Merge PR SigmaHQ#4752 from @frack113 - Update rules to use the `winda…

…sh` modifier update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy. chore: update multiple rules to use the windash modifier --------- Co-authored-by: nasbench <[email protected]>
deFr0ggy · Mar 11, 2024 · 48baf11 · 48baf11
1 parent eac0426
commit 48baf11
Show file tree

Hide file tree

Showing 37 changed files with 104 additions and 212 deletions.
diff --git a/...ng-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/...ng-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -6,6 +6,7 @@ references:
     - https://github.com/pr0xylife/Qakbot/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/26
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -16,9 +17,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\regsvr32.exe'
-        CommandLine|contains:
-            - ' /s'
-            - ' -s'
+        CommandLine|contains|windash: ' -s'
         CommandLine|endswith: ' calc'
     condition: selection
 falsepositives:

diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -8,6 +8,7 @@ references:
     - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
+modified: 2024/03/05
 tags:
     - attack.discovery
     - attack.t1083
@@ -17,9 +18,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '/getcap'
-        CommandLine|contains:
-            - ' /r '
-            - ' -r '
+        CommandLine|contains|windash: ' -r '
     condition: selection
 falsepositives:
     - Unknown

diff --git a/...ws/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/...ws/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: pH-T (Nextron Systems)
 date: 2022/03/18
-modified: 2024/02/23
+modified: 2024/03/05
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -20,12 +20,9 @@ detection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
     selection_cmd_flags:
-        ImagePath|contains:
-            - ' /c '
+        ImagePath|contains|windash:
             - ' -c '
-            - ' /r '
             - ' -r '
-            - ' /k '
             - ' -k '
     selection_binaries:
         ImagePath|contains:

diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
@@ -1,7 +1,12 @@
 title: Indirect Inline Command Execution Via Bash.EXE
 id: 5edc2273-c26f-406c-83f3-f4d948e740dd
+related:
+    - id: 2d22a514-e024-4428-9dba-41505bd63a5b
+      type: similar
 status: experimental
-description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
+description: |
+    Detects execution of Microsoft bash launcher with the "-c" flag.
+    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 author: frack113

diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
@@ -4,7 +4,9 @@ related:
     - id: 5edc2273-c26f-406c-83f3-f4d948e740dd
       type: similar
 status: experimental
-description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
+description: |
+    Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
+    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Bash/
     - https://linux.die.net/man/1/bash

diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
@@ -11,7 +11,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Austin Songer @austinsonger
 date: 2021/10/23
-modified: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -23,9 +23,7 @@ detection:
         - Image|endswith: '\certoc.exe'
         - OriginalFileName: 'CertOC.exe'
     selection_cli:
-        CommandLine|contains:
-            - ' -LoadDLL '
-            - ' /LoadDLL '
+        CommandLine|contains|windash: ' -LoadDLL '
     condition: all of selection_*
 fields:
     - CommandLine

diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
@@ -11,6 +11,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -22,9 +23,7 @@ detection:
         - Image|endswith: '\certoc.exe'
         - OriginalFileName: 'CertOC.exe'
     selection_cli:
-        CommandLine|contains:
-            - ' -LoadDLL '
-            - ' /LoadDLL '
+        CommandLine|contains|windash: ' -LoadDLL '
     selection_paths:
         CommandLine|contains:
             - '\Appdata\Local\Temp\'

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
@@ -13,6 +13,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
 date: 2023/03/05
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1553.004
@@ -25,9 +26,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli_add:
-        CommandLine|contains:
-            - '/addstore'
-            - '-addstore'
+        CommandLine|contains|windash: '-addstore'
     selection_cli_store:
         CommandLine|contains: 'root'
     condition: all of selection_*

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
@@ -11,6 +11,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -22,13 +23,9 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            # Decode Base64
-            - '-decode '
-            - '/decode '
-            # Decode Hex
-            - '-decodehex '
-            - '/decodehex '
+        CommandLine|contains|windash:
+            - '-decode ' # Decode Base64
+            - '-decodehex ' # Decode Hex
     condition: all of selection_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
@@ -8,7 +8,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/02/24
-modified: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -20,9 +20,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-encode'
-            - '/encode'
+        CommandLine|contains|windash: '-encode'
     condition: all of selection_*
 falsepositives:
     - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -12,6 +12,7 @@ references:
     - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -23,9 +24,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-encode'
-            - '/encode'
+        CommandLine|contains|windash: '-encode'
     selection_extension:
         CommandLine|contains:
             - '.acl'

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -12,6 +12,7 @@ references:
     - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -23,9 +24,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-encode'
-            - '/encode'
+        CommandLine|contains|windash: '-encode'
     selection_extension:
         CommandLine|contains:
             # Note: Add more suspicious locations to increase coverage

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
@@ -6,7 +6,7 @@ references:
     - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
-modified: 2023/02/20
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,9 +18,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-exportPFX '
-            - '/exportPFX '
+        CommandLine|contains|windash: '-exportPFX '
     condition: all of selection_*
 falsepositives:
     - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign

diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 author: _pete_0, TheDFIRReport
 date: 2022/02/21
-modified: 2024/02/16
+modified: 2024/03/05
 tags:
     - attack.discovery
     - attack.t1614.001
@@ -17,12 +17,9 @@ logsource:
 detection:
     selection:
         ParentImage|endswith: '\cmd.exe'
-        ParentCommandLine|contains:
-            - ' /c '
+        ParentCommandLine|contains|windash:
             - ' -c '
-            - ' /r '
             - ' -r '
-            - ' /k '
             - ' -k '
         Image|endswith: '\chcp.com'
         CommandLine|endswith:

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
@@ -6,7 +6,7 @@ references:
     - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
 author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/01/13
-modified: 2024/02/17
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -17,9 +17,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains:
-            - ' /c '
-            - ' -c '
+        CommandLine|contains|windash: ' -c '
         CommandLine|contains|all:
             - 'curl '
             - 'http'

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
 date: 2022/01/15
-modified: 2024/02/17
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -27,13 +27,10 @@ detection:
             - 'del '
             - 'erase '
     selection_flags:
-        CommandLine|contains:
-            - ' /f' # Force deleting of read-only files.
-            - ' -f'
-            - ' /s' # Delete specified files from all subdirectories.
-            - ' -s'
-            - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard
-            - ' -q'
+        CommandLine|contains|windash:
+            - ' -f' # Force deleting of read-only files.
+            - ' -s' # Delete specified files from all subdirectories.
+            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
     condition: all of selection_*
 falsepositives:
     - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
@@ -1,30 +1,23 @@
-title: Files And Subdirectories Listing Using Dir
+title: File Enumeration Via Dir Command
 id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
 status: test
-description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
+description: |
+    Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
-modified: 2024/02/17
+modified: 2024/03/06
 tags:
     - attack.discovery
     - attack.t1217
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_dir:
-        CommandLine|contains: 'dir '
-    selection_cli_1:
-        CommandLine|contains:
-            - ' /s'
-            - ' -s'
-    selection_cli_2:
-        CommandLine|contains:
-            - ' /b'
-            - ' -b'
-    condition: all of selection_*
+    selection:
+        CommandLine|contains|windash: 'dir*-s'
+    condition: selection
 falsepositives:
-    - Unknown
+    - Likely
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -1,12 +1,13 @@
-title: Suspicious Ping/Copy Command Combination
+title: Potentially Suspicious Ping/Copy Command Combination
 id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
 status: experimental
-description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.
+description: |
+    Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
 references:
     - Internal Research
 author: X__Junior (Nextron Systems)
 date: 2023/07/18
-modified: 2024/02/26
+modified: 2024/03/06
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -23,13 +24,9 @@ detection:
             - 'ping' # Covers "ping" and "ping.exe"
             - 'copy '
     selection_cli_1:
-        CommandLine|contains: # Count
-            - ' -n '
-            - ' /n '
+        CommandLine|contains|windash: ' -n ' # Count
     selection_cli_2:
-        CommandLine|contains:
-            - ' /y '
-            - ' -y '
+        CommandLine|contains|windash: ' -y '
     condition: all of selection_*
 falsepositives:
     - Unknown