Sigma Rule Update (2024-12-14 20:14:40) (#791)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 14, 2024 · 434b2a3 · 434b2a3
1 parent c30819a
commit 434b2a3
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -14,9 +14,10 @@ references:
     - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
     - https://blog.talosintelligence.com/uat-5647-romcom/
     - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
+    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2024-11-19
+modified: 2024-12-14
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -43,6 +44,7 @@ detection:
             - \{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\
             - \{7849596a-48ea-486e-8937-a2a3009f31a9}\
             - \{0b91a74b-ad7c-4a9d-b563-29eef9167172}\
+            - \{603D3801-BD81-11d0-A3A5-00C04FD706EC}\
     selection_susp_location_1:
         NewValue|contains:
             # Note: Add more suspicious paths and locations

diff --git a/...in/security/win_security_susp_sdelete.yml → ...ity_sdelete_potential_secure_deletion.yml b/...in/security/win_security_susp_sdelete.yml → ...ity_sdelete_potential_secure_deletion.yml
@@ -1,17 +1,17 @@
-title: Secure Deletion with SDelete
+title: Potential Secure Deletion with SDelete
 id: 70c3269a-a7f2-49bd-1e28-a0921f353db7
 related:
     - id: 39a80702-d7ca-4a83-b776-525b1f86a36d
       type: derived
 status: test
-description: Detects renaming of file while deletion with SDelete tool.
+description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
 author: Thomas Patzke
 date: 2017-06-14
-modified: 2021-11-27
+modified: 2024-12-13
 tags:
     - attack.impact
     - attack.defense-evasion
@@ -37,5 +37,6 @@ detection:
     condition: security and selection
 falsepositives:
     - Legitimate usage of SDelete
+    - Files that are interacted with that have these extensions legitimately
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -14,9 +14,10 @@ references:
     - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
     - https://blog.talosintelligence.com/uat-5647-romcom/
     - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
+    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2024-11-19
+modified: 2024-12-14
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -45,6 +46,7 @@ detection:
             - \{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\
             - \{7849596a-48ea-486e-8937-a2a3009f31a9}\
             - \{0b91a74b-ad7c-4a9d-b563-29eef9167172}\
+            - \{603D3801-BD81-11d0-A3A5-00C04FD706EC}\
     selection_susp_location_1:
         Details|contains:
             # Note: Add more suspicious paths and locations