Merge PR #4853 from @nasbench - Add some cosmetic changes and small u…

…pdates update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
SigmaHQ · May 13, 2024 · ed789f5 · ed789f5
1 parent 2837671
commit ed789f5
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 29 deletions.
diff --git a/...ation/proc_creation_win_attrib_system.yml → ...ation/proc_creation_win_attrib_system.yml b/...ation/proc_creation_win_attrib_system.yml → ...ation/proc_creation_win_attrib_system.yml
@@ -15,6 +15,7 @@ modified: 2023/03/14
 tags:
     - attack.defense_evasion
     - attack.t1564.001
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows

diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
@@ -20,13 +20,13 @@ detection:
         - OriginalFileName: 'ATTRIB.EXE'
     selection_cli:
         CommandLine|contains: ' +h '
-    filter_msiexec:
+    filter_main_msiexec:
         CommandLine|contains: '\desktop.ini '
-    filter_intel:
+    filter_optional_intel:
         ParentImage|endswith: '\cmd.exe'
         CommandLine: '+R +H +S +A \\\*.cui'
         ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
-    condition: all of selection_* and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
     - Msiexec.exe hiding desktop.ini

diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -42,11 +42,11 @@ detection:
             - '.ps1'
             - '.vbe'
             - '.vbs'
-    filter:
+    filter_optional_installer:
         CommandLine|contains|all:
             - '\Windows\TEMP\'
             - '.exe'
-    condition: all of selection* and not filter
+    condition: all of selection* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
@@ -6,6 +6,7 @@ references:
     - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
 author: frack113
 date: 2022/07/18
+modified: 2024/04/29
 tags:
     - attack.defense_evasion
     - attack.t1564.001
@@ -18,10 +19,9 @@ detection:
         - Image|endswith: '\icacls.exe'
     selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
         CommandLine|contains|all:
-            - 'C:\Users\'
             - '/deny'
             - '*S-1-1-0:'
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
-    - Legitimate use
+    - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution Of PDQDeployRunner
+title: Potentially Suspicious Execution Of PDQDeployRunner
 id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
 related:
     - id: d679950c-abb7-43a6-80fb-2a480c4fc450
@@ -9,46 +9,48 @@ references:
     - https://twitter.com/malmoeb/status/1550483085472432128
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/22
+modified: 2024/05/02
 tags:
     - attack.execution
 logsource:
     category: process_creation
     product: windows
 detection:
     selection_parent:
-        ParentImage|contains: 'PDQDeployRunner-'
-    selection_susp:
+        ParentImage|contains: '\PDQDeployRunner-'
+    selection_child:
         # Improve this section by adding other suspicious processes, commandlines or paths
         - Image|endswith:
               # If you use any of the following processes legitimately comment them out
-              - '\wscript.exe'
-              - '\cscript.exe'
-              - '\rundll32.exe'
-              - '\regsvr32.exe'
-              - '\wmic.exe'
-              - '\msiexec.exe'
-              - '\mshta.exe'
+              - '\bash.exe'
+              - '\certutil.exe'
+              - '\cmd.exe'
               - '\csc.exe'
+              - '\cscript.exe'
               - '\dllhost.exe'
-              - '\certutil.exe'
+              - '\mshta.exe'
+              - '\msiexec.exe'
+              - '\regsvr32.exe'
+              - '\rundll32.exe'
               - '\scriptrunner.exe'
-              - '\bash.exe'
+              - '\wmic.exe'
+              - '\wscript.exe'
               - '\wsl.exe'
         - Image|contains:
-              - 'C:\Users\Public\'
-              - 'C:\ProgramData\'
-              - 'C:\Windows\TEMP\'
+              - ':\ProgramData\'
+              - ':\Users\Public\'
+              - ':\Windows\TEMP\'
               - '\AppData\Local\Temp'
         - CommandLine|contains:
-              - 'iex '
-              - 'Invoke-'
-              - 'DownloadString'
-              - 'http'
+              - ' -decode '
               - ' -enc '
               - ' -encodedcommand '
-              - 'FromBase64String'
-              - ' -decode '
               - ' -w hidden'
+              - 'DownloadString'
+              - 'FromBase64String'
+              - 'http'
+              - 'iex '
+              - 'Invoke-'
     condition: all of selection_*
 falsepositives:
     - Legitimate use of the PDQDeploy tool to execute these commands