Merge pull request SigmaHQ#2274 from SigmaHQ/rule-devel

rule: SiteCore PreAuth RCE, Winrar; fix: FPs
V1D1AN · Nov 19, 2021 · 3b9c92e · 3b9c92e
2 parents 5e96a5c + 4acbb15
commit 3b9c92e
Show file tree

Hide file tree

Showing 8 changed files with 93 additions and 11 deletions.
diff --git a/rules/linux/process_creation/lnx_webshell_detection.yml b/rules/linux/process_creation/lnx_webshell_detection.yml
@@ -14,12 +14,6 @@ logsource:
    product: linux
    category: process_creation
 detection:
-   selection_sub_processes:
-      Image|endswith: 
-         - '/whoami'
-         - '/ifconfig'
-         - '/usr/bin/ip'
-         - '/bin/uname'
    selection_general:
       ParentImage|endswith:
          - '/httpd'
@@ -35,6 +29,12 @@ detection:
       ParentCommandLine|contains|all:
          - '/bin/java'
          - 'websphere'
+   selection_sub_processes:
+      Image|endswith: 
+         - '/whoami'
+         - '/ifconfig'
+         - '/usr/bin/ip'
+         - '/bin/uname'
    condition: selection_sub_processes and ( selection_general or selection_tomcat )
 falsepositives:
    - Web applications that invoke Linux command line tools 

diff --git a/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml b/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -0,0 +1,23 @@
+title: Sitecore Pre-Auth RCE CVE-2021-42237
+id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
+status: experimental
+description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
+author: Florian Roth
+date: 2021/11/17
+references:
+    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
+    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'POST'
+        c-uri|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
+        sc-status: 200
+    condition: selection
+falsepositives:
+    - Vulnerability Scanning/Pentesting
+level: high
diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -13,7 +13,7 @@ tags:
     - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/06/21
+modified: 2021/11/17
 logsource:
     product: windows
     category: process_access
@@ -23,7 +23,10 @@ detection:
         GrantedAccess:
             - '0x1410'
             - '0x1010'
-    condition: selection
+    filter:
+        SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+        SourceImage|endswith: '\GamingServices.exe'
+    condition: selection and not filter
 fields:
     - ComputerName
     - User

diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2021/11/17
+modified: 2021/11/19
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -42,9 +42,14 @@ detection:
             - 'C:\Windows\Sysmon.exe'
             - 'C:\Windows\System32\wbem\unsecapp.exe'
             - '\logman.exe'
+            - '\systeminfo.exe'
             - '\nvcontainer.exe'
             - 'C:\Windows\System32\wbem\WMIC.exe'
-    condition: selection and not filter
+    filter_generic:             # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to
+        Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    condition: selection and not filter and not filter_generic
 fields:
     - ComputerName
     - User

diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
@@ -3,6 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
 status: experimental
 date: 2020/06/24
+modified: 2021/11/17
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
@@ -32,6 +33,8 @@ detection:
     respond_server:
         Image|endswith: '\svchost.exe'
         OriginalFileName: 'WsmWmiPl.dll'
+    filter:
+        CommandLine|endswith: '\svchost.exe -k netsvcs -p -s BITS'
     condition: (request_client and not filter_ps) or respond_server
 falsepositives:
     - Unknown

diff --git a/rules/windows/other/win_exchange_cve_2021_42321.yml b/rules/windows/other/win_exchange_cve_2021_42321.yml
@@ -0,0 +1,19 @@
+title: Possible Exploitation of Exchange RCE CVE-2021-42321
+id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
+status: experimental
+description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
+references:
+    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
+author: 'Florian Roth, @testanull'
+date: 2021/11/18
+logsource:
+    product: windows
+    service: msexchange-management
+detection:
+    EventID: 6
+    keywords:
+        - 'Cmdlet failed. Cmdlet Get-App, '
+    condition: keywords
+falsepositives:
+    - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
+level: critical
diff --git a/rules/windows/process_creation/win_susp_winrar_execution.yml b/rules/windows/process_creation/win_susp_winrar_execution.yml
@@ -0,0 +1,28 @@
+title: Winrar Execution in Non-Standard Folder
+id: 4ede543c-e098-43d9-a28f-dd784a13132f
+status: experimental
+description: Detects a suspicious winrar execution in a folder which is not the default installation folder
+references:
+    - https://twitter.com/cyb3rops/status/1460978167628406785
+author: Florian Roth, Tigzy
+date: 2021/11/17
+tags:
+    - attack.collection
+    - attack.t1560.001
+    - attack.exfiltration # an old one  
+    - attack.t1002        # an old one
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: 
+            - '\rar.exe'
+            - '\winrar.exe'
+        - Description: 'Command line RAR'
+    filter:
+        Image|contains: '\WinRAR'
+    condition: selection and not filter
+falsepositives:
+    - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
+level: high
diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml
@@ -6,7 +6,7 @@ references:
     - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
-modified: 2021/11/16
+modified: 2021/11/18
 tags:
     - attack.command_and_control
     - attack.execution
@@ -26,6 +26,7 @@ detection:
     filter:
         CommandLine|contains:
             - ' /ClassId '
+            - ' wuaueng.dll '
     condition: selection and not filter
 falsepositives:
     - Unknown