Merge PR #4505 from @nasbench - Add New Rules Related to Onyx & Dimao…

…nd Sleet APT Exploitation Activity fix: Potential System DLL Sideloading From Non System Locations new: Diamond Sleet APT DNS Communication Indicators new: Diamond Sleet APT File Creation Indicators new: Diamond Sleet APT DLL Sideloading Indicators new: Diamond Sleet APT Process Activity Indicators new: Diamond Sleet APT Scheduled Task Creation - Registry new: Diamond Sleet APT Scheduled Task Creation new: Onyx Sleet APT File Creation Indicators
SigmaHQ · Oct 28, 2023 · fe3b8c4 · fe3b8c4
1 parent 9f1d772
commit fe3b8c4
Show file tree

Hide file tree

Showing 11 changed files with 218 additions and 1 deletion.
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md
@@ -13,3 +13,14 @@ You can find more information on the threat in the following articles:
 - [Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise - By Nextron Systems](https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/)
 - [Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack - By Kaspersky](https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/)
 - [Elastic users protected from SUDDENICON’s supply chain attack - By Elastic](https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack)
+
+## Rules
+
+- [Potential Compromised 3CXDesktopApp Beaconing Activity - DNS](./dns_query_win_malware_3cx_compromise.yml)
+- [Malicious DLL Load By Compromised 3CXDesktopApp](./image_load_malware_3cx_compromise_susp_dll.yml)
+- [Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon](./net_connection_win_malware_3cx_compromise_beaconing_activity.yml)
+- [Potential Compromised 3CXDesktopApp Execution](./proc_creation_win_malware_3cx_compromise_execution.yml)
+- [Potential Suspicious Child Process Of 3CXDesktopApp](./proc_creation_win_malware_3cx_compromise_susp_children.yml)
+- [Potential Compromised 3CXDesktopApp Update Activity](./proc_creation_win_malware_3cx_compromise_susp_update.yml)
+- [Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy](./proxy_malware_3cx_compromise_c2_beacon_activity.yml)
+- [Potential Compromised 3CXDesktopApp ICO C2 File Download](./proxy_malware_3cx_compromise_susp_ico_requests.yml)
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/README.md b/rules-emerging-threats/2023/TA/Diamond-Sleet/README.md
@@ -0,0 +1,18 @@
+# Diamond Sleet APT
+
+## Summary
+
+Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world.
+
+You can find more information on the threat in the following articles:
+
+- [Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability](https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)
+
+## Rules
+
+- [Diamond Sleet APT DNS Communication Indicators](./dns_query_win_apt_diamond_steel_indicators.yml)
+- [Diamond Sleet APT File Creation Indicators](./file_event_win_apt_diamond_sleet_indicators.yml)
+- [Diamond Sleet APT DLL Sideloading Indicators](./image_load_apt_diamond_sleet_side_load.yml)
+- [Diamond Sleet APT Process Activity Indicators](./proc_creation_win_apt_diamond_sleet_indicators.yml)
+- [Diamond Sleet APT Scheduled Task Creation - Registry](./registry_event_apt_diamond_sleet_scheduled_task.yml)
+- [Diamond Sleet APT Scheduled Task Creation](./win_security_apt_diamond_sleet_scheduled_task.yml)
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
@@ -0,0 +1,25 @@
+title: Diamond Sleet APT DNS Communication Indicators
+id: fba38e0f-4607-4344-bb8f-a4b50cdeef7f
+status: experimental
+description: Detects DNS queries related to Diamond Sleet APT activity
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.command_and_control
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection:
+        QueryName|contains:
+            - '3dkit.org'
+            - 'dersmarketim.com'
+            - 'galerielamy.com'
+            - 'olidhealth.com'
+    condition: selection
+falsepositives:
+    - Might generate some false positive if triggered by a user during investigation for example.
+level: high
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
@@ -0,0 +1,28 @@
+title: Diamond Sleet APT File Creation Indicators
+id: e1212b32-55ff-4dfb-a595-62b572248056
+status: experimental
+description: Detects file creation activity that is related to Diamond Sleet APT activity
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.execution
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith:
+            - ':\ProgramData\4800-84DC-063A6A41C5C'
+            - ':\ProgramData\clip.exe'
+            - ':\ProgramData\DSROLE.dll'
+            - ':\ProgramData\Forest64.exe'
+            - ':\ProgramData\readme.md'
+            - ':\ProgramData\Version.dll'
+            - ':\ProgramData\wsmprovhost.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
@@ -0,0 +1,26 @@
+title: Diamond Sleet APT DLL Sideloading Indicators
+id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
+status: experimental
+description: Detects DLL sideloading activity seen used by Diamond Sleet APT
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.defense_evasion
+    - attack.t1574.002
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: image_load
+detection:
+    selection_1:
+        Image|endswith: ':\ProgramData\clip.exe'
+        ImageLoaded|endswith: ':\ProgramData\Version.dll'
+    selection_2:
+        Image|endswith: ':\ProgramData\wsmprovhost.exe'
+        ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/...emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/...emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
@@ -0,0 +1,21 @@
+title: Diamond Sleet APT Process Activity Indicators
+id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
+status: experimental
+description: Detects process creation activity indicators related to Diamond Sleet APT
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.execution
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: ' uTYNkfKxHiZrx3KJ'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/...merging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/...merging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -0,0 +1,25 @@
+title: Diamond Sleet APT Scheduled Task Creation - Registry
+id: 9f9f92ba-5300-43a4-b435-87d1ee571688
+status: experimental
+description: |
+    Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.defense_evasion
+    - attack.t1562
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains|all:
+            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
+            - 'Windows TeamCity Settings User Interface'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/...-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/...-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
@@ -0,0 +1,28 @@
+title: Diamond Sleet APT Scheduled Task Creation
+id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
+status: experimental
+description: |
+    Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053.005
+    - detection.emerging_threats
+logsource:
+    product: windows
+    service: security
+    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+    selection:
+        EventID: 4698
+        TaskName: '\Windows TeamCity Settings User Interface'
+        TaskContent|contains: 'uTYNkfKxHiZrx3KJ'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/README.md b/rules-emerging-threats/2023/TA/Onyx-Sleet/README.md
@@ -0,0 +1,11 @@
+# Onyx Sleet APT
+
+## Summary
+
+Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India.
+
+- [Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability](https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)
+
+## Rules
+
+- [Onyx Sleet APT File Creation Indicators](./file_event_win_apt_onyx_sleet_indicators.yml)
diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
@@ -0,0 +1,21 @@
+title: Onyx Sleet APT File Creation Indicators
+id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
+status: experimental
+description: Detects file creation activity that is related to Onyx Sleet APT activity
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+    - attack.execution
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/05/16
+modified: 2023/10/24
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -449,6 +449,9 @@ detection:
             - 'C:\Windows\SoftwareDistribution\'
             - 'C:\Windows\SystemTemp\'
             - 'C:\$WINDOWS.~BT\'
+    filter_main_defender:
+        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
+        Image|endswith: '\version.dll'
     filter_optional_office_appvpolicy:
         Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
         ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'