Merge PR SigmaHQ#4954 from @omaramin17 - Update multiple rules with additional sharing domains

update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`

--------- 

Co-authored-by: nasbench <[email protected]>
omaramin17 and nasbench authored Aug 23, 2024
1 parent 17d1977 commit 9b3c363
Showing 12 changed files with 74 additions and 41 deletions.
Original file line number Diff line number Diff line change
@@ -1,15 +1,16 @@
title: Suspicious Remote AppX Package Locations
id: 8b48ad89-10d8-4382-a546-50588c410f0d
status: experimental
description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
description: |
Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2024-02-09
modified: 2024-08-22
tags:
- attack.defense-evasion
logsource:
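Review bot: `status: experimental` is left untouched on a rule dated 2023-01-11 that is now on its second revision this year (`modified: 2024-08-22`); if it has been deployed without issues since, promoting it to `test` while the header is being edited would be reasonable. The `description` wording fix ("added to the pipeline") is correct.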
Expand All @@ -22,7 +23,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
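Review bot: removing `'cdn.discordapp.com/attachments/'` is a pure deduplication only because `'cdn.discordapp.com'` on the line above already matches every value the longer pattern would, which holds under a `contains` modifier; the modifier is outside this hunk, so confirm it before merge. The commit message lists additions only; the removal deserves a mention there as well.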
Expand All @@ -32,6 +32,7 @@ detection:
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
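Review bot: `'pages.dev'` is inserted without a leading dot, so under `contains` it also matches any value that merely ends in or embeds `pages.dev`, while the commit message promises `*.pages.dev`. The same list pins `'.githubusercontent.com'` with a leading dot for exactly this reason; `'.pages.dev'` would be consistent and tighter.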
Expand All @@ -45,7 +46,10 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: selection
falsepositives:
- Unknown
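Review bot: `'workers.dev'` and `'trycloudflare.com'` are far broader than the paste and file-drop sites around them, since every Cloudflare Worker and every quick tunnel is served under those suffixes, including ordinary developer and SaaS traffic, yet `falsepositives` below still reads `Unknown`. Record the benign sources you expect there, and consider `'.workers.dev'` so the bare substring does not match unrelated hostnames.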
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2024-02-09
modified: 2024-08-22
tags:
- attack.defense-evasion
- attack.persistence
Expand All @@ -24,7 +24,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -34,6 +33,7 @@ detection:
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -47,7 +47,10 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: selection
falsepositives:
- Unknown
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
title: Suspicious File Download From File Sharing Websites
title: Suspicious File Download From File Sharing Websites - File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
Expand All @@ -12,7 +12,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2024-02-09
modified: 2024-08-22
tags:
- attack.defense-evasion
- attack.s0139
Expand All @@ -26,7 +26,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -36,6 +35,7 @@ detection:
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -49,19 +49,22 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.exe:Zone'
- '.vbs:Zone'
- '.vbe:Zone'
- '.cpl:Zone'
- '.dll:Zone'
- '.one:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.lnk:Zone'
- '.one:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.xll:Zone'
- '.cpl:Zone'
condition: all of selection*
condition: all of selection_*
falsepositives:
- Some false positives might occur with binaries download via Github
level: high
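Review bot: two changes in this hunk go beyond the commit message's "add additional domains": the `selection_extension` list is re-sorted alphabetically, and `condition: all of selection*` becomes `all of selection_*`. Both are welcome (the underscore form is the conventional Sigma wildcard and cannot accidentally pick up a bare `selection` identifier), but please state them in the message so the history explains why nine extension lines moved.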
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
title: Unusual File Download From File Sharing Websites
title: Unusual File Download From File Sharing Websites - File Stream
id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
related:
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
Expand All @@ -11,7 +11,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2024-02-09
modified: 2024-08-22
tags:
- attack.defense-evasion
- attack.s0139
Expand All @@ -25,7 +25,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -35,6 +34,7 @@ detection:
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -48,16 +48,16 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.ps1:Zone'
- '.bat:Zone'
- '.cmd:Zone'
condition: all of selection*
fields:
- TargetFilename
- Image
- '.ps1:Zone'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
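Review bot: the `fields:` block (`TargetFilename`, `Image`) is deleted in this hunk alongside the extension re-sort and the `condition: all of selection_*` fix, and none of that is in the commit message. `fields` is optional, but backends that honour it will emit different output for this rule from now on; confirm the removal is intentional rather than a casualty of the reordering, and note it in the message.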
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
title: Potential Dead Drop Resolvers
title: New Connection Initiated To Potential Dead Drop Resolver Domain
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
- id: d7b09985-95a3-44be-8450-b6eadf49833e
Expand All @@ -16,7 +16,7 @@ references:
- https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022-08-17
modified: 2024-07-16
modified: 2024-08-22
tags:
- attack.command-and-control
- attack.t1102
Expand All @@ -30,6 +30,7 @@ detection:
DestinationHostname|endswith:
- '.t.me'
- '4shared.com'
- 'abuse.ch'
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cloudflare.com'
Expand All @@ -52,6 +53,7 @@ detection:
- 'mega.co.nz'
- 'mega.nz'
- 'onedrive.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
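Review bot: this selection is `DestinationHostname|endswith` (shown at the top of the previous hunk), so a bare `'pages.dev'` also matches any hostname that merely ends in `pages.dev`, not only `*.pages.dev` as the commit message states. The same list already anchors `'.t.me'` with a leading dot; `'.pages.dev'` would follow that style.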
Expand All @@ -66,11 +68,13 @@ detection:
- 'technet.microsoft.com'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'twitter.com'
- 'ufile.io'
- 'abuse.ch'
- 'vimeo.com'
- 'w3spaces.com'
- 'wetransfer.com'
- 'workers.dev'
- 'youtube.com'
# Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
# Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
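Review bot: `'workers.dev'` under `endswith` has the same weakness as a bare `'pages.dev'`: it matches any hostname ending in those characters, so `'.workers.dev'` in the `'.t.me'` style is preferable. Otherwise the hunk is clean: the three new entries land in alphabetical order and the `'abuse.ch'` line removed here is the same entry re-inserted in sorted position in the hunk above, so the hostname set grows only by the three domains. Given the tuning comments at the foot of the hunk, check that the browser filters cover Worker-backed sites and quick tunnels, which are usually opened from a browser.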
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ references:
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2024-05-31
modified: 2024-08-22
tags:
- attack.command-and-control
- attack.t1105
Expand Down Expand Up @@ -42,7 +42,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -53,6 +52,7 @@ detection:
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -66,7 +66,10 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2024-05-31
modified: 2024-08-22
tags:
- attack.command-and-control
- attack.t1105
Expand All @@ -34,7 +34,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -45,6 +44,7 @@ detection:
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -59,7 +59,10 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2024-02-09
modified: 2024-08-22
tags:
- attack.defense-evasion
- attack.persistence
Expand All @@ -35,7 +35,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -45,6 +44,7 @@ detection:
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -58,11 +58,11 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Some legitimate apps use this, but limited.
level: high
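Review bot: with `'workers.dev'` and `'trycloudflare.com'` added, the `falsepositives` entry `Some legitimate apps use this, but limited.` and `level: high` below need a second look: Worker-hosted endpoints and quick tunnels carry routine developer and SaaS traffic, so a command-line match on these two strings is noisier than the paste sites this rule was tuned for. Either enumerate the known benign sources here, or keep the level and move the two broad suffixes to a lower-level hunting rule, as the other rules in this commit already suggest for GitHub.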
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-02-09
modified: 2024-08-22
tags:
- attack.defense-evasion
- attack.t1027
Expand All @@ -36,7 +36,6 @@ detection:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cdn.discordapp.com/attachments/'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
Expand All @@ -46,6 +45,7 @@ detection:
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
Expand All @@ -59,7 +59,10 @@ detection:
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Unknown

0 comments on commit 9b3c363