Sigma Rule Update (2024-08-02 01:49:51) (#691)

Co-authored-by: YamatoSecurity <[email protected]>

sigma/builtin/deprecated/proc_creation_win_apt_gallium.yml

@@ -1,5 +1,10 @@
 title: GALLIUM Artefacts
 id: 99aad877-16b0-5952-af26-eb8f63100781
+related:
+    - id: 440a56bf-7873-4439-940a-1c8a671073c2
+      type: derived
+    - id: 18739897-21b1-41da-8ee4-5b786915a676
+      type: derived
 status: deprecated
 description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
 references:

sigma/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml

@@ -1,5 +1,12 @@
 title: Execution via MSSQL Xp_cmdshell Stored Procedure
 id: 807db7b2-c1e5-520b-2e63-7b2c400be00d
+related:
+    - id: d08dd86f-681e-4a00-a92c-1db218754417
+      type: derived
+    - id: 7f103213-a04e-4d59-8261-213dddf22314
+      type: derived
+    - id: 344482e4-a477-436c-aa70-7536d18a48c7
+      type: derived
 status: deprecated
 description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.
 references:

sigma/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml

@@ -1,5 +1,10 @@
 title: Indirect Command Exectuion via Forfiles
 id: 4bea8156-6003-3037-62a5-4be1429183b9
+related:
+    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+      type: obsoletes
+    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
+      type: derived
 status: deprecated
 description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
 references:

sigma/builtin/deprecated/proc_creation_win_mal_ryuk.yml

@@ -1,5 +1,10 @@
 title: Ryuk Ransomware Command Line Activity
 id: 7b159be0-8034-a6cb-dcb7-f6fbcf9b2680
+related:
+    - id: c37510b8-2107-4b78-aa32-72f251e7a844
+      type: similar
+    - id: 0acaad27-9f02-4136-a243-c357202edd74
+      type: derived
 status: deprecated
 description: Detects Ryuk Ransomware command lines
 references:

sigma/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml

@@ -1,5 +1,10 @@
 title: Trickbot Malware Reconnaissance Activity
 id: 10aa2f9c-45d9-5c31-ffa2-06fc745b7e33
+related:
+    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
+      type: similar
+    - id: 410ad193-a728-4107-bc79-4419789fcbf8
+      type: derived
 status: deprecated
 description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
 references:

sigma/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml

@@ -1,5 +1,10 @@
 title: Malicious Base64 Encoded Powershell Invoke Cmdlets
 id: a3b6ca34-23c2-eedd-8733-1294655ca76a
+related:
+    - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+      type: similar
+    - id: fd6e2919-3936-40c9-99db-0aa922c356f7
+      type: derived
 status: deprecated
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 references:

sigma/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml

@@ -1,5 +1,10 @@
 title: Potential Xor Encoded PowerShell Command
 id: 405d20b3-771f-a808-6794-c0aae7cf9cf6
+related:
+    - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
+      type: similar
+    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
+      type: derived
 status: deprecated
 description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection
 references:

sigma/builtin/deprecated/proc_creation_win_reg_dump_sam.yml

@@ -1,5 +1,10 @@
 title: Registry Dump of SAM Creds and Secrets
 id: f4ff3d8e-34aa-51f7-6a8e-5081ec934b65
+related:
+    - id: fd877b94-9bb5-4191-bb25-d79cbd93c167
+      type: similar
+    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
+      type: derived
 status: deprecated
 description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
 references:

sigma/builtin/deprecated/proc_creation_win_root_certificate_installed.yml

@@ -1,5 +1,10 @@
 title: Root Certificate Installed
 id: f378e980-dd67-4968-9df5-2ac09c718d4d
+related:
+    - id: 42821614-9264-4761-acfc-5772c3286f76
+      type: derived
+    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
+      type: derived
 status: deprecated
 description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 references:

sigma/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml

@@ -1,5 +1,10 @@
 title: PsExec Tool Execution
 id: 02e5fd82-2643-35a3-b104-51f4ef19c215
+related:
+    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+      type: derived
+    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
+      type: derived
 status: deprecated
 description: Detects PsExec service execution via default service image name
 references:

