exe
+    filter_main_werfault:
+        NewProcessName|endswith:
+            - :\Windows\System32\conhost.exe
+            - :\Windows\System32\werfault.exe
+            - :\Windows\SysWOW64\werfault.exe
+    condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml

@@ -0,0 +1,41 @@
+title: Uncommon AddinUtil.EXE CommandLine Execution
+id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+    with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+    with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+    payload.
+
+    '
+references:
+    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \addinutil.exe
+        -   OriginalFileName: AddInUtil.exe
+    selection_cli:
+        CommandLine|contains:
+            - '-AddInRoot:'
+            - '-PipelineRoot:'
+    filter_main_addinroot:
+        CommandLine|contains:
+            - -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+            - -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+            - -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+            - -PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml

@@ -0,0 +1,32 @@
+title: AddinUtil.EXE Execution From Uncommon Directory
+id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
+status: experimental
+description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+    from a non-standard directory.
+references:
+    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        -   NewProcessName|endswith: \addinutil.exe
+        -   OriginalFileName: AddInUtil.exe
+    filter_main_legit_location:
+        NewProcessName|contains:
+            - :\Windows\Microsoft.NET\Framework\
+            - :\Windows\Microsoft.NET\Framework64\
+            - :\Windows\WinSxS\
+    condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml

@@ -0,0 +1,31 @@
+title: Remote Access Tool - ScreenConnect Remote Command Execution
+id: b1f73849-6329-4069-bc8f-78a604bb8b23
+status: experimental
+description: Detects the execution of a system command via the ScreenConnect RMM service.
+references:
+    - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+    - attack.execution
+    - attack.t1059.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_parent:
+        ParentProcessName|endswith: \ScreenConnect.ClientService.exe
+    selection_img:
+        -   NewProcessName|endswith: \cmd.exe
+        -   OriginalFileName: Cmd.Exe
+    selection_cli:
+        CommandLine|contains: \TEMP\ScreenConnect\
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily
+        used.
+level: medium
+ruletype: Sigma

sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml

@@ -0,0 +1,37 @@
+title: Remote Access Tool - ScreenConnect Temporary File
+id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
+related:
+    -   id: b1f73849-6329-4069-bc8f-78a604bb8b23
+        type: similar
+status: experimental
+description: 'Detects the creation of files in a specific location by ScreenConnect
+    RMM.
+
+    ScreenConnect has feature to remotely execute binaries on a target machine. These
+    binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\"
+    before execution.
+
+    '
+references:
+    - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - sysmon
+logsource:
+    category: file_event
+    product: windows
+detection:
+    file_event:
+        EventID: 11
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Image|endswith: \ScreenConnect.WindowsClient.exe
+        TargetFilename|contains: \Documents\ConnectWiseControl\Temp\
+    condition: file_event and selection
+falsepositives:
+    - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma

sigma/sysmon/network_connection/net_connection_win_addinutil.yml

@@ -0,0 +1,28 @@
+title: Network Connection Initiated By AddinUtil.EXE
+id: 5205613d-2a63-4412-a895-3a2458b587b3
+status: experimental
+description: Detects network connections made by the Add-In deployment cache updating
+    utility (AddInutil.exe), which could indicate command and control communication.
+references:
+    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - sysmon
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    network_connection:
+        EventID: 3
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Initiated: 'true'
+        Image|endswith: \addinutil.exe
+    condition: network_connection and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml

@@ -0,0 +1,57 @@
+title: Suspicious AddinUtil.EXE CommandLine Execution
+id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+    with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+    with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+    payload.
+
+    '
+references:
+    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike),
+    Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection_img:
+        -   Image|endswith: \addinutil.exe
+        -   OriginalFileName: AddInUtil.exe
+    selection_susp_1_flags:
+        CommandLine|contains:
+            - '-AddInRoot:'
+            - '-PipelineRoot:'
+    selection_susp_1_paths:
+        CommandLine|contains:
+            - \AppData\Local\Temp\
+            - \Desktop\
+            - \Downloads\
+            - \Users\Public\
+            - \Windows\Temp\
+    selection_susp_2:
+        CommandLine|contains:
+            - -AddInRoot:.
+            - -AddInRoot:"."
+            - -PipelineRoot:.
+            - -PipelineRoot:"."
+        CurrentDirectory|contains:
+            - \AppData\Local\Temp\
+            - \Desktop\
+            - \Downloads\
+            - \Users\Public\
+            - \Windows\Temp\
+    condition: process_creation and (selection_img and (all of selection_susp_1_*
+        or selection_susp_2))
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma