SigmaHQ · nasbench · Dec 21, 2023 · Nov 18, 2022 · Nov 18, 2022 · Nov 21, 2022
diff --git a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
@@ -0,0 +1,41 @@
+title: System Information Discovery Using ioreg
+id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
+status: experimental
+description: |
+    Detects the use of "ioreg" which will show I/O Kit registry information.
+    This process is used for system information discovery.
+    We saw ITW the call of this process directly or using bash to call in the same line grep looking for specific strings
+references:
+    - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
+    - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
+    - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/12/20
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    # Examples:
+    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
+    #   /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
+    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
+    selection_img:
+        - Image|endswith: '/ioreg'
+        - CommandLine|contains|all:
+              - 'ioreg'
+              - '-l'
+    selection_cmd:
+        CommandLine|contains:
+            - 'AppleAHCIDiskDriver'
+            - 'Oracle'
+            - 'Parallels'
+            - 'USB Vendor Name'
+            - 'VirtualBox'
+            - 'VMware'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administration activities
+level: medium
diff --git a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
@@ -0,0 +1,28 @@
+title: System Information Discovery Using sw_vers
+id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
+status: experimental
+description: Detects the use of "sw_vers" for system information discovery
+references:
+    - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
+    - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/12/20
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    # VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
+    selection_image:
+        Image|endswith: '/sw_vers'
+    selection_options:
+        CommandLine|contains:
+            - '-buildVersion'
+            - '-productName'
+            - '-productVersion'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administration activities
+level: medium
diff --git a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
@@ -0,0 +1,46 @@
+title: Potential Base64 Decoded From Images
+id: 09a910bf-f71f-4737-9c40-88880ba5913d
+status: experimental
+description: |
+    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the content. This execution is one-line execution through bash
+references:
+    - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
+    - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/12/20
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    # Example:  /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
+    # VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
+    selection_image:
+        Image|endswith: '/bash'
+    selection_view:
+        CommandLine|contains|all:
+            - 'tail'
+            - '-c'
+    selection_b64:
+        CommandLine|contains|all:
+            - 'base64'
+            - '-d' # Also covers "--decode"
+            - '>'
+    selection_files:
+        CommandLine|contains:
+            - '.avif'
+            - '.gif'
+            - '.jfif'
+            - '.jpeg'
+            - '.jpg'
+            - '.pjp'
+            - '.pjpeg'
+            - '.png'
+            - '.svg'
+            - '.webp'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
@@ -0,0 +1,62 @@
+title: System Information Discovery Via Wmic.EXE
+id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
+related:
+    - id: 9d5a1274-922a-49d0-87f3-8c653483b909
+      type: derived
+status: experimental
+description: |
+    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+    including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
+    and GPU driver products/versions.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
+    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
+    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
+    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
+    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
+    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2023/12/19
+tags:
+    - attack.discovery
+    - attack.t1082
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_wmic:
+        - Description: 'WMI Commandline Utility'
+        - OriginalFileName: 'wmic.exe'
+        - Image|endswith: '\WMIC.exe'
+    selection_get:
+        CommandLine|contains: 'get'
+    selection_classes:
+        CommandLine|contains:
+            - 'baseboard'
+            - 'bios'
+            - 'cpu'
+            - 'diskdrive'
+            - 'logicaldisk'
+            - 'memphysical'
+            - 'os'
+            - 'path'
+            - 'startup'
+            - 'win32_videocontroller'
+    selection_attributes:
+        CommandLine|contains:
+            - 'caption'
+            - 'command'
+            - 'driverversion'
+            - 'maxcapacity'
+            - 'name'
+            - 'osarchitecture'
+            - 'product'
+            - 'size'
+            - 'smbiosbiosversion'
+            - 'version'
+            - 'videomodedescription'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+# Note: Might be upgraded to medium after some time
+level: low
diff --git a/..._win_wmic_recon_system_info_discovery.yml → ...n_win_wmic_recon_system_info_uncommon.yml b/..._win_wmic_recon_system_info_discovery.yml → ...n_win_wmic_recon_system_info_uncommon.yml
@@ -1,5 +1,8 @@
-title: Potential System Information Discovery Via Wmic.EXE
+title: Uncommon System Information Discovery Via Wmic.EXE
 id: 9d5a1274-922a-49d0-87f3-8c653483b909
+related:
+    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
+      type: derived
 status: experimental
 description: |
     Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
@@ -12,9 +15,10 @@ references:
     - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
     - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
     - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
+    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: TropChaud
 date: 2023/01/26
-modified: 2023/05/05
+modified: 2023/12/19
 tags:
     - attack.discovery
     - attack.t1082
@@ -28,17 +32,8 @@ detection:
         - Image|endswith: '\WMIC.exe'
     selection_commands:
         CommandLine|contains:
-            - 'baseboard get product'
-            - 'baseboard get version'
-            - 'bios get SMBIOSBIOSVersion'
-            - 'cpu get name'
-            - 'DISKDRIVE get Caption'
             - 'LOGICALDISK get Name,Size,FreeSpace'
-            - 'MEMPHYSICAL get MaxCapacity'
-            - 'OS get Caption,OSArchitecture,Version'
-            - 'path win32_VideoController get DriverVersion'
-            - 'path win32_VideoController get name'
-            - 'path win32_VideoController get VideoModeDescription'
+            - 'os get Caption,OSArchitecture,Version'
     condition: all of selection_*
 falsepositives:
     - Unknown