Merge pull request SigmaHQ#4252 from nasbench/small-sieve-rules

feat: add new rules related to small sieve

rules-emerging-threats/2021/Malware/Small-Sieve/README.md

@@ -0,0 +1,16 @@
+# Small-Sieve
+
+## Summary
+
+Small Sieve is a simple – possibly disposable – Python backdoor which is distributed using an NSIS installer that performs persistence. It provides basic functionality required to maintain and expand a foothold in victim infrastructure using custom string and traffic obfuscation schemes together with the Telegram Bot API to avoid detection.
+
+You can find more information on the threat in the following articles:
+
+- [Small Sieve - Malware Analysis Report by NCSC](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf)
+
+## Rules
+
+- [Small Sieve Malware File Indicator Creation](./file_event_win_malware_small_sieve_evasion_typo.yml)
+- [Small Sieve Malware CommandLine Indicator](./proc_creation_win_malware_small_sieve_cli_arg.yml)
+- [Small Sieve Malware Potential C2 Communication](./proxy_malware_small_sieve_telegram_communication.yml)
+- [Small Sieve Malware Registry Persistence](./registry_set_malware_small_sieve_evasion_typo.yml)

rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml

@@ -0,0 +1,30 @@
+title: Small Sieve Malware File Indicator Creation
+id: 39466c42-c189-476a-989f-8cdb135c163a
+status: experimental
+description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.defense_evasion
+    - attack.t1036.005
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_typo_path:
+        TargetFilename|contains|all:
+            - ':\Users\'
+            - '\AppData\'
+        TargetFilename|contains:
+            - '\Roaming\'
+            - '\Local\'
+    selection_typo_keyword:
+        TargetFilename|contains: 'Microsift'
+    selection_ioc:
+        TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
+    condition: all of selection_typo_* or selection_ioc
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml

@@ -0,0 +1,21 @@
+title: Small Sieve Malware CommandLine Indicator
+id: 21117127-21c8-437a-ae03-4b51e5a8a088
+status: test
+description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.persistence
+    - attack.t1574.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|endswith: '.exe Platypus'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml

@@ -0,0 +1,23 @@
+title: Small Sieve Malware Potential C2 Communication
+id: b0422664-37a4-4e78-949a-4a139309eaf0
+status: experimental
+description: Detects potential C2 communication related to Small Sieve malware
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.command_and_control
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-method: 'GET'
+        cs-host: 'api.telegram.org'
+        cs-uri|contains|all:
+            - 'chat_id=2090761833'
+            - 'text=com/'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical

rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml

@@ -0,0 +1,24 @@
+title: Small Sieve Malware Registry Persistence
+id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
+status: experimental
+description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.persistence
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_path:
+        EventType: SetValue
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
+    selection_value:
+        - TargetObject|contains: 'Microsift'
+        - Details|contains: '.exe Platypus'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml

@@ -0,0 +1,62 @@
+title: Suspicious Non-Browser Network Communication With Telegram API
+id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
+status: experimental
+description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.command_and_control
+    - attack.t1102
+logsource:
+    product: windows
+    category: network_connection
+detection:
+    selection:
+        DestinationHostname|contains: 'api.telegram.org'
+    # Other browsers or apps known to use telegram should be added
+    # TODO: Add full paths for default install locations
+    filter_main_brave:
+        Image|endswith: '\brave.exe'
+    filter_main_chrome:
+        Image:
+            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
+    filter_main_firefox:
+        Image:
+            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
+    filter_main_ie:
+        Image:
+            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - 'C:\Program Files\Internet Explorer\iexplore.exe'
+    filter_main_maxthon:
+        Image|endswith: '\maxthon.exe'
+    filter_main_edge_1:
+        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
+        - Image:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+    filter_main_edge_2:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
+            - 'C:\Program Files\Microsoft\EdgeCore\'
+        Image|endswith:
+            - '\msedge.exe'
+            - '\msedgewebview2.exe'
+    filter_main_opera:
+        Image|endswith: '\opera.exe'
+    filter_main_safari:
+        Image|endswith: '\safari.exe'
+    filter_main_seamonkey:
+        Image|endswith: '\seamonkey.exe'
+    filter_main_vivaldi:
+        Image|endswith: '\vivaldi.exe'
+    filter_main_whale:
+        Image|endswith: '\whale.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS  etc.
+level: medium