Merge pull request SigmaHQ#1134 from Neo23x0/rule-devel

Rule devel
lukiffer · Oct 12, 2020 · d30502c · d30502c
2 parents c56cd2d + 3affdd1
commit d30502c
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 15 deletions.
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
@@ -48,6 +48,7 @@ detection:
         - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)'  # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
         - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36'  # Hidden Cobra malware
         - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)'  # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;'  # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
     condition: selection
 fields:
     - ClientIP

diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
@@ -10,18 +10,22 @@ references:
 logsource:
     category: proxy
 detection:
-    selection:
-      c-useragent:
-        # Badly scripted UA
+    selection1:
+      c-useragent|startswith:
         - 'user-agent'  # User-Agent: User-Agent:
-        - '* (compatible;MSIE *'  # typical typo - missing space
-        - '*.0;Windows NT *'  # typical typo - missing space
-        - 'Mozilla/3.0 *'
-        - 'Mozilla/2.0 *'
-        - 'Mozilla/1.0 *'
-        - 'Mozilla *'  # missing slash
-        - ' Mozilla/*'  # leading space
-        - 'Mozila/*'  # single 'l'
+        - 'Mozilla/3.0 '
+        - 'Mozilla/2.0 '
+        - 'Mozilla/1.0 '
+        - 'Mozilla '  # missing slash
+        - ' Mozilla/'  # leading space
+        - 'Mozila/'  # single 'l'
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
+    selection2:
+      c-useragent|contains:
+        - ' (compatible;MSIE '  # typical typo - missing space
+        - '.0;Windows NT '  # typical typo - missing space
+    selection3:
+      c-useragent:
         - '_'
         - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
         - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
@@ -30,7 +34,7 @@ detection:
     falsepositives:
         c-useragent:
             - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
-    condition: selection and not falsepositives
+    condition: ( selection1 or selection2 or selection3 ) and not falsepositives
 fields:
     - ClientIP
     - c-uri

diff --git a/rules/windows/process_creation/win_crime_snatch_ransomware.yml b/rules/windows/process_creation/win_crime_snatch_ransomware.yml
@@ -1,7 +1,7 @@
 title: Snatch Ransomware
 id: 5325945e-f1f0-406e-97b8-65104d393fff
 status: experimental
-description: Detects specific process characteristics of Maze ransomware word document droppers
+description: Detects specific process characteristics of Snatch ransomware word document droppers
 references:
     - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
 author: Florian Roth

diff --git a/rules/windows/process_creation/win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/win_susp_mpcmdrun_download.yml
@@ -10,6 +10,8 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1218.010
+    - attack.command_and_control
+    - attack.t1105
 logsource:
     category: process_creation
     product: windows

diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -29,6 +29,5 @@ tags:
     - attack.t1047
     - car.2016-03-002
 falsepositives:
-    - Will need to be tuned
-    - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.
+    - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine
 level: medium
diff --git a/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml b/rules/windows/process_creation/win_susp_wmic_proc_create_rundll32.yml
@@ -0,0 +1,26 @@
+title: Suspicious WMI Execution Using Rundll32
+id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
+status: experimental
+description: Detects WMI executing rundll32
+references:
+    - https://thedfirreport.com/2020/10/08/ryuks-return/
+author: Florian Roth
+date: 2020/10/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'process call create'
+            - 'rundll32'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+tags:
+    - attack.execution
+    - attack.t1047
+falsepositives:
+    - Unknown
+level: high