Sigma Rule Update (2024-01-10 20:07:57) (#563)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml

@@ -0,0 +1,56 @@
+title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
+status: experimental
+description: 'Detects the execution of concatenated commands via "cmd.exe". Pikabot
+    often executes a combination of multiple commands via the command handler "cmd
+    /c" in order to download and execute additional payloads.
+
+    Commands such as "curl", "wget" in order to download extra payloads. "ping" and
+    "timeout" are abused to introduce delays in the command execution and "Rundll32"
+    is also used to execute malicious DLL files.
+
+    In the observed Pikabot infections, a combination of the commands described above
+    are used to orchestrate the download and execution of malicious DLL files.
+
+    '
+references:
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
+author: Alejandro Houspanossian ('@lekz86')
+date: 2024/01/02
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.t1105
+    - attack.t1218
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_cmd:
+        CommandLine|contains|all:
+            - cmd
+            - /c
+    selection_pipes:
+        CommandLine|contains:
+            - ' & '
+            - ' || '
+    selection_commands_1:
+        CommandLine|contains:
+            - ' curl'
+            - ' wget'
+            - ' timeout '
+            - ' ping '
+    selection_commands_2:
+        CommandLine|contains:
+            - ' rundll32'
+            - ' mkdir '
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml

@@ -28,14 +28,13 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection_grandparent:
+    selection:
         GrandParentImage|endswith: \rundll32.exe
-    selection_cmdline:
         CommandLine:
             - ipconfig.exe /all
             - netstat.exe -aon
             - whoami.exe /all
-    condition: process_creation and (all of selection_*)
+    condition: process_creation and selection
 falsepositives:
     - Unlikely
 level: high

sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml

@@ -23,9 +23,8 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection_parent:
+    selection:
         ParentProcessName|endswith: \rundll32.exe
-    selection_child:
         NewProcessName|endswith:
             - \searchprotocolhost.exe
             - \sndvol.exe
@@ -34,7 +33,7 @@ detection:
     filter_main_legit_sndvol:
         ParentCommandLine|contains: mmsys.cpl
         NewProcessName|endswith: \sndvol.exe
-    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unlikely
 level: high

sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml

@@ -10,7 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021/06/07
-modified: 2023/10/27
+modified: 2024/01/02
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -37,6 +37,10 @@ detection:
             - -DisableBehaviorMonitoring 1
             - -DisableBlockAtFirstSeen $true
             - -DisableBlockAtFirstSeen 1
+            - -DisableCatchupFullScan $true
+            - -DisableCatchupFullScan 1
+            - -DisableCatchupQuickScan $true
+            - -DisableCatchupQuickScan 1
             - -DisableIntrusionPreventionSystem $true
             - -DisableIntrusionPreventionSystem 1
             - -DisableIOAVProtection $true
@@ -51,6 +55,8 @@ detection:
             - -DisableScanningNetworkFiles 1
             - -DisableScriptScanning $true
             - -DisableScriptScanning 1
+            - -MAPSReporting $false
+            - -MAPSReporting 0
             - -drdsc $true
             - -drdsc 1
             - -drtm $true

sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml

@@ -13,7 +13,7 @@ references:
 author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel,
     Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/16
-modified: 2023/06/21
+modified: 2024/01/02
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -43,6 +43,10 @@ detection:
             - -DisableBehaviorMonitoring 1
             - -DisableBlockAtFirstSeen $true
             - -DisableBlockAtFirstSeen 1
+            - -DisableCatchupFullScan $true
+            - -DisableCatchupFullScan 1
+            - -DisableCatchupQuickScan $true
+            - -DisableCatchupQuickScan 1
             - -DisableIntrusionPreventionSystem $true
             - -DisableIntrusionPreventionSystem 1
             - -DisableIOAVProtection $true
@@ -57,6 +61,8 @@ detection:
             - -DisableScanningNetworkFiles 1
             - -DisableScriptScanning $true
             - -DisableScriptScanning 1
+            - -MAPSReporting $false
+            - -MAPSReporting 0
             - -drdsc $true
             - -drdsc 1
             - -drtm $true

sigma/builtin/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml

@@ -0,0 +1,31 @@
+title: Binary Proxy Execution Via Dotnet-Trace.EXE
+id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
+status: experimental
+description: Detects commandline arguments for executing a child process via dotnet-trace.exe
+references:
+    - https://twitter.com/bohops/status/1740022869198037480
+author: Jimmy Bayne (@bohops)
+date: 2024/01/02
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        -   NewProcessName|endswith: \dotnet-trace.exe
+        -   OriginalFileName: dotnet-trace.dll
+    selection_cli:
+        CommandLine|contains|all:
+            - '-- '
+            - collect
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Legitimate usage of the utility in order to debug and trace a program.
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml

@@ -0,0 +1,41 @@
+title: Forfiles.EXE Child Process Masquerading
+id: f53714ec-5077-420e-ad20-907ff9bb2958
+status: experimental
+description: 'Detects the execution of "forfiles" from a non-default location, in
+    order to potentially spawn a custom "cmd.exe" from the current working directory.
+
+    '
+references:
+    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
+author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+date: 2024/01/05
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        ParentCommandLine|endswith:
+            - .exe
+            - .exe"
+        CommandLine|startswith: /c echo "
+        NewProcessName|endswith: \cmd.exe
+    filter_main_parent_not_sys:
+        ParentProcessName|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+        ParentProcessName|endswith: \forfiles.exe
+        NewProcessName|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+        NewProcessName|endswith: \cmd.exe
+    condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_lolbin_forfiles.yml → sigma/builtin/process_creation/proc_creation_win_forfiles_proxy_execution_.yml

@@ -1,18 +1,26 @@
-title: Use of Forfiles For Execution
+title: Forfiles Command Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 related:
     -   id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
         type: obsoletes
     -   id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
         type: obsoletes
 status: test
-description: Execute commands and binaries from the context of "forfiles". This is
-    used as a LOLBIN for example to bypass application whitelisting.
+description: 'Detects the execution of "forfiles" with the "/c" flag.
+
+    While this is an expected behavior of the tool, it can be abused in order to proxy
+    execution through it with any binary.
+
+    Can be used to bypass application whitelisting.
+
+    '
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
     - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame),
+    oscd.community
 date: 2022/06/14
+modified: 2024/01/05
 tags:
     - attack.execution
     - attack.t1059
@@ -26,19 +34,11 @@ detection:
     selection_img:
         -   NewProcessName|endswith: \forfiles.exe
         -   OriginalFileName: forfiles.exe
-    selection_cli_p:
-        CommandLine|contains:
-            - ' /p '
-            - ' -p '
-    selection_cli_m:
-        CommandLine|contains:
-            - ' /m '
-            - ' -m '
-    selection_cli_c:
+    selection_cli:
         CommandLine|contains:
             - ' /c '
             - ' -c '
-    condition: process_creation and (all of selection*)
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Legitimate use via a batch script or by an administrator.
 level: medium

sigma/builtin/process_creation/proc_creation_win_hktl_edrsilencer.yml

@@ -0,0 +1,31 @@
+title: HackTool - EDRSilencer Execution
+id: eb2d07d4-49cb-4523-801a-da002df36602
+status: experimental
+description: 'Detects the execution of EDRSilencer, a tool that leverages Windows
+    Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents
+    from reporting security events to the server based on PE metadata information.
+
+    '
+references:
+    - https://github.com/netero1010/EDRSilencer
+author: '@gott_cyber'
+date: 2024/01/02
+tags:
+    - attack.defense_evasion
+    - attack.t1562
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        -   NewProcessName|endswith: \EDRSilencer.exe
+        -   OriginalFileName: EDRSilencer.exe
+        -   Description|contains: EDRSilencer
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_powershell_defender_disable_feature.yml

@@ -9,7 +9,7 @@ references:
     - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
 author: Florian Roth (Nextron Systems)
 date: 2022/03/03
-modified: 2022/03/07
+modified: 2024/01/02
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -20,30 +20,40 @@ detection:
     process_creation:
         EventID: 4688
         Channel: Security
-    selection1:
+    selection_cli_cmdlet:
         CommandLine|contains:
             - 'Add-MpPreference '
             - 'Set-MpPreference '
-    selection2:
+    selection_cli_option:
         CommandLine|contains:
+            - 'DisableArchiveScanning '
             - 'DisableRealtimeMonitoring '
             - 'DisableIOAVProtection '
             - 'DisableBehaviorMonitoring '
             - 'DisableBlockAtFirstSeen '
-    selection3:
+            - 'DisableCatchupFullScan '
+            - 'DisableCatchupQuickScan '
+    selection_cli_value:
         CommandLine|contains:
             - $true
             - ' 1 '
-    encoded_command:
+    selection_encoded_modifier:
         CommandLine|base64offset|contains:
-            - 'DisableRealtimeMonitoring '
-            - 'DisableIOAVProtection '
+            - 'disablearchivescanning '
+            - 'DisableArchiveScanning '
+            - 'disablebehaviormonitoring '
             - 'DisableBehaviorMonitoring '
+            - 'disableblockatfirstseen '
             - 'DisableBlockAtFirstSeen '
-            - 'disablerealtimemonitoring '
+            - 'disablecatchupfullscan '
+            - 'DisableCatchupFullScan '
+            - 'disablecatchupquickscan '
+            - 'DisableCatchupQuickScan '
             - 'disableioavprotection '
-            - 'disablebehaviormonitoring '
-            - 'disableblockatfirstseen '
+            - 'DisableIOAVProtection '
+            - 'disablerealtimemonitoring '
+            - 'DisableRealtimeMonitoring '
+    selection_encoded_direct:
         CommandLine|contains:
             - RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA
             - QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA
@@ -69,9 +79,12 @@ detection:
             - ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA
             - QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA
             - kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA
-    condition: process_creation and (all of selection* or encoded_command)
+            - RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA
+            - RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA
+            - RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA
+    condition: process_creation and (all of selection_cli_* or 1 of selection_encoded_*)
 falsepositives:
-    - Possible Admin Activity
+    - Possible administrative activity
     - Other Cmdlets that may use the same parameters
 level: high
 ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_psr_capture_screenshots.yml

