Merge branch 'master' into rule-devel

.github/workflows/known-FPs.csv

@@ -44,3 +44,5 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
+1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer
+c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer

.github/workflows/sigma-test.yml

@@ -22,13 +22,13 @@ jobs:
     - uses: actions/checkout@v2
       with:
         submodules: true
-    - name: Set up Python 3.8
+    - name: Set up Python 3.11
       uses: actions/setup-python@v1
       with:
-        python-version: 3.8
+        python-version: 3.11
     - name: Install dependencies
       run: |
-        pip install sigma-cli~=0.3.2
+        pip install sigma-cli~=0.5.3
     - name: Test Sigma Rule Syntax
       run: |
         sigma check rules

LICENSE

@@ -3,5 +3,5 @@
 The content of this repository is released under the following licenses:
 
 - The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License
-- The Sigma specification and the Sigma logo are public domain
-- The rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1
+- The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
+- The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the Detection Rule License (DRL) 1.1

README.md

@@ -256,18 +256,21 @@ and included with `@filename` as parameter on the command line.
 
 Example:
 *misp.conf*:
-```
+
+```apacheconf
 url https://host
 key foobarfoobarfoobarfoobarfoobarfoobarfoo
 ```
 
 Load Sigma rule into MISP event 1234:
-```
+
+```bash
 sigma2misp @misp.conf --event 1234 sigma_rule.py
 ```
 
 Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
-```
+
+```bash
 sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 ```
 
@@ -280,11 +283,12 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
 
 Requirements:
-- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
+
+* Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
 
 Usage samples:
 
-```
+```bash
 # Use the default "rules" folder
 ./tools/sigma2attack
 
@@ -345,8 +349,9 @@ If you want to contribute, you are more then welcome. There are numerous ways to
 If you use it, let us know what works and what does not work.
 
 E.g.
-- Tell us about false positives (issues section)
-- Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
+
+* Tell us about false positives (issues section)
+* Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
 
 ## Work on open issues
 
@@ -358,15 +363,15 @@ Please don't provide backends for the old code base (sigmac) anymore. Please use
 
 ## Spread the word
 
-Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it. 
+Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.
 
 # Licenses
 
 The content of this repository is released under the following licenses:
 
-* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
-* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain
-* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
+* The toolchain (everything under tools/) is licensed under the[GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
+* The [Sigma Specification](https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
+* The rules contained in the [SigmaHQ repository](https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
 
 # Credits
 

rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml

@@ -0,0 +1,24 @@
+title: MavInject Process Injection
+id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+status: deprecated
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+author: Florian Roth
+references:
+    - https://twitter.com/gN3mes1s/status/941315826107510784
+    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+    - https://twitter.com/Hexacorn/status/776122138063409152
+date: 2018/12/12
+modified: 2021/11/27
+tags:
+    - attack.t1055.001
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: ' /INJECTRUNNING '
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml → rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml

@@ -1,11 +1,12 @@
 title: Nslookup PwSh Download Cradle
 id: 72671447-4352-4413-bb91-b85569687135
-status: experimental
+status: deprecated
 description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
 references:
     - https://twitter.com/alh4zr3d/status/1566489367232651264
 author: Zach Mathis (@yamatosecurity)
 date: 2022/09/06
+modified: 2022/12/14 # Deprecation date
 tags:
     - attack.command_and_control
     - attack.t1105

rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml → rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml

@@ -1,7 +1,11 @@
 title: Excel Proxy Executing Regsvr32 With Payload
 id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
-status: experimental
-description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
+status: deprecated
+description: |
+  Excel called wmic to finally proxy execute regsvr32 with the payload.
+  An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
+  But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
+  Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml

rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml → rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml

@@ -1,13 +1,17 @@
-title: Excel Proxy Executing Regsvr32 With Payload
+title: Excel Proxy Executing Regsvr32 With Payload Alternate
 id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
-status: experimental
-description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
+status: deprecated
+description: |
+  Excel called wmic to finally proxy execute regsvr32 with the payload.
+  An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
+  But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
+  Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
 date: 2021/08/23
-modified: 2022/07/07
+modified: 2022/12/02
 tags:
     - attack.t1204.002
     - attack.t1047

rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml → rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml

@@ -1,6 +1,6 @@
 title: Abusing Windows Telemetry For Persistence - Registry
 id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
-status: experimental
+status: deprecated
 description: |
   Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
   This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
@@ -23,19 +23,19 @@ detection:
         EventType: SetValue
         TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
         Details|endswith:
-            - .sh
-            - .exe
-            - .dll
-            - .bin
-            - .bat
-            - .cmd
-            - .js
-            - .ps
-            - .vb
-            - .jar
-            - .hta
-            - .msi
-            - .vbs
+            - '.sh'
+            - '.exe'
+            - '.dll'
+            - '.bin'
+            - '.bat'
+            - '.cmd'
+            - '.js'
+            - '.ps'
+            - '.vb'
+            - '.jar'
+            - '.hta'
+            - '.msi'
+            - '.vbs'
     condition: selection
 fields:
     - EventID

rules/windows/registry/registry_set/registry_set_silentprocessexit.yml → rules-deprecated/windows/registry_set_silentprocessexit.yml

@@ -1,6 +1,6 @@
 title: SilentProcessExit Monitor Registration
 id: c81fe886-cac0-4913-a511-2822d72ff505
-status: experimental
+status: deprecated
 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
 references:
     - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml → rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml

@@ -1,12 +1,12 @@
 title: Accessing WinAPI in PowerShell for Credentials Dumping
 id: 3f07b9d1-2082-4c56-9277-613a621983cc
-status: experimental
+status: deprecated
 description: Detects Accessing to lsass.exe by Powershell
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/07/14
+modified: 2022/12/18
 tags:
     - attack.credential_access
     - attack.t1003.001

rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml → rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml

@@ -1,12 +1,12 @@
 title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon
 id: e554f142-5cf3-4e55-ace9-a1b59e0def65
-status: test
+status: deprecated
 description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
 references:
     - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
 date: 2020/10/12
-modified: 2022/11/26
+modified: 2022/12/18
 tags:
     - attack.lateral_movement
     - attack.t1021.002
@@ -23,7 +23,7 @@ detection:
         EventID: 7
         Image|endswith: '\Internet Explorer\iexplore.exe'
         ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
-    condition: selection_one or selection_two
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: critical

rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml

@@ -1,17 +1,20 @@
 title: Account Created And Deleted By Non Approved Users
 id: c98184ba-4a27-4e10-b7b7-da48e71f4d25
 status: experimental
-description: Detects when accounts are created and deleted by non-approved users. 
-author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
+description: Detects accounts that are created or deleted by non-approved users.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
+author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
+date: 2022/08/11
+tags:
+    - attack.defense_evasion
+    - attack.t1078
 logsource:
     product: azure
     service: auditlogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Add user
             - Delete user
         Status: Sucess
@@ -20,7 +23,4 @@ detection:
     condition: selection and not valid_admin
 falsepositives:
     - Legit administrative action
-tags:
-    - attack.defense_evasion
-    - attack.t1078
 level: medium

rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml

@@ -1,11 +1,14 @@
 title: Authentication Occuring Outside Normal Business Hours
 id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526
 status: experimental
-description: Detects when an a user signs in outside of normal business hours. 
-author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
+description: Detects user signs ins outside of normal business hours.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
+author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
+date: 2022/08/11
+tags:
+    - attack.persistence
+    - attack.t1078
 logsource:
     product: azure
     service: signinlogs
@@ -19,7 +22,4 @@ detection:
     condition: selection
 falsepositives:
      - User doing actual work outside of normal business hours.
-tags:
-    - attack.persistence
-    - attack.t1078
 level: low

rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml

@@ -1,16 +1,20 @@
 title: Privilege Role Elevation Not Occuring on SAW or PAW
 id: 38a5e67b-436a-4e77-9f73-f48a82626890
 status: experimental
-description: Detects when an account fails a sign-in when in from a PAW or SAW device
-author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
+description: Detects failed sign-in from a PAW or SAW device
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/11
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1078
 logsource:
     product: azure
     service: signinlogs
 detection:
-    # You have to tune the rule for your environnement before use it
+    # You have to tune the rule for your environment before use it
     selection:
         properties.message|contains: Add memmber to role completed (PIM aciviation)
         # Countries you DO operate out of e,g GB, use list for mulitple
@@ -25,8 +29,4 @@ detection:
     condition: selection
 falsepositives:
      - Not using a PAW/SAW in the environment
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1078
 level: high

rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml

@@ -1,16 +1,19 @@
 title: Privilege Role Sign-In Outside Expected Controls
 id: cf1e5687-84e1-41af-97a9-158094efef53
 status: experimental
-description: Detects when an account fails a sign-in when it doesn't meet expected controls for admins
-author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
+description: Detects failed sign-in due to user not meeting expected controls for adminitrators
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/11
+tags:
+    - attack.defense_evasion
+    - attack.t1078
 logsource:
     product: azure
     service: signinlogs
 detection:
-    # You have to tune the rule for your environnement before use it
+    # You have to tune the rule for your environment before use it
     selection:
         Status: failure
         # Countries you do NOT operate out of e,g GB, use list for mulitple
@@ -21,7 +24,4 @@ detection:
     condition: selection
 falsepositives:
      - A legit admin not following proper processes
-tags:
-    - attack.defense_evasion
-    - attack.t1078
 level: high