Sigma Rule Update (2024-11-04 20:14:47) (#764)

Co-authored-by: hach1yon <[email protected]>

sigma/builtin/category/antivirus/av_exploiting.yml

@@ -4,15 +4,17 @@ related:
     - id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
       type: derived
 status: stable
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
+description: |
+    Detects a highly relevant Antivirus alert that reports an exploitation framework.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
     - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
     - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.execution
     - attack.t1203

sigma/builtin/category/antivirus/av_hacktool.yml

@@ -4,13 +4,15 @@ related:
     - id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
       type: derived
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+description: |
+    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021-08-16
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.execution
     - attack.t1204
@@ -36,8 +38,7 @@ detection:
         Channel: Microsoft-Windows-Windows Defender/Operational
     selection:
         - ThreatName|startswith:
-              - Adfind
-              - ATK/
+              - ATK/    # Sophos
               - Exploit.Script.CVE
               - HKTL
               - HTOOL
@@ -47,7 +48,6 @@ detection:
               # - 'FRP.'
         - ThreatName|contains:
               - Adfind
-              - ATK/    # Sophos
               - Brutel
               - BruteR
               - Cobalt
@@ -56,10 +56,10 @@ detection:
               - DumpCreds
               - FastReverseProxy
               - Hacktool
+              - Havoc
               - Impacket
               - Keylogger
               - Koadic
-              - Lazagne
               - Mimikatz
               - Nighthawk
               - PentestPowerShell
@@ -71,12 +71,16 @@ detection:
               - PWCrack
               - PWDump
               - Rozena
+              - Rusthound
               - Sbelt
               - Seatbelt
               - SecurityTool
               - SharpDump
+              - SharpHound
               - Shellcode
               - Sliver
+              - Snaffler
+              - SOAPHound
               - Splinter
               - Swrort
               - TurtleLoader

sigma/builtin/category/antivirus/av_password_dumper.yml

@@ -4,14 +4,16 @@ related:
     - id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
       type: derived
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a password dumper.
+description: |
+    Detects a highly relevant Antivirus alert that reports a password dumper.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
     - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-10-08
+modified: 2024-11-02
 tags:
     - attack.credential-access
     - attack.t1003
@@ -41,23 +43,37 @@ detection:
     selection:
         - ThreatName|startswith: PWS
         - ThreatName|contains:
+              - Certify
               - DCSync
               - DumpCreds
               - DumpLsass
+              - DumpPert
               - HTool/WCE
               - Kekeo
+              - Lazagne
               - LsassDump
               - Mimikatz
+              - MultiDump
+              - Nanodump
+              - NativeDump
               - Outflank
               - PShlSpy
               - PSWTool
               - PWCrack
               - PWDump
               - PWS.
               - PWSX
+              - pypykatz
               - Rubeus
+              - SafetyKatz
               - SecurityTool
+              - SharpChrome
+              - SharpDPAPI
               - SharpDump
+              - SharpKatz
+              - SharpS.   # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
+              - ShpKatz
+              - TrickDump
     condition: antivirus and selection
 falsepositives:
     - Unlikely

sigma/builtin/category/antivirus/av_ransomware.yml

@@ -4,17 +4,20 @@ related:
     - id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
       type: derived
 status: test
-description: Detects a highly relevant Antivirus alert that reports ransomware.
+description: |
+    Detects a highly relevant Antivirus alert that reports ransomware.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
     - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
     - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
     - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
     - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022-05-12
-modified: 2023-02-03
+modified: 2024-11-02
 tags:
     - attack.t1486
 logsource:
@@ -40,21 +43,34 @@ detection:
     selection:
         ThreatName|contains:
             - BlackWorm
+            - Chaos
+            - Cobra
+            - ContiCrypt
             - Crypter
             - CRYPTES
             - Cryptor
+            - CylanCrypt
+            - DelShad
             - Destructor
             - Filecoder
             - GandCrab
             - GrandCrab
+            - Haperlock
+            - Hiddentear
+            - HydraCrypt
             - Krypt
+            - Lockbit
             - Locker
+            - Mallox
             - Phobos
             - Ransom
             - Ryuk
             - Ryzerlo
+            - Stopcrypt
             - Tescrypt
             - TeslaCrypt
+            - WannaCry
+            - Xorist
     condition: antivirus and selection
 falsepositives:
     - Unlikely

sigma/builtin/category/antivirus/av_relevant_files.yml

@@ -4,12 +4,14 @@ related:
     - id: c9a88268-0047-4824-ba6e-4d81ce0b907c
       type: derived
 status: test
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+description: |
+    Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.resource-development
     - attack.t1588
@@ -41,7 +43,7 @@ detection:
             - :\Users\Public\
             - :\Windows\
             - /www/
-            - \Client\
+            # - '\Client\'
             - \inetpub\
             - \tsclient\
             - apache

sigma/builtin/category/antivirus/av_webshell.yml

@@ -7,6 +7,7 @@ status: test
 description: |
     Detects a highly relevant Antivirus alert that reports a web shell.
     It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
+    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
     - https://www.nextron-systems.com/?s=antivirus
     - https://github.com/tennc/webshell
@@ -20,7 +21,7 @@ references:
     - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -55,13 +56,13 @@ detection:
               - Troj/ASP
               - Troj/JSP
               - Troj/PHP
-              - VBS/Uxor   # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+              - VBS/Uxor   # looking for 'VBS/' would also find downloader's and droppers meant for desktops
         - ThreatName|contains:
-              - ASP_   # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+              - ASP_   # looking for 'VBS_' would also find downloader's and droppers meant for desktops
               - 'ASP:'
               - ASP.Agent
               - ASP/
-              - ASP/Agent
+              # - 'ASP/Agent'
               - Aspdoor
               - ASPXSpy
               - Backdoor.ASP
@@ -81,14 +82,14 @@ detection:
               - 'JSP:'
               - JSP.Agent
               - JSP/
-              - JSP/Agent
+              # - 'JSP/Agent'
               - 'Perl:'
               - Perl/
               - PHP_
               - 'PHP:'
               - PHP.Agent
               - PHP/
-              - PHP/Agent
+              # - 'PHP/Agent'
               - PHPShell
               - PShlSpy
               - SinoChoper

sigma/sysmon/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml

@@ -15,6 +15,7 @@ references:
     - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
 author: Florian Roth
 date: 2024-11-01
+modified: 2024-11-03
 tags:
     - attack.defense-evasion
     - sysmon
@@ -28,7 +29,9 @@ detection:
     selection_extension:
         TargetFilename|endswith: .rdp
     selection_location:
-        - TargetFilename|contains: \AppData\Local\Packages\Microsoft.Outlook_   # New Outlook
+        - TargetFilename|contains:
+              - \AppData\Local\Packages\Microsoft.Outlook_   # New Outlook
+              - \AppData\Local\Microsoft\Olk\Attachments\   # New Outlook
         - TargetFilename|contains|all:
               - \AppData\Local\Microsoft\Windows\
               - \Content.Outlook\