From 2cc01b01132b5c304027a658c698ae09dd6a92bf Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 19 Apr 2024 19:53:37 +0200
Subject: [PATCH] Add Detection Sigma ref (#368)

---
 yml/OSBinaries/Tar.yml            | 2 ++
 yml/OSBinaries/msedge_proxy.yml   | 2 ++
 yml/OSBinaries/msedgewebview2.yml | 1 +
 yml/OSLibraries/Scrobj.yml        | 1 +
 yml/OSLibraries/Shimgvw.yml       | 1 +
 5 files changed, 7 insertions(+)

diff --git a/yml/OSBinaries/Tar.yml b/yml/OSBinaries/Tar.yml
index 5a35631..4165dfb 100644
--- a/yml/OSBinaries/Tar.yml
+++ b/yml/OSBinaries/Tar.yml
@@ -35,6 +35,8 @@ Full_Path:
   - Path: C:\Windows\System32\tar.exe
   - Path: C:\Windows\SysWOW64\tar.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_compression.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
   - IOC: tar.exe extracting files from a remote host within the environment
   - IOC: Abnormal processes spawning tar.exe
   - IOC: tar.exe interacting with alternate data streams (ADS)
diff --git a/yml/OSBinaries/msedge_proxy.yml b/yml/OSBinaries/msedge_proxy.yml
index 3c0c04e..a8c118e 100644
--- a/yml/OSBinaries/msedge_proxy.yml
+++ b/yml/OSBinaries/msedge_proxy.yml
@@ -27,6 +27,8 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 10, Windows 11
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
 Acknowledgement:
   - Person: Mert Daş
     Handle: '@merterpreter'
diff --git a/yml/OSBinaries/msedgewebview2.yml b/yml/OSBinaries/msedgewebview2.yml
index 0a3c561..e693858 100644
--- a/yml/OSBinaries/msedgewebview2.yml
+++ b/yml/OSBinaries/msedgewebview2.yml
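Review bot: The newly added `Detection:` block in msedge_proxy.yml holds only the commit-pinned Sigma URL and no `IOC` entry, so unlike msedgewebview2.yml in the same patch the entry gives an analyst nothing actionable without leaving the file. The referenced rule's name (`..._susp_electron_execution_proxy`) suggests it keys on Chromium/Electron command-line switches; if the commands listed under `Commands:` (the list starts before this hunk) rely on those switches, add a companion line such as `  - IOC: msedge_proxy.exe spawned with --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix or --browser-subprocess-path` — after confirming the switch names against the actual commands rather than inferring them from the rule title. Pinning to commit e1a713d keeps the link from breaking when SigmaHQ moves rules between directories, which is the right call; just be aware the pinned copy will not pick up later tuning of the rule.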
@@ -35,6 +35,7 @@ Commands:
 Full_Path:
   - Path: C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
   - IOC: 'msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path'
 Resources:
   - Link: https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
diff --git a/yml/OSLibraries/Scrobj.yml b/yml/OSLibraries/Scrobj.yml
index 6b94a49..405546f 100644
--- a/yml/OSLibraries/Scrobj.yml
+++ b/yml/OSLibraries/Scrobj.yml
@@ -17,6 +17,7 @@ Full_Path:
   - Path: c:\windows\system32\scrobj.dll
   - Path: c:\windows\syswow64\scrobj.dll
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
   - IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line
 Resources:
   - Link: https://twitter.com/eral4m/status/1479106975967240209
diff --git a/yml/OSLibraries/Shimgvw.yml b/yml/OSLibraries/Shimgvw.yml
index 1f58d66..257816c 100644
--- a/yml/OSLibraries/Shimgvw.yml
+++ b/yml/OSLibraries/Shimgvw.yml
@@ -17,6 +17,7 @@ Full_Path:
   - Path: c:\windows\system32\shimgvw.dll
   - Path: c:\windows\syswow64\shimgvw.dll
 Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/e1a713d264ac072bb76b5c4e5f41315a015d3f41/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
   - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line
 Resources:
   - Link: https://twitter.com/eral4m/status/1479080793003671557
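Review bot: The Sigma reference added to Scrobj.yml points at the broad `proc_creation_win_rundll32_susp_activity.yml` rule, while the IOC directly beneath it is specific to `scrobj.dll` being invoked with `GenerateTypeLib` and a `://` handler; the two are not obviously the same coverage. Before merging, confirm that the rule at the pinned revision contains a selection matching the `scrobj.dll,GenerateTypeLib` + protocol-handler pattern rather than only generic rundll32 heuristics — the commit pin freezes whatever the rule covered at e1a713d, so a later upstream addition would not be reflected here. If the pinned rule does not match this export specifically, either reference a more targeted rule or keep the existing IOC as the primary signal and note that the Sigma link is a broader companion, e.g. `  - IOC: ... (covered only generically by the linked rundll32 rule)`.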
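Review bot: Shimgvw.yml receives the same generic rundll32 rule link as Scrobj.yml, but its IOC keys on a different export (`ImageView_Fullscreen`), so the check is worth doing separately: verify that the pinned revision of `proc_creation_win_rundll32_susp_activity.yml` has a selection for `shimgvw.dll` with `ImageView_Fullscreen` and a `://` argument, not just the scrobj case. Because the URL is frozen at commit e1a713d, any export added to the rule after that date will not be visible to readers following this link. If coverage for this export is absent at that revision, keep the IOC as the authoritative detection hint and consider wording the entry so the gap is explicit, for example `  - IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line (not specifically matched by the linked Sigma rule)`.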