SigmaHQ Rules Release Highlights — r2023–11–06
https://github.com/SigmaHQ/sigma/releases/tag/r2023-11-06Sigma Rule Packages for 23–10–2023 are released and available for download. This release saw the addition of 27 new rules, 40 rule updates and 9 rule fixes.
New Rules
Some highlights for the newer rules include, emerging threat detections for Diamond Sleet APT based on Microsoft report covering IOCs and DLL sideloading activity.
title: Diamond Sleet APT DLL Sideloading Indicators
id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
status: experimental
description: Detects DLL sideloading activity seen used by Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/24
tags:
- attack.defense_evasion
- attack.t1574.002
- detection.emerging_threats
logsource:
product: windows
category: image_load
detection:
selection_1:
Image|endswith: ':\ProgramData\clip.exe'
ImageLoaded|endswith: ':\ProgramData\Version.dll'
selection_2:
Image|endswith: ':\ProgramData\wsmprovhost.exe'
ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Diamond Sleet APT File Creation Indicators
id: e1212b32-55ff-4dfb-a595-62b572248056
status: experimental
description: Detects file creation activity that is related to Diamond Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/24
tags:
- attack.execution
- detection.emerging_threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- ':\ProgramData\4800-84DC-063A6A41C5C'
- ':\ProgramData\clip.exe'
- ':\ProgramData\DSROLE.dll'
- ':\ProgramData\Forest64.exe'
- ':\ProgramData\readme.md'
- ':\ProgramData\Version.dll'
- ':\ProgramData\wsmprovhost.exe'
condition: selection
falsepositives:
- Unlikely
level: high
As well as some new detection rules related to the OKTA breach based on Beyond Trust reporting
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: experimental
description: Detects access to Okta admin functions through proxy.
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://dataconomy.com/2023/10/23/okta-data-breach/
- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023/10/25
tags:
- attack.credential_access
logsource:
service: okta
product: okta
detection:
selection:
debugContext.debugData.requestUri|contains: 'admin'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
One of the interesting set of new rules is related to abuse of the VsCode tunnel activity. From service creation and remote file execution/creation to other interesting artifacts.
title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: experimental
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/25
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\servers\Stable-'
ParentImage|endswith: '\server\node.exe'
ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
# Note: Child processes (ie: shells) can be whatever technically (with some efforts)
selection_child_1:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
selection_child_2:
Image|endswith:
- '\wsl.exe'
- '\bash.exe'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate use of Visual Studio Code tunnel and running code from there
level: medium
New Updates
Many older rules have seen multiple improvements as well. Some examples include:
Increased the coverage for the proxy rule that detects malicious user agents by adding new user agents seen used by different malware strains the last few weeks.
- 'DuckTales' # Racoon Stealer
- 'Zadanie' # Racoon Stealer
- 'GunnaWunnaBlueTips' # Racoon Stealer
- 'Xlmst' # Racoon Stealer
- 'GeekingToTheMoon' # Racoon Stealer
- 'SunShineMoonLight' # Racoon Stealer
- 'BunnyRequester' # BunnyStealer
- 'BunnyTasks' # BunnyStealer
- 'BunnyStealer' # BunnyStealer
- 'BunnyLoader_Dropper' # BunnyStealer
- 'BunnyLoader' # BunnyStealer
- 'BunnyShell' # BunnyStealer
- 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
- '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
Updated coverage for “Obfuscated IP usage” with enhanced regular expressions to cover more ways an attacker can obfuscate an IP.
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
- https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022/08/03
modified: 2023/11/06
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_command:
CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
- 'curl '
- 'DownloadFile'
- 'DownloadString'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
New Fixes
This release also saw a couple of false positives fixes and tuning to some rules. Such as new filter for the rule “Potential System DLL Sideloading From Non System Locations” and exclusions for the threat hunting rule looking for potential droppers.
title: Creation of an Executable by an Executable
id: 297afac9-5d02-4138-8c58-b977bac60556
status: experimental
description: Detects the creation of an executable by another executable
references:
- Malware Sandbox
author: frack113
date: 2022/03/09
modified: 2023/11/06
tags:
- attack.resource_development
- attack.t1587.001
- detection.threat_hunting
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '.exe'
TargetFilename|endswith: '.exe'
....
....
....
filter_optional_squirrel:
Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
TargetFilename|contains: '\AppData\Local'
filter_main_temp_installers:
- Image|contains: '\AppData\Local\Temp\'
- TargetFilename|contains: '\AppData\Local\Temp\'
filter_optional_chrome:
Image|endswith: '\ChromeSetup.exe'
TargetFilename|contains: '\Google'
filter_main_dot_net:
Image|contains: ':\Windows\Microsoft.NET\Framework'
Image|endswith: '\mscorsvw.exe'
TargetFilename|contains: ':\Windows\assembly'
The rules leveraging the PowerShell Classic logs also saw a “logic” update to use the raw “Data” fields instead of “Parsed” fields. This change was discussed here. But the Tldr is that, since the original log doesn’t offer a parsed event, users were required to create their own parser or mapping in order to use the rules. Now “raw” matches work by default.
You can check the full changelog on the release page below.
Release Release r2023-11-06 · SigmaHQ/sigma
Contributors
This release was possible thanks to the many Sigma community contributors. A big thanks goes to following people:
- @citronninja
- @EzLucky
- @faisalusuf
- @frack113
- @fukusuket
- @gs3cl
- @nasbench
- @netgrain
- @phantinuss
- @sifex
- @sj-sec
- @tjgeorgen
- @ts-lbf
- @Tuutaans
- @wagga40
- @X-Junior
SigmaHQ Rules Release Highlights — r2023–11–06 was originally published in Sigma_HQ on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: SigmaHQ Rules Release Highlights — r2023–11–06 | by Nasreddine Bencherchali | Nov, 2023 | Sigma_HQ