Merge branch 'SigmaHQ:master' into fix-env-stuff

SigmaHQ · Dec 11, 2023 · 8d34ade · 8d34ade
2 parents b617b8d + 987a733
commit 8d34ade
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -13,7 +13,7 @@ references:
     - https://twitter.com/crep1x/status/1635034100213112833
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2017/07/08
-modified: 2023/11/06
+modified: 2023/12/05
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -134,6 +134,7 @@ detection:
             - 'BunnyShell' # BunnyStealer
             - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
             - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
+            - 'SouthSide' # Racoon Stealer
     condition: selection
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -6,7 +6,7 @@ references:
     - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
 author: Tim Rauch
 date: 2022/09/21
-modified: 2023/03/07
+modified: 2023/12/05
 tags:
     - attack.execution
     - attack.t1059
@@ -38,7 +38,7 @@ detection:
             - '\taskhostw.exe'
             - '\unsecapp.exe'
             - '\WerFault.exe'
-            - '\wergmgr.exe'
+            - '\wermgr.exe'
             - '\wlanext.exe'
             - '\WUDFHost.exe'
     condition: selection

diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -6,6 +6,7 @@ references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/30
+modified: 2023/12/05
 tags:
     - attack.execution
 logsource:
@@ -31,12 +32,18 @@ detection:
             - "gc "
             - 'cat '
             - 'type '
+            - 'ReadAllBytes'
     selection_cli_specific:
-        CommandLine|contains|all:
-            - ' ^| '
-            - '\*.lnk'
-            - '-Recurse'
-            - '-Skip '
+        - CommandLine|contains|all:
+              - ' ^| '
+              - '\*.lnk'
+              - '-Recurse'
+              - '-Skip '
+        - CommandLine|contains|all:
+              - ' -ExpandProperty '
+              - '\*.lnk'
+              - 'WriteAllBytes'
+              - ' .length '
     condition: all of selection_*
 falsepositives:
     - Unlikely