
Multiple Rule Updates & New Rules #4557

Conversation

Contributor

@swachchhanda000 swachchhanda000 commented Nov 9, 2023

Summary of the Pull Request

This PR updates multiple rules that are related to living off the land binaries and can be abused to perform download actions.

Changelog

new: Arbitrary File Download Via IMEWDBLD.EXE
new: Arbitrary File Download Via MSEDGE_PROXY.EXE
new: Arbitrary File Download Via Squirrel.EXE - This is a split rule from "45239e6a-b035-4aaf-b339-8ad379fcb67e"
new: Msxsl.EXE Execution
new: Potential File Download Via MS-AppInstaller Protocol Handler
new: Remote XSL Execution Via Msxsl.EXE
update: AppX Package Installation Attempts Via AppInstaller.EXE - Update description and title
update: Arbitrary File Download Via MSOHTMED.EXE - Update title
update: Arbitrary File Download Via PresentationHost.EXE - Update title
update: File Download And Execution Via IEExec.EXE - Update title and description
update: File Download From Browser Process Via Inline URL - Enhance accuracy by using the "endswith" modifier and increasing coverage by adding new extensions to the list
update: File Download Using ProtocolHandler.exe - Update logic by removing the unnecessary "selection_cli_1"
update: File Download Via InstallUtil.EXE - Update title and description
update: File Download Via Windows Defender MpCmpRun.EXE - Update metadata information and add additional fields to the image selection
update: Network Connection Initiated By IMEWDBLD.EXE - Update description and title
update: Potentially Suspicious Electron Application CommandLine - Add "msedge_proxy.exe" to list of processes
update: Process Proxy Execution Via Squirrel.EXE - Moved the logic that covers the "download" aspect into a new rule "1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c"
update: Suspicious Calculator Usage - Update filter to remove the "C:" prefix, which increases coverage of other partitions
update: Uncommon Child Process Of Appvlp.EXE - Update description, title and enhance false positive filters
update: XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Update title and description
update: XSL Script Execution Via WMIC.EXE - Removed the selection that covers "Msxsl" and moved it to a separate rule "9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0"

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
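As an added illustration of two of the changes listed above (the "endswith" modifier on download extensions, and dropping the "C:" prefix from the calculator filter), the Python below is a toy evaluator for Sigma-style string modifiers run over constructed process-creation events. It is not code from this PR or from the SigmaHQ repository, and the rule fragments are simplified assumptions rather than the real rule logic.

```python
"""Toy evaluator for Sigma-style string modifiers (contains / endswith /
startswith / plain wildcard match), used to show why the PR's two changes
widen or tighten matching. Events and selections are constructed samples."""
import fnmatch
from typing import Optional


def match_value(value: str, pattern: str, modifier: Optional[str]) -> bool:
    """Apply one modifier case-insensitively, as Sigma string matching does."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    # No modifier: exact match with Sigma's * and ? wildcards (approximated).
    return fnmatch.fnmatchcase(v, p)


def match_selection(event: dict, selection: dict) -> bool:
    """Every field in a selection must match (AND); list values are OR'ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, ""))
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(match_value(value, p, modifier or None) for p in patterns):
            return False
    return True


# Constructed selections: extension list with 'endswith' vs 'contains',
# and a calc.exe filter with and without the hard-coded "C:" drive letter.
EXT_ENDSWITH = {"CommandLine|endswith": [".exe", ".dll", ".ps1"]}
EXT_CONTAINS = {"CommandLine|contains": [".exe", ".dll", ".ps1"]}
CALC_FILTER_OLD = {"Image": "C:\\Windows\\System32\\calc.exe"}
CALC_FILTER_NEW = {"Image|endswith": "\\Windows\\System32\\calc.exe"}


def demo() -> dict:
    """Evaluate the constructed selections against constructed sample events."""
    browser = {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
               "CommandLine": "firefox.exe https://example.invalid/tools/update.exe"}
    benign = {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
              "CommandLine": "firefox.exe https://example.invalid/setup.exe.html"}
    calc_on_d = {"Image": "D:\\Windows\\System32\\calc.exe"}
    return {
        "inline_exe_url": match_selection(browser, EXT_ENDSWITH),       # True
        "benign_url_endswith": match_selection(benign, EXT_ENDSWITH),  # False
        "benign_url_contains": match_selection(benign, EXT_CONTAINS),  # True
        "calc_on_d_old_filter": match_selection(calc_on_d, CALC_FILTER_OLD),  # False
        "calc_on_d_new_filter": match_selection(calc_on_d, CALC_FILTER_NEW),  # True
    }
```

The "contains" variant flags the page URL that merely embeds ".exe", while "endswith" does not; the old filter only recognises calc.exe on the C: drive, so a D: copy would escape the filter and fire the rule.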

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 9, 2023
@swachchhanda000 swachchhanda000 force-pushed the Suspicious-windows-binaries-usage-for-ingress-tool-transfer branch from 6d88661 to 3054b3a November 9, 2023 07:57
@nasbench nasbench added the Work In Progress Some changes are needed label Nov 9, 2023
@nasbench nasbench self-requested a review November 9, 2023 10:16
@nasbench nasbench self-assigned this Nov 9, 2023
@nasbench nasbench removed the Work In Progress Some changes are needed label Nov 9, 2023
Member

nasbench commented Nov 9, 2023

Thanks for the PR @swachchhanda000

Just FYI 80% of the processes in your original rule were covered. I only left the ones that were not and moved them to separate rules. (You can find them with your name as author). And I did some house cleanup :)

Cheers.

@nasbench nasbench added the 2nd Review Needed PR need a second approval label Nov 9, 2023
@nasbench nasbench requested a review from phantinuss November 9, 2023 12:28
@nasbench nasbench changed the title Added a generic rule that detect the usage of windows in-built tools for ingress tool transfer Multiple Rule Updates & New Rules Nov 10, 2023
@phantinuss phantinuss merged commit fc716d1 into SigmaHQ:master Nov 14, 2023
11 checks passed