SigmaHQ Rule Release Highlights — r2023-10-23

https://github.com/SigmaHQ/sigma/releases/tag/r2023-10-23

The Sigma rule packages for 23-10-2023 have been released and are available for download. This release saw the addition of 21 new rules, 17 rule updates and 24 rule fixes.

New Rules

Highlights among the new rules include a detection for CVE-2023-27363 (remote code execution in Foxit Reader), based on .hta file creation in the Startup directory.

title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023/10/11
tags:
    - attack.persistence
    - attack.t1505.001
    - cve.2023.27363
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Unknown
level: high

A generic rule detects the use of curl to download files from IP-based URLs, a technique seen abused in the wild.

title: File Download From IP URL Via Curl.EXE
id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
related:
    - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
      type: similar
status: experimental
description: Detects file downloads directly from IP address URL using curl.exe
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/18
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        CommandLine|contains:
            - ' -O' # covers the alias for --remote-name and --output
            - '--remote-name'
            - '--output'
    filter_main_ext:
        # Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043
        CommandLine|endswith:
            - '.bat'
            - '.bat"'
            - '.dat'
            - '.dat"'
            - '.dll'
            - '.dll"'
            - '.exe'
            - '.exe"'
            - '.gif'
            - '.gif"'
            - '.hta'
            - '.hta"'
            - '.jpeg'
            - '.jpeg"'
            - '.log'
            - '.log"'
            - '.msi'
            - '.msi"'
            - '.png'
            - '.png"'
            - '.ps1'
            - '.ps1"'
            - '.psm1'
            - '.psm1"'
            - '.vbe'
            - '.vbe"'
            - '.vbs'
            - '.vbs"'
            - ".bat'"
            - ".dat'"
            - ".dll'"
            - ".exe'"
            - ".gif'"
            - ".hta'"
            - ".jpeg'"
            - ".log'"
            - ".msi'"
            - ".png'"
            - ".ps1'"
            - ".psm1'"
            - ".vbe'"
            - ".vbs'"
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
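To make the matching semantics of this rule concrete, here is an added Python example (not part of the release post or of the SigmaHQ project) that implements only the modifiers the rule uses (plain equality, contains, endswith, re), the list/mapping OR/AND semantics of the detection section, and the condition "all of selection_* and not 1 of filter_main_*", then runs the transcribed rule over a few constructed process_creation events. The events, the EXTENSIONS list and all function names are assumptions made for the example; in practice the rule would be converted with pySigma or sigma-cli to the backend's query language rather than evaluated like this.

```python
import re

# Sigma's default string matching (plain, contains, endswith) is case-insensitive;
# the 're' modifier is a case-sensitive regular expression.
def _values(v):
    return v if isinstance(v, list) else [v]

def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' line; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    for value in _values(expected):
        if modifier == "re":
            if re.search(value, actual):
                return True
            continue
        a, v = actual.lower(), value.lower()
        if (modifier == "" and a == v) or \
           (modifier == "contains" and v in a) or \
           (modifier == "endswith" and a.endswith(v)):
            return True
    return False

def selection_matches(event, selection):
    """A mapping AND-s its fields; a list of mappings OR-s its items."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

# The detection section of 'File Download From IP URL Via Curl.EXE' transcribed into
# Python structures; EXTENSIONS expands to the '.ext', '.ext"' and ".ext'" forms.
EXTENSIONS = ["bat", "dat", "dll", "exe", "gif", "hta", "jpeg", "log",
              "msi", "png", "ps1", "psm1", "vbe", "vbs"]
RULE = {
    "selection_img": [
        {"Image|endswith": r"\curl.exe"},
        {"OriginalFileName": "curl.exe"},
    ],
    "selection_ip": {"CommandLine|re": r"://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"},
    "selection_http": {"CommandLine|contains": "http"},
    # ' -O' matched case-insensitively also covers ' -o' (alias for --output)
    "selection_flag": {"CommandLine|contains": [" -O", "--remote-name", "--output"]},
    "filter_main_ext": {"CommandLine|endswith": [f".{e}{q}" for e in EXTENSIONS for q in ("", '"', "'")]},
}

def evaluate(event, rule=RULE):
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in rule.items() if k.startswith("selection_")]
    filters = [v for k, v in rule.items() if k.startswith("filter_main_")]
    return (all(selection_matches(event, s) for s in selections)
            and not any(selection_matches(event, f) for f in filters))

# Constructed process_creation events (not real telemetry); IPs are documentation ranges.
EVENTS = [
    ("IP URL, -o to a .txt file -> alert", True, {
        "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe http://203.0.113.10/update.txt -o C:\Users\Public\update.txt"}),
    ("IP URL, -o to an .exe -> left to rule 5cb299fc via filter_main_ext", False, {
        "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe http://203.0.113.10/a.exe -o C:\Users\Public\a.exe"}),
    ("hostname URL, no raw IP -> no alert", False, {
        "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe https://example.com/update.txt -o C:\Users\Public\update.txt"}),
    ("renamed binary caught through OriginalFileName -> alert", True, {
        "Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "curl.exe",
        "CommandLine": r"cu.exe http://198.51.100.7/notes.txt --output C:\Users\Public\notes.txt"}),
    ("IP URL but no output flag -> no alert", False, {
        "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe http://203.0.113.10/"}),
]

def run_all():
    """Returns {description: evaluate(event)} for every constructed event."""
    return {desc: evaluate(ev) for desc, _, ev in EVENTS}

if __name__ == "__main__":
    for desc, expected, ev in EVENTS:
        print(f"{'ALERT' if evaluate(ev) else 'quiet':5}  {desc}  (expected {expected})")
```

The second event shows why filter_main_ext exists: a download that ends in one of the listed extensions is deliberately left to the related rule 5cb299fc so the two rules do not fire twice on the same command line, while the fourth event shows that selection_img catches a renamed binary through the PE OriginalFileName field even when the image path no longer ends in \curl.exe.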

New Updates

Many older rules have seen improvements as well. One example is a broader filter in the "Renamed CURL.EXE Execution" rule, which now covers additional naming in the form of curl-*.exe.

title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: experimental
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
    - https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023/09/11
modified: 2023/10/12
tags:
    - attack.execution
    - attack.t1059
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'curl.exe'
        - Description: 'The curl executable'
    filter_main_img:
        Image|contains: '\curl'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

Another addition to multiple rules is the PowerShell 7 preview path \Program Files\PowerShell\7-preview\, which can be installed on some systems and might otherwise cause unexpected false positives or negatives.

title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
    - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
    - https://persistence-info.github.io/Data/powershellprofile.html
author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
date: 2019/10/24
modified: 2023/10/18
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.013
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Microsoft.PowerShell_profile.ps1'
            - '\PowerShell\profile.ps1'
            - '\Program Files\PowerShell\7-preview\profile.ps1'
            - '\Program Files\PowerShell\7\profile.ps1'
            - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
            - '\WindowsPowerShell\profile.ps1'
    condition: selection
falsepositives:
    - System administrator creating Powershell profile manually
level: medium

New Fixes

This release also includes a number of false positive fixes to multiple rules, such as a filter for an undocumented flag of Sdbinst.EXE when it is run with an svchost.EXE parent:

filter_main_svchost1:
    ParentImage|endswith: ':\Windows\System32\svchost.exe'
    Image|endswith: ':\Windows\System32\sdbinst.exe'
    CommandLine|contains: ' -m -bg'

Other fixes address a couple of false positives from the Avira antivirus and some edge cases involving child processes of Sysmon, such as WerFaultSecure.EXE.
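Both the broadened filter_main_img of the "Renamed CURL.EXE Execution" rule above and the new filter_main_svchost1 for Sdbinst.EXE are examples of the "not 1 of filter_main_*" pattern being used to trim false positives. The following added Python example (not code from the release post or from the SigmaHQ project) shows the effect of each filter on constructed events. It assumes, for the comparison only, that the pre-release curl filter matched an Image ending in \curl.exe; the exact previous filter is not given in the post, so that is an assumption, as are the event contents and function names.

```python
# Sigma's plain/contains/endswith matching is case-insensitive; these helpers mirror that.
def endswith_ci(value, suffix):
    return value.lower().endswith(suffix.lower())

def contains_ci(value, needle):
    return needle.lower() in value.lower()

# --- Renamed CURL.EXE Execution: effect of broadening filter_main_img ---
def renamed_curl_selection(ev):
    """selection: OriginalFileName 'curl.exe' OR Description 'The curl executable'."""
    return (ev.get("OriginalFileName", "").lower() == "curl.exe"
            or ev.get("Description", "").lower() == "the curl executable")

def renamed_curl_alert(ev, broad_filter=True):
    """Assumption: the pre-release filter only excluded an Image ending in '\\curl.exe';
    the release widened it to Image|contains '\\curl', which also excludes curl-*.exe."""
    if broad_filter:
        filtered = contains_ci(ev["Image"], "\\curl")
    else:
        filtered = endswith_ci(ev["Image"], "\\curl.exe")
    return renamed_curl_selection(ev) and not filtered

# Constructed process_creation events (not real telemetry).
CURL_EVENTS = {
    "stock curl.exe": {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    "curl-8.4.0.exe (constructed vendor-style name)": {"Image": r"C:\Tools\curl-8.4.0.exe",
                                                       "OriginalFileName": "curl.exe"},
    "curl renamed to svchost.exe": {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "curl.exe"},
}

def compare_filters():
    """Returns {name: (alert_with_narrow_filter, alert_with_broad_filter)}."""
    return {name: (renamed_curl_alert(ev, broad_filter=False), renamed_curl_alert(ev, broad_filter=True))
            for name, ev in CURL_EVENTS.items()}

# --- Sdbinst: the filter_main_svchost1 block from the release ---
def sdbinst_svchost_filter(ev):
    """True when the event is the service-spawned 'sdbinst -m -bg' run the filter suppresses;
    all three fields must match, so the same flag under another parent is not suppressed."""
    return (endswith_ci(ev.get("ParentImage", ""), r":\Windows\System32\svchost.exe")
            and endswith_ci(ev.get("Image", ""), r":\Windows\System32\sdbinst.exe")
            and contains_ci(ev.get("CommandLine", ""), " -m -bg"))

SDBINST_EVENTS = {
    "service-spawned maintenance run": {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\sdbinst.exe",
        "CommandLine": "sdbinst.exe -m -bg"},
    "interactive shim install from cmd.exe": {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\sdbinst.exe",
        "CommandLine": r"sdbinst.exe C:\Temp\fix.sdb"},
}

if __name__ == "__main__":
    for name, (narrow, broad) in compare_filters().items():
        print(f"{name}: narrow filter alert={narrow}, broad filter alert={broad}")
    for name, ev in SDBINST_EVENTS.items():
        print(f"{name}: suppressed by filter_main_svchost1={sdbinst_svchost_filter(ev)}")
```

The curl-8.4.0.exe event is the false positive the broader filter removes, while a copy renamed to svchost.exe still alerts under both filters. The trade-off to keep in mind when tuning this way is that Image|contains '\curl' also suppresses any image whose file name begins with "curl" or that sits under a directory named curl, so the rule now relies on the attacker not choosing such a name.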

You can check the full changelog on the release page: https://github.com/SigmaHQ/sigma/releases/tag/r2023-10-23


Contributors

This release was possible thanks to the many Sigma community contributors. A big thanks goes to the following people:

Originally published in Sigma_HQ on Medium: SigmaHQ Rules Release Highlights — r2023-10-23, by Nasreddine Bencherchali, October 2023.