Sigma Rule Update (2023-12-21 20:07:08) (#558)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/application/Other/win_av_relevant_match.yml

@@ -1,14 +1,15 @@
-title: Relevant Anti-Virus Event
+title: Relevant Anti-Virus Signature Keywords In Application Log
 id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 status: test
-description: This detection method points out highly relevant Antivirus events
+description: Detects potentially highly relevant antivirus events in the application
+    log based on known virus signature names and malware keywords.
 references:
     - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
     - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
     - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017/02/19
-modified: 2023/07/04
+modified: 2023/11/22
 tags:
     - attack.resource_development
     - attack.t1588
@@ -38,22 +39,21 @@ detection:
         - Destructor
         - DumpCreds
         - Exploit.Script.CVE
-        - Filecoder
         - FastReverseProxy
+        - Filecoder
         - GrandCrab
         - HackTool
+        - 'HKTL:'
         - HKTL.
         - HKTL/
-        - 'HKTL:'
         - HTool
-        - Impacket
         - IISExchgSpawnCMD
+        - Impacket
         - JSP/BackDoor
         - Keylogger
         - Koadic
         - Krypt
         - Lazagne
-        - Locker
         - Metasploit
         - Meterpreter
         - MeteTool
@@ -64,7 +64,6 @@ detection:
         - PentestPowerShell
         - Phobos
         - PHP/BackDoor
-        - Potato
         - PowerSploit
         - PowerSSH
         - PshlSpy

sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml

@@ -15,7 +15,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/20
-modified: 2023/07/25
+modified: 2023/11/15
 tags:
     - attack.execution
 logsource:
@@ -100,5 +100,5 @@ detection:
 falsepositives:
     - Antivirus and other third party products are known to trigger this rule quite
         a lot. Initial filters and tuning is required before using this rule.
-level: medium
+level: low
 ruletype: Sigma

sigma/builtin/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml → sigma/builtin/deprecated/posh_ps_file_and_directory_discovery.yml

@@ -1,6 +1,6 @@
 title: Powershell File and Directory Discovery
 id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
-status: test
+status: deprecated
 description: 'Adversaries may enumerate files and directories or may search in specific
     locations of a host or network share for certain information within a file system.
 
@@ -15,7 +15,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 author: frack113
 date: 2021/12/15
-modified: 2022/12/25
+modified: 2023/12/11
 tags:
     - attack.discovery
     - attack.t1083

sigma/builtin/powershell/powershell_script/posh_ps_susp_gwmi.yml → sigma/builtin/deprecated/posh_ps_susp_gwmi.yml

@@ -1,14 +1,14 @@
 title: Suspicious Get-WmiObject
 id: 0332a266-b584-47b4-933d-a00b103e1b37
-status: test
+status: deprecated
 description: The infrastructure for management data and operations that enables local
     and remote management of Windows personal computers and servers
 references:
     - https://attack.mitre.org/datasources/DS0005/
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
 date: 2022/01/12
-modified: 2022/11/02
+modified: 2023/12/11
 tags:
     - attack.persistence
     - attack.t1546

sigma/builtin/windefend/win_defender_disabled.yml → sigma/builtin/deprecated/win_defender_disabled.yml

@@ -1,13 +1,13 @@
 title: Windows Defender Threat Detection Disabled
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-status: stable
+status: deprecated
 description: Detects disabling Windows Defender threat protection
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: "J\xE1n Tren\u010Dansk\xFD, frack113"
 date: 2020/07/28
-modified: 2022/12/06
+modified: 2023/11/22
 tags:
     - attack.defense_evasion
     - attack.t1562.001

sigma/builtin/security/win_security_event_log_cleared.yml → sigma/builtin/deprecated/win_security_event_log_cleared.yml

@@ -1,12 +1,12 @@
 title: Security Event Log Cleared
 id: a122ac13-daf8-4175-83a2-72c387be339d
-status: test
+status: deprecated
 description: Checks for event id 1102 which indicates the security event log was cleared.
 references:
     - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 author: Saw Winn Naung
 date: 2021/08/15
-modified: 2022/12/25
+modified: 2023/12/06
 tags:
     - attack.t1070.001
 logsource:

sigma/builtin/system/service_control_manager/win_system_service_install_susp_double_ampersand.yml → sigma/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml

@@ -1,12 +1,13 @@
 title: New Service Uses Double Ampersand in Path
 id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
-status: test
+status: deprecated
 description: Detects a service installation that uses a suspicious double ampersand
     used in the image path value
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/07/05
+modified: 2023/11/15
 tags:
     - attack.defense_evasion
     - attack.t1027

sigma/builtin/lsa_server/win_lsa_server_normal_user_admin.yml

@@ -16,8 +16,8 @@ tags:
 logsource:
     product: windows
     service: lsa-server
-    definition: 'Requirements: Microsoft-Windows-LSA/Operational ({199FE037-2B82-40A9-82AC-E1D46C792B99})
-        Event Log must be collected in order to receive the events.'
+    definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99)
+        Event Log must be enabled and collected in order to use this rule.'
 detection:
     lsa_server:
         Channel: Microsoft-Windows-LSA/Operational
@@ -29,12 +29,12 @@ detection:
             - -500}
             - -518}
             - -519}
-    filter_admin:
+    filter_main_admin:
         TargetUserSid|endswith:
             - '-500'
             - '-518'
             - '-519'
-    condition: lsa_server and (selection and not filter_admin)
+    condition: lsa_server and (selection and not 1 of filter_main_*)
 falsepositives:
     - Standard domain users who are part of the administrator group. These users shouldn't
         have these right. But in the case where it's necessary. They should be filtered

sigma/builtin/powershell/powershell_script/posh_ps_malicious_commandlets.yml

@@ -34,7 +34,7 @@ author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nas
     Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt,
     Tobias Michalski, Austin Songer
 date: 2017/03/05
-modified: 2023/04/17
+modified: 2023/11/22
 tags:
     - attack.execution
     - attack.discovery
@@ -63,17 +63,13 @@ detection:
             - Add-RegBackdoor
             - Add-RemoteRegBackdoor
             - Add-ScrnSaveBackdoor
-            - Check-VM
             - ConvertTo-Rc4ByteStream
             - Decrypt-Hash
             - Disable-ADIDNSNode
-            - Disable-MachineAccount
             - Do-Exfiltration
             - Enable-ADIDNSNode
-            - Enable-MachineAccount
             - Enabled-DuplicateToken
             - Exploit-Jboss
-            - Export-ADR
             - Export-ADRCSV
             - Export-ADRExcel
             - Export-ADRHTML
@@ -82,8 +78,11 @@ detection:
             - Find-Fruit
             - Find-GPOLocation
             - Find-TrustedDocuments
-            - Get-ADIDNS
-            - Get-ApplicationHost
+            - Get-ADIDNSNodeAttribute
+            - Get-ADIDNSNodeOwner
+            - Get-ADIDNSNodeTombstoned
+            - Get-ADIDNSPermission
+            - Get-ADIDNSZone
             - Get-ChromeDump
             - Get-ClipboardContents
             - Get-FoxDump
@@ -92,8 +91,6 @@ detection:
             - Get-KerberosAESKey
             - Get-Keystrokes
             - Get-LSASecret
-            - Get-MachineAccountAttribute
-            - Get-MachineAccountCreator
             - Get-PassHashes
             - Get-RegAlwaysInstallElevated
             - Get-RegAutoLogon
@@ -104,7 +101,6 @@ detection:
             - Get-RemoteMachineAccountHash
             - Get-RemoteNLKMKey
             - Get-RickAstley
-            - Get-Screenshot
             - Get-SecurityPackages
             - Get-ServiceFilePermission
             - Get-ServicePermission
@@ -120,9 +116,6 @@ detection:
             - Get-VulnSchTask
             - Grant-ADIDNSPermission
             - Gupt-Backdoor
-            - HTTP-Login
-            - Install-ServiceBinary
-            - Install-SSP
             - Invoke-ACLScanner
             - Invoke-ADRecon
             - Invoke-ADSBackdoor
@@ -224,26 +217,19 @@ detection:
             - Invoke-Zerologon
             - MailRaider
             - New-ADIDNSNode
-            - New-DNSRecordArray
             - New-HoneyHash
             - New-InMemoryModule
-            - New-MachineAccount
             - New-SOASerialNumberArray
             - Out-Minidump
-            - Port-Scan
             - PowerBreach
             - 'powercat '
             - PowerUp
             - PowerView
             - Remove-ADIDNSNode
-            - Remove-MachineAccount
             - Remove-Update
             - Rename-ADIDNSNode
             - Revoke-ADIDNSPermission
             - Set-ADIDNSNode
-            - Set-MacAttribute
-            - Set-MachineAccountAttribute
-            - Set-Wallpaper
             - Show-TargetScreen
             - Start-CaptureServer
             - Start-WebcamRecorder