@@ -1,15 +1,15 @@
-title: Psr.exe Capture Screenshots
+title: Screen Capture Activity Via Psr.EXE
 id: 2158f96f-43c2-43cb-952a-ab4580f32382
 status: test
-description: The psr.exe captures desktop screenshots and saves them on the local
-    machine
+description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility
+    used to record the user screen and clicks.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Psr/
     - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Beyu Denis, oscd.community
 date: 2019/10/12
-modified: 2021/11/27
+modified: 2024/01/04
 tags:
     - attack.collection
     - attack.t1113
@@ -21,7 +21,9 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains: /start
+        CommandLine|contains:
+            - /start
+            - -start
         NewProcessName|endswith: \Psr.exe
     condition: process_creation and selection
 falsepositives:

sigma/builtin/process_creation/proc_creation_win_rar_susp_greedy_compression.yml

@@ -7,7 +7,7 @@ references:
     - https://decoded.avast.io/martinchlumecky/png-steganography
 author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2022/12/15
-modified: 2023/12/11
+modified: 2024/01/02
 tags:
     - attack.execution
     - attack.t1059
@@ -31,14 +31,14 @@ detection:
             - ' -r '
     selection_cli_folders:
         CommandLine|contains:
-            - ' :\\\*.'
-            - ' :\\\\\*.'
-            - ' :\Users\Public\'
+            - ' ?:\\\*.'
+            - ' ?:\\\\\*.'
+            - ' ?:\$Recycle.bin\'
+            - ' ?:\PerfLogs\'
+            - ' ?:\Temp'
+            - ' ?:\Users\Public\'
+            - ' ?:\Windows\'
             - ' %public%'
-            - ' :\Windows\'
-            - ' :\PerfLogs\'
-            - ' :\Temp'
-            - ' :\$Recycle.bin\'
     condition: process_creation and (1 of selection_opt_* and all of selection_cli_*)
 falsepositives:
     - Unknown

sigma/builtin/process_creation/proc_creation_win_sdbinst_susp_extension.yml

@@ -13,9 +13,10 @@ description: 'Detects installation of a potentially suspicious new shim with an
     '
 references:
     - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/01
-modified: 2023/12/13
+modified: 2024/01/10
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -33,7 +34,11 @@ detection:
     filter_main_legit_ext:
         CommandLine|contains: .sdb
     filter_main_svchost:
-        -   CommandLine|endswith: ' -mm'
+        -   CommandLine|endswith:
+                - ' -c'
+                - ' -f'
+                - ' -mm'
+                - ' -t'
         -   CommandLine|contains: ' -m -bg'
     filter_main_null:
         CommandLine: null

sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml

@@ -4,8 +4,11 @@ related:
     -   id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
         type: derived
 status: experimental
-description: 'Detects execution of different log query utilities to search and dump
-    the content of specific event logs or look for specific event IDs.
+description: 'Detects execution of different log query utilities and commands to search
+    and dump the content of specific event logs or look for specific event IDs.
+
+    This technique is used by threat actors in order to extract sensitive information
+    from events logs such as usernames, IP addresses, hostnames, etc.
 
     '
 references:
@@ -20,7 +23,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/09/09
-modified: 2023/11/20
+modified: 2024/01/02
 tags:
     - attack.credential_access
     - attack.discovery
@@ -44,8 +47,8 @@ detection:
             - ' qe '
             - ' query-events '
     selection_wmic_img:
-        -   NewProcessName|endswith: \wevtutil.exe
-        -   OriginalFileName: wevtutil.exe
+        -   NewProcessName|endswith: \wmic.exe
+        -   OriginalFileName: wmic.exe
     selection_wmic_cli:
         CommandLine|contains: ' ntevent'
     selection_cmdlet:

sigma/builtin/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml

@@ -1,9 +1,21 @@
-title: Cscript/Wscript Suspicious Child Process
+title: Cscript/Wscript Potentially Suspicious Child Process
 id: b6676963-0353-4f88-90f5-36c20d443c6a
 status: experimental
-description: Detects suspicious child processes of Wscript/Cscript
-author: Nasreddine Bencherchali (Nextron Systems)
+description: 'Detects potentially suspicious child processes of Wscript/Cscript. These
+    include processes such as rundll32 with uncommon exports or PowerShell spawning
+    rundll32 or regsvr32.
+
+    Malware such as Pikabot and Qakbot were seen using similar techniques as well
+    as many others.
+
+    '
+references:
+    - Internal Research
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
 date: 2023/05/15
+modified: 2024/01/02
 tags:
     - attack.execution
 logsource:
@@ -31,8 +43,17 @@ detection:
             - rundll32
             - regsvr32
             - msiexec
-    condition: process_creation and (selection_parent and (selection_cli_script_main
-        and 1 of selection_cli_script_option_*))
+    selection_cli_standalone:
+        NewProcessName|endswith: \rundll32.exe
+    filter_main_rundll32_known_exports:
+        CommandLine|contains:
+            - UpdatePerUserSystemParameters
+            - PrintUIEntry
+            - ClearMyTracksByProcess
+        NewProcessName|endswith: \rundll32.exe
+    condition: process_creation and (selection_parent and ( selection_cli_standalone
+        or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and
+        not 1 of filter_main_*)
 falsepositives:
     - Some false positives might occur with admin or third party software scripts.
         Investigate and apply additional filters accordingly.

sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml

@@ -10,6 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
 date: 2023/03/14
+modified: 2024/01/10
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -22,7 +23,10 @@ detection:
         Channel: Security
     selection:
         OperationType: '%%1905'
-        ObjectName|endswith: \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
+        ObjectName|endswith:
+            - \Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
+            - \Control\DeviceGuard\HypervisorEnforcedCodeIntegrity
+            - \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
         NewValue: DWORD (0x00000000)
     condition: registry_set and selection
 falsepositives:

sigma/builtin/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml

@@ -0,0 +1,34 @@
+title: Potential Persistence Via AppCompat RegisterAppRestart Layer
+id: b86852fb-4c77-48f9-8519-eb1b2c308b59
+status: experimental
+description: 'Detects the setting of the REGISTERAPPRESTART compatibility layer on
+    an application.
+
+    This compatibility layer allows an application to register for restart using the
+    "RegisterApplicationRestart" API.
+
+    This can be potentially abused as a persistence mechanism.
+
+    '
+references:
+    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/01/01
+tags:
+    - attack.persistence
+    - attack.t1546.011
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 4657
+        Channel: Security
+    selection:
+        ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
+        NewValue|contains: REGISTERAPPRESTART
+    condition: registry_set and selection
+falsepositives:
+    - Legitimate applications making use of this feature for compatibility reasons
+level: medium
+ruletype: Sigma

sigma/builtin/security/win_security_hktl_nofilter.yml

@@ -0,0 +1,37 @@
+title: HackTool - NoFilter Execution
+id: 7b14c76a-c602-4ae6-9717-eff868153fc0
+status: experimental
+description: 'Detects execution of NoFilter, a tool for abusing the Windows Filtering
+    Platform for privilege escalation via hardcoded policy name indicators
+
+    '
+references:
+    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
+    - https://github.com/deepinstinct/NoFilter
+    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
+    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
+author: Stamatis Chatzimangou (st0pp3r)
+date: 2024/01/05
+tags:
+    - attack.privilege_escalation
+    - attack.t1134
+    - attack.t1134.001
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be
+        enabled'
+detection:
+    security:
+        Channel: Security
+    selection_5447:
+        EventID: 5447
+        FilterName|contains: RonPolicy
+    selection_5449:
+        EventID: 5449
+        ProviderContextName|contains: RonPolicy
+    condition: security and (1 of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/sysmon/create_stream_hash/create_stream_hash_hacktool_download.yml

@@ -1,13 +1,23 @@
-title: Hacktool Download
+title: Hacktool Named File Stream Created
 id: 19b041f6-e583-40dc-b842-d6fa8011493f
 status: experimental
-description: Detects the creation of a file on disk that has an imphash of a well-known
+description: Detects the creation of a named file stream with the imphash of a well-known
     hack tool
 references:
-    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+    - https://github.com/gentilkiwi/mimikatz
+    - https://github.com/topotam/PetitPotam
+    - https://github.com/ohpe/juicy-potato
+    - https://github.com/antonioCoco/RoguePotato
+    - https://www.tarasco.org/security/pwdump_7/
+    - https://github.com/fortra/nanodump
+    - https://github.com/codewhitesec/HandleKatz
+    - https://github.com/xuanxuan0/DripLoader
+    - https://github.com/hfiref0x/UACME
+    - https://github.com/outflanknl/Dumpert
+    - https://github.com/wavestone-cdt/EDRSandblast
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/05/05
+modified: 2024/01/02
 tags:
     - attack.defense_evasion
     - attack.s0139
@@ -16,7 +26,7 @@ tags:
 logsource:
     product: windows
     category: create_stream_hash
-    definition: Requirements Sysmon config with Imphash logging activated
+    definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
     create_stream_hash:
         EventID: 15
@@ -116,6 +126,15 @@ detection:
                 - 96df3a3731912449521f6f8d183279b1
                 - 7e6cf3ff4576581271ac8a313b2aab46
                 - 51791678f351c03a0eb4e2a7b05c6e17
+                - 25ce42b079282632708fc846129e98a5
+                - 021bcca20ba3381b11bdde26b4e62f20
+                - 59223b5f52d8799d38e0754855cbdf42
+                - 81e75d8f1d276c156653d3d8813e4a43
+                - 17244e8b6b8227e57fe709ccad421420
+                - 5b76da3acdedc8a5cdf23a798b5936b4
+                - cb2b65bb77d995cc1c0e5df1c860133c
+                - 40445337761d80cf465136fafb1f63e6
+                - 8a790f401b29fa87bc1e56f7272b3aa6
         -   Hash|contains:
                 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932
                 - IMPHASH=3A19059BD7688CB88E70005F18EFC439
@@ -210,10 +229,16 @@ detection:
                 - IMPHASH=96DF3A3731912449521F6F8D183279B1
                 - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46
                 - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17
+                - IMPHASH=25CE42B079282632708FC846129E98A5
+                - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20
+                - IMPHASH=59223B5F52D8799D38E0754855CBDF42
+                - IMPHASH=81E75D8F1D276C156653D3D8813E4A43
+                - IMPHASH=17244E8B6B8227E57FE709CCAD421420
+                - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4
+                - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C
+                - IMPHASH=40445337761D80CF465136FAFB1F63E6
+                - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6
     condition: create_stream_hash and selection
-fields:
-    - TargetFilename
-    - Image
 falsepositives:
     - Unknown
 level: high

sigma/sysmon/image_load/image_load_side_load_svchost_dlls.yml → sigma/sysmon/deprecated/image_load_side_load_svchost_dlls.yml

@@ -1,6 +1,6 @@
 title: Svchost DLL Search Order Hijack
 id: 602a1f13-c640-4d73-b053-be9a2fa58b77
-status: test
+status: deprecated
 description: 'Detects DLL sideloading of DLLs that are loaded by the SCM for some
     services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
 
@@ -17,7 +17,7 @@ references:
     - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
 author: SBousseaden
 date: 2019/10/28
-modified: 2021/11/27
+modified: 2024/01/10
 tags:
     - attack.persistence
     - attack.defense_evasion

sigma/sysmon/emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml

@@ -27,18 +27,16 @@ detection:
     network_connection:
         EventID: 3
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection_parent:
+    selection:
         ParentImage|endswith: \rundll32.exe
-    selection_child:
         Image|endswith:
             - \searchprotocolhost.exe
             - \sndvol.exe
             - \wermgr.exe
             - \wwahost.exe
-    selection_connection:
         Protocol: tcp
         Initiated: 'true'
-    condition: network_connection and (all of selection_*)
+    condition: network_connection and selection
 falsepositives:
     - Unlikely
 level: high

sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml

@@ -0,0 +1,57 @@
+title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
+status: experimental
+description: 'Detects the execution of concatenated commands via "cmd.exe". Pikabot
+    often executes a combination of multiple commands via the command handler "cmd
+    /c" in order to download and execute additional payloads.
+
+    Commands such as "curl", "wget" in order to download extra payloads. "ping" and
+    "timeout" are abused to introduce delays in the command execution and "Rundll32"
+    is also used to execute malicious DLL files.
+
+    In the observed Pikabot infections, a combination of the commands described above
+    are used to orchestrate the download and execution of malicious DLL files.
+
+    '
+references:
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
+author: Alejandro Houspanossian ('@lekz86')
+date: 2024/01/02
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.t1105
+    - attack.t1218
+    - detection.emerging_threats
+    - sysmon
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection_cmd:
+        CommandLine|contains|all:
+            - cmd
+            - /c
+    selection_pipes:
+        CommandLine|contains:
+            - ' & '
+            - ' || '
+    selection_commands_1:
+        CommandLine|contains:
+            - ' curl'
+            - ' wget'
+            - ' timeout '
+            - ' ping '
+    selection_commands_2:
+        CommandLine|contains:
+            - ' rundll32'
+            - ' mkdir '
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml

@@ -29,14 +29,13 @@ detection:
     process_creation:
         EventID: 1
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection_grandparent:
+    selection:
         GrandParentImage|endswith: \rundll32.exe
-    selection_cmdline:
         CommandLine:
             - ipconfig.exe /all
             - netstat.exe -aon
             - whoami.exe /all
-    condition: process_creation and (all of selection_*)
+    condition: process_creation and selection
 falsepositives:
     - Unlikely
 level: high

sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml

@@ -24,9 +24,8 @@ detection:
     process_creation:
         EventID: 1
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection_parent:
+    selection:
         ParentImage|endswith: \rundll32.exe
-    selection_child:
         Image|endswith:
             - \searchprotocolhost.exe
             - \sndvol.exe
@@ -35,7 +34,7 @@ detection:
     filter_main_legit_sndvol:
         Image|endswith: \sndvol.exe
         ParentCommandLine|contains: mmsys.cpl
-    condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+    condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unlikely
 level: high

sigma/sysmon/file/file_event/file_event_win_create_non_existent_dlls.yml

@@ -4,8 +4,12 @@ related:
     -   id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
         type: similar
 status: test
-description: Detects the creation of system dlls that are not present on the system.
-    Usually to achieve dll hijacking
+description: 'Detects the creation of system DLLs that are usually not present on
+    the system (or at least not in system directories).
+
+    Usually this technique is used to achieve DLL hijacking.
+
+    '
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
     - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
@@ -15,7 +19,7 @@ references:
     - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
 author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022/12/01
-modified: 2023/02/15
+modified: 2024/01/10
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -31,17 +35,15 @@ detection:
         EventID: 11
         Channel: Microsoft-Windows-Sysmon/Operational
     selection:
-        -   TargetFilename:
-                - C:\Windows\System32\WLBSCTRL.dll
-                - C:\Windows\System32\TSMSISrv.dll
-                - C:\Windows\System32\TSVIPSrv.dll
-                - C:\Windows\System32\wow64log.dll
-                - C:\Windows\System32\WptsExtensions.dll
-                - C:\Windows\System32\wbem\wbemcomn.dll
-        -   TargetFilename|endswith: \SprintCSP.dll
-    filter:
-        Image|startswith: C:\Windows\System32\
-    condition: file_event and (selection and not filter)
+        TargetFilename|endswith:
+            - :\Windows\System32\TSMSISrv.dll
+            - :\Windows\System32\TSVIPSrv.dll
+            - :\Windows\System32\wbem\wbemcomn.dll
+            - :\Windows\System32\WLBSCTRL.dll
+            - :\Windows\System32\wow64log.dll
+            - :\Windows\System32\WptsExtensions.dll
+            - \SprintCSP.dll
+    condition: file_event and selection
 falsepositives:
     - Unknown
 level: medium

sigma/sysmon/image_load/image_load_side_load_from_non_system_location.yml

@@ -2,15 +2,16 @@ title: Potential System DLL Sideloading From Non System Locations
 id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
 status: experimental
 description: Detects DLL sideloading of DLLs usually located in system locations (System32,
-    SysWOW64, etc.)
+    SysWOW64, etc.).
 references:
     - https://hijacklibs.net/
     - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
     - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
     - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
+    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/12/15
+modified: 2024/01/10
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -143,6 +144,7 @@ detection:
             - \idstore.dll
             - \ieadvpack.dll
             - \iedkcs32.dll
+            - \iernonce.dll
             - \iertutil.dll
             - \ifmon.dll
             - \iphlpapi.dll
@@ -443,13 +445,13 @@ detection:
             - \WptsExtensions.dll
             - \wbemcomn.dll
     filter_main_generic:
-        ImageLoaded|startswith:
-            - C:\Windows\System32\
-            - C:\Windows\SysWOW64\
-            - C:\Windows\WinSxS\
-            - C:\Windows\SoftwareDistribution\
-            - C:\Windows\SystemTemp\
-            - C:\$WINDOWS.~BT\
+        ImageLoaded|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+            - :\Windows\WinSxS\
+            - :\Windows\SoftwareDistribution\
+            - :\Windows\SystemTemp\
+            - :\$WINDOWS.~BT\
     filter_main_defender:
         Image|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
         Image|endswith: \version.dll

sigma/sysmon/image_load/image_load_side_load_non_existent_dlls.yml

@@ -3,19 +3,25 @@ id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
 related:
     -   id: df6ecb8b-7822-4f4b-b412-08f524b4576c
         type: similar
+    -   id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+        type: obsoletes
 status: test
-description: Detects DLL sideloading of system dlls that are not present on the system
-    by default. Usually to achieve techniques such as UAC bypass and privilege escalation
+description: 'Detects DLL sideloading of system DLLs that are not present on the system
+    by default (at least not in system directories).
+
+    Usually this technique is used to achieve UAC bypass or privilege escalation.
+
+    '
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
     - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
     - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
     - https://github.com/Wh04m1001/SysmonEoP
     - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
     - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
 date: 2022/12/09
-modified: 2023/01/30
+modified: 2024/01/10
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -31,17 +37,18 @@ detection:
         EventID: 7
         Channel: Microsoft-Windows-Sysmon/Operational
     selection:
-        ImageLoaded:
-            - C:\Windows\System32\WLBSCTRL.dll
-            - C:\Windows\System32\TSMSISrv.dll
-            - C:\Windows\System32\TSVIPSrv.dll
-            - C:\Windows\System32\wow64log.dll
-            - C:\Windows\System32\WptsExtensions.dll
-            - C:\Windows\System32\wbem\wbemcomn.dll
-    filter_ms_signed:
+        ImageLoaded|endswith:
+            - :\Windows\System32\TSMSISrv.dll
+            - :\Windows\System32\TSVIPSrv.dll
+            - :\Windows\System32\wbem\wbemcomn.dll
+            - :\Windows\System32\WLBSCTRL.dll
+            - :\Windows\System32\wow64log.dll
+            - :\Windows\System32\WptsExtensions.dll
+    filter_main_ms_signed:
         Signed: 'true'
+        SignatureStatus: Valid
         Signature: Microsoft Windows
-    condition: image_load and (selection and not 1 of filter_*)
+    condition: image_load and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
 level: high

sigma/sysmon/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml

@@ -0,0 +1,32 @@
+title: Binary Proxy Execution Via Dotnet-Trace.EXE
+id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
+status: experimental
+description: Detects commandline arguments for executing a child process via dotnet-trace.exe
+references:
+    - https://twitter.com/bohops/status/1740022869198037480
+author: Jimmy Bayne (@bohops)
+date: 2024/01/02
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1218
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection_img:
+        -   Image|endswith: \dotnet-trace.exe
+        -   OriginalFileName: dotnet-trace.dll
+    selection_cli:
+        CommandLine|contains|all:
+            - '-- '
+            - collect
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Legitimate usage of the utility in order to debug and trace a program.
+level: medium
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml

@@ -0,0 +1,42 @@
+title: Forfiles.EXE Child Process Masquerading
+id: f53714ec-5077-420e-ad20-907ff9bb2958
+status: experimental
+description: 'Detects the execution of "forfiles" from a non-default location, in
+    order to potentially spawn a custom "cmd.exe" from the current working directory.
+
+    '
+references:
+    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
+author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+date: 2024/01/05
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        ParentCommandLine|endswith:
+            - .exe
+            - .exe"
+        Image|endswith: \cmd.exe
+        CommandLine|startswith: /c echo "
+    filter_main_parent_not_sys:
+        ParentImage|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+        ParentImage|endswith: \forfiles.exe
+        Image|contains:
+            - :\Windows\System32\
+            - :\Windows\SysWOW64\
+        Image|endswith: \cmd.exe
+    condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_lolbin_forfiles.yml → sigma/sysmon/process_creation/proc_creation_win_forfiles_proxy_execution_.yml

@@ -1,18 +1,26 @@
-title: Use of Forfiles For Execution
+title: Forfiles Command Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 related:
     -   id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
         type: obsoletes
     -   id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
         type: obsoletes
 status: test
-description: Execute commands and binaries from the context of "forfiles". This is
-    used as a LOLBIN for example to bypass application whitelisting.
+description: 'Detects the execution of "forfiles" with the "/c" flag.
+
+    While this is an expected behavior of the tool, it can be abused in order to proxy
+    execution through it with any binary.
+
+    Can be used to bypass application whitelisting.
+
+    '
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
     - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame),
+    oscd.community
 date: 2022/06/14
+modified: 2024/01/05
 tags:
     - attack.execution
     - attack.t1059
@@ -27,19 +35,11 @@ detection:
     selection_img:
         -   Image|endswith: \forfiles.exe
         -   OriginalFileName: forfiles.exe
-    selection_cli_p:
-        CommandLine|contains:
-            - ' /p '
-            - ' -p '
-    selection_cli_m:
-        CommandLine|contains:
-            - ' /m '
-            - ' -m '
-    selection_cli_c:
+    selection_cli:
         CommandLine|contains:
             - ' /c '
             - ' -c '
-    condition: process_creation and (all of selection*)
+    condition: process_creation and (all of selection_*)
 falsepositives:
     - Legitimate use via a batch script or by an administrator.
 level: medium

