Merge pull request SigmaHQ#4161 from SigmaHQ/emerging-threats

feat: new folder structure and other updates

rules-compliance/README.md

@@ -0,0 +1 @@
+TBD

rules-deprecated/README.md

@@ -0,0 +1 @@
+TBD

rules/web/proxy_generic/proxy_apt_domestic_kitten.yml → rules-deprecated/web/proxy_apt_domestic_kitten.yml

@@ -1,12 +1,12 @@
 title: Domestic Kitten FurBall Malware Pattern
 id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1
-status: test
+status: deprecated
 description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
 references:
     - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
 author: Florian Roth (Nextron Systems)
 date: 2021/02/08
-modified: 2022/10/09
+modified: 2023/04/20
 tags:
     - attack.command_and_control
 logsource:

rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml → rules-deprecated/windows/proc_creation_win_apt_ta505_dropper.yml

@@ -1,12 +1,12 @@
 title: TA505 Dropper Load Pattern
 id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
-status: test
+status: deprecated
 description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
 references:
     - https://twitter.com/ForensicITGuy/status/1334734244120309760
 author: Florian Roth (Nextron Systems)
 date: 2020/12/08
-modified: 2022/03/31
+modified: 2023/04/05
 tags:
     - attack.execution
     - attack.g0092

rules-dfir/README.md

@@ -0,0 +1 @@
+TBD

rules/windows/image_load/image_load_usp_svchost_clfsw32.yml → rules-emerging-threats/2021/PRIVATELOG/image_load_usp_svchost_clfsw32.yml

@@ -3,7 +3,7 @@ id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
 status: test
 description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
 references:
-    - https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
+    - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
 author: Florian Roth (Nextron Systems)
 date: 2021/09/07
 modified: 2022/10/09

rules-emerging-threats/2023/3CX-Supply-Chain/README.md

@@ -0,0 +1,13 @@
+# 3CX Supply Chain Attack
+
+On March 29, 2023 CrowdStrike detected malicious activity, originating from a legitimate, signed binary called 3CXDesktopApp. The binary is part of a softphone system developed by 3CX.
+The observed malicious activity consisted of beaconing to infrastructure controlled by the actors, leading to the deployment of second-stage payloads and in a few cases direct on-keyboard activity from the attackers.
+
+You can find more information on the threat in the following articles:
+
+- [CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers - By Crowdstrike](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/)
+- [3CX Supply Chain Compromise Leads to ICONIC Incident - By Volexity](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/)
+- [3CX VoIP Software Compromise & Supply Chain Threats - By Huntress](https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats)
+- [Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise - By Nextron Systems](https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/)
+- [Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack - By Kaspersky](https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/)
+- [Elastic users protected from SUDDENICON’s supply chain attack - By Elastic](https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack)

rules-emerging-threats/README.md

@@ -0,0 +1 @@
+TBD

rules-placeholder/README.md

@@ -0,0 +1 @@
+TBD

rules-threat-hunting/README.md

@@ -0,0 +1 @@
+TBD

rules-unsupported/README.md

@@ -0,0 +1 @@
+TBD

rules/README.md

@@ -0,0 +1 @@
+TBD

rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml

@@ -5,13 +5,16 @@ related:
       type: similar
     - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
       type: similar
+    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
+      type: obsoletes
 status: test
 description: Detects suspicious and uncommon child processes of WmiPrvSE
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
     - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng
+    - https://twitter.com/ForensicITGuy/status/1334734244120309760
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
 date: 2021/08/23
 modified: 2023/03/23
 tags:

tests/test_logsource.py

@@ -16,13 +16,18 @@
 
 class TestRules(unittest.TestCase):
 
-    path_to_rules = "rules"
-
+    path_to_rules_ = ["rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance"]
+    path_to_rules = []
+    for path_ in path_to_rules_:
+        path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))
+
     # Helper functions
-    def yield_next_rule_file_path(self, path_to_rules: str) -> str:
-        for root, _, files in os.walk(path_to_rules):
-            for file in files:
-                yield os.path.join(root, file)
+    def yield_next_rule_file_path(self, path_to_rules: list) -> str:
+        for path_ in path_to_rules:
+            for root, _, files in os.walk(path_):
+                for file in files:
+                    if file.endswith('.yml'):
+                        yield os.path.join(root, file)
 
     def get_rule_yaml(self, file_path: str) -> dict:
         data = []

tests/test_rules.py

@@ -33,14 +33,18 @@ def setUpClass(cls):
     # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
     TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}
 
-    path_to_rules = "../rules"
-    path_to_rules = os.path.join(os.path.dirname(os.path.realpath(__file__)), path_to_rules)
+    path_to_rules_ = ["rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance"]
+    path_to_rules = []
+    for path_ in path_to_rules_:
+        path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))
 
     # Helper functions
-    def yield_next_rule_file_path(self, path_to_rules: str) -> str:
-        for root, _, files in os.walk(path_to_rules):
-            for file in files:
-                yield os.path.join(root, file)
+    def yield_next_rule_file_path(self, path_to_rules: list) -> str:
+        for path_ in path_to_rules:
+            for root, _, files in os.walk(path_):
+                for file in files:
+                    if file.endswith('.yml'):
+                        yield os.path.join(root, file)
 
     def get_rule_part(self, file_path: str, part_name: str):
         yaml_dicts = self.get_rule_yaml(file_path)
@@ -59,7 +63,7 @@ def get_rule_yaml(self, file_path: str) -> dict:
                 data.append(part)
 
         return data
-
+    
     # Tests
     # def test_confirm_extension_is_yml(self):
         # files_with_incorrect_extensions = []