Merge PR #4597 from @nasbench - Update Process Access Rules

fix: Potential NT API Stub Patching - Tune FP filter new: Credential Dumping Activity By Python Based Tool new: HackTool - Generic Process Access remove: Credential Dumping Tools Accessing LSASS Memory update: Credential Dumping Activity Via Lsass - Update selection to increase coverage and filters to tune false positives update: Credential Dumping Attempt Via WerFault - Update title update: Function Call From Undocumented COM Interface EditionUpgradeManager - Reduce level to medium update: HackTool - CobaltStrike BOF Injection Pattern - Update title update: HackTool - HandleKatz Duplicating LSASS Handle - Update title update: HackTool - LittleCorporal Generated Maldoc Injection - Update title update: HackTool - SysmonEnte Execution - Add additional location of Sysmon, update title and filters update: HackTool - winPEAS Execution - Add additional image names for winPEAS update: LSASS Access From Potentially White-Listed Processes - Update title and description update: LSASS Access From Program In Potentially Suspicious Folder - Update filters to take into account other drivers than C: update: LSASS Memory Access by Tool With Dump Keyword In Name - Update title and description update: Lsass Memory Dump via Comsvcs DLL - Reduce level and remove path from filter to account for any location of rundll32 update: Malware Shellcode in Verclsid Target Process - Move to hunting folder update: Potential Credential Dumping Attempt Via PowerShell - Reduce level to medium, update description and move to hunting folder update: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Update filters and metadata update: Potential Process Hollowing Activity - Update FP filter update: Potential Shellcode Injection - Update title and enhance false positive filter update: Potentially Suspicious GrantedAccess Flags On LSASS - update: Remote LSASS Process Access Through Windows Remote Management - Update title, description and filter to account for installation other than C: update: Suspicious Svchost Process Access - Enhance filter to account for installation in non C: locations update: Uncommon GrantedAccess Flags On LSASS - Enhance false positive filter --------- Co-authored-by: phantinuss <[email protected]> Thanks: swachchhanda000
SigmaHQ · Dec 4, 2023 · 19d271b · 19d271b
1 parent 0e27834
commit 19d271b
Show file tree

Hide file tree

Showing 39 changed files with 605 additions and 512 deletions.
diff --git a/...ss_win_lazagne_cred_dump_lsass_access.yml → ...ss_win_lazagne_cred_dump_lsass_access.yml b/...ss_win_lazagne_cred_dump_lsass_access.yml → ...ss_win_lazagne_cred_dump_lsass_access.yml
diff --git a/...roc_access_win_cred_dump_lsass_access.yml → ...ows/proc_access_win_lsass_susp_access.yml b/...roc_access_win_cred_dump_lsass_access.yml → ...ows/proc_access_win_lsass_susp_access.yml
@@ -1,6 +1,6 @@
 title: Credential Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
-status: experimental
+status: deprecated
 description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -9,7 +9,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
 date: 2017/02/16
-modified: 2023/03/22
+modified: 2023/11/30
 tags:
     - attack.credential_access
     - attack.t1003.001

diff --git a/...s_win_pypykatz_cred_dump_lsass_access.yml → ...s_win_pypykatz_cred_dump_lsass_access.yml b/...s_win_pypykatz_cred_dump_lsass_access.yml → ...s_win_pypykatz_cred_dump_lsass_access.yml
diff --git a/...access_win_malware_verclsid_shellcode.yml → ...access_win_malware_verclsid_shellcode.yml b/...access_win_malware_verclsid_shellcode.yml → ...access_win_malware_verclsid_shellcode.yml
@@ -11,22 +11,23 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1055
+    - detection.emerging_threats
 logsource:
     category: process_access
     product: windows
-    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
 detection:
-    selection:
+    selection_target:
         TargetImage|endswith: '\verclsid.exe'
         GrantedAccess: '0x1FFFFF'
-    combination1:
+    selection_calltrace_1:
         CallTrace|contains|all:
             - '|UNKNOWN('
             - 'VBE7.DLL'
-    combination2:
+    selection_calltrace_2:
         SourceImage|contains: '\Microsoft Office\'
         CallTrace|contains: '|UNKNOWN'
-    condition: selection and 1 of combination*
+    condition: selection_target and 1 of selection_calltrace_*
 falsepositives:
     - Unknown
 level: high
diff --git a/...api_in_powershell_credentials_dumping.yml → ...oc_access_win_lsass_powershell_access.yml b/...api_in_powershell_credentials_dumping.yml → ...oc_access_win_lsass_powershell_access.yml
@@ -6,15 +6,16 @@ related:
     - id: fb656378-f909-47c1-8747-278bf09f4f4f
       type: similar
 status: test
-description: Detects PowerShell processes requesting access to "lsass.exe"
+description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/12/18
+modified: 2023/11/28
 tags:
     - attack.credential_access
     - attack.t1003.001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: process_access
@@ -27,4 +28,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/...in_susp_proc_access_lsass_susp_source.yml → ..._access_win_lsass_susp_source_process.yml b/...in_susp_proc_access_lsass_susp_source.yml → ..._access_win_lsass_susp_source_process.yml
@@ -1,4 +1,4 @@
-title: LSASS Access From Program in Potentially Suspicious Folder
+title: LSASS Access From Program In Potentially Suspicious Folder
 id: fa34b441-961a-42fa-a100-ecc28c886725
 status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
@@ -10,7 +10,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
 date: 2021/11/27
-modified: 2023/05/05
+modified: 2023/11/27
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -55,8 +55,9 @@ detection:
             - '\AppData\'
             - '\Temporary'
     filter_optional_generic_appdata:
-        SourceImage|startswith: 'C:\Users\'
-        SourceImage|contains: '\AppData\Local\'
+        SourceImage|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\'
         SourceImage|endswith:
             - '\Microsoft VS Code\Code.exe'
             - '\software_reporter_tool.exe'
@@ -67,26 +68,27 @@ detection:
             - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
         GrantedAccess: '0x410'
     filter_optional_dropbox_1:
-        SourceImage|startswith: 'C:\Windows\Temp\'
+        SourceImage|contains: ':\Windows\Temp\'
         SourceImage|endswith: '.tmp\DropboxUpdate.exe'
         GrantedAccess:
             - '0x410'
             - '0x1410'
     filter_optional_dropbox_2:
-        SourceImage|startswith: 'C:\Users\'
-        SourceImage|contains: '\AppData\Local\Temp\'
+        SourceImage|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\Temp\'
         SourceImage|endswith: '.tmp\DropboxUpdate.exe'
         GrantedAccess: '0x1410'
     filter_optional_dropbox_3:
-        SourceImage|startswith:
-            - 'C:\Program Files (x86)\Dropbox\'
-            - 'C:\Program Files\Dropbox\'
+        SourceImage|contains:
+            - ':\Program Files (x86)\Dropbox\'
+            - ':\Program Files\Dropbox\'
         SourceImage|endswith: '\DropboxUpdate.exe'
         GrantedAccess: '0x1410'
     filter_optional_nextron:
-        SourceImage|startswith:
-            - 'C:\Windows\Temp\asgard2-agent\'
-            - 'C:\Windows\Temp\asgard2-agent-sc\'
+        SourceImage|contains:
+            - ':\Windows\Temp\asgard2-agent\'
+            - ':\Windows\Temp\asgard2-agent-sc\'
         SourceImage|endswith:
             - '\thor64.exe'
             - '\thor.exe'
@@ -97,42 +99,37 @@ detection:
             - '0x1010'
             - '0x101010'
     filter_optional_ms_products:
-        SourceImage|startswith: 'C:\Users\'
         SourceImage|contains|all:
+            - ':\Users\'
             - '\AppData\Local\Temp\'
             - '\vs_bootstrapper_'
         GrantedAccess: '0x1410'
     filter_optional_chrome_update:
-        SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
+        SourceImage|contains: ':\Program Files (x86)\Google\Temp\'
         SourceImage|endswith: '.tmp\GoogleUpdate.exe'
         GrantedAccess:
             - '0x410'
             - '0x1410'
     filter_optional_keybase:
-        SourceImage|startswith: 'C:\Users\'
+        SourceImage|contains: ':\Users\'
         SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
         GrantedAccess: '0x1fffff'
     filter_optional_avira:
         SourceImage|contains: '\AppData\Local\Temp\is-'
         SourceImage|endswith: '.tmp\avira_system_speedup.tmp'
         GrantedAccess: '0x1410'
     filter_optional_viberpc_updater:
-        SourceImage|startswith: 'C:\Users\'
         SourceImage|contains: '\AppData\Roaming\ViberPC\'
         SourceImage|endswith: '\updater.exe'
         TargetImage|endswith: '\winlogon.exe'
         GrantedAccess: '0x1fffff'
     filter_optional_adobe_arm_helper:
-        SourceImage|startswith:  # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
-            - 'C:\Program Files\Common Files\Adobe\ARM\'
-            - 'C:\Program Files (x86)\Common Files\Adobe\ARM\'
+        SourceImage|contains:  # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
+            - ':\Program Files\Common Files\Adobe\ARM\'
+            - ':\Program Files (x86)\Common Files\Adobe\ARM\'
         SourceImage|endswith: '\AdobeARMHelper.exe'
         GrantedAccess: '0x1410'
     condition: selection and not 1 of filter_optional_*
-fields:
-    - User
-    - SourceImage
-    - GrantedAccess
 falsepositives:
     - Updaters and installers are typical false positives. Apply custom filters depending on your environment
 level: medium
diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
@@ -50,24 +50,6 @@ detection:
             - 138
             - 139
     condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
-fields:
-    - ts
-    - id.orig_h
-    - id.orig_p
-    - id.resp_h
-    - id.resp_p
-    - proto
-    - qtype_name
-    - qtype
-    - query
-    - answers
-    - rcode
-    - rcode_name
-    - trans_id
-    - qtype
-    - ttl
-    - AA
-    - uid
 falsepositives:
     - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
     - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'

diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -23,10 +23,6 @@ detection:
     selection:
         CallTrace|contains: 'cmlua.dll'
     condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - Details
 falsepositives:
     - Legitimate CMSTP use (unlikely in modern enterprise environments)
 level: high
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
diff --git a/...in_cobaltstrike_bof_injection_pattern.yml → ...tl_cobaltstrike_bof_injection_pattern.yml b/...in_cobaltstrike_bof_injection_pattern.yml → ...tl_cobaltstrike_bof_injection_pattern.yml
@@ -1,4 +1,4 @@
-title: CobaltStrike BOF Injection Pattern
+title: HackTool - CobaltStrike BOF Injection Pattern
 id: 09706624-b7f6-455d-9d02-adee024cee1d
 status: test
 description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
@@ -7,7 +7,7 @@ references:
     - https://github.com/boku7/spawn
 author: Christian Burkard (Nextron Systems)
 date: 2021/08/04
-modified: 2022/12/31
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1106