Merge PR SigmaHQ#4406 from @nasbench - Multiple Updates & Additions

new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
new: CVE-2023-40477 Potential Exploitation - .REV File Creation
new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
new: LOL-Binary Copied From System Directory
new: LSASS Dump Keyword In CommandLine
new: Old TLS1.0/TLS1.1 Protocol Version Enabled
new: Potentially Suspicious Child Process Of WinRAR.EXE
new: VMMap Signed Dbghelp.DLL Potential Sideloading
update: 7Zip Compressing Dump Files - Reduce level
update: LOLBIN Execution From Abnormal Drive
update: LSASS Memory Dump File Creation - Deprecated
update: Potential Browser Data Stealing - Increase coverage with more browsers
update: Potentially Suspicious Compression Tool Parameters
update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
update: Suspicious Child Process Of Manage Engine ServiceDesk
update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
update: Winrar Execution in Non-Standard Folder
update: Wscript Execution from Non C Drive - Deprecated

---------

Co-authored-by: phantinuss <[email protected]>

rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml → deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml

@@ -1,12 +1,12 @@
 title: LSASS Memory Dump File Creation
 id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
-status: test
+status: deprecated
 description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/22
-modified: 2022/10/09
+modified: 2023/08/29
 tags:
     - attack.credential_access
     - attack.t1003.001

rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml → deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml

@@ -1,12 +1,13 @@
 title: Wscript Execution from Non C Drive
 id: 5b80cf53-3a46-4adc-960b-05ec19348d74
-status: experimental
+status: deprecated
 description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.
 references:
     - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt
     - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/
 author: Aaron Herman
 date: 2022/10/01
+modified: 2023/08/29
 tags:
     - attack.execution
     - attack.t1059

rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml

@@ -0,0 +1,28 @@
+title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
+id: e4556676-fc5c-4e95-8c39-5ef27791541f
+related:
+    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+      type: similar
+status: experimental
+description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
+references:
+    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/30
+tags:
+    - attack.execution
+    - cve.2023.38331
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\WinRAR.exe'
+        TargetFilename|contains: '\AppData\Local\Temp\Rar$'
+        TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml

@@ -0,0 +1,42 @@
+title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
+id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+related:
+    - id: e4556676-fc5c-4e95-8c39-5ef27791541f
+      type: similar
+status: experimental
+description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+references:
+    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
+date: 2023/08/30
+tags:
+    - detection.emerging_threats
+    - attack.execution
+    - attack.t1203
+    - cve.2023.38331
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\WinRAR.exe'
+    selection_folder:
+        CommandLine|contains: '\AppData\Local\Temp\Rar$'
+    selection_double_ext:
+        CommandLine|re: '\.[a-zA-Z0-9]{1,4} \.'
+    selection_binaries:
+        # Note: add additional binaries that the attacker might use
+        - Image|endswith:
+            - '\cmd.exe'
+            - '\wscript.exe'
+        - OriginalFileName:
+            - 'Cmd.Exe'
+            - 'cscript.exe'
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+            - 'wscript.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml

@@ -0,0 +1,27 @@
+title: CVE-2023-40477 Potential Exploitation - .REV File Creation
+id: c3bd6c55-d495-4c34-918e-e03e8828c074
+status: experimental
+description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
+references:
+    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
+    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
+    - https://www.rarlab.com/vuln_rev3_names.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.execution
+    - cve.2023.40477
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\explorer.exe' # When extracted via context menu
+            - '\WinRAR.exe'
+        TargetFilename|endswith: '.rev'
+    condition: selection
+falsepositives:
+    - Legitimate extraction of multipart or recovery volumes ZIP files
+level: low

rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml

@@ -0,0 +1,34 @@
+title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
+id: e5a29b54-6fe7-4258-8a23-82960e31231a
+status: experimental
+description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
+references:
+    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
+    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
+    - https://www.rarlab.com/vuln_rev3_names.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.execution
+    - cve.2023.40477
+    - detection.emerging_threats
+logsource:
+    product: windows
+    service: application
+detection:
+    selection:
+        Provider_Name: 'Application Error'
+        EventID: 1000
+        AppName: 'WinRAR.exe'
+    filter_main_fixed_version:
+        # TODO: fix this when the "lt" modifier is implemented for software versions
+        AppVersion|startswith:
+            - '6.23.'
+            - '6.24.'
+            - '6.25.'
+            - '6.26.'
+            - '7.'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate crash for reasons other than exploitation of the vulnerability
+level: medium

rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml

@@ -0,0 +1,26 @@
+title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
+id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
+status: experimental
+description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
+references:
+    - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
+    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+    - attack.defense_evasion
+    - attack.t1218.011
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|endswith:
+            - '\1.dll, DllRegisterServer' # In case of full path exec
+            - ' 1.dll, DllRegisterServer' # In case of direct exec
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_compression_params.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml

@@ -1,12 +1,12 @@
-title: Suspicious Compression Tool Parameters
+title: Potentially Suspicious Compression Tool Parameters
 id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
 status: test
-description: Detects suspicious command line arguments of common data compression tools
+description: Detects potentially suspicious command line arguments of common data compression tools
 references:
     - https://twitter.com/SBousseaden/status/1184067445612535811
 author: Florian Roth (Nextron Systems), Samir Bousseaden
 date: 2019/10/15
-modified: 2021/11/27
+modified: 2023/08/29
 tags:
     - attack.collection
     - attack.t1560.001
@@ -26,9 +26,11 @@ detection:
             - ' -sdel'
             - ' -dw'
             - ' -hp'
-    falsepositive:
-        ParentImage|startswith: 'C:\Program'
-    condition: selection and not falsepositive
+    filter_main_generic:
+        ParentImage|contains:
+            - ':\Program Files\'
+            - ':\Program Files (x86)\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
-level: high
+level: medium

rules/windows/file/file_event/file_event_win_lsass_dump.yml → rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml

@@ -3,8 +3,10 @@ id: a5a2d357-1ab8-4675-a967-ef9990a59391
 related:
     - id: db2110f3-479d-42a6-94fb-d35bc1e46492
       type: obsoletes
+    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
+      type: obsoletes
 status: experimental
-description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
+description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
 references:
     - https://www.google.com/search?q=procdump+lsass
     - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
@@ -22,30 +24,30 @@ logsource:
     product: windows
     category: file_event
 detection:
-    selection1:
+    selection_1:
         TargetFilename|endswith:
             - '\lsass.dmp'
             - '\lsass.zip'
             - '\lsass.rar'
             - '\Andrew.dmp'
             - '\Coredump.dmp'
             - '\NotLSASS.zip'  # https://github.com/CCob/MirrorDump
-    selection2:
+    selection_2:
         TargetFilename|contains:
             - '\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
             - '\lsassdump'
             - '\lsassdmp'
-    selection3:
+    selection_3:
         TargetFilename|contains|all:
             - '\lsass'
             - '.dmp'
-    selection4:
+    selection_4:
         TargetFilename|contains: 'SQLDmpr'
         TargetFilename|endswith: '.mdmp'
-    selection5:
+    selection_5:
         TargetFilename|startswith: 'nanodump'
         TargetFilename|endswith: '.dmp'
-    condition: 1 of selection*
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: high

rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml

@@ -0,0 +1,31 @@
+title: VMMap Signed Dbghelp.DLL Potential Sideloading
+id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
+related:
+    - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
+      type: similar
+status: experimental
+description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
+references:
+    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/05
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|contains: 'C:\Debuggers\dbghelp.dll'
+        Image|endswith:
+            - '\vmmap.exe'
+            - '\vmmap64.exe'
+        Signed: 'true'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/image_load/image_load_side_load_vmmap_dbghelp.yml → rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml

@@ -1,11 +1,15 @@
-title: VMMap Dbghelp.DLL Potential Sideloading
+title: VMMap Unsigned Dbghelp.DLL Potential Sideloading
 id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
+related:
+    - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
+      type: similar
 status: experimental
-description: Detects potential DLL sideloading of dbghelp.dll by the Sysinternals VMMap.
+description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
 references:
     - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/28
+modified: 2023/09/05
 tags:
     - attack.defense_evasion
     - attack.persistence

rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml

@@ -4,12 +4,12 @@ related:
     - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
       type: derived
 status: experimental
-description: Detects a suspicious 7zip execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration
+description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
 references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/27
-modified: 2023/03/10
+modified: 2023/08/31
 tags:
     - attack.collection
     - attack.t1560.001
@@ -32,5 +32,6 @@ detection:
             - '.dump'
     condition: all of selection_*
 falsepositives:
-    - Unknown
-level: high
+    - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
+    - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
+level: medium