ルール更新 (#224)

rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml

@@ -1,3 +1,4 @@
+
 title: Azure AD Health Monitoring Agent Registry Keys Access
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021/08/26

rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml

@@ -0,0 +1,34 @@
+
+title: ADCS Certificate Template Configuration Vulnerability
+author: Orlinum , BlueDefenZer
+date: 2021/11/17
+description: Detects certificate creation with template allowing risk permission subject
+detection:
+  SELECTION_1:
+    EventID: 4898
+  SELECTION_2:
+    TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  SELECTION_3:
+    EventID: 4899
+  SELECTION_4:
+    NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
+falsepositives:
+- Administrator activity
+- Penetration tests
+- Proxy SSL certificate with subject modification
+- Smart card enrollement
+id: 5ee3a654-372f-11ec-8d3d-0242ac130003
+level: low
+logsource:
+  definition: Certificate services loaded a template would trigger event ID 4898 and
+    certificate Services template was updated would trigger event ID 4899. A risk
+    permission seems to be comming if template contain specific flag.
+  product: windows
+  service: security
+references:
+- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access

rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml

@@ -0,0 +1,48 @@
+
+title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
+author: Orlinum , BlueDefenZer
+date: 2021/11/17
+description: Detects certificate creation with template allowing risk permission subject
+  and risky EKU
+detection:
+  SELECTION_1:
+    EventID: 4898
+  SELECTION_2:
+    TemplateContent:
+    - '*1.3.6.1.5.5.7.3.2*'
+    - '*1.3.6.1.5.2.3.4*'
+    - '*1.3.6.1.4.1.311.20.2.2*'
+    - '*2.5.29.37.0*'
+  SELECTION_3:
+    TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  SELECTION_4:
+    EventID: 4899
+  SELECTION_5:
+    NewTemplateContent:
+    - '*1.3.6.1.5.5.7.3.2*'
+    - '*1.3.6.1.5.2.3.4*'
+    - '*1.3.6.1.4.1.311.20.2.2*'
+    - '*2.5.29.37.0*'
+  SELECTION_6:
+    NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+    and SELECTION_6))
+falsepositives:
+- Administrator activity
+- Penetration tests
+- Proxy SSL certificate with subject modification
+- Smart card enrollement
+id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
+level: high
+logsource:
+  definition: Certificate services loaded a template would trigger event ID 4898 and
+    certificate Services template was updated would trigger event ID 4899. A risk
+    permission seems to be comming if template contain specific flag with risky EKU.
+  product: windows
+  service: security
+references:
+- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access

rules/sigma/builtin/win_alert_active_directory_user_control.yml

@@ -25,6 +25,7 @@ logsource:
 modified: 2020/08/23
 references:
 - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+status: experimental
 tags:
 - attack.persistence
 - attack.t1098

rules/sigma/builtin/win_alert_ad_user_backdoors.yml

@@ -46,6 +46,7 @@ references:
 - https://msdn.microsoft.com/en-us/library/cc220234.aspx
 - https://adsecurity.org/?p=3466
 - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+status: experimental
 tags:
 - attack.t1098
 - attack.persistence

rules/sigma/builtin/win_alert_enable_weak_encryption.yml

@@ -83,6 +83,7 @@ logsource:
 references:
 - https://adsecurity.org/?p=2053
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1089

rules/sigma/builtin/win_alert_lsass_access.yml

@@ -18,7 +18,9 @@ logsource:
   definition: 'Requirements:Enabled Block credential stealing from the Windows local
     security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
     9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
-  product: windows_defender
+  product: windows
+  service: windefend
+modified: 2021/11/13
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
 status: experimental

rules/sigma/builtin/win_alert_mimikatz_keywords.yml

@@ -31,6 +31,7 @@ level: critical
 logsource:
   product: windows
 modified: 2021/08/26
+status: experimental
 tags:
 - attack.s0002
 - attack.t1003

rules/sigma/builtin/win_alert_ruler.yml

@@ -29,6 +29,7 @@ references:
 - https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
+status: experimental
 tags:
 - attack.discovery
 - attack.execution

rules/sigma/builtin/win_apt_carbonpaper_turla.yml

@@ -22,6 +22,7 @@ logsource:
   service: system
 references:
 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+status: experimental
 tags:
 - attack.persistence
 - attack.g0010

rules/sigma/builtin/win_apt_chafer_mar18_security.yml

@@ -25,6 +25,7 @@ references:
 related:
 - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
   type: derived
+status: experimental
 tags:
 - attack.persistence
 - attack.g0049

rules/sigma/builtin/win_apt_chafer_mar18_system.yml

@@ -22,6 +22,7 @@ logsource:
 modified: 2021/09/19
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+status: experimental
 tags:
 - attack.persistence
 - attack.g0049

rules/sigma/builtin/win_apt_gallium.yml

@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.command_and_control
+- attack.t1071

rules/sigma/builtin/win_apt_slingshot.yml

@@ -24,6 +24,8 @@ references:
 related:
 - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
   type: derived
+status: experimental
 tags:
 - attack.persistence
+- attack.t1053
 - attack.s0111

rules/sigma/builtin/win_apt_stonedrill.yml

@@ -21,6 +21,7 @@ logsource:
   service: system
 references:
 - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+status: experimental
 tags:
 - attack.persistence
 - attack.g0064

rules/sigma/builtin/win_apt_turla_service_png.yml

@@ -19,6 +19,7 @@ logsource:
   service: system
 references:
 - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+status: experimental
 tags:
 - attack.persistence
 - attack.g0010

rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml

@@ -25,6 +25,7 @@ logsource:
 modified: 2021/08/09
 references:
 - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+status: experimental
 tags:
 - attack.t1204
 - attack.t1193

rules/sigma/builtin/win_atsvc_task.yml

@@ -25,6 +25,7 @@ logsource:
   service: security
 references:
 - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+status: experimental
 tags:
 - attack.lateral_movement
 - attack.persistence

rules/sigma/builtin/win_audit_cve.yml

@@ -6,7 +6,7 @@ description: Detects events generated by Windows to indicate the exploitation of
   known vulnerability (e.g. CVE-2020-0601)
 detection:
   SELECTION_1:
-    Source: Microsoft-Windows-Audit-CVE
+    Provider_Name: Microsoft-Windows-Audit-CVE
   condition: SELECTION_1
 falsepositives:
 - Unknown
@@ -15,7 +15,7 @@ level: critical
 logsource:
   product: windows
   service: application
-modified: 2020/08/23
+modified: 2021/10/13
 references:
 - https://twitter.com/mattifestation/status/1217179698008068096
 - https://twitter.com/VM_vivisector/status/1217190929330655232

rules/sigma/builtin/win_av_relevant_match.yml

@@ -16,7 +16,7 @@ detection:
   - Webshell
   - Portscan
   - Mimikatz
-  - WinCred
+  - .WinCred.
   - PlugX
   - Korplug
   - Pwdump
@@ -36,7 +36,8 @@ level: high
 logsource:
   product: windows
   service: application
-modified: 2021/07/28
+modified: 2021/11/20
+status: experimental
 tags:
 - attack.resource_development
 - attack.t1588

rules/sigma/builtin/win_cobaltstrike_service_installs.yml

@@ -38,6 +38,7 @@ references:
 - https://www.sans.org/webcasts/119395
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+status: experimental
 tags:
 - attack.execution
 - attack.privilege_escalation

rules/sigma/builtin/win_disable_event_logging.yml

@@ -32,6 +32,7 @@ logsource:
   service: security
 references:
 - https://bit.ly/WinLogsZero2Hero
+status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1054

rules/sigma/builtin/win_event_log_cleared.yml

@@ -7,7 +7,7 @@ detection:
   SELECTION_1:
     EventID: 1102
   SELECTION_2:
-    Source: Microsoft-Windows-Eventlog
+    Provider_Name: Microsoft-Windows-Eventlog
   condition: (SELECTION_1 and SELECTION_2)
 falsepositives:
 - Legitimate administrative activity
@@ -21,7 +21,7 @@ level: medium
 logsource:
   product: windows
   service: security
-modified: 2021/10/08
+modified: 2021/10/13
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 status: experimental

rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml

@@ -38,7 +38,8 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/afwu/PrintNightmare
 - https://twitter.com/fuzzyf10w/status/1410202370835898371
-- https://nvd.nist.gov/vuln/detail/cve-2021-1675
 status: experimental
 tags:
 - attack.execution
+- attack.t1569
+- cve.2021.1675

rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml

@@ -24,7 +24,8 @@ logsource:
   service: printservice-operational
 references:
 - https://twitter.com/MalwareJake/status/1410421967463731200
-- https://nvd.nist.gov/vuln/detail/cve-2021-1675
 status: experimental
 tags:
 - attack.execution
+- attack.t1569
+- cve.2021.1675

rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml

@@ -26,8 +26,9 @@ logsource:
   service: security
 references:
 - https://twitter.com/INIT_3/status/1410662463641731075
-- https://nvd.nist.gov/vuln/detail/cve-2021-1675
-- https://nvd.nist.gov/vuln/detail/cve-2021-34527
 status: experimental
 tags:
 - attack.execution
+- attack.t1569
+- cve.2021.1675
+- cve.2021.34527

rules/sigma/builtin/win_global_catalog_enumeration.yml

@@ -26,6 +26,7 @@ logsource:
 modified: 2021/06/01
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
+status: experimental
 tags:
 - attack.discovery
 - attack.t1087

rules/sigma/builtin/win_gpo_scheduledtasks.yml

@@ -29,6 +29,7 @@ logsource:
 references:
 - https://twitter.com/menasec1/status/1106899890377052160
 - https://www.secureworks.com/blog/ransomware-as-a-distraction
+status: experimental
 tags:
 - attack.persistence
 - attack.lateral_movement

rules/sigma/builtin/win_hack_smbexec.yml

@@ -25,6 +25,7 @@ logsource:
 modified: 2020/08/23
 references:
 - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+status: experimental
 tags:
 - attack.lateral_movement
 - attack.execution

rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml

@@ -24,3 +24,4 @@ references:
 status: experimental
 tags:
 - attack.persistence
+- attack.t1554

rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml

@@ -22,9 +22,10 @@ id: b55d23e5-6821-44ff-8a6e-67218891e49f
 level: high
 logsource:
   product: windows
-  service: Microsoft-ServiceBus-Client
+  service: microsoft-servicebus-client
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 status: experimental
 tags:
 - attack.persistence
+- attack.t1554

rules/sigma/builtin/win_impacket_psexec.yml

@@ -25,6 +25,7 @@ logsource:
   service: security
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1021.002

rules/sigma/builtin/win_impacket_secretdump.yml

@@ -25,6 +25,7 @@ logsource:
 modified: 2021/06/27
 references:
 - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+status: experimental
 tags:
 - attack.credential_access
 - attack.t1003

rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml

@@ -3,7 +3,7 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
 description: Detects all variations of obfuscated powershell IEX invocation code generated
-  by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
+  by Invoke-Obfuscation framework from the code block linked in the references
 detection:
   SELECTION_1:
     EventID: 4697
@@ -31,6 +31,8 @@ logsource:
   product: windows
   service: security
 modified: 2021/09/16
+references:
+- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 related:
 - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
   type: derived

rules/sigma/builtin/win_iso_mount.yml

@@ -12,7 +12,10 @@ detection:
     ObjectType: File
   SELECTION_4:
     ObjectName: \Device\CdRom*
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+  SELECTION_5:
+    ObjectName: \Device\CdRom0\setup.exe
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5))
 falsepositives:
 - Software installation ISO files
 id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
@@ -22,6 +25,7 @@ logsource:
     must be configured for Success/Failure
   product: windows
   service: security
+modified: 2021/11/20
 references:
 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
 - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages

rules/sigma/builtin/win_lm_namedpipe.yml

@@ -46,6 +46,7 @@ logsource:
   service: security
 references:
 - https://twitter.com/menasec1/status/1104489274387451904
+status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1077

rules/sigma/builtin/win_mal_creddumper.yml

@@ -27,6 +27,7 @@ logsource:
 modified: 2021/09/21
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
 tags:
 - attack.credential_access
 - attack.execution

rules/sigma/builtin/win_metasploit_authentication.yml

@@ -32,6 +32,7 @@ logsource:
 modified: 2021/07/07
 references:
 - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1077

rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml

@@ -57,6 +57,7 @@ modified: 2021/09/21
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1134

rules/sigma/builtin/win_mmc20_lateral_movement.yml

@@ -26,6 +26,7 @@ modified: 2020/08/23
 references:
 - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
+status: experimental
 tags:
 - attack.execution
 - attack.t1175

rules/sigma/builtin/win_net_ntlm_downgrade.yml

@@ -32,6 +32,7 @@ references:
 related:
 - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
   type: derived
+status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1089

rules/sigma/builtin/win_ntfs_vuln_exploit.yml

@@ -6,14 +6,16 @@ description: This the exploitation of a NTFS vulnerability as reported without m
   details via Twitter
 detection:
   SELECTION_1:
-    EventID: 55
+    Provider_Name: Ntfs
   SELECTION_2:
-    Origin: File System Driver
+    EventID: 55
   SELECTION_3:
-    Description: '*contains a corrupted file record*'
+    Origin: File System Driver
   SELECTION_4:
+    Description: '*contains a corrupted file record*'
+  SELECTION_5:
     Description: '*The name of the file is "\"*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
 falsepositives:
 - Unlikely
 id: f14719ce-d3ab-4e25-9ce6-2899092260b0
@@ -21,9 +23,11 @@ level: critical
 logsource:
   product: windows
   service: system
+modified: 2021/11/17
 references:
 - https://twitter.com/jonasLyk/status/1347900440000811010
 - https://twitter.com/wdormann/status/1347958161609809921
+status: experimental
 tags:
 - attack.impact
 - attack.t1499.001

rules/sigma/builtin/win_petitpotam_network_share.yml

@@ -27,6 +27,7 @@ logsource:
 references:
 - https://github.com/topotam/PetitPotam
 - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
+status: experimental
 tags:
 - attack.credential_access
 - attack.t1187

rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml

@@ -37,6 +37,7 @@ references:
 - https://github.com/topotam/PetitPotam
 - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
 - https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+status: experimental
 tags:
 - attack.credential_access
 - attack.t1187