Skip to content

Commit

Permalink
Merge PR #4993 from @nasbench - Fix Issues
Browse files Browse the repository at this point in the history
new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79`
remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need of correlation.
remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`.
update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature FPs
update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as its meant as an enrichment rule.
  • Loading branch information
nasbench authored Sep 2, 2024
1 parent bd284a9 commit b86a494
Show file tree
Hide file tree
Showing 7 changed files with 95 additions and 24 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
id: 045b5f9c-49f7-4419-a236-9854fb3c827a
status: test
status: unsupported # This rule requires correlations. See /~https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png
description: |
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.
Expand All @@ -10,7 +10,7 @@ references:
- /~https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-09-17
modified: 2022-11-26
modified: 2024-09-02
tags:
- attack.privilege-escalation
- attack.initial-access
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
title: Potential Persistence Via COM Hijacking From Suspicious Locations
id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
related:
- id: 790317c0-0a36-4a6a-a105-6e576bf99a14
type: derived
status: deprecated
description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
references:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
title: Potential Persistence Via COM Search Order Hijacking
id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
status: test
related:
- id: 790317c0-0a36-4a6a-a105-6e576bf99a14
type: derived
status: deprecated
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020-04-14
modified: 2023-09-28
modified: 2024-09-02
tags:
- attack.persistence
- attack.t1546.015
Expand Down
Original file line number Diff line number Diff line change
@@ -1,15 +1,18 @@
title: Remote WMI ActiveScriptEventConsumers
title: Potential Remote WMI ActiveScriptEventConsumers Activity
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
description: |
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
references:
- https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2021-11-27
modified: 2024-09-02
tags:
- attack.lateral-movement
- attack.privilege-escalation
- detection.threat-hunting
- attack.persistence
- attack.t1546.003
logsource:
Expand All @@ -20,9 +23,9 @@ detection:
EventID: 4624
LogonType: 3
ProcessName|endswith: 'scrcons.exe'
filter:
TargetLogonId: '0x3e7'
condition: selection and not filter
filter_main_local_system:
TargetLogonId: '0x3e7' # Local System
condition: selection and not 1 of filter_main_*
falsepositives:
- SCCM
level: high
level: medium
Original file line number Diff line number Diff line change
@@ -1,44 +1,45 @@
title: Potential Commandline Obfuscation Using Unicode Characters
title: Potential CommandLine Obfuscation Using Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
related:
- id: 584bca0f-3608-4402-80fd-4075ff6072e3
type: similar
- id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
type: obsolete
status: test
description: |
Detects potential commandline obfuscation using unicode characters.
Detects potential CommandLine obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- /~https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems)
date: 2022-01-15
modified: 2024-07-22
modified: 2024-09-02
tags:
- attack.defense-evasion
- attack.t1027
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_spacing_modifiers:
CommandLine|contains: # spacing modifier letters that get auto-replaced
selection:
CommandLine|contains:
# spacing modifier letters that get auto-replaced
- 'ˣ' # 0x02E3
- '˪' # 0x02EA
- 'ˢ' # 0x02E2
selection_unicode_slashes: # forward slash alternatives
CommandLine|contains:
# Forward slash alternatives
- '' # 0x22FF
- '' # 0x206F
selection_unicode_hyphens: # hyphen alternatives
CommandLine|contains:
# Hyphen alternatives
- '' # 0x2015
- '' # 0x2014
selection_other:
CommandLine|contains:
# Other
- '¯'
- '®'
- ''
condition: 1 of selection_*
condition: selection
falsepositives:
- Unknown
level: high
level: medium
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
id: 584bca0f-3608-4402-80fd-4075ff6072e3
related:
- id: e0552b19-5a83-4222-b141-b36184bb8d79
type: similar
- id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
type: obsolete
status: test
description: |
Detects potential commandline obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- /~https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems), Josh Nickels
date: 2024-09-02
tags:
- attack.defense-evasion
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
OriginalFileName:
- 'Cmd.EXE'
- 'cscript.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wscript.exe'
selection_special_chars:
CommandLine|contains:
# spacing modifier letters that get auto-replaced
- 'ˣ' # 0x02E3
- '˪' # 0x02EA
- 'ˢ' # 0x02E2
# Forward slash alternatives
- '' # 0x22FF
- '' # 0x206F
# Hyphen alternatives
- '' # 0x2015
- '' # 0x2014
# Other
- '¯'
- '®'
- ''
condition: all of selection_*
falsepositives:
- Unknown
level: high
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
- id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
type: obsolete
- id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
Expand Down

0 comments on commit b86a494

Please sign in to comment.