diff --git a/sigma/builtin/category/antivirus/av_exploiting.yml b/sigma/builtin/category/antivirus/av_exploiting.yml
index 23aac0bb4..9b49b2e17 100644
--- a/sigma/builtin/category/antivirus/av_exploiting.yml
+++ b/sigma/builtin/category/antivirus/av_exploiting.yml
@@ -4,7 +4,9 @@ related:
 - id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
 type: derived
 status: stable
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
+description: |
+ Detects a highly relevant Antivirus alert that reports an exploitation framework.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
@@ -12,7 +14,7 @@ references:
 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.execution
 - attack.t1203
diff --git a/sigma/builtin/category/antivirus/av_hacktool.yml b/sigma/builtin/category/antivirus/av_hacktool.yml
index 4ceacf8b4..72904ed5d 100644
--- a/sigma/builtin/category/antivirus/av_hacktool.yml
+++ b/sigma/builtin/category/antivirus/av_hacktool.yml
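Review bot: The sentence appended to `description` in the `+` lines of the first hunk reads awkwardly — "but investigate, how it came there" has a stray comma and splices an imperative onto a negated statement — and the identical sentence is added to av_hacktool.yml, av_password_dumper.yml, av_ransomware.yml, av_relevant_files.yml and av_webshell.yml in this commit. Suggest `This event must not be ignored just because the AV has blocked the malware; instead, investigate how it got there in the first place.` in all six places. The second hunk of this file is only the `modified` date bump.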
@@ -4,13 +4,15 @@ related:
 - id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
 type: derived
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+description: |
+ Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2021-08-16
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.execution
 - attack.t1204
@@ -36,8 +38,7 @@ detection:
 Channel: Microsoft-Windows-Windows Defender/Operational
 selection:
 - ThreatName|startswith:
- - Adfind
- - ATK/
+ - ATK/ # Sophos
 - Exploit.Script.CVE
 - HKTL
 - HTOOL
@@ -47,7 +48,6 @@ detection:
 # - 'FRP.'
 - ThreatName|contains:
 - Adfind
- - ATK/ # Sophos
 - Brutel
 - BruteR
 - Cobalt
@@ -56,10 +56,10 @@ detection:
 - DumpCreds
 - FastReverseProxy
 - Hacktool
+ - Havoc
 - Impacket
 - Keylogger
 - Koadic
- - Lazagne
 - Mimikatz
 - Nighthawk
 - PentestPowerShell
@@ -71,12 +71,16 @@ detection:
 - PWCrack
 - PWDump
 - Rozena
+ - Rusthound
 - Sbelt
 - Seatbelt
 - SecurityTool
 - SharpDump
+ - SharpHound
 - Shellcode
 - Sliver
+ - Snaffler
+ - SOAPHound
 - Splinter
 - Swrort
 - TurtleLoader
diff --git a/sigma/builtin/category/antivirus/av_password_dumper.yml b/sigma/builtin/category/antivirus/av_password_dumper.yml
index 4cce40771..3ddde8580 100644
--- a/sigma/builtin/category/antivirus/av_password_dumper.yml
+++ b/sigma/builtin/category/antivirus/av_password_dumper.yml
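Review bot: `ATK/` is moved from the `ThreatName|contains` list into `ThreatName|startswith` (second and third hunks of this file) with no record of why the anchoring changed; the two operators are not equivalent, since `startswith` will no longer match a name in which `ATK/` follows another prefix — whether such names exist I cannot tell from the hunk. Suggest extending the inline comment so the intent survives the next edit, e.g. `- ATK/ # Sophos; anchored with startswith on purpose: <reason>`. `Lazagne`, dropped in the fourth hunk, is re-added to av_password_dumper.yml in this same commit, so that is a move rather than lost coverage.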
@@ -4,14 +4,16 @@ related:
 - id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
 type: derived
 status: stable
-description: Detects a highly relevant Antivirus alert that reports a password dumper.
+description: |
+ Detects a highly relevant Antivirus alert that reports a password dumper.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-10-08
+modified: 2024-11-02
 tags:
 - attack.credential-access
 - attack.t1003
@@ -41,13 +43,19 @@ detection:
 selection:
 - ThreatName|startswith: PWS
 - ThreatName|contains:
+ - Certify
 - DCSync
 - DumpCreds
 - DumpLsass
+ - DumpPert
 - HTool/WCE
 - Kekeo
+ - Lazagne
 - LsassDump
 - Mimikatz
+ - MultiDump
+ - Nanodump
+ - NativeDump
 - Outflank
 - PShlSpy
 - PSWTool
@@ -55,9 +63,17 @@ detection:
 - PWDump
 - PWS.
 - PWSX
+ - pypykatz
 - Rubeus
+ - SafetyKatz
 - SecurityTool
+ - SharpChrome
+ - SharpDPAPI
 - SharpDump
+ - SharpKatz
+ - SharpS. # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
+ - ShpKatz
+ - TrickDump
 condition: antivirus and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/category/antivirus/av_ransomware.yml b/sigma/builtin/category/antivirus/av_ransomware.yml
index 1abbd5d88..a19a1e46d 100644
--- a/sigma/builtin/category/antivirus/av_ransomware.yml
+++ b/sigma/builtin/category/antivirus/av_ransomware.yml
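Review bot: `Certify` (second hunk) is the name of an AD CS enumeration/abuse tool rather than a credential dumper, so it sits oddly in a rule whose description and `attack.t1003` tag are about password dumping; av_hacktool.yml, which this commit also touches, looks like the more natural home, although the list already carries `Rubeus` as a precedent for broader credential-access tooling. If it stays, a short inline note would save the next maintainer the same question, e.g. `- Certify # AD CS abuse tool, kept here alongside Rubeus as credential-access tooling`. `Lazagne` moves here from av_hacktool.yml in the same commit, which matches the rule's purpose.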
@@ -4,7 +4,9 @@ related:
 - id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
 type: derived
 status: test
-description: Detects a highly relevant Antivirus alert that reports ransomware.
+description: |
+ Detects a highly relevant Antivirus alert that reports ransomware.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
@@ -12,9 +14,10 @@ references:
 - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
 - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
 - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+ - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2022-05-12
-modified: 2023-02-03
+modified: 2024-11-02
 tags:
 - attack.t1486
 logsource:
@@ -40,21 +43,34 @@ detection:
 selection:
 ThreatName|contains:
 - BlackWorm
+ - Chaos
+ - Cobra
+ - ContiCrypt
 - Crypter
 - CRYPTES
 - Cryptor
+ - CylanCrypt
+ - DelShad
 - Destructor
 - Filecoder
 - GandCrab
 - GrandCrab
+ - Haperlock
+ - Hiddentear
+ - HydraCrypt
 - Krypt
+ - Lockbit
 - Locker
+ - Mallox
 - Phobos
 - Ransom
 - Ryuk
 - Ryzerlo
+ - Stopcrypt
 - Tescrypt
 - TeslaCrypt
+ - WannaCry
+ - Xorist
 condition: antivirus and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/category/antivirus/av_relevant_files.yml b/sigma/builtin/category/antivirus/av_relevant_files.yml
index e3a84e4db..e32a03036 100644
--- a/sigma/builtin/category/antivirus/av_relevant_files.yml
+++ b/sigma/builtin/category/antivirus/av_relevant_files.yml
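Review bot: `Chaos` and `Cobra` (third hunk) are far shorter and more generic than the rest of the `ThreatName|contains` list, so they will match any AV family name carrying that token, not only the ransomware families this rule is about, while `falsepositives` is left at `Unlikely`. Suggest anchoring both to the fuller family strings seen in the referenced VirusTotal samples, or at least recording the trade-off inline, e.g. `- Chaos # short token, may also hit non-ransomware families`. The other additions (`Lockbit`, `Mallox`, `WannaCry`, …) are specific enough as written.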
@@ -4,12 +4,14 @@ related:
 - id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 type: derived
 status: test
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+description: |
+ Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.resource-development
 - attack.t1588
@@ -41,7 +43,7 @@ detection:
 - :\Users\Public\
 - :\Windows\
 - /www/
- - \Client\
+ # - '\Client\'
 - \inetpub\
 - \tsclient\
 - apache
diff --git a/sigma/builtin/category/antivirus/av_webshell.yml b/sigma/builtin/category/antivirus/av_webshell.yml
index b94c5d76d..9a58a4db7 100644
--- a/sigma/builtin/category/antivirus/av_webshell.yml
+++ b/sigma/builtin/category/antivirus/av_webshell.yml
@@ -7,6 +7,7 @@ status: test
 description: |
 Detects a highly relevant Antivirus alert that reports a web shell.
 It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
 references:
 - https://www.nextron-systems.com/?s=antivirus
 - https://github.com/tennc/webshell
@@ -20,7 +21,7 @@ references:
 - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
 tags:
 - attack.persistence
 - attack.t1505.003
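Review bot: Commenting out `\Client\` in the path list (second hunk of av_relevant_files.yml) silently drops a match term without recording why; a later reader cannot tell whether it was a false-positive source or an accident, and a bare commented-out entry tends to be either deleted or resurrected blindly. Suggest either removing the line and stating the reason in the commit message, or keeping it with the reason attached, e.g. `# - '\Client\' # disabled <date>: <reason, e.g. FP source>`. The av_webshell.yml description hunk that follows only adds the shared "must not be ignored" sentence discussed on av_exploiting.yml.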
@@ -55,13 +56,13 @@ detection:
 - Troj/ASP
 - Troj/JSP
 - Troj/PHP
- - VBS/Uxor # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+ - VBS/Uxor # looking for 'VBS/' would also find downloader's and droppers meant for desktops
 - ThreatName|contains:
- - ASP_ # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+ - ASP_ # looking for 'VBS_' would also find downloader's and droppers meant for desktops
 - 'ASP:'
 - ASP.Agent
 - ASP/
- - ASP/Agent
+ # - 'ASP/Agent'
 - Aspdoor
 - ASPXSpy
 - Backdoor.ASP
@@ -81,14 +82,14 @@ detection:
 - 'JSP:'
 - JSP.Agent
 - JSP/
- - JSP/Agent
+ # - 'JSP/Agent'
 - 'Perl:'
 - Perl/
 - PHP_
 - 'PHP:'
 - PHP.Agent
 - PHP/
- - PHP/Agent
+ # - 'PHP/Agent'
 - PHPShell
 - PShlSpy
 - SinoChoper
diff --git a/sigma/sysmon/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml b/sigma/sysmon/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
index ab0e720ea..8f9eff670 100644
--- a/sigma/sysmon/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
@@ -15,6 +15,7 @@ references:
 - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
 author: Florian Roth
 date: 2024-11-01
+modified: 2024-11-03
 tags:
 - attack.defense-evasion
 - sysmon
@@ -28,7 +29,9 @@ detection:
 selection_extension:
 TargetFilename|endswith: .rdp
 selection_location:
- - TargetFilename|contains: \AppData\Local\Packages\Microsoft.Outlook_ # New Outlook
+ - TargetFilename|contains:
+ - \AppData\Local\Packages\Microsoft.Outlook_ # New Outlook
+ - \AppData\Local\Microsoft\Olk\Attachments\ # New Outlook
 - TargetFilename|contains|all:
 - \AppData\Local\Microsoft\Windows\
 - \Content.Outlook\
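Review bot: The rewritten comments on `VBS/Uxor` and `ASP_` (first av_webshell.yml hunk here) change `downloaders` to `downloader's`, which introduces a grammatical error rather than fixing one; the plural `downloaders` was correct, so the two `+` lines should keep the old wording unless something else was intended. The `ASP/Agent`, `JSP/Agent` and `PHP/Agent` entries commented out across these two hunks are already covered by the `ASP/`, `JSP/` and `PHP/` terms in the same `ThreatName|contains` list, so deleting them outright loses nothing and avoids leaving commented-out entries behind; if they stay as comments, a note such as `# - 'ASP/Agent' # redundant: covered by ASP/` would say why.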