Merge PR #4702 from @nasbench - Rule tuning and updates

fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter fix: Outbound RDP Connections Over Non-Standard Tools - Update filters fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic remove: Suspicious Non-Browser Network Communication With Reddit API update: BITS Transfer Job Download From File Sharing Domains - Add additional domains update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports update: HH.EXE Initiated HTTP Network Connection - Update list of ports update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports update: Network Connection Initiated To Mega.nz - Update domains update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports update: Office Application Initiated Network Connection To Non-Local IP - update list of filters update: Potential Dead Drop Resolvers - Update domains and filters update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains update: Suspicious File Download From File Sharing Websites - Add additional domains update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains update: Suspicious Remote AppX Package Locations - Add additional domains update: Unusual File Download From File Sharing Websites - Add additional domains
SigmaHQ · Feb 12, 2024 · 2acebc9 · 2acebc9
1 parent cf84dcd
commit 2acebc9
Show file tree

Hide file tree

Showing 53 changed files with 431 additions and 245 deletions.
diff --git a/...ion_win_reddit_api_non_browser_access.yml → ...ion_win_reddit_api_non_browser_access.yml b/...ion_win_reddit_api_non_browser_access.yml → ...ion_win_reddit_api_non_browser_access.yml
@@ -1,14 +1,14 @@
 title: Suspicious Non-Browser Network Communication With Reddit API
 id: d7b09985-95a3-44be-8450-b6eadf49833e
-status: experimental
+status: deprecated # In favour of 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
 description: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2
 references:
     - https://github.com/kleiton0x00/RedditC2
     - https://twitter.com/kleiton0x7e/status/1600567316810551296
     - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Gavin Knapp
 date: 2023/02/16
-modified: 2023/04/18
+modified: 2024/02/02
 tags:
     - attack.command_and_control
     - attack.t1102

diff --git a/...et_connection_win_dfsvc_suspicious_ip.yml → ...net_connection_win_dfsvc_non_local_ip.yml b/...et_connection_win_dfsvc_suspicious_ip.yml → ...net_connection_win_dfsvc_non_local_ip.yml
diff --git a/...t_connection_win_dfsvc_uncommon_ports.yml → ...t_connection_win_dfsvc_uncommon_ports.yml b/...t_connection_win_dfsvc_uncommon_ports.yml → ...t_connection_win_dfsvc_uncommon_ports.yml
@@ -1,11 +1,12 @@
-title: Dfsvc.EXE Network Connection To Uncommon Ports
+title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port
 id: 4c5fba4a-9ef6-4f16-823d-606246054741
 status: experimental
-description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to uncommon ports
+description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
 references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/12
+modified: 2024/01/31
 tags:
     - attack.execution
     - attack.t1203
@@ -14,14 +15,18 @@ logsource:
     product: windows
 detection:
     selection:
+        Image|contains: ':\Windows\Microsoft.NET\'
         Image|endswith: '\dfsvc.exe'
         Initiated: 'true'
     filter_main_known_ports:
         DestinationPort:
             - 80
             - 443
-            - 445
-    condition: selection and not 1 of filter_main_*
+    filter_optional_dns_ipv6:
+        # Based on VT. More than 140 binaries made communication over DNS
+        DestinationIsIpv6: 'true'
+        DestinationPort: 53
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
-level: medium
+level: high
diff --git a/...work_connection/net_connection_win_hh.yml → ...net_connection_win_hh_http_connection.yml b/...work_connection/net_connection_win_hh.yml → ...net_connection_win_hh_http_connection.yml
@@ -1,10 +1,11 @@
-title: HH.EXE Network Connections
+title: HH.EXE Initiated HTTP Network Connection
 id: 468a8cea-2920-4909-a593-0cbe1d96674a
 related:
     - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
       type: derived
 status: test
-description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files
+description: |
+    Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
 references:
     - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
     - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
@@ -13,6 +14,7 @@ date: 2022/10/05
 tags:
     - attack.defense_evasion
     - attack.t1218.001
+    - detection.threat_hunting
 logsource:
     category: network_connection
     product: windows
@@ -23,9 +25,7 @@ detection:
         DestinationPort:
             - 80
             - 443
-            - 135
-            - 445
     condition: selection
 falsepositives:
-    - Unknown
+    - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
 level: medium
diff --git a/...ion_win_powershell_network_connection.yml → ...ion_win_powershell_network_connection.yml b/...ion_win_powershell_network_connection.yml → ...ion_win_powershell_network_connection.yml
@@ -1,7 +1,10 @@
-title: PowerShell Initiated Network Connection
+title: Network Connection Initiated By PowerShell Process
 id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
-description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems.
+description: |
+    Detects a network connection that was initiated from a PowerShell process.
+    Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
+    Use this rule as a basis for hunting for anomalies.
 references:
     - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 author: Florian Roth (Nextron Systems)
@@ -10,6 +13,7 @@ modified: 2023/09/07
 tags:
     - attack.execution
     - attack.t1059.001
+    - detection.threat_hunting
 logsource:
     category: network_connection
     product: windows

diff --git a/.../proc_creation_win_net_susp_execution.yml → ...ation/proc_creation_win_net_execution.yml b/.../proc_creation_win_net_susp_execution.yml → ...ation/proc_creation_win_net_execution.yml
@@ -1,7 +1,7 @@
-title: Net.exe Execution
+title: Net.EXE Execution
 id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
 status: test
-description: Detects execution of Net.exe, whether suspicious or benign.
+description: Detects execution of "Net.EXE".
 references:
     - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
     - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
@@ -25,6 +25,7 @@ tags:
     - attack.lateral_movement
     - attack.t1021.002
     - attack.s0039
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -38,20 +39,15 @@ detection:
               - 'net1.exe'
     selection_cli:
         CommandLine|contains:
+            - ' accounts'
             - ' group'
             - ' localgroup'
-            - ' user'
-            - ' view'
             - ' share'
-            - ' accounts'
-            - ' stop '
             - ' start'
+            - ' stop '
+            - ' user'
+            - ' view'
     condition: all of selection_*
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
-    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
+    - Likely
 level: low
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -9,7 +9,7 @@ references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
     - attack.defense_evasion
 logsource:
@@ -26,10 +26,12 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
             - 'mediafire.com'
             - 'mega.nz'
+            - 'onrender.com'
             - 'paste.ee'
             - 'pastebin.com'
             - 'pastebin.pl'
@@ -40,6 +42,7 @@ detection:
             - 'sendspace.com'
             - 'storage.googleapis.com'
             - 'storjshare.io'
+            - 'supabase.co'
             - 'temp.sh'
             - 'transfer.sh'
             - 'ufile.io'

diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -6,9 +6,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
     - https://twitter.com/malmoeb/status/1535142803075960832
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/06/28
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -27,10 +28,12 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
             - 'mediafire.com'
             - 'mega.nz'
+            - 'onrender.com'
             - 'paste.ee'
             - 'pastebin.com'
             - 'pastebin.pl'
@@ -41,6 +44,7 @@ detection:
             - 'sendspace.com'
             - 'storage.googleapis.com'
             - 'storjshare.io'
+            - 'supabase.co'
             - 'temp.sh'
             - 'transfer.sh'
             - 'ufile.io'

diff --git a/...ws/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/...ws/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -9,9 +9,10 @@ references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
     - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
     - attack.defense_evasion
     - attack.s0139
@@ -29,10 +30,12 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
             - 'mediafire.com'
             - 'mega.nz'
+            - 'onrender.com'
             - 'paste.ee'
             - 'pastebin.com'
             - 'pastebin.pl'
@@ -43,6 +46,7 @@ detection:
             - 'sendspace.com'
             - 'storage.googleapis.com'
             - 'storjshare.io'
+            - 'supabase.co'
             - 'temp.sh'
             - 'transfer.sh'
             - 'ufile.io'

