Merge PR SigmaHQ#4937 from @nasbench - Multiple updates and fixes

fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS" update: Cab File Extraction Via Wusa.EXE - Move to TH folder update: COM Object Execution via Xwizard.EXE - Update logic update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
mavjs · Aug 29, 2024 · 4cd51a3 · 4cd51a3
1 parent 5550ccd
commit 4cd51a3
Show file tree

Hide file tree

Showing 21 changed files with 160 additions and 118 deletions.
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml
@@ -0,0 +1,32 @@
+title: Potential DLL Sideloading Activity Via ExtExport.EXE
+id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a
+status: test
+description: |
+    Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
+    It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
+    Arbitrary DLLs can also be loaded if a specific number of flags was provided.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Extexport/
+    - https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
+    - https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
+    - https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/
+    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
+    - https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021-11-26
+modified: 2024-08-26
+tags:
+    - attack.defense-evasion
+    - attack.t1218
+    - detection.threat-hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\Extexport.exe'
+        - OriginalFileName: 'extexport.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/...creation_win_lolbin_workflow_compiler.yml → ...microsoft_workflow_compiler_execution.yml b/...creation_win_lolbin_workflow_compiler.yml → ...microsoft_workflow_compiler_execution.yml
@@ -1,7 +1,8 @@
 title: Microsoft Workflow Compiler Execution
 id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
 status: test
-description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
+description: |
+    Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
 references:
     - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
@@ -14,6 +15,7 @@ tags:
     - attack.execution
     - attack.t1127
     - attack.t1218
+    - detection.threat-hunting
 logsource:
     category: process_creation
     product: windows
@@ -22,9 +24,6 @@ detection:
         - Image|endswith: '\Microsoft.Workflow.Compiler.exe'
         - OriginalFileName: 'Microsoft.Workflow.Compiler.exe'
     condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Legitimate MWC use (unlikely in modern enterprise environments)
 level: medium
diff --git a/...roc_creation_win_wsl_lolbin_execution.yml → ...n_win_wsl_arbitrary_command_execution.yml b/...roc_creation_win_wsl_lolbin_execution.yml → ...n_win_wsl_arbitrary_command_execution.yml
@@ -4,7 +4,8 @@ related:
     - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules
       type: similar
 status: test
-description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
+description: |
+    Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
     - https://twitter.com/nas_bench/status/1535431474429808642
@@ -16,6 +17,7 @@ tags:
     - attack.defense-evasion
     - attack.t1218
     - attack.t1202
+    - detection.threat-hunting
 logsource:
     category: process_creation
     product: windows

diff --git a/...reation_win_wusa_cab_files_extraction.yml → ...reation_win_wusa_cab_files_extraction.yml b/...reation_win_wusa_cab_files_extraction.yml → ...reation_win_wusa_cab_files_extraction.yml
@@ -1,13 +1,19 @@
-title: Wusa Extracting Cab Files
+title: Cab File Extraction Via Wusa.EXE
 id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
+related:
+    - id: c74c0390-3e20-41fd-a69a-128f0275a5ea
+      type: derived
 status: test
-description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique
+description: |
+    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
 references:
     - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-04
+modified: 2024-08-15
 tags:
     - attack.execution
+    - detection.threat-hunting
 logsource:
     category: process_creation
     product: windows

diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -10,7 +10,7 @@ references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017-02-19
-modified: 2024-07-17
+modified: 2024-08-29
 tags:
     - attack.resource-development
     - attack.t1588
@@ -94,8 +94,10 @@ detection:
         # - 'Ryuk'
     filter_optional_generic:
         - 'anti_ransomware_service.exe'
+        - 'Anti-Ransomware'
         - 'Crack'
         - 'cyber-protect-service.exe'
+        - 'encryptor'
         - 'Keygen'
     filter_optional_information:
         Level: 4  # Information level

diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml
@@ -1,7 +1,7 @@
 title: Potential DLL Sideloading Using Coregen.exe
 id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
 status: test
-description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
+description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
 author: frack113
@@ -16,13 +16,13 @@ logsource:
 detection:
     selection:
         Image|endswith: '\coregen.exe'
-    filter:
+    filter_main_legit_paths:
         ImageLoaded|startswith:
+            - 'C:\Program Files (x86)\Microsoft Silverlight\'
+            - 'C:\Program Files\Microsoft Silverlight\'
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
-            - 'C:\Program Files\Microsoft Silverlight\'
-            - 'C:\Program Files (x86)\Microsoft Silverlight\'
-    condition: selection and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml b/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml
@@ -0,0 +1,33 @@
+title: Potential DLL Injection Via AccCheckConsole
+id: 0f6da907-5854-4be6-859a-e9958747b0aa
+status: test
+description: |
+    Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
+    One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
+    The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
+references:
+    - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
+    - https://twitter.com/bohops/status/1477717351017680899?s=12
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
+author: Florian Roth (Nextron Systems)
+date: 2022-01-06
+modified: 2024-08-29
+tags:
+    - attack.execution
+    - detection.threat-hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\AccCheckConsole.exe'
+        - OriginalFileName: 'AccCheckConsole.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' -hwnd'
+            - ' -process '
+            - ' -window '
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of the UI Accessibility Checker
+level: medium
diff --git a/...n/proc_creation_win_lolbin_susp_dxcap.yml → ..._win_dxcap_arbitrary_binary_execution.yml b/...n/proc_creation_win_lolbin_susp_dxcap.yml → ..._win_dxcap_arbitrary_binary_execution.yml
@@ -1,7 +1,8 @@
-title: Application Whitelisting Bypass via Dxcap.exe
+title: New Capture Session Launched Via DXCap.EXE
 id: 60f16a96-db70-42eb-8f76-16763e333590
 status: test
-description: Detects execution of of Dxcap.exe
+description: |
+    Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
     - https://twitter.com/harr0ey/status/992008180904419328

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
diff --git a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
@@ -10,9 +10,10 @@ references:
     - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
     - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
     - https://twitter.com/0gtweet/status/1299071304805560321?s=21
+    - https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
 author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-09-24
-modified: 2023-04-24
+modified: 2024-08-15
 tags:
     - attack.credential-access
     - attack.t1003.001
@@ -24,19 +25,14 @@ detection:
         - Image|endswith: '\rdrleakdiag.exe'
         - OriginalFileName: RdrLeakDiag.exe
     selection_cli_dump:
-        CommandLine|contains:
-            - 'fullmemdmp'
+        CommandLine|contains|windash:
             - '/memdmp'
-            - '-memdmp'
-    selection_cli_output:
-        CommandLine|contains:
-            - ' -o '
-            - ' /o '
-    selection_cli_process:
-        CommandLine|contains:
-            - ' -p '
-            - ' /p '
-    condition: all of selection_cli_* or (selection_img and selection_cli_dump)
+            - 'fullmemdmp'
+    selection_cli_output_process:
+        CommandLine|contains|windash:
+            - ' /o ' # Output
+            - ' /p ' # Process
+    condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
diff --git a/...ion/proc_creation_win_lolbin_sigverif.yml → ...n_win_sigverif_uncommon_child_process.yml b/...ion/proc_creation_win_lolbin_sigverif.yml → ...n_win_sigverif_uncommon_child_process.yml
@@ -1,12 +1,14 @@
-title: Suspicious Sigverif Execution
+title: Uncommon Sigverif.EXE Child Process
 id: 7d4aaec2-08ed-4430-8b96-28420e030e04
 status: test
-description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
+description: |
+    Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
 references:
     - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
     - https://twitter.com/0gtweet/status/1457676633809330184
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
+modified: 2024-08-27
 tags:
     - attack.defense-evasion
     - attack.t1216
@@ -16,7 +18,11 @@ logsource:
 detection:
     selection:
         ParentImage|endswith: '\sigverif.exe'
-    condition: selection
+    filter_main_werfault:
+        Image:
+            - 'C:\Windows\System32\WerFault.exe'
+            - 'C:\Windows\SysWOW64\WerFault.exe'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/...creation/proc_creation_win_lolbin_ssh.yml → ...proc_creation_win_ssh_proxy_execution.yml b/...creation/proc_creation_win_lolbin_ssh.yml → ...proc_creation_win_ssh_proxy_execution.yml
@@ -1,7 +1,7 @@
-title: Lolbin Ssh.exe Use As Proxy
+title: Program Executed Using Proxy/Local Command Via SSH.EXE
 id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
 status: test
-description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
+description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
     - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
@@ -13,7 +13,7 @@ date: 2022-12-29
 modified: 2023-01-25
 tags:
     - attack.defense-evasion
-    - attack.t1202
+    - attack.t1218
 logsource:
     category: process_creation
     product: windows

diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
@@ -18,7 +18,7 @@ references:
     - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
 date: 2020-10-23
-modified: 2023-12-02
+modified: 2024-08-15
 tags:
     - attack.defense-evasion
     - attack.t1218.011
@@ -41,20 +41,20 @@ detection:
     selection_regsvr32:
         Image|endswith: '\regsvr32.exe'
         CommandLine|endswith: 'regsvr32.exe'
-    filter_main_edge_update:
-        ParentImage|contains|all:
-            - ':\Users\'
-            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
-    filter_optional_chrome_installer:
-        # As reported in https://github.com/SigmaHQ/sigma/issues/4570
-        ParentImage|contains|all:
-            - ':\Users\'
+    filter_optional_edge_update:
+        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
+        Image|endswith: '\rundll32.exe'
+        CommandLine|endswith: 'rundll32.exe'
+    filter_optional_chromium_installer:
+        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
+        ParentImage|contains:
+            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
             - '\AppData\Local\Google\Chrome\Application\'
         ParentImage|endswith: '\Installer\setup.exe'
-        ParentCommandLine|contains: '--uninstall --channel=stable'
+        ParentCommandLine|contains: '--uninstall '
         Image|endswith: '\rundll32.exe'
         CommandLine|endswith: 'rundll32.exe'
-    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
+    condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
     - Unlikely
 level: high