Merge branch 'SigmaHQ:master' into ps_regex_fix

SigmaHQ · Dec 28, 2024 · e32b711 · e32b711
2 parents 5afebe9 + 1df3c34
commit e32b711
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 6 deletions.
diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -10,7 +10,7 @@ references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017-02-19
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
     - attack.resource-development
     - attack.t1588
@@ -43,7 +43,9 @@ detection:
         - 'GrandCrab '
         - 'HackTool'
         - 'HKTL'
-        - 'HTool'
+        - 'HTool-'
+        - '/HTool'
+        - '.HTool'
         - 'IISExchgSpawnCMD'
         - 'Impacket'
         - 'JSP/BackDoor '

diff --git a/...ws/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/...ws/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -9,7 +9,7 @@ references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
     - attack.defense-evasion
 logsource:
@@ -33,6 +33,7 @@ detection:
             - 'https://statics.teams.cdn.live.net/'
             - 'https://statics.teams.cdn.office.net/'
             - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
+            - 'https://installer.teams.static.microsoft/'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -7,7 +7,7 @@ references:
     - https://twitter.com/malmoeb/status/1535142803075960832
 author: Florian Roth (Nextron Systems)
 date: 2022-06-10
-modified: 2023-03-27
+modified: 2024-12-25
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -24,6 +24,8 @@ detection:
             - '.com/'
             - '.sfx.ms/'
             - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&amp;os=win64&amp;lang=en-US
+            - 'cdn.onenote.net/'
+            - 'cdn.office.net/'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2024-10-08
+modified: 2024-12-25
 tags:
     - attack.execution
 logsource:
@@ -104,6 +104,17 @@ detection:
         - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
         # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
         - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
+    filter_optional_national_instruments:
+        # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
+        FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
+    filter_optional_kaspersky:
+        # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
+        - ProcessNameBuffer|contains|all:
+              - '\Kaspersky Lab\'
+              - '\avp.exe'
+        - FileNameBuffer|contains|all:
+              - '\Kaspersky Lab\'
+              - '\antimalware_provider.dll'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.

diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -18,10 +18,11 @@ references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-10-21
+modified: 2024-12-23
 tags:
     - attack.defense-evasion
     - attack.t1489
+    - attack.t1562.001
 logsource:
     category: process_creation
     product: windows
@@ -148,6 +149,7 @@ detection:
             - 'mfewc'
             - 'MMS'
             - 'mozyprobackup'
+            - 'mpssvc'
             - 'MSComplianceAudit'
             - 'MSDTC'
             - 'MsDtsServer'
@@ -235,6 +237,7 @@ detection:
             - 'swi_service'
             - 'swi_update'
             - 'Symantec'
+            - 'sysmon'
             - 'TeamViewer'
             - 'Telemetryserver'
             - 'ThreatLockerService'
@@ -277,6 +280,7 @@ detection:
             - 'WRSVC'
             - 'wsbexchange'
             - 'WSearch'
+            - 'wscsvc'
             - 'Zoolz 2 Service'
     condition: all of selection_*
 falsepositives: