feat: more updates

nasbench · nasbench · commit 247ea1c1a6df · 2024-03-13T13:31:34.000+01:00
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
@@ -6,6 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/04/05
+modified: 2024/03/13
 tags:
     - attack.exfiltration
     - cve.2023.23397
@@ -23,27 +24,12 @@ detection:
             - 30806 # The client re-established its session to the server.
             # - 31001 # Error (Doesn't contain the "ServerAddress" field)
     filter_main_local_ips:
-        ServerAddress|startswith:
-            - '10.' # 10.0.0.0/8
-            - '192.168.' # 192.168.0.0/16
-            - '172.16.' # 172.16.0.0/12
-            - '172.17.'
-            - '172.18.'
-            - '172.19.'
-            - '172.20.'
-            - '172.21.'
-            - '172.22.'
-            - '172.23.'
-            - '172.24.'
-            - '172.25.'
-            - '172.26.'
-            - '172.27.'
-            - '172.28.'
-            - '172.29.'
-            - '172.30.'
-            - '172.31.'
-            - '127.' # 127.0.0.0/8
-            - '169.254.' # 169.254.0.0/16
+        ServerAddress|cidr:
+            - '10.0.0.0/8'
+            - '127.0.0.0/8'
+            - '169.254.0.0/16'
+            - '172.16.0.0/12'
+            - '192.168.0.0/16'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Some false positives may occur from external trusted servers. Apply additional filters accordingly
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
@@ -9,7 +9,7 @@ references:
     - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 author: Florian Roth (Nextron Systems)
 date: 2017/03/13
-modified: 2023/09/07
+modified: 2024/03/13
 tags:
     - attack.execution
     - attack.t1059.001
@@ -23,55 +23,23 @@ detection:
             - '\powershell.exe'
             - '\pwsh.exe'
         Initiated: 'true'
-    filter_main_local_ipv4:
-        DestinationIp|startswith:
-            - '10.'
-            - '192.168.'
-            - '172.16.'
-            - '172.17.'
-            - '172.18.'
-            - '172.19.'
-            - '172.20.'
-            - '172.21.'
-            - '172.22.'
-            - '172.23.'
-            - '172.24.'
-            - '172.25.'
-            - '172.26.'
-            - '172.27.'
-            - '172.28.'
-            - '172.29.'
-            - '172.30.'
-            - '172.31.'
-            - '127.0.0.1'
+    filter_main_local_ip:
+        DestinationIp|cidr:
+            - '127.0.0.0/8'
+            - '10.0.0.0/8'
+            - '169.254.0.0/16'  # link-local address
+            - '172.16.0.0/12'
+            - '192.168.0.0/16'
+            - '::1/128'  # IPv6 loopback
+            - 'fe80::/10'  # IPv6 link-local addresses
+            - 'fc00::/7'  # IPv6 private addresses
         User|contains: # covers many language settings
             - 'AUTHORI'
             - 'AUTORI'
-    filter_main_local_ipv6:
-        DestinationIp|startswith:
-            - '::1'  # IPv6 loopback variant
-            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
-            - 'fe80:'  # link-local address
-            - 'fc'  # private address range fc00::/7
-            - 'fd'  # private address range fc00::/7
     filter_main_msrange:
-        DestinationIp|startswith:
-            # Subnet: 20.184.0.0/13
-            - '20.184.'
-            - '20.185.'
-            - '20.186.'
-            - '20.187.'
-            - '20.188.'
-            - '20.189.'
-            - '20.190.'
-            - '20.191.'
-            - '23.79.'
-            - '51.10.'
-            # Subnet: 51.103.210.0/23
-            - '51.103.'
-            - '51.104.'
-            - '51.105.'
-            - '52.239.'
+        DestinationIp|cidr:
+            - '20.184.0.0/13'
+            - '51.103.210.0/23'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Administrative scripts
diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/17
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
-modified: 2024/03/11
+modified: 2024/03/13
 tags:
     - attack.exfiltration
     - attack.t1048.003
@@ -19,9 +19,11 @@ detection:
         method: 'PUT'
     filter:
         id.resp_h|cidr:
-            - 10.0.0.0/8
-            - 172.16.0.0/12
-            - 192.168.0.0/16
+            - '10.0.0.0/8'
+            - '127.0.0.0/8'
+            - '172.16.0.0/12'
+            - '192.168.0.0/16'
+            - '169.254.0.0/16'
     condition: selection and not filter
 falsepositives:
     - Unknown
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -7,7 +7,7 @@ references:
     - https://attack.mitre.org/techniques/T1021/001/
 author: Josh Brower @DefensiveDepth
 date: 2020/08/22
-modified: 2024/03/11
+modified: 2024/03/13
 tags:
     - attack.lateral_movement
     - attack.t1021.001
@@ -22,6 +22,7 @@ detection:
             - '127.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '2620:83:8000::/48'
             - 'fc00::/7'  # IPv6 private addresses
             - 'fe80::/10'  # IPv6 link-local addresses
diff --git a/rules/web/proxy_generic/proxy_webdav_search_ms.yml b/rules/web/proxy_generic/proxy_webdav_search_ms.yml
@@ -7,7 +7,7 @@ references:
     - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
 author: Micah Babinski
 date: 2023/08/21
-modified: 2023/08/25
+modified: 2024/03/13
 tags:
     - attack.initial_access
     - attack.t1584
@@ -33,6 +33,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
@@ -9,7 +9,7 @@ references:
     - https://corelight.com/blog/detecting-cve-2021-42292
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
 date: 2021/11/10
-modified: 2024/03/12
+modified: 2024/03/13
 tags:
     - attack.execution
     - attack.t1203
@@ -30,6 +30,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -6,7 +6,7 @@ references:
     - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth (Nextron Systems)
 date: 2017/11/04
-modified: 2024/03/11
+modified: 2024/03/13
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -24,6 +24,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_script_wan.yml b/rules/windows/network_connection/net_connection_win_script_wan.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022/08/28
-modified: 2024/03/12
+modified: 2024/03/13
 tags:
     - attack.command_and_control
     - attack.t1105
@@ -25,6 +25,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml b/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
@@ -10,7 +10,7 @@ references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
 date: 2017/03/19
-modified: 2024/03/11
+modified: 2024/03/12
 tags:
     - attack.persistence
     - attack.command_and_control
@@ -80,6 +80,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml b/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
@@ -9,7 +9,7 @@ references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
 date: 2017/03/19
-modified: 2024/03/11
+modified: 2024/03/12
 tags:
     - attack.persistence
     - attack.command_and_control
@@ -29,6 +29,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -6,7 +6,7 @@ references:
     - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
 date: 2022/04/28
-modified: 2024/03/11
+modified: 2024/03/12
 tags:
     - attack.t1055
     - attack.t1218
@@ -24,6 +24,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
@@ -6,7 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
 date: 2023/04/28
-modified: 2024/03/11
+modified: 2024/03/12
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -25,6 +25,7 @@ detection:
             - '10.0.0.0/8'
             - '172.16.0.0/12'
             - '192.168.0.0/16'
+            - '169.254.0.0/16'
             - '::1/128'  # IPv6 loopback
             - 'fe80::/10'  # IPv6 link-local addresses
             - 'fc00::/7'  # IPv6 private addresses
