valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' and fix conflicts

Browse Source
This commit is contained in:
Anton Kutepov 2021-03-07 23:36:13 +03:00
commit d7ef865bb9
11 changed files with 299 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
rules/web/web_exchange_exploitation_hafnium.yml Normal file
View File

@ -0,0 +1,62 @@
title: Exchange Exploitation Used by HAFNIUM
id: 67bce556-312f-4c81-9162-c3c9ff2599b2
status: experimental
description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Florian Roth
date: 2021/03/03
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection1:
cs-method: 'POST'
c-uri|contains: '/owa/auth/Current/themes/resources/'
selection2:
cs-method: 'POST'
c-uri|contains: '/owa/auth/Current/'
c-useragent:
- 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
- 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
- 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
- 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
- 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
- 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
- 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
- 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
- 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
selection3:
c-uri|contains: '/ecp/'
cs-method: 'POST'
c-useragent:
- 'ExchangeServicesClient/0.0.0.0'
- 'python-requests/2.19.1'
- 'python-requests/2.25.1'
selection4:
c-uri|contains:
- '/aspnet_client/'
- '/owa/'
cs-method: 'POST'
c-useragent:
- 'antSword/v2.1'
- 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
- 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
selection5:
c-uri|contains:
- '/owa/auth/Current/'
- '/ecp/default.flt'
- '/ecp/main.css'
cs-method: 'POST'
selection6:
cs-method: 'POST'
c-uri|contains|all:
- '/ecp/'
- '.js'
condition: 1 of them
falsepositives:
- Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
level: high

27
rules/web/web_vsphere_cve_2021_21972_unauth_rce_exploit.yml Normal file
View File

@ -0,0 +1,27 @@
title: CVE-2021-21972 VSphere Exploitation
id: 179ed852-0f9b-4009-93a7-68475910fd86
status: experimental
description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
author: Bhabesh Raj
date: 2021/02/24
references:
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- https://f5.pm/go-59627.html
- https://swarm.ptsecurity.com/unauth-rce-vmware
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
c-uri:
- '/ui/vropspluginui/rest/services/uploadova'
condition: selection
fields:
- c-ip
- c-dns
falsepositives:
- OVA uploads to your VSphere appliance
level: high
tags:
- attack.initial_access
- attack.t1190

35
rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml Normal file
View File

@ -0,0 +1,35 @@
title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |
creation of non-standard files on disk by Exchange Servers Unified Messaging service |
which could indicate dropping web shells or other malicious content
author: Bhabesh Raj
status: experimental
level: critical
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
tags:
- attack.t1203
- attack.execution
- cve.2021-26858
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: 'UMWorkerProcess.exe'
filter:
TargetFilename|endswith:
- 'CacheCleanup.bin'
- '.txt'
- '.LOG'
- '.cfg'
- 'cleanup.bin'
condition: selection and not filter
fields:
- ComputerName
- TargetFileName
falsepositives:
- Unknown

28
rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml Normal file
View File

@ -0,0 +1,28 @@
title: CVE-2021-26857 Exchange Exploitation
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for |
abnormal subprocesses spawning by Exchange Servers Unified Messaging service
author: Bhabesh Raj
status: experimental
level: critical
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
tags:
- attack.t1203
- attack.execution
- cve.2021-26857
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: 'UMWorkerProcess.exe'
filter:
Image|endswith:
- 'wermgr.exe'
- 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown

25
rules/windows/process_creation/win_susp_procdump.yml
View File

@ -1,33 +1,24 @@
title: Suspicious Use of Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
id: 03795938-1387-481b-9f4c-3f6241e604fe
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
- Internal Research
author: Florian Roth
date: 2018/10/30
modified: 2020/11/28
date: 2021/02/02
tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- attack.t1003.001
- attack.t1003 # an old one
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: ' -ma '
selection2:
CommandLine|contains: ' lsass'
selection3:
CommandLine|contains|all:
selection:
CommandLine|contains:
- ' -ma '
- 'ls'
condition: ( selection1 and selection2 ) or selection3
condition: selection
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
level: high
- Legitimate use of procdump by a developer or administrator
level: medium

34
rules/windows/process_creation/win_susp_procdump_lsass.yml Normal file
View File

@ -0,0 +1,34 @@
title: Suspicious Use of Procdump on LSASS
id: 5afee48e-67dd-4e03-a783-f74259dcf998
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
- Internal Research
author: Florian Roth
date: 2018/10/30
modified: 2021/02/02
tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- attack.t1003.001
- attack.t1003 # an old one
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine:
- '* -ma *'
selection2:
CommandLine:
- '* lsass*'
selection3:
CommandLine:
- '* -ma ls*'
condition: ( selection1 and selection2 ) or selection3
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
level: critical

22
rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml Normal file
View File

@ -0,0 +1,22 @@
title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
status: experimental
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth
date: 2021/03/05
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'rundll32.exe'
- 'Execute'
- 'RegRead'
- 'window.close'
condition: selection
falsepositives:
- Unknown
level: high

25
rules/windows/process_creation/win_susp_rundll32_sys.yml Normal file
View File

@ -0,0 +1,25 @@
title: Suspicious Rundll32 Activity Invoking Sys File
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
status: experimental
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
tags:
- attack.defense_evasion
- attack.t1218.011
author: Florian Roth
date: 2021/03/05
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: 'rundll32.exe'
selection2:
CommandLine|contains:
- '.sys,'
- '.sys '
condition: selection1 and selection2
falsepositives:
- Unknown
level: high

26
rules/windows/process_creation/win_susp_vbscript_unc2452.yml Normal file
View File

@ -0,0 +1,26 @@
title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
description: Detects suspicious inline VBScript keywords as used by UNC2452
status: experimental
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth
date: 2021/03/05
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'Execute'
- 'CreateObject'
- 'RegRead'
- 'window.close'
- '\Microsoft\Windows\CurrentVersion'
filter:
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
condition: selection and not filter
falsepositives:
- Unknown
level: high

1
rules/windows/process_creation/win_webshell_spawn.yml
View File

@ -16,6 +16,7 @@ detection:
- '\nginx.exe'
- '\php-cgi.exe'
- '\tomcat.exe'
- '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
Image|endswith:
- '\cmd.exe'
- '\sh.exe'

31
rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml Normal file
View File

@ -0,0 +1,31 @@
title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
status: experimental
date: 2021/03/05
author: Florian Roth
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
Details|contains:
- 'vbscript'
- 'jscript'
- 'mshtml'
- 'mshtml,'
- 'mshtml '
- 'RunHTMLApplication'
- 'Execute('
- 'CreateObject'
- 'RegRead'
- 'window.close'
filter:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
condition: selection and not filter
falsepositives:
- Unknown
level: high