diff --git a/...create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/...create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -8,9 +8,10 @@ description: Detects the download of suspicious file type from a well-known file
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
     - attack.defense_evasion
     - attack.s0139
@@ -28,10 +29,12 @@ detection:
             - 'ddns.net'
             - 'dl.dropboxusercontent.com'
             - 'ghostbin.co'
+            - 'glitch.me'
             - 'gofile.io'
             - 'hastebin.com'
             - 'mediafire.com'
             - 'mega.nz'
+            - 'onrender.com'
             - 'paste.ee'
             - 'pastebin.com'
             - 'pastebin.pl'
@@ -42,6 +45,7 @@ detection:
             - 'sendspace.com'
             - 'storage.googleapis.com'
             - 'storjshare.io'
+            - 'supabase.co'
             - 'temp.sh'
             - 'transfer.sh'
             - 'ufile.io'

diff --git a/rules/windows/network_connection/net_connection_win_addinutil.yml b/rules/windows/network_connection/net_connection_win_addinutil.yml
@@ -1,7 +1,9 @@
 title: Network Connection Initiated By AddinUtil.EXE
 id: 5205613d-2a63-4412-a895-3a2458b587b3
 status: experimental
-description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control communication.
+description: |
+    Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
+    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
 references:
     - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)

diff --git a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
@@ -2,7 +2,7 @@ title: Connection Initiated Via Certutil.EXE
 id: 0dba975d-a193-4ed1-a067-424df57570d1
 status: test
 description: |
-    Detects a network connection initiated by the certutil.exe tool.
+    Detects a network connection initiated by the certutil.exe utility.
     Attackers can abuse the utility in order to download malware or additional payloads.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

diff --git a/...onnection_win_dllhost_net_connections.yml → ...t_connection_win_dllhost_non_local_ip.yml b/...onnection_win_dllhost_net_connections.yml → ...t_connection_win_dllhost_non_local_ip.yml
@@ -1,13 +1,16 @@
-title: Dllhost Internet Connection
+title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
 id: cfed2f44-16df-4bf3-833a-79405198b277
 status: test
-description: Detects Dllhost that communicates with public IP addresses
+description: |
+    Detects dllhost initiating a network connection to a non-local IP address.
+    Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
+    An initial baseline is recommended before deployment.
 references:
     - https://redcanary.com/blog/child-processes/
     - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: bartblaze
 date: 2020/07/13
-modified: 2023/01/20
+modified: 2024/01/31
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -20,7 +23,7 @@ detection:
     selection:
         Image|endswith: '\dllhost.exe'
         Initiated: 'true'
-    filter_ipv4:
+    filter_main_ipv4:
         DestinationIp|startswith:
             - '10.'
             - '192.168.'
@@ -42,16 +45,15 @@ detection:
             - '172.31.'
             - '169.254.'  # link-local address
             - '127.'  # loopback address
-    filter_ipv6:
+    filter_main_ipv6:
         DestinationIp|startswith:
             - '::1'  # IPv6 loopback variant
             - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
             - 'fe80:'  # link-local address
             - 'fc'  # private address range fc00::/7
             - 'fd'  # private address range fc00::/7
-    filter_msrange:
+    filter_main_msrange:
         DestinationIp|startswith:
-            # Subnet: 20.184.0.0/13
             - '20.184.'
             - '20.185.'
             - '20.186.'
@@ -60,14 +62,15 @@ detection:
             - '20.189.'
             - '20.190.'
             - '20.191.'
+            - '20.223.'
             - '23.79.'
             - '51.10.'
-            # Subnet: 51.103.210.0/23
             - '51.103.'
             - '51.104.'
             - '51.105.'
             - '52.239.'
-    condition: selection and not 1 of filter_*
+            - '204.79.197'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Communication to other corporate systems that use IP addresses from public address spaces
 level: medium
diff --git a/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
@@ -0,0 +1,28 @@
+title: Network Connection Initiated To Mega.nz
+id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
+status: test
+description: |
+    Detects a network connection initiated by a binary to "api.mega.co.nz".
+    Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
+references:
+    - https://megatools.megous.com/
+    - https://www.mandiant.com/resources/russian-targeting-gov-business
+author: Florian Roth (Nextron Systems)
+date: 2021/12/06
+modified: 2024/02/01
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith:
+            - 'mega.co.nz'
+            - 'mega.nz'
+    condition: selection
+falsepositives:
+    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
+level: medium