Sigma Rule Update (2024-12-29 07:12:33) (#802)

Co-authored-by: YamatoSecurity <[email protected]>

sigma/builtin/placeholder/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml

@@ -0,0 +1,33 @@
+title: New RDP Connection Initiated From Domain Controller
+id: 8b0f1458-5a23-5950-ebc7-f8d7a562dc06
+related:
+    - id: fda34293-718e-4b36-b018-38caab0d1209
+      type: derived
+status: experimental
+description: Detects an RDP connection originating from a domain controller.
+references:
+    - Internal Research
+author: Josh Nickels
+date: 2024-05-10
+tags:
+    - attack.lateral-movement
+    - attack.t1021
+logsource:
+    product: windows
+    category: network_connection
+detection:
+    network_connection:
+        EventID: 5156
+        Channel: Security
+    selection_connection:
+        Direction: 'True'
+        DestPort: 3389
+    selection_hosts:
+        Computer|expand: '%domain_controller_hostnames%'
+    filter_optional_defender_identity:
+        Application|endswith: \Microsoft.Tri.Sensor.exe
+    condition: network_connection and (all of selection_* and not 1 of filter_*)
+falsepositives:
+    - Legitimate administration activity
+level: high
+ruletype: Sigma

sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml

@@ -0,0 +1,31 @@
+title: Userdomain Variable Enumeration
+id: a0611cee-4fe8-b36f-b9a7-8c31f5d9977b
+related:
+    - id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
+      type: derived
+status: test
+description: Detects suspicious enumeration of the domain the user is associated with.
+references:
+    - https://www.arxiv-vanity.com/papers/2008.04676/
+    - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
+author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+date: 2023-02-09
+modified: 2024-08-01
+tags:
+    - attack.discovery
+    - attack.t1016
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        CommandLine|contains: 'echo '
+        CommandLine|contains|expand: '%userdomain%'
+    condition: process_creation and selection
+falsepositives:
+    - Certain scripts or applications may leverage this.
+level: low
+ruletype: Sigma

sigma/builtin/placeholder/security/win_security_admin_logon.yml

@@ -0,0 +1,40 @@
+title: User with Privileges Logon
+id: b3d10465-f171-0ef7-d28e-8ef2f9409cf1
+related:
+    - id: 94309181-d345-4cbf-b5fe-061769bdf9cb
+      type: derived
+status: test
+description: Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
+references:
+    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
+    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
+author: frack113
+date: 2022-10-14
+modified: 2023-12-14
+tags:
+    - attack.defense-evasion
+    - attack.lateral-movement
+    - attack.credential-access
+    - attack.t1558
+    - attack.t1649
+    - attack.t1550
+logsource:
+    service: security
+    product: windows
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID:
+            - 4672
+            - 4964
+    filter_main_local_system:
+        SubjectUserSid: S-1-5-18
+    filter_main_valid_account:
+        SubjectUserName|expand: '%Admins_Workstations%' # Set valid internal naming pattern or a list a valid account
+    condition: security and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Unknown
+level: low
+ruletype: Sigma

sigma/builtin/placeholder/security/win_security_exploit_cve_2020_1472.yml

@@ -0,0 +1,35 @@
+title: Potential Zerologon (CVE-2020-1472) Exploitation
+id: 7d4b25c3-0cef-1638-1d47-bb18acda0e6c
+related:
+    - id: dd7876d8-0f09-11eb-adc1-0242ac120002
+      type: derived
+status: test
+description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+references:
+    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+    - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
+date: 2020-10-15
+modified: 2023-12-15
+tags:
+    - attack.privilege-escalation
+    - attack.t1068
+    - cve.2020-1472
+logsource:
+    product: windows
+    service: security
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID: 4742
+        SubjectUserName: ANONYMOUS LOGON
+        TargetUserName|expand: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
+    filter_main:
+        PasswordLastSet: '-'
+    condition: security and (selection and not filter_main)
+falsepositives:
+    - Automatic DC computer account password change
+    - Legitimate DC computer account password change
+level: high
+ruletype: Sigma

sigma/builtin/placeholder/security/win_security_potential_pass_the_hash.yml

@@ -0,0 +1,38 @@
+title: Potential Pass the Hash Activity
+id: 35890fd4-9ed3-b244-0eff-91fe61e52f8b
+related:
+    - id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
+      type: derived
+status: test
+description: Detects the attack technique pass the hash which is used to move laterally inside the network
+references:
+    - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017-03-08
+modified: 2023-12-15
+tags:
+    - attack.lateral-movement
+    - attack.t1550.002
+    - car.2016-04-004
+logsource:
+    product: windows
+    service: security
+    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID:
+            - 4624
+            - 4625
+        LogonType: 3
+        LogonProcessName: NtLmSsp
+        WorkstationName|expand: '%Workstations%'
+        ComputerName|expand: '%Workstations%'
+    filter:
+        TargetUserName: ANONYMOUS LOGON
+    condition: security and (selection and not filter)
+falsepositives:
+    - Administrator activity
+level: medium
+ruletype: Sigma

sigma/builtin/placeholder/security/win_security_remote_registry_management_via_reg.yml

