Merge pull request SigmaHQ#4250 from SigmaHQ/rule-devel

fix: issue with wildcard in rule, refactor: new LSASS dump outputs, more
SavinSpring · May 19, 2023 · ab24689 · ab24689
2 parents b249536 + d468c2f
commit ab24689
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 6 deletions.
diff --git a/...ws/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/...ws/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -8,6 +8,7 @@ description: Detects the download of suspicious file type from a well-known file
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
     - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
+    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
 modified: 2023/02/09
@@ -18,7 +19,6 @@ tags:
 logsource:
     product: windows
     category: create_stream_hash
-    definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
     selection_domain:
         Contents|contains:

diff --git a/...create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/...create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -18,7 +18,6 @@ tags:
 logsource:
     product: windows
     category: create_stream_hash
-    definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
     selection_domain:
         Contents|contains:

diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -0,0 +1,42 @@
+title: Potentially Suspicious File Download From ZIP TLD
+id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
+status: experimental
+description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
+references:
+    - https://twitter.com/cyb3rops/status/1659175181695287297
+    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
+author: Florian Roth (Nextron Systems)
+date: 2023/05/18
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: create_stream_hash
+detection:
+    selection:
+        Contents|contains: '.zip/'
+        TargetFilename|contains:
+            - '.bat:Zone'
+            - '.dat:Zone'
+            - '.dll:Zone'
+            - '.doc:Zone'
+            - '.docm:Zone'
+            - '.exe:Zone'
+            - '.hta:Zone'
+            - '.pptm:Zone'
+            - '.ps1:Zone'
+            - '.rar:Zone'
+            - '.rtf:Zone'
+            - '.sct:Zone'
+            - '.vbe:Zone'
+            - '.vbs:Zone'
+            - '.ws:Zone'
+            - '.wsf:Zone'
+            - '.xll:Zone'
+            - '.xls:Zone'
+            - '.xlsm:Zone'
+            - '.zip:Zone'
+    condition: selection
+falsepositives:
+    - Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
@@ -11,9 +11,10 @@ references:
     - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
     - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
     - https://github.com/helpsystems/nanodump
+    - https://github.com/CCob/MirrorDump
 author: Florian Roth (Nextron Systems)
 date: 2021/11/15
-modified: 2022/06/27
+modified: 2023/05/17
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -26,9 +27,9 @@ detection:
             - '\lsass.dmp'
             - '\lsass.zip'
             - '\lsass.rar'
-            - '\Temp\dumpert.dmp'
             - '\Andrew.dmp'
             - '\Coredump.dmp'
+            - '\NotLSASS.zip'  # https://github.com/CCob/MirrorDump
     selection2:
         TargetFilename|contains:
             - '\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp

diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -13,7 +13,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
 date: 2021/11/22
-modified: 2023/03/22
+modified: 2023/05/17
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -57,7 +57,6 @@ detection:
             - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
             - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
             - 'C:\WINDOWS\system32\taskhostw.exe'
-            - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
             - 'C:\Program Files\Windows Defender\MsMpEng.exe'
             - 'C:\Windows\SysWOW64\msiexec.exe'
             - 'C:\Windows\System32\msiexec.exe'
@@ -66,6 +65,10 @@ detection:
             - 'C:\Windows\System32\MRT.exe'
             - 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
             - 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
+    # VSCode
+    filter_vscode:
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
     # Windows Defender
     filter_windefend_1:
         SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'