Merge PR #4738 from @nasbench - Small fixes and metadata updates

new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy remove: CobaltStrike Malformed UAs in Malleable Profiles remove: CobaltStrike Malleable (OCSP) Profile remove: CobaltStrike Malleable Amazon Browsing Traffic Profile remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile remove: iOS Implant URL Pattern update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
SigmaHQ · Feb 26, 2024 · 8af1ab8 · 8af1ab8
1 parent 49bd839
commit 8af1ab8
Show file tree

Hide file tree

Showing 32 changed files with 120 additions and 137 deletions.
diff --git a/...web/proxy_generic/proxy_cobalt_amazon.yml → deprecated/web/proxy_cobalt_amazon.yml b/...web/proxy_generic/proxy_cobalt_amazon.yml → deprecated/web/proxy_cobalt_amazon.yml
@@ -1,13 +1,13 @@
 title: CobaltStrike Malleable Amazon Browsing Traffic Profile
 id: 953b895e-5cc9-454b-b183-7f3db555452e
-status: test
+status: deprecated
 description: Detects Malleable Amazon Profile
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
     - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 author: Markus Neis
 date: 2019/11/12
-modified: 2022/07/07
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control

diff --git a/...xy_generic/proxy_cobalt_malformed_uas.yml → ...ecated/web/proxy_cobalt_malformed_uas.yml b/...xy_generic/proxy_cobalt_malformed_uas.yml → ...ecated/web/proxy_cobalt_malformed_uas.yml
@@ -1,12 +1,12 @@
 title: CobaltStrike Malformed UAs in Malleable Profiles
 id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
-status: test
+status: deprecated
 description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
 references:
     - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
 author: Florian Roth (Nextron Systems)
 date: 2021/05/06
-modified: 2022/12/25
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control

diff --git a/...s/web/proxy_generic/proxy_cobalt_ocsp.yml → deprecated/web/proxy_cobalt_ocsp.yml b/...s/web/proxy_generic/proxy_cobalt_ocsp.yml → deprecated/web/proxy_cobalt_ocsp.yml
@@ -1,12 +1,12 @@
 title: CobaltStrike Malleable (OCSP) Profile
 id: 37325383-740a-403d-b1a2-b2b4ab7992e7
-status: test
+status: deprecated
 description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
 author: Markus Neis
 date: 2019/11/12
-modified: 2021/11/27
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control

diff --git a/...b/proxy_generic/proxy_cobalt_onedrive.yml → deprecated/web/proxy_cobalt_onedrive.yml b/...b/proxy_generic/proxy_cobalt_onedrive.yml → deprecated/web/proxy_cobalt_onedrive.yml
@@ -1,12 +1,12 @@
 title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
 id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
-status: test
+status: deprecated
 description: Detects Malleable OneDrive Profile
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
 author: Markus Neis
 date: 2019/11/12
-modified: 2022/08/15
+modified: 2024/02/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control

diff --git a/...s/web/proxy_generic/proxy_ios_implant.yml → deprecated/web/proxy_ios_implant.yml b/...s/web/proxy_generic/proxy_ios_implant.yml → deprecated/web/proxy_ios_implant.yml
@@ -1,13 +1,13 @@
 title: iOS Implant URL Pattern
 id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6
-status: test
+status: deprecated # Deprecated to being related to Ios so logging will vary and its old
 description: Detects URL pattern used by iOS Implant
 references:
     - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
     - https://twitter.com/craiu/status/1167358457344925696
 author: Florian Roth (Nextron Systems)
 date: 2019/08/30
-modified: 2022/08/15
+modified: 2024/02/26
 tags:
     - attack.execution
     - attack.t1203

diff --git a/...eb/proxy_generic/proxy_chafer_malware.yml → ...afer/proxy_malware_chafer_url_pattern.yml b/...eb/proxy_generic/proxy_chafer_malware.yml → ...afer/proxy_malware_chafer_url_pattern.yml
@@ -1,12 +1,12 @@
 title: Chafer Malware URL Pattern
 id: fb502828-2db0-438e-93e6-801c7548686d
 status: test
-description: Detects HTTP requests used by Chafer malware
+description: Detects HTTP request used by Chafer malware to receive data from its C2.
 references:
     - https://securelist.com/chafer-used-remexi-malware/89538/
 author: Florian Roth (Nextron Systems)
 date: 2019/01/31
-modified: 2022/08/15
+modified: 2024/02/15
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -16,10 +16,6 @@ detection:
     selection:
         c-uri|contains: '/asp.asp\?ui='
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
     - Unknown
-level: critical
+level: high
diff --git a/...y_generic/proxy_ursnif_malware_c2_url.yml → ...re/Ursnif/proxy_malware_ursnif_c2_url.yml b/...y_generic/proxy_ursnif_malware_c2_url.yml → ...re/Ursnif/proxy_malware_ursnif_c2_url.yml
@@ -26,11 +26,6 @@ detection:
             - '.avi'
             - '/images/'
     condition: b64encoding and urlpatterns
-fields:
-    - c-ip
-    - c-uri
-    - sc-bytes
-    - c-ua
 falsepositives:
     - Unknown
 level: critical
diff --git a/...ric/proxy_ursnif_malware_download_url.yml → ...nif/proxy_malware_ursnif_download_url.yml b/...ric/proxy_ursnif_malware_download_url.yml → ...nif/proxy_malware_ursnif_download_url.yml
diff --git a/rules/web/proxy_generic/proxy_apt40.yml → ...APT40/proxy_apt_apt40_dropbox_tool_ua.yml b/rules/web/proxy_generic/proxy_apt40.yml → ...APT40/proxy_apt_apt40_dropbox_tool_ua.yml
@@ -19,9 +19,6 @@ detection:
         c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
         cs-host: 'api.dropbox.com'
     condition: selection
-fields:
-    - c-ip
-    - c-uri
 falsepositives:
     - Old browsers
 level: high
diff --git a/.../web/proxy_generic/proxy_turla_comrat.yml → ...oxy_malware_comrat_network_indicators.yml b/.../web/proxy_generic/proxy_turla_comrat.yml → ...oxy_malware_comrat_network_indicators.yml
@@ -1,12 +1,12 @@
-title: Turla ComRAT
+title: ComRAT Network Communication
 id: 7857f021-007f-4928-8b2c-7aedbe64bb82
 status: test
-description: Detects Turla ComRAT patterns
+description: Detects Turla ComRAT network communication.
 references:
     - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
 date: 2020/05/26
-modified: 2022/08/15
+modified: 2024/02/26
 tags:
     - attack.defense_evasion
     - attack.command_and_control

diff --git a/...c/proxy_exchange_owassrf_exploitation.yml → ...2_36804_exchange_owassrf_exploitation.yml b/...c/proxy_exchange_owassrf_exploitation.yml → ...2_36804_exchange_owassrf_exploitation.yml
diff --git a/...oxy_exchange_owassrf_poc_exploitation.yml → ...804_exchange_owassrf_poc_exploitation.yml b/...oxy_exchange_owassrf_poc_exploitation.yml → ...804_exchange_owassrf_poc_exploitation.yml
diff --git a/...oit/web_exchange_owassrf_exploitation.yml → ...2_36804_exchange_owassrf_exploitation.yml b/...oit/web_exchange_owassrf_exploitation.yml → ...2_36804_exchange_owassrf_exploitation.yml
diff --git a/...web_exchange_owassrf_poc_exploitation.yml → ...804_exchange_owassrf_poc_exploitation.yml b/...web_exchange_owassrf_poc_exploitation.yml → ...804_exchange_owassrf_poc_exploitation.yml
diff --git a/...oxy_generic/proxy_java_class_download.yml → ...ic/proxy_susp_class_extension_request.yml b/...oxy_generic/proxy_java_class_download.yml → ...ic/proxy_susp_class_extension_request.yml
@@ -1,14 +1,17 @@
-title: Java Class Proxy Download
+title: .Class Extension URI Ending Request
 id: 53c15703-b04c-42bb-9055-1937ddfb3392
 status: test
-description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.
+description: |
+    Detects requests to URI ending with the ".class" extension in proxy logs.
+    This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
 references:
     - https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades)
 date: 2021/12/21
-modified: 2022/12/25
+modified: 2024/02/26
 tags:
     - attack.initial_access
+    - detection.threat_hunting
 logsource:
     category: proxy
 detection:
@@ -17,4 +20,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
@@ -2,7 +2,7 @@ title: Github Delete Action Invoked
 id: 16a71777-0b2e-4db7-9888-9d59cb75200b
 status: test
 description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/19
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
@@ -22,11 +22,6 @@ detection:
             - 'project.delete'
             - 'repo.destroy'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
 falsepositives:
     - Validate the deletion activity is permitted. The "actor" field need to be validated.
 level: medium
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -2,7 +2,7 @@ title: Github High Risk Configuration Disabled
 id: 8622c92d-c00e-463c-b09d-fd06166f6794
 status: test
 description: Detects when a user disables a critical security feature for an organization.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/29
 references:
     - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
@@ -20,21 +20,11 @@ logsource:
 detection:
     selection:
         action:
+            - 'org.advanced_security_policy_selected_member_disabled'
             - 'org.disable_oauth_app_restrictions'
             - 'org.disable_two_factor_requirement'
             - 'repo.advanced_security_disabled'
-            - 'org.advanced_security_policy_selected_member_disabled'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Approved administrator/owner activities.
 level: high
diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
@@ -4,7 +4,7 @@ status: test
 description: |
     Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
     This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/27
 references:
     - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
@@ -19,22 +19,12 @@ logsource:
 detection:
     selection:
         action:
-            - 'dependabot_alerts.disable'
             - 'dependabot_alerts_new_repos.disable'
-            - 'dependabot_security_updates.disable'
+            - 'dependabot_alerts.disable'
             - 'dependabot_security_updates_new_repos.disable'
+            - 'dependabot_security_updates.disable'
             - 'repository_vulnerability_alerts.disable'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
 level: high
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
@@ -2,7 +2,7 @@ title: New Github Organization Member Added
 id: 3908d64a-3c06-4091-b503-b3a94424533b
 status: test
 description: Detects when a new member is added or invited to a github organization.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/29
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
@@ -19,16 +19,6 @@ detection:
             - 'org.add_member'
             - 'org.invite_member'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Organization approved new members
 level: informational
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
@@ -2,7 +2,7 @@ title: Github New Secret Created
 id: f9405037-bc97-4eb7-baba-167dad399b83
 status: test
 description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/20
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
@@ -19,16 +19,11 @@ logsource:
 detection:
     selection:
         action:
-            - 'org.create_actions_secret'
-            - 'environment.create_actions_secret'
             - 'codespaces.create_an_org_secret'
+            - 'environment.create_actions_secret'
+            - 'org.create_actions_secret'
             - 'repo.create_actions_secret'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
 falsepositives:
     - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
 level: low
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -3,7 +3,7 @@ id: eaa9ac35-1730-441f-9587-25767bde99d7
 status: test
 description: |
     Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/20
 references:
     - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
@@ -21,14 +21,9 @@ logsource:
 detection:
     selection:
         action:
-            - 'project.update_user_permission'
             - 'org.remove_outside_collaborator'
+            - 'project.update_user_permission'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
 falsepositives:
     - Validate the actor if permitted to access the repo.
     - Validate the Multifactor Authentication changes.

diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
@@ -5,7 +5,7 @@ description: |
     A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on github.com.
     This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
     it should be validated from GitHub UI because the log entry may not provide full context.
-author: Muhammad Faisal
+author: Muhammad Faisal (@faisalusuf)
 date: 2023/01/27
 references:
     - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
@@ -31,23 +31,13 @@ detection:
             - 'org.remove_self_hosted_runner'
             - 'org.runner_group_created'
             - 'org.runner_group_removed'
-            - 'org.runner_group_updated'
-            - 'org.runner_group_runners_added'
             - 'org.runner_group_runner_removed'
+            - 'org.runner_group_runners_added'
             - 'org.runner_group_runners_updated'
+            - 'org.runner_group_updated'
             - 'repo.register_self_hosted_runner'
             - 'repo.remove_self_hosted_runner'
     condition: selection
-fields:
-    - 'action'
-    - 'actor'
-    - 'org'
-    - 'actor_location.country_code'
-    - 'transport_protocol_name'
-    - 'repository'
-    - 'repo'
-    - 'repository_public'
-    - '@timestamp'
 falsepositives:
     - Allowed self-hosted runners changes in the environment.
     - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.

diff --git a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml
@@ -17,11 +17,6 @@ detection:
         c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
         cs-method: 'GET'
     condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
-    - cs-method
 falsepositives:
     - Administrative scripts that download files from the Internet
     - Administrative scripts that retrieve certain website contents