@@ -0,0 +1,36 @@
+title: Remote Registry Management Using Reg Utility
+id: e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a
+related:
+    - id: 68fcba0d-73a5-475e-a915-e8b4c576827e
+      type: derived
+status: test
+description: Remote registry management using REG utility from non-admin workstation
+references:
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019-10-22
+modified: 2023-12-15
+tags:
+    - attack.credential-access
+    - attack.defense-evasion
+    - attack.discovery
+    - attack.s0075
+    - attack.t1012
+    - attack.t1112
+    - attack.t1552.002
+logsource:
+    product: windows
+    service: security
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID: 5145
+        RelativeTargetName|contains: \winreg
+    filter_main:
+        IpAddress|expand: '%Admins_Workstations%'
+    condition: security and (selection and not filter_main)
+falsepositives:
+    - Legitimate usage of remote registry management by administrator
+level: medium
+ruletype: Sigma

sigma/builtin/placeholder/security/win_security_susp_interactive_logons.yml

@@ -0,0 +1,39 @@
+title: Interactive Logon to Server Systems
+id: 7298c707-7564-3229-7c76-ec514847d8c2
+related:
+    - id: 3ff152b2-1388-4984-9cd9-a323323fdadf
+      type: derived
+status: test
+description: Detects interactive console logons to Server Systems
+references:
+    - Internal Research
+author: Florian Roth (Nextron Systems)
+date: 2017-03-17
+modified: 2023-12-15
+tags:
+    - attack.lateral-movement
+    - attack.t1078
+logsource:
+    product: windows
+    service: security
+detection:
+    security:
+        Channel: Security
+    selection:
+        EventID:
+            - 528
+            - 529
+            - 4624
+            - 4625
+        LogonType: 2
+        ComputerName|expand:
+            - '%ServerSystems%'
+            - '%DomainControllers%'
+    filter_main_advapi:
+        LogonProcessName: Advapi
+        ComputerName|expand: '%Workstations%'
+    condition: security and (selection and not 1 of filter_main_*)
+falsepositives:
+    - Administrative activity via KVM or ILO board
+level: medium
+ruletype: Sigma

sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml

@@ -10,7 +10,7 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
 date: 2020-06-29
-modified: 2024-10-08
+modified: 2024-12-27
 tags:
     - attack.execution
     - attack.t1059.001
@@ -36,7 +36,7 @@ detection:
     filter_main_host_application_null:
         # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
         # If you're already mapping and extracting the field, then obviously use that directly.
-        Data|re: HostId=[a-zA-Z0-9-]{36} EngineVersion=
+        Data|re: HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=
     condition: ps_classic_start and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown

sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml

@@ -0,0 +1,87 @@
+title: Tamper Windows Defender - PSClassic
+id: 3ec981cc-6521-d6a9-9630-d1df7d2090b9
+related:
+    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
+      type: similar
+    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+      type: derived
+status: test
+description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021-06-07
+modified: 2024-01-02
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: ps_classic_provider_start
+detection:
+    ps_classic_provider_start:
+        EventID: 600
+        Channel: Windows PowerShell
+    selection_set_mppreference:
+        Data|contains: Set-MpPreference
+    selection_options_bool_allow:
+        Data|contains:
+            - -dbaf $true
+            - -dbaf 1
+            - -dbm $true
+            - -dbm 1
+            - -dips $true
+            - -dips 1
+            - -DisableArchiveScanning $true
+            - -DisableArchiveScanning 1
+            - -DisableBehaviorMonitoring $true
+            - -DisableBehaviorMonitoring 1
+            - -DisableBlockAtFirstSeen $true
+            - -DisableBlockAtFirstSeen 1
+            - -DisableCatchupFullScan $true
+            - -DisableCatchupFullScan 1
+            - -DisableCatchupQuickScan $true
+            - -DisableCatchupQuickScan 1
+            - -DisableIntrusionPreventionSystem $true
+            - -DisableIntrusionPreventionSystem 1
+            - -DisableIOAVProtection $true
+            - -DisableIOAVProtection 1
+            - -DisableRealtimeMonitoring $true
+            - -DisableRealtimeMonitoring 1
+            - -DisableRemovableDriveScanning $true
+            - -DisableRemovableDriveScanning 1
+            - -DisableScanningMappedNetworkDrivesForFullScan $true
+            - -DisableScanningMappedNetworkDrivesForFullScan 1
+            - -DisableScanningNetworkFiles $true
+            - -DisableScanningNetworkFiles 1
+            - -DisableScriptScanning $true
+            - -DisableScriptScanning 1
+            - -MAPSReporting $false
+            - -MAPSReporting 0
+            - -drdsc $true
+            - -drdsc 1
+            - -drtm $true
+            - -drtm 1
+            - -dscrptsc $true
+            - -dscrptsc 1
+            - -dsmndf $true
+            - -dsmndf 1
+            - -dsnf $true
+            - -dsnf 1
+            - -dss $true
+            - -dss 1
+    selection_options_actions_func:
+        Data|contains:
+            - HighThreatDefaultAction Allow
+            - htdefac Allow
+            - LowThreatDefaultAction Allow
+            - ltdefac Allow
+            - ModerateThreatDefaultAction Allow
+            - mtdefac Allow
+            - SevereThreatDefaultAction Allow
+            - stdefac Allow
+    condition: ps_classic_provider_start and (selection_set_mppreference and 1 of selection_options_*)
+falsepositives:
+    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
+level: high
+ruletype: Sigma

sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml

@@ -11,7 +11,7 @@ references:
     - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-24
-modified: 2024-10-08
+modified: 2024-12-27
 tags:
     - attack.execution
     - attack.t1059.001
@@ -36,7 +36,7 @@ detection:
     filter_main_host_application_null:
         # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
         # If you're already mapping and extracting the field, then obviously use that directly.
-        Data|re: HostId=[a-zA-Z0-9-]{36} EngineVersion=
+        Data|re: HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=
     condition: powershell_classic and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown