diff --git a/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
new file mode 100644
index 000000000..ba4578c7e
--- /dev/null
+++ b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
@@ -0,0 +1,30 @@
+title: Remote Access Tool - ScreenConnect Command Execution
+id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
+related:
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
+status: experimental
+description: Detects command execution via ScreenConnect RMM
+references:
+ - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ service: application
+ product: windows
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: ScreenConnect
+ EventID: 200
+ Data|contains: Executed command of length
+ condition: application and selection
+falsepositives:
+ - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma
diff --git a/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
new file mode 100644
index 000000000..217afc973
--- /dev/null
+++ b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
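Review bot: `Data|contains: Executed command of length` keys on the wording of ScreenConnect's session-log message, and judging by that wording the event reports only the length of the command rather than its content, so an alert from this rule tells the analyst nothing about what was actually run. I would say so in the description instead of the current one-liner, e.g. `description: Detects the ScreenConnect Application-log event (EventID 200) written when a command is executed through the RMM client. The event does not carry the command itself; pivot to the related process_creation rule b1f73849 for the command line.` Because the selection is a phrase match, a reworded message in a later client release would silently stop the rule from firing; that is worth a note in falsepositives or a comment above the `Data|contains` line so that maintainers re-verify it against new client versions.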
@@ -0,0 +1,30 @@
+title: Remote Access Tool - ScreenConnect File Transfer
+id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
+related:
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
+status: experimental
+description: Detects file being transferred via ScreenConnect RMM
+references:
+ - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ service: application
+ product: windows
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: ScreenConnect
+ EventID: 201
+ Data|contains: Transferred files with action
+ condition: application and selection
+falsepositives:
+ - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
new file mode 100644
index 000000000..cdde24563
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
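Review bot: The tags `attack.execution` / `attack.t1059.003` (Windows Command Shell) do not describe what this rule detects; EventID 201 with `Transferred files with action` is file movement over the RMM channel, which maps to T1105 Ingress Tool Transfer (or T1570 Lateral Tool Transfer when the source is another internal host). I would replace the two tags with `- attack.command_and_control` and `- attack.t1105` so that tactic-based routing and coverage maps are not skewed. The description also reads better as `description: Detects files being transferred via ScreenConnect RMM`.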
@@ -0,0 +1,56 @@
+title: Suspicious AddinUtil.EXE CommandLine Execution
+id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+ with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+ with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+ payload.
+
+ '
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike),
+ Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \addinutil.exe
+ - OriginalFileName: AddInUtil.exe
+ selection_susp_1_flags:
+ CommandLine|contains:
+ - '-AddInRoot:'
+ - '-PipelineRoot:'
+ selection_susp_1_paths:
+ CommandLine|contains:
+ - \AppData\Local\Temp\
+ - \Desktop\
+ - \Downloads\
+ - \Users\Public\
+ - \Windows\Temp\
+ selection_susp_2:
+ CommandLine|contains:
+ - -AddInRoot:.
+ - -AddInRoot:"."
+ - -PipelineRoot:.
+ - -PipelineRoot:"."
+ CurrentDirectory|contains:
+ - \AppData\Local\Temp\
+ - \Desktop\
+ - \Downloads\
+ - \Users\Public\
+ - \Windows\Temp\
+ condition: process_creation and (selection_img and (all of selection_susp_1_*
+ or selection_susp_2))
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
new file mode 100644
index 000000000..472e37d8c
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
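Review bot: `selection_susp_2` requires a `CurrentDirectory` field, which is a Sysmon Event 1 field and, to my knowledge, is not present in Security event 4688, so in this builtin variant that branch can never match and only the `selection_susp_1_*` path is live; the `OriginalFileName` alternative in `selection_img` is a Sysmon-only field as well and is likewise dead here (harmless, since it is OR-ed). The practical consequence is that a relative `-AddInRoot:.` invocation from a staging directory is not caught by this rule on 4688 telemetry even though the rule text suggests it is. Either drop `selection_susp_2` from the 4688 variant or put a comment above it, e.g. `# Only effective on sources that populate CurrentDirectory; Security 4688 does not`, so nobody assumes coverage that does not exist. Minor: `the adversaries Addins.Store` in the description should read `the adversary's Addins.Store`.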
@@ -0,0 +1,34 @@
+title: Uncommon Child Process Of AddinUtil.EXE
+id: b5746143-59d6-4603-8d06-acbd60e166ee
+status: experimental
+description: 'Detects uncommon child processes of the Add-In deployment cache updating
+ utility (AddInutil.exe) which could be a sign of potential abuse of the binary
+ to proxy execution via a custom Addins.Store payload.
+
+ '
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \addinutil.exe
+ filter_main_werfault:
+ NewProcessName|endswith:
+ - :\Windows\System32\conhost.exe
+ - :\Windows\System32\werfault.exe
+ - :\Windows\SysWOW64\werfault.exe
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
new file mode 100644
index 000000000..a95cd947c
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
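Review bot: The filter is named `filter_main_werfault` but also whitelists `conhost.exe`, which misleads anyone tuning the rule later; rename it to `filter_main_known_children` or split conhost into its own `filter_main_conhost` entry so the name matches the content. Separately, as far as I recall the `ParentProcessName` field of 4688 ("Creator Process Name") only exists on Windows 10 / Server 2016 and later, so on older hosts `selection` can never match; a sentence in the description stating that requirement would save consumers from assuming coverage on legacy servers.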
@@ -0,0 +1,41 @@
+title: Uncommon AddinUtil.EXE CommandLine Execution
+id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+ with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+ with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+ payload.
+
+ '
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \addinutil.exe
+ - OriginalFileName: AddInUtil.exe
+ selection_cli:
+ CommandLine|contains:
+ - '-AddInRoot:'
+ - '-PipelineRoot:'
+ filter_main_addinroot:
+ CommandLine|contains:
+ - -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ - -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ - -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ - -PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
new file mode 100644
index 000000000..68bceba03
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
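Review bot: `filter_main_addinroot` hard-codes `C:` and `Program Files (x86)` while every other path in this rule set is written drive-agnostic (`:\Windows\...`), so a host with a non-C: system drive, or a 32-bit Windows where the 32-bit VSTA files would presumably sit under `C:\Program Files\Common Files\...`, turns every legitimate VSTA invocation into an alert. One option is to anchor the filter on the stable tail, `CommandLine|contains: \Common Files\Microsoft Shared\VSTA`, accepting that the switch-to-path binding is then lost; if the exact form is kept on purpose, a comment above the filter saying so (`# exact VSTA install path; adjust for non-C: system drives`) would stop the next person from "fixing" it. Note also that `OriginalFileName` is not populated in 4688 events, so the second `selection_img` alternative is dead in this builtin variant.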
@@ -0,0 +1,32 @@
+title: AddinUtil.EXE Execution From Uncommon Directory
+id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
+status: experimental
+description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+ from a non-standard directory.
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ - NewProcessName|endswith: \addinutil.exe
+ - OriginalFileName: AddInUtil.exe
+ filter_main_legit_location:
+ NewProcessName|contains:
+ - :\Windows\Microsoft.NET\Framework\
+ - :\Windows\Microsoft.NET\Framework64\
+ - :\Windows\WinSxS\
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml
new file mode 100644
index 000000000..89b8fc337
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml
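Review bot: On 4688 telemetry `OriginalFileName` is, to my knowledge, never populated, so the second `selection` alternative is dead and this builtin variant identifies AddInUtil by file name only; a copy renamed to anything else is invisible to it, unlike the Sysmon twin of this rule. That gap is worth one sentence in the description so consumers do not assume parity between the two variants, e.g. `On Security 4688 telemetry the binary is matched by file name only; a renamed copy executed from an uncommon directory is not covered.`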
@@ -0,0 +1,31 @@
+title: Remote Access Tool - ScreenConnect Remote Command Execution
+id: b1f73849-6329-4069-bc8f-78a604bb8b23
+status: experimental
+description: Detects the execution of a system command via the ScreenConnect RMM service.
+references:
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_parent:
+ ParentProcessName|endswith: \ScreenConnect.ClientService.exe
+ selection_img:
+ - NewProcessName|endswith: \cmd.exe
+ - OriginalFileName: Cmd.Exe
+ selection_cli:
+ CommandLine|contains: \TEMP\ScreenConnect\
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily
+ used.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
new file mode 100644
index 000000000..b371ab7e7
--- /dev/null
+++ b/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
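Review bot: The `cmd.exe` invocation matched by `selection_cli` appears to carry only the path of a script under `\TEMP\ScreenConnect\`, not the operator's actual command, which would be inside that dropped file; the alert therefore cannot be triaged for intent on its own, and `level: medium` on every remote command will be noisy wherever ScreenConnect is an everyday tool. I would state that limitation in the description, e.g. `The command line only references a temporary script under %TEMP%\ScreenConnect\; the executed commands are inside that file, so collect it (file_event/EDR) to triage the alert.` Note also that `OriginalFileName` is not populated in 4688, so the second `selection_img` alternative is dead in this builtin variant and only the `\cmd.exe` file-name match is live.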
@@ -0,0 +1,37 @@
+title: Remote Access Tool - ScreenConnect Temporary File
+id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
+related:
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
+status: experimental
+description: 'Detects the creation of files in a specific location by ScreenConnect
+ RMM.
+
+ ScreenConnect has feature to remotely execute binaries on a target machine. These
+ binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\"
+ before execution.
+
+ '
+references:
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+ - sysmon
+logsource:
+ category: file_event
+ product: windows
+detection:
+ file_event:
+ EventID: 11
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Image|endswith: \ScreenConnect.WindowsClient.exe
+ TargetFilename|contains: \Documents\ConnectWiseControl\Temp\
+ condition: file_event and selection
+falsepositives:
+ - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_addinutil.yml b/sigma/sysmon/network_connection/net_connection_win_addinutil.yml
new file mode 100644
index 000000000..8b7f189a6
--- /dev/null
+++ b/sigma/sysmon/network_connection/net_connection_win_addinutil.yml
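Review bot: The path quoted in the description, `:\Users\\Documents\ConnectWiseControl\Temp\`, has lost its user-name component and reads as a stray double backslash; write it as `:\Users\<user>\Documents\ConnectWiseControl\Temp\` so the reader understands why `TargetFilename|contains` anchors only on the `\Documents\ConnectWiseControl\Temp\` suffix. Also `ScreenConnect has feature` should read `ScreenConnect has a feature`. On tagging, a binary dropped by the RMM client ahead of execution is T1105 Ingress Tool Transfer rather than T1059.003 Windows Command Shell; consider `- attack.command_and_control` and `- attack.t1105` in place of the current pair, keeping `attack.execution` only if the rule is meant to cover the subsequent launch, which this file_event rule does not observe.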
@@ -0,0 +1,28 @@
+title: Network Connection Initiated By AddinUtil.EXE
+id: 5205613d-2a63-4412-a895-3a2458b587b3
+status: experimental
+description: Detects network connections made by the Add-In deployment cache updating
+ utility (AddInutil.exe), which could indicate command and control communication.
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - sysmon
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ network_connection:
+ EventID: 3
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Initiated: 'true'
+ Image|endswith: \addinutil.exe
+ condition: network_connection and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
new file mode 100644
index 000000000..58937a8c9
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
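Review bot: The description says a network connection from AddInUtil "could indicate command and control communication", yet the tags carry only `attack.defense_evasion` / `attack.t1218`, so anyone routing or measuring coverage by tactic will never see this rule under C2; add `- attack.command_and_control` to the tag list. `Initiated: 'true'` is the right form for Sysmon Event 3 (the field is a string), but a short comment above it, `# outbound connections only`, would make the intent explicit for tuners who might otherwise drop the constraint.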
@@ -0,0 +1,57 @@
+title: Suspicious AddinUtil.EXE CommandLine Execution
+id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+ with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+ with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+ payload.
+
+ '
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike),
+ Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \addinutil.exe
+ - OriginalFileName: AddInUtil.exe
+ selection_susp_1_flags:
+ CommandLine|contains:
+ - '-AddInRoot:'
+ - '-PipelineRoot:'
+ selection_susp_1_paths:
+ CommandLine|contains:
+ - \AppData\Local\Temp\
+ - \Desktop\
+ - \Downloads\
+ - \Users\Public\
+ - \Windows\Temp\
+ selection_susp_2:
+ CommandLine|contains:
+ - -AddInRoot:.
+ - -AddInRoot:"."
+ - -PipelineRoot:.
+ - -PipelineRoot:"."
+ CurrentDirectory|contains:
+ - \AppData\Local\Temp\
+ - \Desktop\
+ - \Downloads\
+ - \Users\Public\
+ - \Windows\Temp\
+ condition: process_creation and (selection_img and (all of selection_susp_1_*
+ or selection_susp_2))
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
new file mode 100644
index 000000000..58f8c5c68
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
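Review bot: `selection_susp_1_flags` and `selection_susp_2` only recognise the `-AddInRoot:` / `-PipelineRoot:` spelling of the switches; if AddInUtil, like most .NET Framework command-line tools, also accepts the `/` prefix, an attacker typing `/AddInRoot:C:\Users\Public\x` sidesteps both selections while `selection_susp_1_paths` alone is not enough to fire. That is worth verifying against the binary and, if confirmed, adding `- '/AddInRoot:'` and `- '/PipelineRoot:'` to the flags list and the matching `/` forms of the `.` entries to `selection_susp_2`; if the `/` form is rejected by the tool, a comment saying so above the list would stop the question from being re-raised. Minor wording: `the adversaries Addins.Store` in the description should be `the adversary's Addins.Store`.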
@@ -0,0 +1,35 @@
+title: Uncommon Child Process Of AddinUtil.EXE
+id: b5746143-59d6-4603-8d06-acbd60e166ee
+status: experimental
+description: 'Detects uncommon child processes of the Add-In deployment cache updating
+ utility (AddInutil.exe) which could be a sign of potential abuse of the binary
+ to proxy execution via a custom Addins.Store payload.
+
+ '
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ ParentImage|endswith: \addinutil.exe
+ filter_main_werfault:
+ Image|endswith:
+ - :\Windows\System32\conhost.exe
+ - :\Windows\System32\werfault.exe
+ - :\Windows\SysWOW64\werfault.exe
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
new file mode 100644
index 000000000..a108c7b65
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
@@ -0,0 +1,42 @@
+title: Uncommon AddinUtil.EXE CommandLine Execution
+id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
+status: experimental
+description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+ with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe
+ with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store
+ payload.
+
+ '
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_img:
+ - Image|endswith: \addinutil.exe
+ - OriginalFileName: AddInUtil.exe
+ selection_cli:
+ CommandLine|contains:
+ - '-AddInRoot:'
+ - '-PipelineRoot:'
+ filter_main_addinroot:
+ CommandLine|contains:
+ - -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ - -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ - -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ - -PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
new file mode 100644
index 000000000..91aa6ec42
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
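Review bot: `filter_main_addinroot` is a plain `contains` over the whole command line, so an invocation that points `-AddInRoot:` at a staging directory can suppress this alert simply by also carrying a decoy `-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA"` argument, regardless of which of the two switches AddInUtil actually honours at runtime. If that trade-off is accepted it should be written down above the filter, e.g. `# NOTE: any command line containing the VSTA path is excluded, even if it also names a non-standard root`, so tuners understand the exclusion is string-based rather than per-switch. A tighter alternative is a `re` modifier that anchors each switch to the VSTA path, but that is only worth it once the tool's argument handling has been checked.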
@@ -0,0 +1,33 @@
+title: AddinUtil.EXE Execution From Uncommon Directory
+id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
+status: experimental
+description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe)
+ from a non-standard directory.
+references:
+ - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+date: 2023/09/18
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ - Image|endswith: \addinutil.exe
+ - OriginalFileName: AddInUtil.exe
+ filter_main_legit_location:
+ Image|contains:
+ - :\Windows\Microsoft.NET\Framework\
+ - :\Windows\Microsoft.NET\Framework64\
+ - :\Windows\WinSxS\
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml
new file mode 100644
index 000000000..79d887aa7
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml
@@ -0,0 +1,32 @@
+title: Remote Access Tool - ScreenConnect Remote Command Execution
+id: b1f73849-6329-4069-bc8f-78a604bb8b23
+status: experimental
+description: Detects the execution of a system command via the ScreenConnect RMM service.
+references:
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_parent:
+ ParentImage|endswith: \ScreenConnect.ClientService.exe
+ selection_img:
+ - Image|endswith: \cmd.exe
+ - OriginalFileName: Cmd.Exe
+ selection_cli:
+ CommandLine|contains: \TEMP\ScreenConnect\
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily
+ used.
+level: medium
+ruletype: Sigma
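Review bot: The falsepositives entry tells consumers to `Disable this rule if ScreenConnect is heavily used`, which discards the only process-level signal for remote command execution through this RMM in exactly the environments where an abused ScreenConnect instance would matter most. The workable guidance is to keep the rule and tune it: filter on the technician accounts or source hosts that are expected to run commands, or drop `level` to `low` and use the rule for correlation with the Application-log rules (076ebe48, 5d19eb78) already listed as `related`. I would reword it to `- Legitimate use of ScreenConnect by approved technicians. Tune on the executing user or host rather than disabling the rule.`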