Merge PR SigmaHQ#4993 from @nasbench - Fix Issues

new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.

rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml → deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml

@@ -1,6 +1,6 @@
 title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
 id: 045b5f9c-49f7-4419-a236-9854fb3c827a
-status: test
+status: unsupported # This rule requires correlations. See https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png
 description: |
     Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
     SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.
@@ -10,7 +10,7 @@ references:
     - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2021-09-17
-modified: 2022-11-26
+modified: 2024-09-02
 tags:
     - attack.privilege-escalation
     - attack.initial-access

deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml

@@ -1,5 +1,8 @@
 title: Potential Persistence Via COM Hijacking From Suspicious Locations
 id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
+related:
+    - id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+      type: derived
 status: deprecated
 description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
 references:

rules/windows/registry/registry_set/registry_set_persistence_search_order.yml → deprecated/windows/registry_set_persistence_search_order.yml

@@ -1,12 +1,15 @@
 title: Potential Persistence Via COM Search Order Hijacking
 id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
-status: test
+related:
+    - id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+      type: derived
+status: deprecated
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
     - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020-04-14
-modified: 2023-09-28
+modified: 2024-09-02
 tags:
     - attack.persistence
     - attack.t1546.015

rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml → rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml

@@ -1,15 +1,18 @@
-title: Remote WMI ActiveScriptEventConsumers
+title: Potential Remote WMI ActiveScriptEventConsumers Activity
 id: 9599c180-e3a8-4743-8f92-7fb96d3be648
 status: test
-description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
+description: |
+    Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
+    This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
 references:
     - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-09-02
-modified: 2021-11-27
+modified: 2024-09-02
 tags:
     - attack.lateral-movement
     - attack.privilege-escalation
+    - detection.threat-hunting
     - attack.persistence
     - attack.t1546.003
 logsource:
@@ -20,9 +23,9 @@ detection:
         EventID: 4624
         LogonType: 3
         ProcessName|endswith: 'scrcons.exe'
-    filter:
-        TargetLogonId: '0x3e7'
-    condition: selection and not filter
+    filter_main_local_system:
+        TargetLogonId: '0x3e7' # Local System
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - SCCM
-level: high
+level: medium

rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml

@@ -1,44 +1,45 @@
-title: Potential Commandline Obfuscation Using Unicode Characters
+title: Potential CommandLine Obfuscation Using Unicode Characters
 id: e0552b19-5a83-4222-b141-b36184bb8d79
 related:
+    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
 status: test
 description: |
-    Detects potential commandline obfuscation using unicode characters.
+    Detects potential CommandLine obfuscation using unicode characters.
     Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
 references:
     - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-01-15
-modified: 2024-07-22
+modified: 2024-09-02
 tags:
     - attack.defense-evasion
     - attack.t1027
+    - detection.threat-hunting
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_spacing_modifiers:
-        CommandLine|contains: # spacing modifier letters that get auto-replaced
+    selection:
+        CommandLine|contains:
+            # spacing modifier letters that get auto-replaced
             - 'ˣ' # 0x02E3
             - '˪' # 0x02EA
             - 'ˢ' # 0x02E2
-    selection_unicode_slashes: # forward slash alternatives
-        CommandLine|contains:
+            # Forward slash alternatives
             - '∕' # 0x22FF
             - '⁄' # 0x206F
-    selection_unicode_hyphens: # hyphen alternatives
-        CommandLine|contains:
+            # Hyphen alternatives
             - '―' # 0x2015
             - '—' # 0x2014
-    selection_other:
-        CommandLine|contains:
+            # Other
             - '¯'
             - '®'
             - '¶'
-    condition: 1 of selection_*
+    condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium

rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

@@ -0,0 +1,56 @@
+title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
+id: 584bca0f-3608-4402-80fd-4075ff6072e3
+related:
+    - id: e0552b19-5a83-4222-b141-b36184bb8d79
+      type: similar
+    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
+      type: obsolete
+status: test
+description: |
+    Detects potential commandline obfuscation using unicode characters.
+    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+references:
+    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
+author: frack113, Florian Roth (Nextron Systems), Josh Nickels
+date: 2024-09-02
+tags:
+    - attack.defense-evasion
+    - attack.t1027
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\wscript.exe'
+        OriginalFileName:
+            - 'Cmd.EXE'
+            - 'cscript.exe'
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+            - 'wscript.exe'
+    selection_special_chars:
+        CommandLine|contains:
+            # spacing modifier letters that get auto-replaced
+            - 'ˣ' # 0x02E3
+            - '˪' # 0x02EA
+            - 'ˢ' # 0x02E2
+            # Forward slash alternatives
+            - '∕' # 0x22FF
+            - '⁄' # 0x206F
+            # Hyphen alternatives
+            - '―' # 0x2015
+            - '—' # 0x2014
+            # Other
+            - '¯'
+            - '®'
+            - '¶'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml

@@ -1,5 +1,10 @@
 title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
 id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+related:
+    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
+      type: obsolete
+    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
+      type: obsolete
 status: experimental
 description: Detects potential COM object hijacking via modification of default system CLSID.
 references: