SigmaHQ Rules Release Highlights — r2024–04–29

https://github.com/SigmaHQ/sigma/releases/tag/r2024-04-29

Sigma Rule Packages for 29-04-2024 are released and available for download. This release saw the addition of 17 new rules, 35 rule updates and 8 rule fixes by 19 contributors.

New Rules

Highlights among the new rules include rules covering exploitation indicators of CVE-2024-3400.

title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
status: experimental
description: |
    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
references:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
author: Andreas Braathen (mnemonic.io)
date: 2024/04/25
tags:
    - attack.execution
    - cve.2024.3400
    - detection.emerging_threats
logsource:
    product: paloalto
    service: globalprotect
    category: file_event
    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
detection:
    selection:
        TargetFilename|contains:
            - '{IFS}'
            - 'base64'
            - 'bash'
            - 'curl'
            - 'http'
        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
    condition: selection
falsepositives:
    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
level: medium

title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
status: experimental
description: |
    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
    This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
references:
    - https://security.paloaltonetworks.com/CVE-2024-3400
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/18
modified: 2024/04/25
tags:
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - attack.defense_evasion
    - cve.2024.3400
logsource:
    category: appliance
    product: paloalto
    service: globalprotect
    definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
detection:
    keywords_generic:
        - 'failed to unmarshal session(../'
        - 'failed to unmarshal session(./../'
        - 'failed to unmarshal session(/..'
        - 'failed to unmarshal session(%2E%2E%2F'
        - 'failed to unmarshal session(%2F%2E%2E'
        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
        - 'failed to unmarshal session(%252E%252E%252F'
        - 'failed to unmarshal session(%252F%252E%252E'
        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
    keywords_telemetry_exploit:
        - '{IFS}'
        - 'base64'
        - 'bash'
        - 'curl'
        - 'http'
    keywords_telemetry_path:
        - '/opt/panlogs/tmp/device_telemetry/'
    condition: keywords_generic or all of keywords_telemetry_*
falsepositives:
    - Unknown
level: high

As well as a CVE-2024-3094 exploitation indicator.

title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: experimental
description: |
    Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024/04/01
modified: 2024/04/12
tags:
    - attack.execution
    - cve.2024.3094
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        ParentImage|endswith: '/sshd'
        CommandLine|startswith:
            - 'bash -c'
            - 'sh -c'
        User: 'root'
    selection_2:
        ParentImage|endswith: '/sshd'
        Image|endswith: '/sshd'
        User: 'sshd'
        CommandLine|contains: 'root'
    condition: 1 of selection_*
falsepositives:
    - Administrative activity directly with root authentication might trigger selection_1 if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high

Rules covering recent activity observed by MSFT for the Forest Blizzard APT.

Note: Existing Sigma rules already cover most of the activity reported. The additional coverage is for this specific campaign(s).

title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: experimental
description: |
    Detects the creation of specific files inside of ProgramData directory.
    These files were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: file_event
    product: windows
detection:
    selection_programdata_driver_store:
        TargetFilename|startswith:
            - 'C:\ProgramData\Microsoft\v'
            - 'C:\ProgramData\Adobe\v'
            - 'C:\ProgramData\Comms\v'
            - 'C:\ProgramData\Intel\v'
            - 'C:\ProgramData\Kaspersky Lab\v'
            - 'C:\ProgramData\Bitdefender\v'
            - 'C:\ProgramData\ESET\v'
            - 'C:\ProgramData\NVIDIA\v'
            - 'C:\ProgramData\UbiSoft\v'
            - 'C:\ProgramData\Steam\v'
        TargetFilename|contains:
            - '\pnms003.inf_'
            - '\pnms009.inf_'
    selection_programdata_main:
        TargetFilename|startswith: 'C:\ProgramData\'
    selection_programdata_files_1:
        TargetFilename|endswith:
            - '.save'
            - '\doit.bat'
            - '\execute.bat'
            - '\servtask.bat'
        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncomment this if you collect hash information in file events
    selection_programdata_files_2:
        TargetFilename|contains: '\wayzgoose'
        TargetFilename|endswith: '.dll'
    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
    - Unlikely
level: high

title: Forest Blizzard APT - Custom Protocol Handler Creation
id: 5cdeb555-65de-4767-99fe-e26807465148
status: experimental
description: |
    Detects the setting of a custom protocol handler with the name "rogue".
    Seen being created by Forest Blizzard APT as reported by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\PROTOCOLS\Handler\rogue\CLSID'
        Details: '{026CC6D7-34B2-33D5-B551-CA31EB6CE345}'
    condition: selection
falsepositives:
    - Unlikely
level: high

Check the full release changelog for a complete list of new rules.

New Updates

Some older rules have seen improvements in coverage and metadata as well.

By default, the pySigma implementation ensures that selections using the "re" modifier are matched as a "contains", which means there is no need to include a wildcard at the start or end of the regex. The first update touches multiple rules to take care of this edge case.

title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2024/04/16
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
    condition: selection
falsepositives:
    - Unknown
level: high
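To make the matching semantics behind these rules concrete, here is an added Python illustration (not pySigma and not SigmaHQ code) of how a single selection is evaluated: it applies the file-creation selection of the CVE-2024-3400 rule above and the "re" selection of the Invoke-Obfuscation rule to constructed events, and shows why an unanchored regex search makes wrapping wildcards unnecessary. The field names and the two selections are taken from the rules as printed; the evaluator itself and the sample events are assumptions of this sketch.

```python
import re

# Added illustration of how a Sigma selection is evaluated; this is not
# pySigma, just enough of its semantics for the two rules discussed above.
# String modifiers are case-insensitive, as in Sigma's default matching.

def field_matches(modifier, value, patterns):
    """Match one event field against one (or a list of) pattern value(s); a list is OR-ed."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if modifier == "re":
        # Sigma's 're' modifier is unanchored: the regex is applied like a
        # search ("contains"), so no leading or trailing wildcard is needed.
        return any(re.search(p, value) for p in patterns)
    v = value.lower()
    pats = [str(p).lower() for p in patterns]
    if modifier == "startswith":
        return any(v.startswith(p) for p in pats)
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    return any(v == p for p in pats)  # no modifier: plain equality

def selection_matches(selection, event):
    """All field conditions inside one selection must hold (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(modifier, str(value), patterns):
            return False
    return True

# The file-creation selection from the CVE-2024-3400 rule above.
PAN_TELEMETRY_SELECTION = {
    "TargetFilename|contains": ["{IFS}", "base64", "bash", "curl", "http"],
    "TargetFilename|startswith": "/opt/panlogs/tmp/device_telemetry/",
}

# The Invoke-Obfuscation selection, which relies on 're' being unanchored.
INVOKE_OBFUSCATION_SELECTION = {
    "CommandLine|re": r'(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"',
}

def anchoring_comparison(pattern, value):
    """Return (search hit, fullmatch hit): search finds the pattern anywhere, fullmatch needs the whole string."""
    return bool(re.search(pattern, value)), bool(re.fullmatch(pattern, value))
```

Feeding a constructed event such as a file created under the telemetry path with "curl" in its name returns True, while the same filename outside that path returns False because all conditions of a selection are AND-ed.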

The next set of updates is part of the first batch aiming to refactor LOLBIN-based rules (unified filename convention, enhanced metadata and updated logic).

title: C# IL Code Compilation Via Ilasm.EXE
id: 850d55f9-6eeb-4492-ad69-a72338f65ba4
status: test
description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
    - https://www.echotrail.io/insights/search/ilasm.exe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/07
modified: 2022/05/16
tags:
    - attack.defense_evasion
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\ilasm.exe'
        - OriginalFileName: 'ilasm.exe'
    selection_cli:
        CommandLine|contains:
            - ' /dll'
            - ' /exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

Check the full release changelog for a complete list of updates.

Fixes

This release includes a couple of false positive fixes and tuning of older rules to enhance their quality.

Please check the full changelog on the release page linked above for the complete list of changes and additions.

Contributors

This release was possible thanks to the many Sigma community contributors. A big thanks goes to the following people.

SigmaHQ Rules Release Highlights — r2024–04–29 was originally published in Sigma_HQ on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: SigmaHQ Rules Release Highlights — r2024–04–29 | by Nasreddine Bencherchali | Apr, 2024 | Sigma_HQ