
Multiple ambiguous event references in Windows rules

Open b1t-hunter opened this issue 4 years ago • 0 comments

There are multiple rules that have event references with multiple possible matches. I have found the current cases in the repository:

win_susp_sam_dump.yml

Event 16 in the system channel has at least 18 possible events that match the criteria; additionally specifying the Provider_Name would solve the issue.

Current detection:

detection:
  selection:
    EventID: 16
  keywords:
    - '\AppData\Local\Temp\SAM-'
    - '.dmp'
  condition: selection and all of keywords

Proposed detection:

detection:
  selection:
    Provider_Name: Microsoft-Windows-Kernel-General
    EventID: 16
  keywords:
    - '\AppData\Local\Temp\SAM-'
    - '.dmp'
  condition: selection and all of keywords

win_quarkspwdump_clearing_hive_access_history.yml

Event 16 in the system channel has at least 18 possible events that match the criteria; additionally specifying the Provider_Name would solve the issue.

Current detection:

detection:
  selection:
    EventID: 16
    HiveName|contains: '\AppData\Local\Temp\SAM'
    HiveName|endswith: '.dmp'
  condition: selection

Proposed detection:

detection:
  selection:
    EventID: 16
    Provider_Name: Microsoft-Windows-Kernel-General
    HiveName|contains: '\AppData\Local\Temp\SAM'
    HiveName|endswith: '.dmp'
  condition: selection

win_arbitrary_shell_execution_via_settingcontent.yml

There is no event code or provider given, resulting in a large number of tested events. Also, the fields FilePath and CommandLine do not exist in the same event. It would be more efficient and clearer if this rule could reference a specific event, i.e., 4688.

Current detection:

detection:
    selection:
        CommandLine|contains: '.SettingContent-ms'
    filter:
        FilePath|contains: 'immersivecontrolpanel'
    condition: selection and not filter

Proposed detection:

detection:
    selection:
        EventID: 4688
        CommandLine|contains: '.SettingContent-ms'
    filter:
        NewProcessName|contains: 'immersivecontrolpanel'
    condition: selection and not filter

win_asr_bypass_via_appvlp_re.yml

There is no event code or provider given, resulting in a large number of tested events. It would be more efficient and clearer if this rule could reference a specific event, i.e., 4688.

Current detection:

detection:
    selection_1:
        CommandLine|contains: 'appvlp.exe'
    selection_2:
        CommandLine|contains:
            - 'cmd.exe'
            - 'powershell.exe'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
    condition: all of selection_*

Proposed detection:

detection:
    selection_eventid:
        EventID: 4688
    selection_1:
        CommandLine|contains: 'appvlp.exe'
    selection_2:
        CommandLine|contains:
            - 'cmd.exe'
            - 'powershell.exe'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
    condition: all of selection_*

b1t-hunter, Apr 14 '22 14:04
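To make the ambiguity described in the issue concrete, the following is an added example (not part of the issue, and not the Sigma project's own tooling such as pySigma or sigma-cli). It is a deliberately small Sigma-like evaluator that runs the "current" and "proposed" detections for win_susp_sam_dump.yml and win_arbitrary_shell_execution_via_settingcontent.yml over five constructed Windows events. The events, the second provider's name (Constructed-Backup-Provider) and the file paths are made up for the demonstration; the rule bodies are transcribed from the issue.

```python
"""Constructed demonstration of why an EventID without a Provider_Name (or a
rule with no EventID at all) is ambiguous. Added example code, not Sigma's
own evaluator; the events below are made up."""
import fnmatch


def _field_match(event, key, wanted):
    """Evaluate one 'Field|modifier: value' pair; a list of values is OR'd.
    Sigma matching is case-insensitive, so both sides are lowercased."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:  # field not present in this event type -> no match
        return False
    actual = str(actual).lower()
    for v in (wanted if isinstance(wanted, list) else [wanted]):
        v = str(v).lower()
        if (modifier == "contains" and v in actual) or \
           (modifier == "endswith" and actual.endswith(v)) or \
           (modifier == "" and actual == v):
            return True
    return False


def _selection_match(event, sel, require_all=False):
    """A mapping ANDs its field pairs. A bare list is a keyword list matched
    against every field value: OR normally, AND when reached via 'all of'."""
    if isinstance(sel, dict):
        return all(_field_match(event, k, v) for k, v in sel.items())
    blob = " ".join(str(v) for v in event.values()).lower()
    hits = [str(kw).lower() in blob for kw in sel]
    return all(hits) if require_all else any(hits)


def _term(detection, event, tokens, i):
    """Parse one condition term starting at tokens[i]; return (bool, next_i)."""
    negate = tokens[i] == "not"
    if negate:
        i += 1
    if tokens[i] == "all" and i + 1 < len(tokens) and tokens[i + 1] == "of":
        names = [n for n in detection
                 if n != "condition" and fnmatch.fnmatchcase(n, tokens[i + 2])]
        value = all(_selection_match(event, detection[n], require_all=True)
                    for n in names)
        i += 3
    else:
        value = _selection_match(event, detection[tokens[i]])
        i += 1
    return ((not value) if negate else value), i


def rule_matches(detection, event):
    """Evaluate a detection block's condition for one event. Supports the
    forms used in the issue: 'A and B', 'A and not B', 'all of X', 'all of p_*'."""
    tokens = detection["condition"].split()
    value, i = _term(detection, event, tokens, 0)
    while i < len(tokens):
        op = tokens[i]
        rhs, i = _term(detection, event, tokens, i + 1)
        value = (value and rhs) if op == "and" else (value or rhs)
    return value


def matching_events(detection, events):
    """Return the 0-based indexes of the events the detection fires on."""
    return [idx for idx, ev in enumerate(events) if rule_matches(detection, ev)]


# Rule bodies transcribed from the issue, as Python dicts instead of YAML.
SAM_DUMP_CURRENT = {
    "selection": {"EventID": 16},
    "keywords": [r"\AppData\Local\Temp\SAM-", ".dmp"],
    "condition": "selection and all of keywords",
}
SAM_DUMP_PROPOSED = {
    "selection": {"Provider_Name": "Microsoft-Windows-Kernel-General", "EventID": 16},
    "keywords": [r"\AppData\Local\Temp\SAM-", ".dmp"],
    "condition": "selection and all of keywords",
}
SETTINGCONTENT_CURRENT = {
    "selection": {"CommandLine|contains": ".SettingContent-ms"},
    "filter": {"FilePath|contains": "immersivecontrolpanel"},
    "condition": "selection and not filter",
}
SETTINGCONTENT_PROPOSED = {
    "selection": {"EventID": 4688, "CommandLine|contains": ".SettingContent-ms"},
    "filter": {"NewProcessName|contains": "immersivecontrolpanel"},
    "condition": "selection and not filter",
}

# Constructed sample events (provider name in event 1 and all paths are made up).
EVENTS = [
    # 0: the Kernel-General hive-load event the SAM-dump rules are after
    {"Channel": "System", "EventID": 16, "Provider_Name": "Microsoft-Windows-Kernel-General",
     "HiveName": r"C:\Users\alice\AppData\Local\Temp\SAM-20220414.dmp"},
    # 1: a different System-channel provider that also uses EventID 16
    {"Channel": "System", "EventID": 16, "Provider_Name": "Constructed-Backup-Provider",
     "Message": r"Copied C:\Users\alice\AppData\Local\Temp\SAM-20220414.dmp to archive"},
    # 2: Security 4688 process creation that the SettingContent rule should catch
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Readme.SettingContent-ms"'},
    # 3: benign Settings app launch; 4688 carries NewProcessName, not FilePath
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "CommandLine": r'"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" Readme.SettingContent-ms'},
    # 4: Sysmon process creation (EventID 1) carrying the same command line
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Readme.SettingContent-ms"'},
]

if __name__ == "__main__":
    for name, det in [("SAM dump, current", SAM_DUMP_CURRENT),
                      ("SAM dump, proposed", SAM_DUMP_PROPOSED),
                      ("SettingContent, current", SETTINGCONTENT_CURRENT),
                      ("SettingContent, proposed", SETTINGCONTENT_PROPOSED)]:
        print(f"{name}: fires on events {matching_events(det, EVENTS)}")
```

Running it shows the two effects the issue describes: the current SAM-dump rule fires on both EventID 16 events (indexes 0 and 1) because nothing ties the ID to a provider, while the proposed rule fires only on the Kernel-General event; and the current SettingContent rule fires on the benign Settings launch (index 3) because its filter field FilePath never exists alongside CommandLine in a 4688 event, so the filter can never exclude anything. One trade-off worth checking before adopting the narrower rule: pinning it to 4688 also stops it matching process-creation events from other sources, such as the Sysmon EventID 1 record at index 4 in this sample, so a deployment that relies on Sysmon rather than Security auditing would want a separate rule or logsource for that telemetry.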