Merge branch 'master' of https://github.com/redsand/sigma into HAWK_B…

…ackend
cyb3rplis · Oct 26, 2021 · 276961e · 276961e
2 parents 7fc2a6f + b48c525
commit 276961e
Show file tree

Hide file tree

Showing 49 changed files with 228 additions and 82 deletions.
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
@@ -8,12 +8,11 @@ author: Bhabesh Raj
 date: 2021/02/01
 modified: 2021/09/14
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
     - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
-    - https://nvd.nist.gov/vuln/detail/cve-2021-3156
 tags:
     - attack.privilege_escalation
     - attack.t1068
+    - cve.2021.3156
 logsource:
     product: linux
     service: auditd

diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
@@ -11,12 +11,11 @@ author: Bhabesh Raj
 date: 2021/02/01
 modified: 2021/09/14
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
     - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
-    - https://nvd.nist.gov/vuln/detail/cve-2021-3156
 tags:
     - attack.privilege_escalation
     - attack.t1068
+    - cve.2021.3156
 logsource:
     product: linux
     service: auditd

diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml
@@ -16,6 +16,7 @@ tags:
     - attack.t1068
     - attack.t1169 # an old one
     - attack.t1548.003
+    - cve.2019.14287
 detection:
     selection_keywords:
         - '* -u#*'

diff --git a/rules/linux/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/lnx_sudo_cve_2019_14287_user.yml
@@ -19,6 +19,7 @@ tags:
     - attack.t1068
     - attack.t1169 # an old one
     - attack.t1548.003
+    - cve.2019.14287
 detection:
     selection_user:
         USER:

diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -13,10 +13,12 @@ references:
     - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
     - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
     - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1678
+
 tags:
     - attack.execution
+    - cve.2021.1678
+    - cve.2021.1675
+    - cve.2021.34527
 logsource:
     product: zeek
     service: dce_rpc

diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml
@@ -3,8 +3,6 @@ id: f0500377-bc70-425d-ac8c-e956cd906871
 status: experimental
 description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
 references:
-  - https://nvd.nist.gov/vuln/detail/cve-2021-20090
-  - https://nvd.nist.gov/vuln/detail/cve-2021-20091
   - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
   - https://www.tenable.com/security/research/tra-2021-13
   - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
@@ -17,6 +15,8 @@ level: critical
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2021.20090
+    - cve.2021.20091
 logsource: 
   category: webserver
 detection:

diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -6,10 +6,8 @@ author: Florian Roth
 date: 2018/07/22
 modified: 2021/08/09
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
     - https://twitter.com/pyn3rd/status/1020620932967223296
     - https://github.com/LandGrey/CVE-2018-2894
-    - https://nvd.nist.gov/vuln/detail/cve-2018-2894
 logsource:
     category: webserver
 detection:
@@ -28,3 +26,4 @@ tags:
     - attack.initial_access
     - attack.persistence
     - attack.t1505.003
+    - cve.2018.2894
diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
@@ -6,11 +6,9 @@ author: Florian Roth
 date: 2020/11/02
 modified: 2020/11/04
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
     - https://isc.sans.edu/diary/26734
     - https://twitter.com/jas502n/status/1321416053050667009?s=20
     - https://twitter.com/sudo_sudoka/status/1323951871078223874
-    - https://nvd.nist.gov/vuln/detail/cve-2020-14882
 logsource:
     category: webserver
 detection:
@@ -29,3 +27,4 @@ tags:
     - attack.t1100 # an old one
     - attack.t1190
     - attack.initial_access
+    - cve.2020.14882
diff --git a/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml b/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml
@@ -5,10 +5,8 @@ description: Detects exploitation attempts on Cisco ASA FTD systems exploiting C
 author: Florian Roth
 date: 2021/01/07
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
     - https://twitter.com/aboul3la/status/1286012324722155525
     - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
-    - https://nvd.nist.gov/vuln/detail/CVE-2020-3452
 logsource:
     category: webserver
 detection:
@@ -35,3 +33,4 @@ tags:
     - attack.t1100 # an old one
     - attack.t1190
     - attack.initial_access
+    - cve.2020.3452
diff --git a/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml
@@ -7,7 +7,6 @@ date: 2021/01/20
 references:
     - https://twitter.com/pyn3rd/status/1351696768065409026
     - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
-    - https://nvd.nist.gov/vuln/detail/cve-2021-2109
 logsource:
     category: webserver
 detection:
@@ -27,3 +26,4 @@ level: critical
 tags:
     - attack.t1190
     - attack.initial_access
+    - cve.2021.2109
diff --git a/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -5,10 +5,8 @@ description: Detects the exploitation of the VMware View Planner vulnerability d
 author: Bhabesh Raj
 date: 2020/03/10
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
     - https://twitter.com/wugeej/status/1369476795255320580
     - https://paper.seebug.org/1495/
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-21978
 logsource:
     category: webserver
 detection:
@@ -28,3 +26,4 @@ level: high
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2021.21978
diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml
@@ -5,9 +5,7 @@ description: Detects the exploitation of the Wazuh RCE vulnerability described i
 author: Florian Roth
 date: 2021/05/22
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
     - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
-    - https://nvd.nist.gov/vuln/detail/cve-2021-21978
 logsource:
     category: webserver
 detection:
@@ -23,3 +21,5 @@ level: high
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2021.21978
+    - cve.2021.26814
diff --git a/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml b/rules/web/web_terramaster_cve_2020_28188_rce_exploit.yml
@@ -6,9 +6,7 @@ author: Bhabesh Raj
 date: 2021/01/25
 references:
     - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
-    - https://nvd.nist.gov/vuln/detail/CVE-2020-28188
     - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
-    - https://nvd.nist.gov/vuln/detail/cve-2020-28188
 logsource:
     category: webserver
 detection:
@@ -35,3 +33,4 @@ level: critical
 tags:
     - attack.t1190
     - attack.initial_access
+    - cve.2020.28188
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -8,11 +8,11 @@ references:
     - https://github.com/hhlxf/PrintNightmare
     - https://github.com/afwu/PrintNightmare
     - https://twitter.com/fuzzyf10w/status/1410202370835898371
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/06/30
 modified: 2021/07/08
 tags:
     - attack.execution
+    - cve.2021.1675
 logsource:
     product: windows
     service: printservice-admin

diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -6,10 +6,10 @@ status: experimental
 level: critical
 references:
     - https://twitter.com/MalwareJake/status/1410421967463731200
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/07/01
 tags:
     - attack.execution
+    - cve.2021.1675
 logsource:
     product: windows
     service: printservice-operational

diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -6,11 +6,11 @@ status: experimental
 level: critical
 references:
     - https://twitter.com/INIT_3/status/1410662463641731075
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
-    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 date: 2021/07/02
 tags:
     - attack.execution
+    - cve.2021.1675
+    - cve.2021.34527
 logsource:
     product: windows
     service: security

diff --git a/...cess_creation/sysmon_rclone_execution.yml → ...ws/deprecated/sysmon_rclone_execution.yml b/...cess_creation/sysmon_rclone_execution.yml → ...ws/deprecated/sysmon_rclone_execution.yml
diff --git a/...process_creation/win_susp_rclone_exec.yml → ...ndows/deprecated/win_susp_rclone_exec.yml b/...process_creation/win_susp_rclone_exec.yml → ...ndows/deprecated/win_susp_rclone_exec.yml
@@ -34,4 +34,4 @@ detection:
             - ' ls '
     description_selection:
       Description: 'Rsync for cloud storage'
-    condition: command_selection and ( description_selection or exec_selection )
+    condition: command_selection and ( description_selection or exec_selection )
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -5,12 +5,12 @@ author: Florian Roth
 date: 2021/05/05
 references:
     - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-21551
 logsource:
     category: driver_load
     product: windows
 tags:
     - attack.privilege_escalation
+    - cve.2021.21551
 detection:
     selection_image:
         ImageLoaded|contains: '\DBUtil_2_3.Sys'

diff --git a/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/windows/file_delete/win_cve_2021_1675_printspooler_del.yml
@@ -5,7 +5,6 @@ description: Detect DLL deletions from Spooler Service driver folder
 references:
     - https://github.com/hhlxf/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 author: Bhabesh Raj
 date: 2021/07/01
 modified: 2021/08/24
@@ -14,6 +13,7 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1574
+    - cve.2021.1675
 logsource:
     category: file_delete
     product: windows

diff --git a/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -8,12 +8,12 @@ modified: 2021/09/09
 references:
     - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
     - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-33771
-    - https://nvd.nist.gov/vuln/detail/cve-2021-31979
 tags:
     - attack.credential_access
     - attack.t1566
     - attack.t1203
+    - cve.2021.33771
+    - cve.2021.31979
     # - threat_group.Sourgum
 logsource:
     product: windows

diff --git a/rules/windows/file_event/file_event_mal_vhd_download.yml b/rules/windows/file_event/file_event_mal_vhd_download.yml
@@ -0,0 +1,33 @@
+title: Suspicious VHD Image Download From Browser
+id: 8468111a-ef07-4654-903b-b863a80bbc95
+status: experimental
+description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls
+references:
+    - https://redcanary.com/blog/intelligence-insights-october-2021/
+    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
+    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2021/10/25
+tags:
+    - attack.resource_development
+    - attack.t1587.001 
+logsource:
+    category: file_event
+    product: windows
+    definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename> <!--vhd files for ZLoader and lazarus malware vectors -->"   
+detection:
+    selection:
+        - Image|endswith:
+            - chrome.exe 
+            - firefox.exe
+            - microsoftedge.exe
+            - microsoftedgecp.exe
+            - msedge.exe
+            - iexplorer.exe
+            - brave.exe
+            - opera.exe
+        - TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
+    condition: selection
+falsepositives:
+    - Legitimate user creation
+level: medium
diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
@@ -7,13 +7,12 @@ author: Bhabesh Raj
 status: experimental
 level: critical
 references:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-    - https://nvd.nist.gov/vuln/detail/cve-2021-26858
 date: 2021/03/03
 tags:
     - attack.t1203
     - attack.execution
+    - cve.2021.26858
 logsource:
     category: file_event
     product: windows

diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -0,0 +1,25 @@
+title: PowerShell Writing Startup Shortcuts
+id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
+description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+status: experimental
+references: 
+    - https://redcanary.com/blog/intelligence-insights-october-2021/
+    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+tags:
+    - attack.registry_run_keys_/_startup_folder
+    - attack.t1547.001
+date: 2021/10/24
+author: Christopher Peacock '@securepeacock', SCYTHE
+level: high
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\powershell.exe'
+        TargetFilename|contains: '\start menu\programs\startup\'
+        TargetFilename|endswith: '.lnk'
+    condition: selection
+falsepositives:
+    - Unknown
+    - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -8,12 +8,12 @@ references:
     - https://github.com/hhlxf/PrintNightmare
     - https://github.com/afwu/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
-    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/06/29
 modified: 2021/07/01
 tags:
     - attack.execution
     - attack.privilege_escalation
+    - cve.2021.1675
 logsource:
     category: file_event
     product: windows

diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml
@@ -9,13 +9,13 @@ references:
     - https://github.com/FireFart/hivenightmare/
     - https://github.com/WiredPulse/Invoke-HiveNightmare
     - https://twitter.com/cube0x0/status/1418920190759378944
-    - https://nvd.nist.gov/vuln/detail/cve-2021-36934
 logsource:
     product: windows
     category: file_event
 tags:
     - attack.credential_access
     - attack.t1552.001
+    - cve.2021.36934
 detection:
     selection:
         - TargetFilename|contains: