Update multiple rules

SigmaHQ · Oct 18, 2024 · a33f41b · a33f41b
1 parent f33530e
commit a33f41b
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
@@ -16,7 +16,7 @@ references:
     - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022-08-17
-modified: 2024-08-22
+modified: 2024-10-18
 tags:
     - attack.command-and-control
     - attack.t1102
@@ -76,6 +76,7 @@ detection:
             - 'wetransfer.com'
             - 'workers.dev'
             - 'youtube.com'
+            - 'pixeldrain.com'
     # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
     # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
     filter_main_chrome:

diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -17,7 +17,7 @@ references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-08-25
+modified: 2024-10-18
 tags:
     - attack.defense-evasion
     - attack.t1489
@@ -275,6 +275,7 @@ detection:
             - 'WPFFontCache_v0400'
             - 'WRSVC'
             - 'wsbexchange'
+            - 'WSearch'
             - 'Zoolz 2 Service'
     condition: all of selection_*
 falsepositives:

diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -10,9 +10,10 @@ description: Detects potential COM object hijacking via modification of default
 references:
     - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
     - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+    - https://blog.talosintelligence.com/uat-5647-romcom/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2024-10-01
+modified: 2024-10-18
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -34,6 +35,7 @@ detection:
             - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
             - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
             - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
+            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
     selection_susp_location_1:
         Details|contains:
             # Note: Add more suspicious paths and locations