Sigma Rule Update (2024-02-24 20:11:49) (#609)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml

@@ -1,7 +1,9 @@
 title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
 id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
 status: test
-description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
+description: |
+    Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
+    Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
 references:
     - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
     - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
@@ -53,13 +55,8 @@ detection:
     selection_accounts_flags:
         CommandLine|contains: ' /do' # short for domain
     condition: process_creation and (selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*))
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Inventory tool runs
     - Administrative activity
 level: medium
-analysis:
-    recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
 ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml

@@ -0,0 +1,69 @@
+title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
+id: b6e04788-29e1-4557-bb14-77f761848ab8
+status: experimental
+description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
+    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/02/23
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        - NewProcessName|endswith:
+              - \powershell.exe
+              - \pwsh.exe
+        - OriginalFileName:
+              - PowerShell.EXE
+              - pwsh.dll
+    selection_websites:
+        CommandLine|contains:
+            # Note: You might want to baseline the github domain before including it
+            #- '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).
+            - anonfiles.com
+            - cdn.discordapp.com
+            - cdn.discordapp.com/attachments/
+            - ddns.net
+            - dl.dropboxusercontent.com
+            - ghostbin.co
+            - glitch.me
+            - gofile.io
+            - hastebin.com
+            - mediafire.com
+            - mega.nz
+            - onrender.com
+            - paste.ee
+            - pastebin.com
+            - pastebin.pl
+            - pastetext.net
+            - privatlab.com
+            - privatlab.net
+            - send.exploit.in
+            - sendspace.com
+            - storage.googleapis.com
+            - storjshare.io
+            - supabase.co
+            - temp.sh
+            - transfer.sh
+            - ufile.io
+    selection_download:
+        CommandLine|contains:
+            - .DownloadString(
+            - .DownloadFile(
+            - 'Invoke-WebRequest '
+            - 'iwr '
+            - 'wget '
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_powershell_iex_patterns.yml

@@ -4,7 +4,8 @@ status: test
 description: Detects suspicious ways to run Invoke-Execution using IEX alias
 references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
-author: Florian Roth (Nextron Systems)
+    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/03/24
 modified: 2022/11/28
 tags:
@@ -39,7 +40,8 @@ detection:
             - );iex($
             - );iex $
             - ' | IEX | '
-    condition: process_creation and (all of selection_combined* or selection_standalone)
+            - ' | iex\"'
+    condition: process_creation and (all of selection_combined_* or selection_standalone)
 falsepositives:
     - Legitimate scripts that use IEX
 level: high

sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml

@@ -9,7 +9,7 @@ references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/02
-modified: 2023/04/21
+modified: 2024/02/23
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -48,7 +48,7 @@ detection:
             - '%Public%'
             - '%Temp%'
             - '%tmp%'
-            - C:\Windows\
+            - :\Windows\
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml

@@ -1,7 +1,13 @@
 title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly
 id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
+related:
+    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
+      type: derived
+    - id: 51544ca6-51ab-48de-97e9-b1317707760c
+      type: derived
 status: test
-description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
+description: |
+    Detects suspicious child processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
 references:
     - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
     - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
@@ -19,7 +25,7 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        ParentProcessName|endswith: ScreenConnect.ClientService.exe
+        ParentProcessName|endswith: \ScreenConnect.ClientService.exe
         NewProcessName|endswith:
             - \cmd.exe
             - \powershell.exe

sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly_2.yml

@@ -0,0 +1,43 @@
+title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2
+id: 51544ca6-51ab-48de-97e9-b1317707760c
+related:
+    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
+      type: derived
+    - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
+      type: derived
+status: experimental
+description: Detects suspicious grand child processes started by the ScreenConnect client service.
+references:
+    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+author: Florian Roth (Nextron Systems)
+date: 2022/02/25
+modified: 2023/03/05
+tags:
+    - attack.command_and_control
+    - attack.t1219
+logsource:
+    product: windows
+    category: process_creation
+    definition: 'Requirements: To make use of this rule, GrandParentImage field enrichment needs to be available for process creation events'
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        GrandParentImage|endswith: \ScreenConnect.ClientService.exe
+        ParentProcessName|endswith:
+            - \cmd.exe
+            - \powershell.exe
+            - \pwsh.exe
+        NewProcessName|endswith:
+            - \cmd.exe
+            - \curl.exe
+            - \powershell.exe
+            - \pwsh.exe
+            - \wevtutil.exe
+    condition: process_creation and selection
+falsepositives:
+    - Unlikely
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml

@@ -0,0 +1,29 @@
+title: Remote Access Tool - ScreenConnect Remote Execution
+id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
+related:
+    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+      type: derived
+    - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
+      type: derived
+status: experimental
+description: Detects remote binary or command execution via the ScreenConnect Service.
+references:
+    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/02/23
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        ParentProcessName|endswith: \ScreenConnect.ClientService.exe
+    condition: process_creation and selection
+falsepositives:
+    - Unknown
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_remote_access_tools_simple_help.yml

@@ -0,0 +1,31 @@
+title: Remote Access Tool - Simple Help Execution
+id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
+status: experimental
+description: |
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/02/23
+tags:
+    - attack.command_and_control
+    - attack.t1219
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        NewProcessName|contains:
+            - \JWrapper-Remote Access\
+            - \JWrapper-Remote Support\
+        NewProcessName|endswith: \SimpleService.exe
+    condition: process_creation and selection
+falsepositives:
+    - Legitimate usage of the tool
+level: medium
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml

@@ -1,10 +1,12 @@
-title: Add User to Local Administrators Group
+title: User Added to Local Administrators Group
 id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
 related:
     - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
       type: similar
+    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
+      type: similar
 status: test
-description: Detects suspicious command line that adds an account to the local administrators/administrateurs group
+description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
 references:
     - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

sigma/builtin/process_creation/proc_creation_win_susp_add_user_privileged_group.yml

@@ -0,0 +1,41 @@
+title: User Added To Highly Privileged Group
+id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
+related:
+    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
+      type: similar
+    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
+      type: similar
+status: test
+description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
+references:
+    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/02/23
+tags:
+    - attack.persistence
+    - attack.t1098
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_main:
+        - CommandLine|contains|all:
+              # net.exe
+              - 'localgroup '
+              - ' /add'
+        - CommandLine|contains|all:
+              # powershell.exe
+              - 'Add-LocalGroupMember '
+              - ' -Group '
+    selection_group:
+        CommandLine|contains:
+            - Group Policy Creator Owners
+            - Schema Admins
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Administrative activity that must be investigated
+level: high
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml

@@ -1,10 +1,12 @@
-title: Suspicious Add User to Remote Desktop Users Group
+title: User Added to Remote Desktop Users Group
 id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
 related:
     - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
       type: similar
+    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
+      type: similar
 status: test
-description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
+description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
 references:
     - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
 author: Florian Roth (Nextron Systems)
@@ -36,9 +38,6 @@ detection:
             - Utilisateurs du Bureau à distance   # French for "Remote Desktop Users"
             - Usuarios de escritorio remoto   # Spanish for "Remote Desktop Users"
     condition: process_creation and (all of selection_*)
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Administrative activity
 level: high

sigma/builtin/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml

@@ -1,14 +1,17 @@
 title: Weak or Abused Passwords In CLI
 id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4
 status: test
-description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
+description: |
+    Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
+    An example would be a threat actor creating a new user via the net command and providing the password inline
 references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
     - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
+    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/14
-modified: 2022/11/06
+modified: 2024/02/23
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -22,11 +25,14 @@ detection:
     selection:
         CommandLine|contains:
             # Add more passwords
-            - Asd123.aaaa
-            - password123   # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
             - '123456789'
-            - P@ssw0rd!
+            - 123123qwE
+            - Asd123.aaaa
             - Decryptme
+            - P@ssw0rd!
+            - Pass8080
+            - password123   # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
+            - test@202   # Covers multiple years
     condition: process_creation and selection
 falsepositives:
     - Legitimate usage of the passwords by users via commandline (should be discouraged)

sigma/builtin/process_creation/proc_creation_win_wget_download_direct_ip.yml

@@ -27,6 +27,7 @@ detection:
         - CommandLine|contains: --output-document
     selection_ext:
         CommandLine|endswith:
+            # Note you can transform this into a "contains" to increase coverage but you would need to take care of some FP.
             - .ps1
             - .ps1'
             - .ps1"