Sigma Rule Update (2024-12-27 20:14:19) (#800)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 27, 2024 · cb4237f · cb4237f
1 parent 49df878
commit cb4237f
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 7 deletions.
diff --git a/sigma/builtin/application/Other/win_av_relevant_match.yml b/sigma/builtin/application/Other/win_av_relevant_match.yml
@@ -13,7 +13,7 @@ references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017-02-19
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
     - attack.resource-development
     - attack.t1588
@@ -48,7 +48,9 @@ detection:
         - 'GrandCrab '
         - HackTool
         - HKTL
-        - HTool
+        - HTool-
+        - /HTool
+        - .HTool
         - IISExchgSpawnCMD
         - Impacket
         - 'JSP/BackDoor '

diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -12,7 +12,7 @@ references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
     - attack.defense-evasion
 logsource:
@@ -38,6 +38,7 @@ detection:
             - https://statics.teams.cdn.live.net/
             - https://statics.teams.cdn.office.net/
             - microsoft.com   # Example: https://go.microsoft.com/fwlink/?linkid=2160968
+            - https://installer.teams.static.microsoft/
     condition: appxdeployment_server and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown

diff --git a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/malmoeb/status/1535142803075960832
 author: Florian Roth (Nextron Systems)
 date: 2022-06-10
-modified: 2023-03-27
+modified: 2024-12-25
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -29,6 +29,8 @@ detection:
             - .com/
             - .sfx.ms/
             - download.mozilla.org/   # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&amp;os=win64&amp;lang=en-US
+            - cdn.onenote.net/
+            - cdn.office.net/
     condition: bits_client and (selection and not 1 of filter_main_*)
 falsepositives:
     - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service

diff --git a/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -14,7 +14,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2024-10-08
+modified: 2024-12-25
 tags:
     - attack.execution
 logsource:
@@ -109,6 +109,17 @@ detection:
         - FileNameBuffer|contains: \Program Files\SentinelOne\Sentinel Agent
         # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
         - ProcessNameBuffer|contains: \Program Files\SentinelOne\Sentinel Agent
+    filter_optional_national_instruments:
+        # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
+        FileNameBuffer|contains: \National Instruments\Shared\mDNS Responder\
+    filter_optional_kaspersky:
+        # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
+        - ProcessNameBuffer|contains|all:
+              - \Kaspersky Lab\
+              - \avp.exe
+        - FileNameBuffer|contains|all:
+              - \Kaspersky Lab\
+              - \antimalware_provider.dll
     condition: codeintegrity_operational and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
     - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.

diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_service_tamper.yml b/sigma/builtin/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -20,10 +20,11 @@ references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-10-21
+modified: 2024-12-23
 tags:
     - attack.defense-evasion
     - attack.t1489
+    - attack.t1562.001
 logsource:
     category: process_creation
     product: windows
@@ -153,6 +154,7 @@ detection:
             - mfewc
             - MMS
             - mozyprobackup
+            - mpssvc
             - MSComplianceAudit
             - MSDTC
             - MsDtsServer
@@ -240,6 +242,7 @@ detection:
             - swi_service
             - swi_update
             - Symantec
+            - sysmon
             - TeamViewer
             - Telemetryserver
             - ThreatLockerService
@@ -282,6 +285,7 @@ detection:
             - WRSVC
             - wsbexchange
             - WSearch
+            - wscsvc
             - Zoolz 2 Service
     condition: process_creation and (all of selection_*)
 falsepositives:

diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -20,10 +20,11 @@ references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-10-21
+modified: 2024-12-23
 tags:
     - attack.defense-evasion
     - attack.t1489
+    - attack.t1562.001
     - sysmon
 logsource:
     category: process_creation
@@ -154,6 +155,7 @@ detection:
             - mfewc
             - MMS
             - mozyprobackup
+            - mpssvc
             - MSComplianceAudit
             - MSDTC
             - MsDtsServer
@@ -241,6 +243,7 @@ detection:
             - swi_service
             - swi_update
             - Symantec
+            - sysmon
             - TeamViewer
             - Telemetryserver
             - ThreatLockerService
@@ -283,6 +286,7 @@ detection:
             - WRSVC
             - wsbexchange
             - WSearch
+            - wscsvc
             - Zoolz 2 Service
     condition: process_creation and (all of selection_*)
 falsepositives: