Merge branch 'SigmaHQ:master' into master

.github/workflows/known-FPs.csv

@@ -58,3 +58,5 @@ a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*
 0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*
 e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
+ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe
+9ae01559-cf7e-4f8e-8e14-4c290a1b4784;CredUI.DLL Load By Uncommon Process;Spotify\.exe

README.md

@@ -120,6 +120,9 @@ E.g.
 * Tell us about false positives (issues section)
 * Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
 
+In order to enhance or fix some issues with a specific PR we might ask the author for some additional input.
+In such cases, the PR will be tagged with "Author Input Required". If the author of the PR does not respond in a timely manner the PR will automatically be closed after 1 month of inactivity.
+
 ## Work on open issues
 
 The github issue tracker is a good place to start tackling some issues others raised to the project. It could be as easy as a review of the documentation.

deprecated/windows/proc_creation_win_service_stop.yml

@@ -1,7 +1,7 @@
 title: Stop Windows Service
 id: eb87818d-db5d-49cc-a987-d5da331fbd90
 status: deprecated
-description: Detects a windows service to be stopped
+description: Detects a Windows service to be stopped
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
 date: 2019/10/23
 modified: 2023/03/05

rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml → deprecated/windows/registry_set_disable_microsoft_office_security_features.yml

@@ -1,14 +1,14 @@
 title: Disable Microsoft Office Security Features
 id: 7c637634-c95d-4bbf-b26c-a82510874b34
-status: test
+status: deprecated
 description: Disable Microsoft Office Security Features by registry
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
     - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
     - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
 author: frack113
 date: 2021/06/08
-modified: 2022/03/26
+modified: 2023/06/21
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/windows/registry/registry_set/registry_set_office_security.yml → deprecated/windows/registry_set_office_security.yml

@@ -1,14 +1,14 @@
 title: Office Security Settings Changed
 id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
-status: experimental
+status: deprecated
 description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
 references:
     - https://twitter.com/inversecos/status/1494174785621819397
     - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
     - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
-modified: 2022/06/26
+modified: 2023/06/21
 tags:
     - attack.defense_evasion
     - attack.t1112

deprecated/windows/sysmon_mimikatz_detection_lsass.yml

@@ -5,7 +5,7 @@ description: Detects process access to LSASS which is typical for Mimikatz (0x10
     versions", 0x0010 PROCESS_VM_READ)
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 tags:
     - attack.t1003
     - attack.s0002

rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml

@@ -12,6 +12,8 @@ modified: 2023/01/02
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2010.5278
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml

@@ -14,6 +14,7 @@ tags:
     - attack.t1190
     - attack.t1505.003
     - cve.2014.6287
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml

@@ -15,6 +15,7 @@ tags:
     - attack.t1218.011
     - attack.s0412
     - attack.g0001
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml

@@ -16,6 +16,7 @@ tags:
     - attack.discovery
     - attack.t1083
     - attack.t1135
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml

@@ -13,6 +13,7 @@ tags:
     - attack.t1059.001
     - attack.t1053.005
     - attack.t1027
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml

@@ -11,6 +11,8 @@ modified: 2021/11/27
 tags:
     - attack.defense_evasion
     - attack.t1036.005
+    - cve.2015.1641
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml

@@ -13,6 +13,8 @@ tags:
     - attack.t1204.002
     - attack.initial_access
     - attack.t1566.001
+    - cve.2017.0261
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml

@@ -14,6 +14,8 @@ tags:
     - attack.t1204.002
     - attack.initial_access
     - attack.t1566.001
+    - cve.2017.11882
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml

@@ -14,6 +14,8 @@ tags:
     - attack.t1204.002
     - attack.initial_access
     - attack.t1566.001
+    - cve.2017.8759
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml

@@ -12,6 +12,7 @@ tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml

@@ -12,6 +12,7 @@ tags:
     - attack.execution
     - attack.defense_evasion
     - attack.t1218.011
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml

@@ -1,7 +1,7 @@
 title: NotPetya Ransomware Activity
 id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
 status: test
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
 references:
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
@@ -15,6 +15,7 @@ tags:
     - attack.credential_access
     - attack.t1003.001
     - car.2016-04-002
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml

@@ -12,6 +12,7 @@ tags:
     - attack.s0013
     - attack.defense_evasion
     - attack.t1574.002
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml

@@ -17,6 +17,7 @@ tags:
     - attack.impact
     - attack.t1486
     - attack.t1490
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml

@@ -11,6 +11,7 @@ tags:
     - attack.execution
     - attack.g0045
     - attack.t1059.005
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml

@@ -12,6 +12,7 @@ tags:
     - attack.g0035
     - attack.t1036.003
     - car.2013-05-009
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml

@@ -10,6 +10,7 @@ modified: 2023/03/10
 tags:
     - attack.defense_evasion
     - attack.t1036.005
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml

@@ -10,6 +10,8 @@ modified: 2023/01/02
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2018.13379
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml

@@ -14,6 +14,7 @@ tags:
     - attack.persistence
     - attack.t1505.003
     - cve.2018.2894
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml

@@ -14,6 +14,7 @@ tags:
     - attack.s0081
     - attack.execution
     - attack.t1059.003
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml

@@ -13,6 +13,7 @@ tags:
     - attack.defense_evasion
     - attack.t1574.002
     - attack.g0027
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml

@@ -16,6 +16,7 @@ tags:
     - attack.t1059.003
     - attack.t1218.011
     - car.2013-10-002
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml

@@ -14,6 +14,7 @@ modified: 2023/02/20
 tags:
     - attack.execution
     - attack.t1218.011
+    - detection.emerging_threats
 logsource:
     product: windows
     category: file_event

rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml

@@ -15,6 +15,7 @@ modified: 2023/03/08
 tags:
     - attack.execution
     - attack.t1218.011
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml

@@ -10,6 +10,7 @@ tags:
     - attack.defense_evasion
     - attack.execution
     - attack.g0069
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml

@@ -24,6 +24,7 @@ tags:
     - attack.t1112
     - attack.command_and_control
     - attack.t1071.004
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml

@@ -24,6 +24,7 @@ tags:
     - attack.t1112
     - attack.command_and_control
     - attack.t1071.004
+    - detection.emerging_threats
 logsource:
     product: windows
     service: security

rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml

@@ -24,6 +24,7 @@ tags:
     - attack.t1112
     - attack.command_and_control
     - attack.t1071.004
+    - detection.emerging_threats
 logsource:
     product: windows
     service: system

rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml

@@ -11,6 +11,7 @@ tags:
     - attack.persistence
     - attack.t1053.005
     - attack.s0111
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml

@@ -14,6 +14,7 @@ tags:
     - attack.persistence
     - attack.t1053
     - attack.s0111
+    - detection.emerging_threats
 logsource:
     product: windows
     service: security

rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml

@@ -10,6 +10,7 @@ modified: 2020/08/27
 tags:
     - attack.execution
     - attack.t1059.001
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml

@@ -11,6 +11,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1053.005
     - car.2013-08-001
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml

@@ -10,6 +10,8 @@ modified: 2023/01/02
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2019.11510
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml

@@ -14,6 +14,7 @@ tags:
     - attack.t1059.003
     - attack.t1574
     - cve.2019.1378
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml

@@ -11,6 +11,8 @@ modified: 2022/05/27
 tags:
     - attack.privilege_escalation
     - attack.t1068
+    - cve.2019.1388
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml

@@ -14,6 +14,8 @@ modified: 2023/01/02
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2019.19781
+    - detection.emerging_threats
 logsource:
     category: webserver
     definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'

rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml

@@ -10,6 +10,8 @@ modified: 2023/01/02
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2019.3398
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml

@@ -15,6 +15,7 @@ tags:
     - attack.t1059.003
     - attack.t1059.001
     - attack.t1218.005
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml

@@ -15,6 +15,7 @@ tags:
     - attack.discovery
     - attack.t1135
     - attack.t1033
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows