Merge branch 'master' into EDRSilencer

README.md

@@ -93,6 +93,7 @@ If you find a false positive or would like to propose a new detection rule idea
 * [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM
 * [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma Rules integrated in AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps
 * [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018)
+* [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma Rules](https://attackrulemap.com/)
 * [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules
 * [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation)
 * [Impede Detection Platform](https://impede.ai/)

rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml

@@ -1,6 +1,6 @@
 title: Exploitation Indicator Of CVE-2022-42475
 id: 293ccb8c-bed8-4868-8296-bef30e303b7e
-status: experimental
+status: test
 description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
 references:
     - https://www.fortiguard.com/psirt/FG-IR-22-398

rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml

@@ -1,6 +1,6 @@
 title: Qakbot Regsvr32 Calc Pattern
 id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
-status: experimental
+status: test
 description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
 references:
     - https://github.com/pr0xylife/Qakbot/

rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml

@@ -3,7 +3,7 @@ id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
 related:
     - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
       type: similar
-status: experimental
+status: test
 description: |
     This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
 references:

rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml

@@ -3,7 +3,7 @@ id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
 related:
     - id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
       type: similar
-status: experimental
+status: test
 description: |
     This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
     This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml

@@ -3,7 +3,7 @@ id: 1a821580-588b-4323-9422-660f7e131020
 related:
     - id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
       type: similar
-status: experimental
+status: test
 description: |
     Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
     This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml

@@ -1,6 +1,6 @@
 title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
 id: d27eabad-9068-401a-b0d6-9eac744d6e67
-status: experimental
+status: test
 description: |
     Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
 references:

rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml

@@ -3,7 +3,7 @@ id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
 related:
     - id: 1a821580-588b-4323-9422-660f7e131020
       type: similar
-status: experimental
+status: test
 description: |
     This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
     This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml

@@ -0,0 +1,33 @@
+title: CVE-2024-50623 Exploitation Attempt - Cleo
+id: f007b877-02e3-45b7-8501-1b78c2864029
+status: experimental
+description: |
+    Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+references:
+    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+date: 2024-12-09
+tags:
+    - attack.execution
+    - attack.t1190
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\javaw.exe'
+        ParentCommandLine|contains:
+            - 'Harmony'
+            - 'lexicom'
+            - 'VersaLex'
+            - 'VLTrader'
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains:
+            - 'powershell'
+            - ' -enc '
+            - ' -EncodedCommand'
+            - '.Download'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml

@@ -0,0 +1,34 @@
+title: File Creation Related To RAT Clients
+id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
+status: experimental
+description: |
+    File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+references:
+    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
+    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-12-19
+tags:
+    - attack.execution
+logsource:
+    category: file_event
+    product: windows
+detection:
+    # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
+    # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
+    selection_required:
+        TargetFilename|contains: '\AppData\Roaming\'
+    selection_variants:
+        TargetFilename|contains:
+            - '\mydata\'
+            - '\datalogs\'
+            - '\hvnc\'
+            - '\dcrat\'
+        TargetFilename|endswith:
+            - '\datalogs.conf'
+            - '\hvnc.conf'
+            - '\dcrat.conf'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate software creating a file with the same name
+level: high

rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml

@@ -0,0 +1,31 @@
+title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
+id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
+status: experimental
+description: |
+    Detects the execution of more.com and vbc.exe in the process tree.
+    This behavior was observed by a set of samples related to Lummac Stealer.
+    The Lummac payload is injected into the vbc.exe process.
+references:
+    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
+    - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
+    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
+    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-12-19
+tags:
+    - attack.defense-evasion
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
+    selection_parent:
+        ParentImage|endswith: '\more.com'
+    selection_child:
+        - Image|endswith: '\vbc.exe'
+        - OriginalFileName: 'vbc.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml

@@ -1,6 +1,6 @@
 title: Potential Raspberry Robin CPL Execution Activity
 id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
-status: experimental
+status: test
 description: |
     Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
     This behavior was observed in multiple Raspberry-Robin variants.

rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml

@@ -1,6 +1,6 @@
 title: DPRK Threat Actor - C2 Communication DNS Indicators
 id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
-status: experimental
+status: test
 description: Detects DNS queries for C2 domains used by DPRK Threat actors.
 references:
     - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2

rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml

@@ -1,6 +1,6 @@
 title: ScreenConnect - SlashAndGrab Exploitation Indicators
 id: 05164d17-8e11-4d7d-973e-9e4962436b87
-status: experimental
+status: test
 description: |
     Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
 references:

rules/linux/process_creation/proc_creation_lnx_kill_process.yml → rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml

@@ -5,21 +5,25 @@ description: Detects usage of command line tools such as "kill", "pkill" or "kil
 references:
     - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
     - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+    - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
 author: Tuan Le (NCSGroup)
 date: 2023-03-16
+modified: 2024-12-12
 tags:
     - attack.defense-evasion
     - attack.t1562
+    - detection.threat-hunting
 logsource:
     product: linux
     category: process_creation
 detection:
     selection:
         Image|endswith:
             - '/kill'
-            - '/pkill'
             - '/killall'
+            - '/pkill'
+            - '/xkill'
     condition: selection
 falsepositives:
-    - Likely
-level: low
+    - Unknown
+level: medium

rules/linux/process_creation/proc_creation_lnx_process_discovery.yml → rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml

@@ -6,21 +6,27 @@ description: |
   Information obtained could be used to gain an understanding of common software/applications running on systems within the network
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
-author: Ömer Günal, oscd.community
+    - https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
+author: Ömer Günal, oscd.community, CheraaghiMilad
 date: 2020-10-06
 modified: 2022-07-07
 tags:
     - attack.discovery
     - attack.t1057
+    - detection.threat-hunting
 logsource:
     product: linux
     category: process_creation
 detection:
     selection:
         Image|endswith:
+            - '/atop'
+            - '/htop'
+            - '/pgrep'
             - '/ps'
+            - '/pstree'
             - '/top'
     condition: selection
 falsepositives:
     - Legitimate administration activities
-level: informational
+level: low

rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml

@@ -0,0 +1,29 @@
+title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+status: test
+description: |
+    Detects powershell execution with that make use of to the bxor (Bitwise XOR).
+    Attackers might use as an alternative obfuscation method to Base64 encoded commands.
+    Investigate the CommandLine and process tree to determine if the activity is malicious.
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
+author: Teymur Kheirkhabarov, Harish Segar
+date: 2020-06-29
+modified: 2024-12-11
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: ps_classic_start
+detection:
+    selection:
+        Data|contains|all:
+            - 'HostName=ConsoleHost'
+            - ' -bxor '
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml

@@ -5,7 +5,7 @@ related:
       type: derived
     - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
       type: derived
-status: experimental
+status: test
 description: |
     Detects remote binary or command execution via the ScreenConnect Service.
     Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect

rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml

@@ -1,6 +1,6 @@
 title: Shell Context Menu Command Tampering
 id: 868df2d1-0939-4562-83a7-27408c4a1ada
-status: experimental
+status: test
 description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
 references:
     - https://mrd0x.com/sentinelone-persistence-via-menu-context/

rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml

@@ -1,6 +1,6 @@
 title: AWS Console GetSigninToken Potential Abuse
 id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
-status: experimental
+status: test
 description: |
     Detects potentially suspicious events involving "GetSigninToken".
     An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml

@@ -0,0 +1,28 @@
+title: AWS SAML Provider Deletion Activity
+id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
+status: experimental
+description: |
+    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
+    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
+references:
+    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+    - attack.t1078.004
+    - attack.privilege-escalation
+    - attack.t1531
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'iam.amazonaws.com'
+        eventName: 'DeleteSAMLProvider'
+        status: 'success'
+    condition: selection
+falsepositives:
+    - Automated processes using tools like Terraform may trigger this alert.
+    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
+    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
+level: medium

rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml

@@ -0,0 +1,27 @@
+title: AWS Key Pair Import Activity
+id: 92f84194-8d9a-4ee0-8699-c30bfac59780
+status: experimental
+description: |
+    Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
+references:
+    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+    - attack.initial-access
+    - attack.t1078
+    - attack.persistence
+    - attack.privilege-escalation
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'ec2.amazonaws.com'
+        eventName: 'ImportKeyPair'
+    condition: selection
+falsepositives:
+    - Legitimate administrative actions by authorized users importing keys for valid purposes.
+    - Automated processes for infrastructure setup may trigger this alert.
+    - Verify the user identity, user agent, and source IP address to ensure they are expected.
+level: medium

rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml

@@ -0,0 +1,27 @@
+title: New AWS Lambda Function URL Configuration Created
+id: ec541962-c05a-4420-b9ea-84de072d18f4
+status: experimental
+description: |
+    Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
+    This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
+references:
+    - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
+    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc
+    - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+    - attack.initial-access
+    - attack.privilege-escalation
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: lambda.amazonaws.com
+        eventName: 'CreateFunctionUrlConfig'
+    condition: selection
+falsepositives:
+    - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml

@@ -1,6 +1,6 @@
 title: Bitbucket Full Data Export Triggered
 id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
-status: experimental
+status: test
 description: Detects when full data export is attempted.
 references:
     - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html