sigma/sysmon/process_creation/proc_creation_win_hktl_edrsilencer.yml

@@ -0,0 +1,32 @@
+title: HackTool - EDRSilencer Execution
+id: eb2d07d4-49cb-4523-801a-da002df36602
+status: experimental
+description: 'Detects the execution of EDRSilencer, a tool that leverages Windows
+    Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents
+    from reporting security events to the server based on PE metadata information.
+
+    '
+references:
+    - https://github.com/netero1010/EDRSilencer
+author: '@gott_cyber'
+date: 2024/01/02
+tags:
+    - attack.defense_evasion
+    - attack.t1562
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        -   Image|endswith: \EDRSilencer.exe
+        -   OriginalFileName: EDRSilencer.exe
+        -   Description|contains: EDRSilencer
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_powershell_defender_disable_feature.yml

@@ -9,7 +9,7 @@ references:
     - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
 author: Florian Roth (Nextron Systems)
 date: 2022/03/03
-modified: 2022/03/07
+modified: 2024/01/02
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -21,30 +21,40 @@ detection:
     process_creation:
         EventID: 1
         Channel: Microsoft-Windows-Sysmon/Operational
-    selection1:
+    selection_cli_cmdlet:
         CommandLine|contains:
             - 'Add-MpPreference '
             - 'Set-MpPreference '
-    selection2:
+    selection_cli_option:
         CommandLine|contains:
+            - 'DisableArchiveScanning '
             - 'DisableRealtimeMonitoring '
             - 'DisableIOAVProtection '
             - 'DisableBehaviorMonitoring '
             - 'DisableBlockAtFirstSeen '
-    selection3:
+            - 'DisableCatchupFullScan '
+            - 'DisableCatchupQuickScan '
+    selection_cli_value:
         CommandLine|contains:
             - $true
             - ' 1 '
-    encoded_command:
+    selection_encoded_modifier:
         CommandLine|base64offset|contains:
-            - 'DisableRealtimeMonitoring '
-            - 'DisableIOAVProtection '
+            - 'disablearchivescanning '
+            - 'DisableArchiveScanning '
+            - 'disablebehaviormonitoring '
             - 'DisableBehaviorMonitoring '
+            - 'disableblockatfirstseen '
             - 'DisableBlockAtFirstSeen '
-            - 'disablerealtimemonitoring '
+            - 'disablecatchupfullscan '
+            - 'DisableCatchupFullScan '
+            - 'disablecatchupquickscan '
+            - 'DisableCatchupQuickScan '
             - 'disableioavprotection '
-            - 'disablebehaviormonitoring '
-            - 'disableblockatfirstseen '
+            - 'DisableIOAVProtection '
+            - 'disablerealtimemonitoring '
+            - 'DisableRealtimeMonitoring '
+    selection_encoded_direct:
         CommandLine|contains:
             - RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA
             - QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA
@@ -70,9 +80,12 @@ detection:
             - ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA
             - QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA
             - kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA
-    condition: process_creation and (all of selection* or encoded_command)
+            - RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA
+            - RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA
+            - RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA
+    condition: process_creation and (all of selection_cli_* or 1 of selection_encoded_*)
 falsepositives:
-    - Possible Admin Activity
+    - Possible administrative activity
     - Other Cmdlets that may use the same parameters
 level: high
 ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_psr_capture_screenshots.yml

@@ -1,15 +1,15 @@
-title: Psr.exe Capture Screenshots
+title: Screen Capture Activity Via Psr.EXE
 id: 2158f96f-43c2-43cb-952a-ab4580f32382
 status: test
-description: The psr.exe captures desktop screenshots and saves them on the local
-    machine
+description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility
+    used to record the user screen and clicks.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Psr/
     - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Beyu Denis, oscd.community
 date: 2019/10/12
-modified: 2021/11/27
+modified: 2024/01/04
 tags:
     - attack.collection
     - attack.t1113
@@ -23,7 +23,9 @@ detection:
         Channel: Microsoft-Windows-Sysmon/Operational
     selection:
         Image|endswith: \Psr.exe
-        CommandLine|contains: /start
+        CommandLine|contains:
+            - /start
+            - -start
     condition: process_creation and selection
 falsepositives:
     - Unknown

sigma/sysmon/process_creation/proc_creation_win_rar_susp_greedy_compression.yml

@@ -7,7 +7,7 @@ references:
     - https://decoded.avast.io/martinchlumecky/png-steganography
 author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2022/12/15
-modified: 2023/12/11
+modified: 2024/01/02
 tags:
     - attack.execution
     - attack.t1059
@@ -32,14 +32,14 @@ detection:
             - ' -r '
     selection_cli_folders:
         CommandLine|contains:
-            - ' :\\\*.'
-            - ' :\\\\\*.'
-            - ' :\Users\Public\'
+            - ' ?:\\\*.'
+            - ' ?:\\\\\*.'
+            - ' ?:\$Recycle.bin\'
+            - ' ?:\PerfLogs\'
+            - ' ?:\Temp'
+            - ' ?:\Users\Public\'
+            - ' ?:\Windows\'
             - ' %public%'
-            - ' :\Windows\'
-            - ' :\PerfLogs\'
-            - ' :\Temp'
-            - ' :\$Recycle.bin\'
     condition: process_creation and (1 of selection_opt_* and all of selection_cli_*)
 falsepositives:
     - Unknown

sigma/sysmon/process_creation/proc_creation_win_sdbinst_susp_extension.yml

@@ -13,9 +13,10 @@ description: 'Detects installation of a potentially suspicious new shim with an
     '
 references:
     - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/01
-modified: 2023/12/13
+modified: 2024/01/10
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -34,7 +35,11 @@ detection:
     filter_main_legit_ext:
         CommandLine|contains: .sdb
     filter_main_svchost:
-        -   CommandLine|endswith: ' -mm'
+        -   CommandLine|endswith:
+                - ' -c'
+                - ' -f'
+                - ' -mm'
+                - ' -t'
         -   CommandLine|contains: ' -m -bg'
     filter_main_null:
         CommandLine: null

sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml

@@ -4,8 +4,11 @@ related:
     -   id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
         type: derived
 status: experimental
-description: 'Detects execution of different log query utilities to search and dump
-    the content of specific event logs or look for specific event IDs.
+description: 'Detects execution of different log query utilities and commands to search
+    and dump the content of specific event logs or look for specific event IDs.
+
+    This technique is used by threat actors in order to extract sensitive information
+    from events logs such as usernames, IP addresses, hostnames, etc.
 
     '
 references:
@@ -20,7 +23,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2022/09/09
-modified: 2023/11/20
+modified: 2024/01/02
 tags:
     - attack.credential_access
     - attack.discovery
@@ -45,8 +48,8 @@ detection:
             - ' qe '
             - ' query-events '
     selection_wmic_img:
-        -   Image|endswith: \wevtutil.exe
-        -   OriginalFileName: wevtutil.exe
+        -   Image|endswith: \wmic.exe
+        -   OriginalFileName: wmic.exe
     selection_wmic_cli:
         CommandLine|contains: ' ntevent'
     selection_cmdlet:

sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml

@@ -1,9 +1,21 @@
-title: Cscript/Wscript Suspicious Child Process
+title: Cscript/Wscript Potentially Suspicious Child Process
 id: b6676963-0353-4f88-90f5-36c20d443c6a
 status: experimental
-description: Detects suspicious child processes of Wscript/Cscript
-author: Nasreddine Bencherchali (Nextron Systems)
+description: 'Detects potentially suspicious child processes of Wscript/Cscript. These
+    include processes such as rundll32 with uncommon exports or PowerShell spawning
+    rundll32 or regsvr32.
+
+    Malware such as Pikabot and Qakbot were seen using similar techniques as well
+    as many others.
+
+    '
+references:
+    - Internal Research
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
+    - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
 date: 2023/05/15
+modified: 2024/01/02
 tags:
     - attack.execution
     - sysmon
@@ -32,8 +44,17 @@ detection:
             - rundll32
             - regsvr32
             - msiexec
-    condition: process_creation and (selection_parent and (selection_cli_script_main
-        and 1 of selection_cli_script_option_*))
+    selection_cli_standalone:
+        Image|endswith: \rundll32.exe
+    filter_main_rundll32_known_exports:
+        Image|endswith: \rundll32.exe
+        CommandLine|contains:
+            - UpdatePerUserSystemParameters
+            - PrintUIEntry
+            - ClearMyTracksByProcess
+    condition: process_creation and (selection_parent and ( selection_cli_standalone
+        or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and
+        not 1 of filter_main_*)
 falsepositives:
     - Some false positives might occur with admin or third party software scripts.
         Investigate and apply additional filters accordingly.

sigma/sysmon/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml

@@ -10,6 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
 date: 2023/03/14
+modified: 2024/01/10
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -23,7 +24,10 @@ detection:
         Channel: Microsoft-Windows-Sysmon/Operational
     selection:
         EventType: SetValue
-        TargetObject|endswith: \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
+        TargetObject|endswith:
+            - \Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
+            - \Control\DeviceGuard\HypervisorEnforcedCodeIntegrity
+            - \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
         Details: DWORD (0x00000000)
     condition: registry_set and selection
 falsepositives:

sigma/sysmon/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml

@@ -0,0 +1,35 @@
+title: Potential Persistence Via AppCompat RegisterAppRestart Layer
+id: b86852fb-4c77-48f9-8519-eb1b2c308b59
+status: experimental
+description: 'Detects the setting of the REGISTERAPPRESTART compatibility layer on
+    an application.
+
+    This compatibility layer allows an application to register for restart using the
+    "RegisterApplicationRestart" API.
+
+    This can be potentially abused as a persistence mechanism.
+
+    '
+references:
+    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/01/01
+tags:
+    - attack.persistence
+    - attack.t1546.011
+    - sysmon
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    registry_set:
+        EventID: 13
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
+        Details|contains: REGISTERAPPRESTART
+    condition: registry_set and selection
+falsepositives:
+    - Legitimate applications making use of this feature for compatibility reasons
+level: medium
+ruletype: Sigma