Update WMIC Discovery Rule + New System Discovery Rules For MacOS #4615
Conversation
File and Directory Discovery title modified with suffix
UAC Bypass via Event Viewer title modified
Titles modified
Update title
Hey @jstnk9, thanks for this update. A little bit of history regarding this rule. As discussed here, here and here, the strict order was known to produce blind spots but was used in fear of FPs, as while this is used for recon, it wasn't going to warrant a medium if used in a non-strict manner (without correlation at least). What I suggest, since you found this in-the-wild abuse, is to keep your update as a low version of the rule and keep the old one with other variations that are more common, now that we have a little bit more data. As a side note, in Sigma we assume the backend is case insensitive, so a

```yaml
CommandLine|contains:
    - Example1
    - Example2
    - Example3
```

... would do the trick. I will apply the update and you can check it out for additional comments, or if you have feedback on this please let me know.
Thank you @nasbench for your comments! I will add the variation to the Sigma rule that was already created. On the other hand, I think that I have accidentally added three Sigma rules for macOS in this same pull request; I wanted to do it in a different one, but everything went the same way xDD
No worries man. Thanks for the updates, I'll check them in a bit.
Let me know if you need any specific examples or samples. I have tried to be as descriptive as possible and add samples in the references that have the described behaviors :)
Thanks once again for the submission @jstnk9. Made a couple of changes that I'll explain below.
Cheers
Everything looks good to me man. Appreciate your time reviewing it. I have extra rules that I'll send in the next days/weeks. Have a nice day dude!
Summary of the Pull Request
I have been doing some research through VT corpus identifying WMIC executions. I have identified that this rule is not working correctly on some occasions due to the use of upper or lower case on the command line and the order of the attributes :)
I haven't worked much with the "re" module. Please, if you think it is not necessary to do so, no problem, but I think that something similar even without using "re" could be interesting.
See this example: https://www.virustotal.com/gui/file/2de5f5fd4fc61f049f1227b65fd17b5fd480b79d3e55aec8c790717b39dd17a7/behavior
I have the following command line:
That command wasn't identified because the logic of the rule includes the following:
In this case, it is looking for a specific set of attributes in sequence: `Caption,OSArchitecture,Version`. Sometimes threat actors just want to discover `version`, for example.
Also added new macOS rules related to potential information discovery using utilities such as `sw_vers` and `ioreg`, as well as a generic rule for detecting base64-encoded content inside of images being decoded on the fly.
Changelog
new: System Information Discovery Using Ioreg
new: System Information Discovery Using sw_vers
new: Potential Base64 Decoded From Images
new: System Information Discovery Via Wmic.EXE
update: Uncommon System Information Discovery Via Wmic.EXE - Updated logic to focus on more specific WMIC query sequence to increase the level and added a related rule to cover the missing gaps in d85ecdd7-b855-4e6e-af59-d9c78b5b861e
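To make the two points above concrete (the reviewer's note that a `CommandLine|contains` list is OR-ed and matched case-insensitively, and the summary's observation that a single ordered attribute string misses `version`-only or reordered queries), here is an added example in Python. It is not code from this PR or from the Sigma repository: it implements a minimal evaluator for the `contains`, `contains|all` and `endswith` field modifiers and runs a hypothetical "strict" and a hypothetical "loose" selection over constructed process-creation events. The selections, the `Image` path and the command lines are assumptions for illustration and do not reproduce the repository's actual rule content.

```python
# Added example, not code from the PR or from the Sigma project: a minimal
# evaluator for Sigma's ``contains``/``contains|all``/``endswith`` field
# modifiers, used to show why a single ordered value such as
# "Caption,OSArchitecture,Version" leaves blind spots while a case-insensitive
# list of values does not. Rule bodies and events are constructed for
# illustration and do not reproduce the repository's actual rule content.
from typing import Dict, List, Union

Selection = Dict[str, Union[str, List[str]]]


def _field_matches(value: str, modifiers: List[str], patterns: List[str]) -> bool:
    """Apply one Sigma field key (e.g. 'CommandLine|contains|all') to a value.

    Sigma semantics assumed here: matching is case-insensitive (the backend is
    expected to handle that), a list of values is OR-ed, and the '|all'
    modifier turns that OR into an AND.
    """
    haystack = value.lower()
    needles = [p.lower() for p in patterns]
    if "contains" in modifiers:
        hits = [n in haystack for n in needles]
    elif "endswith" in modifiers:
        hits = [haystack.endswith(n) for n in needles]
    elif "startswith" in modifiers:
        hits = [haystack.startswith(n) for n in needles]
    else:  # no modifier: exact (case-insensitive) equality
        hits = [haystack == n for n in needles]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(selection: Selection, event: Dict[str, str]) -> bool:
    """All keys of a Sigma selection map are AND-ed together."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not _field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


# Hypothetical "strict" selection in the style the PR summary describes: one
# ordered attribute string, so any other order or subset of attributes is missed.
STRICT_SELECTION: Selection = {
    "Image|endswith": "\\wmic.exe",
    "CommandLine|contains": "os get Caption,OSArchitecture,Version",
}

# Hypothetical loosened selection in the spirit of the PR: require the OS class
# query (" os " with spaces so "OSArchitecture" alone does not satisfy it),
# then OR over the individual attributes regardless of order or case.
LOOSE_SELECTION: Selection = {
    "Image|endswith": "\\wmic.exe",
    "CommandLine|contains|all": [" os ", "get"],
    "CommandLine|contains": ["Caption", "OSArchitecture", "Version"],
}

# Constructed process-creation events (not real telemetry).
WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
SAMPLE_EVENTS = [
    {"Image": WMIC, "CommandLine": "wmic os get Caption,OSArchitecture,Version"},
    {"Image": WMIC, "CommandLine": "WMIC OS GET version"},
    {"Image": WMIC, "CommandLine": "wmic os get Version,Caption"},
    {"Image": WMIC, "CommandLine": "wmic product get name,version"},
]


def matching_command_lines(selection: Selection, events=SAMPLE_EVENTS) -> List[str]:
    """Return the CommandLine of every event the selection fires on."""
    return [e["CommandLine"] for e in events if selection_matches(selection, e)]


if __name__ == "__main__":
    for name, sel in (("strict", STRICT_SELECTION), ("loose", LOOSE_SELECTION)):
        print(f"{name}: {matching_command_lines(sel)}")
```

The strict selection fires only on the exact ordered string, while the loose one also catches the upper-case and reordered variants and the `version`-only query, without firing on the `product` class query. The wider reach is exactly why the reviewer suggests shipping the loosened logic as a separate lower-level rule rather than replacing the stricter, higher-level one.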