Merge branch 'master' of github.com:quantum-sec/sigma into quantum-merge-upstream
lukiffer committed Nov 20, 2021
2 parents 5b745a6 + ed4e771 commit 76d4e78
Showing 217 changed files with 712 additions and 134 deletions.
25 changes: 25 additions & 0 deletions rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
author: 'Pawel Mazur'
status: experimental
date: 2021/11/18
references:
- https://attack.mitre.org/tactics/TA0010/
- https://linux.die.net/man/1/wget
- https://gtfobins.github.io/gtfobins/wget/
logsource:
product: linux
service: auditd
detection:
wget:
type: EXECVE
a0: wget
a1|startswith: '--post-file='
condition: wget
tags:
- attack.exfiltration
- attack.t1048.003
falsepositives:
- legitimate usage of wget utility to post a file
level: medium
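Review bot: the `wget` selection only fires when `--post-file=` is the first argument (`a1`); an invocation that carries any option before it (`-q`, `-O`, `--no-check-certificate`) shifts the flag into `a2` or later and the rule misses it. Consider matching the option in several argument positions (`a1|startswith`, `a2|startswith`, `a3|startswith` combined with `or`) and, since `a0` is argv[0] as typed, also accepting `a0|endswith: '/wget'` so full-path invocations are covered. Minor wording: "post the file" should be "post a file", and "misconfigured sudo permission" reads better as "misconfigured sudo rule".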
1 change: 1 addition & 0 deletions rules/linux/builtin/lnx_susp_jexboss.yml
@@ -1,6 +1,7 @@
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
description: Detects suspicious command sequence that JexBoss
status: experimental
author: Florian Roth
date: 2017/08/24
references:
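Review bot: `description: Detects suspicious command sequence that JexBoss` is cut off (a verb is missing, e.g. "that JexBoss issues"); since the file is touched anyway, finish the sentence. Also, marking a rule that has been in the repository since 2017 as `status: experimental` conflicts with the Sigma status semantics (experimental means newly written and not yet validated); if the field is only being added to satisfy the required-field check, `test` or `stable` is the more accurate value for these long-standing rules.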
@@ -1,6 +1,7 @@
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
description: Detects installed new certificate
status: experimental
author: Ömer Günal, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
12 changes: 6 additions & 6 deletions rules/linux/process_creation/lnx_webshell_detection.yml
Expand Up @@ -14,12 +14,6 @@ logsource:
product: linux
category: process_creation
detection:
selection_sub_processes:
Image|endswith:
- '/whoami'
- '/ifconfig'
- '/usr/bin/ip'
- '/bin/uname'
selection_general:
ParentImage|endswith:
- '/httpd'
Expand All @@ -35,6 +29,12 @@ detection:
ParentCommandLine|contains|all:
- '/bin/java'
- 'websphere'
selection_sub_processes:
Image|endswith:
- '/whoami'
- '/ifconfig'
- '/usr/bin/ip'
- '/bin/uname'
condition: selection_sub_processes and ( selection_general or selection_tomcat )
falsepositives:
- Web applications that invoke Linux command line tools
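Review bot: the two hunks in this file only move `selection_sub_processes` below `selection_tomcat`; `condition: selection_sub_processes and ( selection_general or selection_tomcat )` is unchanged, so detection behaviour is identical. A behaviour-neutral reorder is fine, but the file stat (6 additions, 6 deletions) reads like a logic change, so it is worth saying so in the commit, and if the project's convention is to bump `modified` on any edit, that header line (not in the shown context) needs updating too.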
1 change: 1 addition & 0 deletions rules/network/net_apt_equationgroup_c2.yml
@@ -1,6 +1,7 @@
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
status: experimental
author: Florian Roth
date: 2017/04/15
references:
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -1,6 +1,7 @@
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
status: experimental
author: '@neu5ron, SOC Prime'
date: 2020/03/19
references:
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -1,6 +1,7 @@
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
status: experimental
author: '@neu5ron, SOC Prime'
date: 2020/03/19
references:
Expand Up @@ -5,6 +5,7 @@ description: |
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
status: experimental
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021/08/17
references:
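Review bot: the description context carries two copy errors worth fixing while the file is touched: "from the Source IP to." ends mid-sentence and "Logs from from the Source IP" doubles "from". The sentence "Thus usage of this function is uncommon enough that any usage ..." also restates the one before it; one of the two can go.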
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,6 +1,7 @@
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
status: experimental
author: OTR (Open Threat Research), @neu5ron
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
@@ -1,6 +1,7 @@
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
status: experimental
author: Bhabesh Raj
date: 2021/06/23
modified: 2021/08/24
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,6 +1,7 @@
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
status: experimental
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
date: 2021/08/19
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -1,6 +1,7 @@
title: Suspicious DNS Z Flag Bit Set
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
status: experimental
date: 2021/05/04
modified: 2021/05/24
references:
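Review bot: the description contains a sentence that does not belong to this rule: "Determine if multiple of these files were accessed in a short period of time ..." talks about file access, which has nothing to do with the DNS Z bit, and looks copy-pasted from the sensitive-file-extension rule in the same set. Drop it or replace it with DNS-relevant triage guidance (which resolvers or DNSSEC-enabled domains to exclude). The first sentence also needs "is a bit" and "meant to be reserved (unused)".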
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_dns_torproxy.yml
@@ -1,6 +1,7 @@
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
status: experimental
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
date: 2021/08/15
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -1,6 +1,7 @@
title: Remote Task Creation via ATSVC Named Pipe - Zeek
id: dde85b37-40cd-4a94-b00c-0b8794f956b5
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
status: experimental
author: 'Samir Bousseaden, @neu5rn'
date: 2020/04/03
references:
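Review bot: `author: 'Samir Bousseaden, @neu5rn'` misspells the handle; the other converted Zeek rules in this commit (the Impacket SecretDump, named pipe and PsExec rules below) use `@neu5ron`. Fix it so author attribution stays consistent across the set.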
@@ -1,6 +1,7 @@
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/03/19
references:
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -1,6 +1,7 @@
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
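Review bot: the description has typos that should go in the same touch: "namped pipes" should be "named pipes" and "notify" should be "notifies"; the run-on "ones, may help to detect" reads better as "ones, which may help detect".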
1 change: 1 addition & 0 deletions rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -1,6 +1,7 @@
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
@@ -1,6 +1,7 @@
title: Suspicious Access to Sensitive File Extensions - Zeek
id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
description: Detects known sensitive file extensions via Zeek
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
1 change: 1 addition & 0 deletions rules/web/web_apache_segfault.yml
@@ -1,6 +1,7 @@
title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
description: Detects a segmentation fault error message caused by a creashing apache worker process
status: experimental
author: Florian Roth
date: 2017/02/28
modified: 2020/09/03
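Review bot: "creashing" in the description should be "crashing".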
23 changes: 23 additions & 0 deletions rules/web/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -0,0 +1,23 @@
title: Sitecore Pre-Auth RCE CVE-2021-42237
id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
status: experimental
description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
author: Florian Roth
date: 2021/11/17
references:
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
c-uri|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
sc-status: 200
condition: selection
falsepositives:
- Vulnerability Scanning/Pentesting
level: high
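Review bot: the selection requires `sc-status: 200`, but the description says the rule detects exploitation attempts; a failed or blocked attempt (4xx/5xx, or a WAF response) is dropped by that filter. Either state in the description that only successful-looking requests are matched and why 200 is the expected response for this endpoint, or drop the status condition and reserve `level: high` for the 200 case in a second rule. A `falsepositives` entry should also say whether `Report.ashx` is reached by legitimate authenticated use, since "Vulnerability Scanning/Pentesting" alone does not tell an analyst what benign traffic looks like.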
@@ -1,5 +1,6 @@
title: Fortinet CVE-2018-13379 Exploitation
description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
status: experimental
id: a2e97350-4285-43f2-a63f-d0daff291738
references:
- https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
1 change: 1 addition & 0 deletions rules/web/web_nginx_core_dump.yml
@@ -1,6 +1,7 @@
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
status: experimental
author: Florian Roth
date: 2021/05/31
references:
@@ -1,6 +1,7 @@
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
status: experimental
tags:
- attack.persistence
- attack.t1098
1 change: 1 addition & 0 deletions rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -1,6 +1,7 @@
title: Active Directory User Backdoors
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
status: experimental
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
1 change: 1 addition & 0 deletions rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,7 @@
title: Weak Encryption Enabled and Kerberoast
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
status: experimental
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
1 change: 1 addition & 0 deletions rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -1,6 +1,7 @@
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
status: experimental
author: Florian Roth
date: 2017/01/10
modified: 2021/08/26
1 change: 1 addition & 0 deletions rules/windows/builtin/win_alert_ruler.yml
@@ -1,6 +1,7 @@
title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
description: This events that are generated when using the hacktool Ruler by Sensepost
status: experimental
author: Florian Roth
date: 2017/05/31
modified: 2021/08/09
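Review bot: `description: This events that are generated when using the hacktool Ruler by Sensepost` is ungrammatical; "Detects events generated when the Sensepost hacktool Ruler is used" says the same thing.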
1 change: 1 addition & 0 deletions rules/windows/builtin/win_apt_carbonpaper_turla.yml
@@ -1,6 +1,7 @@
title: Turla Service Install
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
status: experimental
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
tags:
1 change: 1 addition & 0 deletions rules/windows/builtin/win_apt_chafer_mar18_security.yml
Expand Up @@ -4,6 +4,7 @@ related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
1 change: 1 addition & 0 deletions rules/windows/builtin/win_apt_chafer_mar18_system.yml
@@ -1,6 +1,7 @@
title: Chafer Activity
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
1 change: 1 addition & 0 deletions rules/windows/builtin/win_apt_gallium.yml
Expand Up @@ -14,6 +14,7 @@ references:
tags:
- attack.credential_access
- attack.command_and_control
- attack.t1071
logsource:
product: windows
service: dns-server
2 changes: 2 additions & 0 deletions rules/windows/builtin/win_apt_slingshot.yml
Expand Up @@ -4,13 +4,15 @@ related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
status: experimental
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
tags:
- attack.persistence
- attack.t1053
- attack.s0111
logsource:
product: windows
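Review bot: `modified: 2021/09/19` is left unchanged although the hunk adds content (`status` and the `attack.s0111` tag); bump it to the commit date, as `win_av_relevant_match.yml` does elsewhere in this same commit, so consumers that diff on `modified` pick up the change.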
1 change: 1 addition & 0 deletions rules/windows/builtin/win_apt_stonedrill.yml
@@ -1,6 +1,7 @@
title: StoneDrill Service Install
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
status: experimental
author: Florian Roth
date: 2017/03/07
references:
1 change: 1 addition & 0 deletions rules/windows/builtin/win_apt_turla_service_png.yml
@@ -1,6 +1,7 @@
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
status: experimental
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
author: Florian Roth
@@ -1,6 +1,7 @@
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
status: experimental
author: Sreeman
date: 2020/03/13
modified: 2021/08/09
1 change: 1 addition & 0 deletions rules/windows/builtin/win_atsvc_task.yml
@@ -1,6 +1,7 @@
title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
status: experimental
author: Samir Bousseaden
date: 2019/04/03
references:
4 changes: 3 additions & 1 deletion rules/windows/builtin/win_av_relevant_match.yml
@@ -1,9 +1,10 @@
title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
status: experimental
author: Florian Roth
date: 2017/02/19
modified: 2021/07/28
modified: 2021/11/20
logsource:
product: windows
service: application
Expand Down Expand Up @@ -32,6 +33,7 @@ detection:
filter:
- "Keygen"
- "Crack"
- "wincredui"
condition: keywords and not filter
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
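Review bot: the new `filter` entry `"wincredui"` is a bare substring applied to every AV event, so any detection name or file path containing it is suppressed regardless of severity. Document the reason in `falsepositives` (the list currently only explains the piracy-tool exclusions) and consider narrowing the string to the specific detection name or path it is meant to exclude.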
@@ -1,6 +1,7 @@
title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
status: experimental
author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
1 change: 1 addition & 0 deletions rules/windows/builtin/win_disable_event_logging.yml
@@ -1,6 +1,7 @@
title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
status: experimental
references:
- https://bit.ly/WinLogsZero2Hero
tags:
Expand Up @@ -12,6 +12,7 @@ date: 2021/06/30
modified: 2021/07/08
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
logsource:
product: windows
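Review bot: `modified: 2021/07/08` is left unchanged although a tag (`attack.t1569`) is added; bump it with the content change. The same check applies to the second CVE-2021-1675 rule below if it carries a `modified` field.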
Expand Up @@ -9,6 +9,7 @@ references:
date: 2021/07/01
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
logsource:
product: windows