sigma/builtin/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml

@@ -1,18 +1,18 @@
-title: Malicious PowerView PowerShell Commandlets
+title: PowerView PowerShell Cmdlets - ScriptBlock
 id: dcd74b95-3f36-4ed9-9598-0490951643aa
 related:
     -   id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
         type: similar
 status: test
-description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
+description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
 references:
     - https://powersploit.readthedocs.io/en/stable/Recon/README
     - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
     - https://thedfirreport.com/2020/10/08/ryuks-return
     - https://adsecurity.org/?p=2277
 author: Bhabesh Raj
 date: 2021/05/18
-modified: 2023/04/20
+modified: 2023/11/22
 tags:
     - attack.execution
     - attack.t1059.001
@@ -28,14 +28,6 @@ detection:
             - PowerShellCore/Operational
     selection:
         ScriptBlockText|contains:
-            - Add-DomainGroupMember
-            - Add-DomainObjectAcl
-            - Add-ObjectAcl
-            - Add-RemoteConnection
-            - Convert-ADName
-            - ConvertFrom-UACValue
-            - Convert-NameToSid
-            - ConvertTo-SID
             - Export-PowerViewCSV
             - Find-DomainLocalGroupMember
             - Find-DomainObjectPropertyOutlier
@@ -53,57 +45,26 @@ detection:
             - Find-ManagedSecurityGroups
             - Get-CachedRDPConnection
             - Get-DFSshare
-            - Get-DNSRecord
-            - Get-DNSZone
-            - Get-DomainComputer
-            - Get-DomainController
             - Get-DomainDFSShare
             - Get-DomainDNSRecord
             - Get-DomainDNSZone
             - Get-DomainFileServer
-            - Get-DomainGPO
-            - Get-DomainGroup
-            - Get-DomainGroupMember
-            - Get-DomainManagedSecurityGroup
-            - Get-DomainObject
-            - Get-DomainObjectAcl
-            - Get-DomainOU
-            - Get-DomainPolicy
-            - Get-DomainSID
-            - Get-DomainSite
-            - Get-DomainSPNTicket
-            - Get-DomainSubnet
-            - Get-DomainUser
-            - Get-DomainUserEvent
-            - Get-Forest
-            - Get-IPAddress
+            - Get-DomainGPOComputerLocalGroupMapping
+            - Get-DomainGPOLocalGroup
+            - Get-DomainGPOUserLocalGroupMapping
             - Get-LastLoggedOn
             - Get-LoggedOnLocal
-            - Get-NetComputer
-            - Get-NetDomain
             - Get-NetFileServer
             - Get-NetForest
-            - Get-NetGPO
-            - Get-NetGroup
-            - Get-NetLocalGroup
-            - Get-NetLoggedon
-            - Get-NetOU
+            - Get-NetGPOGroup
             - Get-NetProcess
             - Get-NetRDPSession
-            - Get-NetSession
-            - Get-NetShare
-            - Get-NetSite
-            - Get-NetSubnet
-            - Get-NetUser
-            - Get-ObjectAcl
-            - Get-PathAcl
-            - Get-Proxy
             - Get-RegistryMountedDrive
             - Get-RegLoggedOn
-            - Get-SiteName
-            - Get-UserEvent
-            - Get-WMIProcess
-            - Get-WMIReg
+            - Get-WMIRegCachedRDPConnection
+            - Get-WMIRegLastLoggedOn
+            - Get-WMIRegMountedDrive
+            - Get-WMIRegProxy
             - Invoke-ACLScanner
             - Invoke-CheckLocalAdminAccess
             - Invoke-EnumerateLocalAdmin
@@ -116,17 +77,11 @@ detection:
             - Invoke-ShareFinder
             - Invoke-UserHunter
             - Invoke-UserImpersonation
-            - New-DomainGroup
-            - New-DomainUser
             - Remove-RemoteConnection
             - Request-SPNTicket
             - Resolve-IPAddress
-            - Set-ADObject
-            - Set-DomainObject
-            - Set-DomainUserPassword
-            - Test-AdminAccess
     condition: ps_script and selection
 falsepositives:
-    - Should not be any as administrators do not use this tool
+    - Unknown
 level: high
 ruletype: Sigma