Merge PR #4503 from @nasbench - Multiple Updates & Fixes

fix: Suspicious Sysmon as Execution Parent - Typo and restructure update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection update: Antivirus Relevant File Paths Alerts update: Dump Ntds.dit To Suspicious Location update: MSI Installation From Suspicious Locations update: PowerShell Profile Modification - Reduce rule level to medium update: Obfuscated IP Download Activity --------- Co-authored-by: frack113 <[email protected]>
SigmaHQ · Oct 28, 2023 · 52e3911 · 52e3911
1 parent fe3b8c4
commit 52e3911
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 47 deletions.
diff --git a/...us/av_printernightmare_cve_2021_34527.yml → ...75/av_printernightmare_cve_2021_34527.yml b/...us/av_printernightmare_cve_2021_34527.yml → ...75/av_printernightmare_cve_2021_34527.yml
@@ -8,22 +8,18 @@ references:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 author: Sittikorn S, Nuttakorn T, Tim Shelton
 date: 2021/07/01
-modified: 2022/03/22
+modified: 2023/10/23
 tags:
     - attack.privilege_escalation
     - attack.t1055
 logsource:
     category: antivirus
 detection:
     selection:
-        Filename|contains: 'C:\Windows\System32\spool\drivers\x64\'
+        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
     keywords:
         - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
     condition: selection and not keywords
-fields:
-    - Signature
-    - Filename
-    - ComputerName
 falsepositives:
     - Unlikely, or pending PSP analysis
 level: critical
diff --git a/...eats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/...eats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -8,7 +8,7 @@ references:
     - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2023/10/18
+modified: 2023/10/23
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -23,15 +23,15 @@ detection:
             - '\Sysmon.exe'
             - '\Sysmon64.exe'
     filter_main_generic:
-        - Image:
-              - 'C:\Windows\Sysmon.exe'
-              - 'C:\Windows\Sysmon64.exe'
-              - 'C:\Windows\System32\conhost.exe'
-              - 'wevtutil.exe'
-              - 'C:\WINDOWS\system32\wevtutil.exe'
-              - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
-              - 'C:\Windows\System32\WerFaultSecure.ex' # When Sysmon crashes
-        - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
+        Image|contains:
+            - ':\Windows\Sysmon.exe'
+            - ':\Windows\Sysmon64.exe'
+            - ':\Windows\System32\conhost.exe'
+            - ':\Windows\System32\WerFault.exe' # When Sysmon crashes
+            - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
+            - ':\Windows\System32\wevtutil.exe'
+            - ':\Windows\SysWOW64\wevtutil.exe'
+            - '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
     filter_main_null:
         Image: null
     condition: selection and not 1 of filter_main_*

diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
@@ -6,7 +6,7 @@ references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018/09/09
-modified: 2023/05/19
+modified: 2023/10/23
 tags:
     - attack.resource_development
     - attack.t1588
@@ -16,11 +16,11 @@ detection:
     selection_path:
         Filename|contains:
             # could be startswith, if there is a better backend handling
-            - 'C:\Windows\'
-            - 'C:\Temp\'
-            - 'C:\PerfLogs\'
-            - 'C:\Users\Public\'
-            - 'C:\Users\Default\'
+            - ':\Windows\'
+            - ':\Temp\'
+            - ':\PerfLogs\'
+            - ':\Users\Public\'
+            - ':\Users\Default\'
             # true 'contains' matches:
             - '\Client\'
             - '\tsclient\'

diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
@@ -7,6 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
+modified: 2023/10/23
 tags:
     - attack.execution
 logsource:
@@ -21,13 +22,13 @@ detection:
     selection_paths:
         Data|contains:
             # Add more locations that you don't use in your env or that are just suspicious
-            - '\Users\Public\'
-            - '\Perflogs\'
-            - '\Temp\'
+            - ':\ntds.dit'
             - '\Appdata\'
             - '\Desktop\'
             - '\Downloads\'
-            - 'C:\ntds.dit'
+            - '\Perflogs\'
+            - '\Temp\'
+            - '\Users\Public\'
     condition: all of selection_*
 falsepositives:
     - Legitimate backup operation/creating shadow copies

diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -6,7 +6,7 @@ references:
     - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/31
-modified: 2022/10/18
+modified: 2023/10/23
 tags:
     - attack.execution
 logsource:
@@ -21,18 +21,18 @@ detection:
             - 1042
         Data|contains:
             # Add more suspicious paths
-            - '\Users\Public\'
-            - '\PerfLogs\'
+            - ':\Windows\TEMP\'
+            - '\\\\'
             - '\Desktop\'
-            # - '\Downloads\'  # too many FPs, typical legitimate staging directory
+            - '\PerfLogs\'
+            - '\Users\Public\'
             # - '\AppData\Local\Temp\'  # too many FPs
-            - 'C:\Windows\TEMP\'
-            - '\\\\'
+            # - '\Downloads\'  # too many FPs, typical legitimate staging directory
     filter_winget:
         Data|contains: '\AppData\Local\Temp\WinGet\'
     filter_updhealthtools:
         Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
     condition: selection and not 1 of filter_*
 falsepositives:
-    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares
+    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -7,7 +7,7 @@ references:
     - https://persistence-info.github.io/Data/powershellprofile.html
 author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/24
-modified: 2023/10/18
+modified: 2023/10/23
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -27,4 +27,4 @@ detection:
     condition: selection
 falsepositives:
     - System administrator creating Powershell profile manually
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -1,35 +1,49 @@
-title: Obfuscated IP Download
+title: Obfuscated IP Download Activity
 id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
 status: test
 description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
 references:
     - https://h.43z.one/ipconverter/
     - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
-author: Florian Roth (Nextron Systems)
+    - https://twitter.com/fr0s7_/status/1712780207105404948
+author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/08/03
+modified: 2023/10/24
 tags:
     - attack.discovery
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_img:
+    selection_command:
         CommandLine|contains:
             - 'Invoke-WebRequest'
             - 'iwr '
             - 'wget '
             - 'curl '
             - 'DownloadFile'
             - 'DownloadString'
-    selection_ip:
-        - CommandLine|contains:
-              - '//0x'
-              - '.0x'
-              - '.00x'
-        - CommandLine|contains|all:
-              - 'http://%'
-              - '%2e'
-    condition: all of selection*
+    selection_ip_1:
+        CommandLine|contains:
+            - '//0x'
+            - '.0x'
+            - '.00x'
+    selection_ip_2:
+        CommandLine|contains|all:
+            - 'http://%'
+            - '%2e'
+    selection_ip_3:
+        # http://81.4.31754
+        - CommandLine|re: 'https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,5}(?!.)'
+        # http://81.293898
+        - CommandLine|re: 'https?:\/\/[0-9]{1,3}\.[0-9]{1,8}(?!.)'
+        # http://1359248394
+        - CommandLine|re: 'https?:\/\/[0-9]{1,10}(?!.)'
+        # http://0121.04.0174.012
+        - CommandLine|re: 'https?:\/\/(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
+        # http://012101076012
+        - CommandLine|re: 'https?:\/\/0[0-9]{1,11}(?!.)'
+    condition: selection_command and 1 of selection_ip_*
 falsepositives:
     - Unknown
 level: medium