sigma/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml

@@ -1,5 +1,12 @@
 title: WMI Execution Via Office Process
 id: 0bca1760-51b3-cdf0-9756-923f2be12c94
+related:
+    - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
+      type: derived
+    - id: 438025f9-5856-4663-83f7-52f878a70a50
+      type: similar
+    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
+      type: derived
 status: deprecated
 description: Initial execution of malicious document calls wmic to execute the file with regsvr32
 references:

sigma/builtin/deprecated/registry_set_malware_adwind.yml

@@ -1,5 +1,10 @@
 title: Adwind RAT / JRAT - Registry
 id: 6c44673b-8c80-9ce9-718d-46f34b17ffcc
+related:
+    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+      type: derived
+    - id: 42f0e038-767e-4b85-9d96-2c6335bad0b5
+      type: derived
 status: deprecated
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:

sigma/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml

@@ -1,5 +1,10 @@
 title: APT29 2018 Phishing Campaign CommandLine Indicators
 id: a9a106d5-22d5-d9b2-c10f-60f4cd7e055d
+related:
+    - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+      type: obsoletes
+    - id: 7453575c-a747-40b9-839b-125a0aae324b
+      type: derived
 status: stable
 description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
 references:

sigma/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml

@@ -1,5 +1,14 @@
 title: OilRig APT Activity
 id: 18831824-9288-e5da-ec10-093f213d54b3
+related:
+    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
+      type: similar
+    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
+      type: similar
+    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
+      type: similar
+    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
+      type: derived
 status: test
 description: Detects OilRig activity as reported by Nyotron in their March 2018 report
 references:

sigma/builtin/emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml

@@ -1,5 +1,14 @@
 title: OilRig APT Registry Persistence
 id: e3b2e8dd-18aa-f9bc-9af7-bc31d7717574
+related:
+    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
+      type: similar
+    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
+      type: similar
+    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
+      type: similar
+    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
+      type: derived
 status: test
 description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
 references:

sigma/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml

@@ -1,5 +1,12 @@
 title: Potential Ryuk Ransomware Activity
 id: d7037073-136c-baf0-a9d7-cb2c03fcd245
+related:
+    - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
+      type: similar
+    - id: 0acaad27-9f02-4136-a243-c357202edd74
+      type: obsoletes
+    - id: c37510b8-2107-4b78-aa32-72f251e7a844
+      type: derived
 status: stable
 description: Detects Ryuk ransomware activity
 references:

sigma/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml

@@ -1,5 +1,10 @@
 title: Operation Wocao Activity
 id: 5a419751-992b-77c8-867f-49e5097ecddd
+related:
+    - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+      type: derived
+    - id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
+      type: derived
 status: test
 description: Detects activity mentioned in Operation Wocao report
 references:

sigma/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml

@@ -1,5 +1,10 @@
 title: Blue Mockingbird
 id: f6378d07-9103-4e8d-742c-4c622112632a
+related:
+    - id: ce239692-aa94-41b3-b32f-9cab259c96ea
+      type: merged
+    - id: c3198a27-23a0-4c2c-af19-e5328d49680e
+      type: derived
 status: test
 description: Attempts to detect system changes made by Blue Mockingbird
 references:

sigma/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml

@@ -1,5 +1,10 @@
 title: Lazarus Group Activity
 id: 2e608159-dacf-a4b9-091f-28534c9424d3
+related:
+    - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
+      type: obsoletes
+    - id: 24c4d154-05a4-4b99-b57d-9b977472443a
+      type: derived
 status: test
 description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
 references:

sigma/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml

@@ -1,5 +1,10 @@
 title: Potential Devil Bait Malware Reconnaissance
 id: 35938479-283e-16c7-ff2a-78b5f267f8f6
+related:
+    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
+      type: derived
+    - id: e8954be4-b2b8-4961-be18-da1a5bda709c
+      type: derived
 status: test
 description: Detects specific process behavior observed with Devil Bait samples
 references:

sigma/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml

@@ -1,5 +1,12 @@
 title: Pingback Backdoor Activity
 id: 2efc692b-49f5-1d23-c6ca-3e4e63d3026c
+related:
+    - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
+      type: similar
+    - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
+      type: similar
+    - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
+      type: derived
 status: test
 description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
 references:

sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml

@@ -1,5 +1,10 @@
 title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
 id: b7a9b3d7-4d7a-c3f3-3d76-9b3c30db223c
+related:
+    - id: f8987c03-4290-4c96-870f-55e75ee377f4
+      type: similar
+    - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
+      type: derived
 status: experimental
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml

@@ -1,5 +1,10 @@
 title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
 id: 1afd58da-cc18-91ca-c728-f9ead1f47317
+related:
+    - id: e4556676-fc5c-4e95-8c39-5ef27791541f
+      type: similar
+    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+      type: derived
 status: experimental
 description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
 references:

sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml

@@ -1,5 +1,22 @@
 title: Potential Compromised 3CXDesktopApp Execution
 id: 35f3ea40-3ec2-86b1-9633-0a8230a46fc6
+related:
+    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
+      type: similar
+    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
+      type: similar
+    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
+      type: similar
+    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
+      type: similar
+    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
+      type: similar
+    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
+      type: similar
+    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
+      type: similar
+    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
+      type: derived
 status: test
 description: Detects execution of known compromised version of 3CXDesktopApp
 references:

sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml

@@ -1,5 +1,22 @@
 title: Potential Suspicious Child Process Of 3CXDesktopApp
 id: 55dc8b32-c836-8c99-848d-630c50764aeb
+related:
+    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
+      type: similar
+    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
+      type: similar
+    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
+      type: similar
+    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
+      type: similar
+    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
+      type: similar
+    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
+      type: similar
+    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
+      type: similar
+    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88
+      type: derived
 status: test
 description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
 references:

sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml

@@ -1,5 +1,22 @@
 title: Potential Compromised 3CXDesktopApp Update Activity
 id: dfd05613-5afb-ff48-86b9-082194e9ae79
+related:
+    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
+      type: similar
+    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
+      type: similar
+    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
+      type: similar
+    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
+      type: similar
+    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
+      type: similar
+    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
+      type: similar
+    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
+      type: similar
+    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
+      type: derived
 status: test
 description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
 references:

sigma/builtin/emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml

@@ -1,5 +1,10 @@
 title: Kapeka Backdoor Autorun Persistence
 id: 4f676138-05ac-facf-8305-99c355044751
+related:
+    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
+      type: similar
+    - id: c0c67b21-eb8a-4c84-a395-40473ec3b482
+      type: derived
 status: experimental
 description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
 references:

sigma/builtin/network_connection/net_connection_win_imewdbld.yml

@@ -1,5 +1,10 @@
 title: Network Connection Initiated By IMEWDBLD.EXE
 id: 0f4d93f0-a1eb-e6cb-7d79-f38cc95a9a55
+related:
+    - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
+      type: derived
+    - id: 8d7e392e-9b28-49e1-831d-5949c6281228
+      type: derived
 status: test
 description: |
     Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.

sigma/builtin/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml

@@ -1,5 +1,10 @@
 title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
 id: 34ba9d0c-a415-a91a-013b-30158906f18c
+related:
+    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
+      type: obsoletes
+    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+      type: derived
 status: test
 description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
 references:

sigma/builtin/network_connection/net_connection_win_susp_malware_callback_port.yml

@@ -1,5 +1,10 @@
 title: Potentially Suspicious Malware Callback Communication
 id: 7ac85830-5907-5206-2d25-490b3ace5587
+related:
+    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
+      type: similar
+    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
+      type: derived
 status: test
 description: |
     Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases

sigma/builtin/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml

@@ -1,5 +1,10 @@
 title: Communication To Uncommon Destination Ports
 id: 7983db98-5767-b29d-2652-a01fd3e751ad
+related:
+    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
+      type: similar
+    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
+      type: derived
 status: test
 description: Detects programs that connect to uncommon destination ports
 references: