From 185d9fe64d03260502a300e56c95556e847d6be8 Mon Sep 17 00:00:00 2001
From: wagga40
Date: Sat, 17 Aug 2024 02:07:01 +0000
Subject: [PATCH] Rules Update

---
 rules_windows_generic_full.json | 20 ++++++++++++++++++++
 rules_windows_generic_medium.json | 20 ++++++++++++++++++++
 rules_windows_generic_pysigma.json | 20 ++++++++++++++++++++
 rules_windows_sysmon_full.json | 20 ++++++++++++++++++++
 rules_windows_sysmon_medium.json | 20 ++++++++++++++++++++
 rules_windows_sysmon_pysigma.json | 20 ++++++++++++++++++++
 sigma | 2 +-
 7 files changed, 121 insertions(+), 1 deletion(-)

diff --git a/rules_windows_generic_full.json b/rules_windows_generic_full.json
index 3310757..03c1067 100755
--- a/rules_windows_generic_full.json
+++ b/rules_windows_generic_full.json
@@ -11862,6 +11862,26 @@
 ],
 "filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
 },
+ {
+ "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
+ "id": "0ea52357-cd59-4340-9981-c46c7e900428",
+ "status": "experimental",
+ "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
+ "author": "@kostastsale",
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011",
+ "attack.t1071"
+ ],
+ "falsepositives": [
+ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
+ ],
+ "filename": "proc_creation_win_rundll32_udl_exec.yml"
+ },
 {
 "title": "Abusing Print Executable",
 "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
diff --git a/rules_windows_generic_medium.json b/rules_windows_generic_medium.json
index ec1f363..a0f3f8c 100755
--- a/rules_windows_generic_medium.json
+++ b/rules_windows_generic_medium.json
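Review bot: The added `"rule"` entry can never fire: its third CommandLine predicate, `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\'`, decodes to the pattern `%\Users\%\Downloads\*`, where the final `\*` is an escaped literal asterisk (on SQLite, presumably the engine here; an invalid escape in stricter dialects) and there is no trailing `%`, so the command line would have to end in `Downloads\*` — which also contradicts the neighbouring `CommandLine LIKE '%.udl'` clause requiring it to end in `.udl`. The upstream Sigma pattern presumably ends in a `*` wildcard that the converter escaped instead of translating to `%`; the pysigma rendering of the same rule elsewhere in this patch emits `Downloads\\\\%`, which is the intended contains semantics. Until the converter's handling of a trailing `*` is fixed, this rule is dead in rules_windows_generic_full.json and will silently yield zero detections for the UDL lure it is meant to catch. I would change the predicate to `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\'`.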
@@ -10859,6 +10859,26 @@
 ],
 "filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
 },
+ {
+ "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
+ "id": "0ea52357-cd59-4340-9981-c46c7e900428",
+ "status": "experimental",
+ "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
+ "author": "@kostastsale",
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011",
+ "attack.t1071"
+ ],
+ "falsepositives": [
+ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
+ ],
+ "filename": "proc_creation_win_rundll32_udl_exec.yml"
+ },
 {
 "title": "Abusing Print Executable",
 "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
diff --git a/rules_windows_generic_pysigma.json b/rules_windows_generic_pysigma.json
index 2fae8c9..7e58d86 100644
--- a/rules_windows_generic_pysigma.json
+++ b/rules_windows_generic_pysigma.json
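Review bot: The `"rule"` line added to rules_windows_generic_medium.json carries a predicate that cannot be satisfied: `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\'` ends in an escaped literal `*` with no trailing `%`, so it demands a command line ending in `Downloads\*`, while the adjacent `CommandLine LIKE '%.udl'` demands one ending in `.udl`; the conjunction is empty and the rule is dead. The pysigma rendering of the same rule in this patch uses `Downloads\\\\%`, which is what a Sigma trailing `*` should become, so this looks like a converter bug for trailing wildcards rather than an upstream rule problem. Separately, `OriginalFileName = 'RUNDLL32.EXE'` is harmless but presumably inert on Security 4688 events, which to my knowledge do not carry that field — confirm against the log schema. Fix: `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\'`.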
@@ -35306,6 +35306,26 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
+ "id": "0ea52357-cd59-4340-9981-c46c7e900428",
+ "status": "experimental",
+ "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
+ "author": "@kostastsale",
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011",
+ "attack.t1071"
+ ],
+ "falsepositives": [
+ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName='RUNDLL32.EXE') AND ((CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\') AND CommandLine LIKE '%.udl' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Abusing Print Executable",
 "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
diff --git a/rules_windows_sysmon_full.json b/rules_windows_sysmon_full.json
index cecd62c..6f9992d 100755
--- a/rules_windows_sysmon_full.json
+++ b/rules_windows_sysmon_full.json
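Review bot: `"filename": ""` on the added entry drops the pointer back to the upstream Sigma rule that the other rulesets in this patch keep (`"filename": "proc_creation_win_rundll32_udl_exec.yml"`), so an analyst triaging a hit from the pysigma ruleset has only the title and id to trace it. The surrounding context entries show this is the pysigma pipeline's convention rather than a one-off in this commit, but if the pipeline has the source path available it should emit it, i.e. `"filename": "proc_creation_win_rundll32_udl_exec.yml"`. The query itself looks correct; in particular the trailing wildcard is rendered as `Downloads\\\\%`, unlike the full/medium renderings of the same rule in this patch, which end the pattern in an escaped literal `\*`.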
@@ -11862,6 +11862,26 @@
 ],
 "filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
 },
+ {
+ "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
+ "id": "0ea52357-cd59-4340-9981-c46c7e900428",
+ "status": "experimental",
+ "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
+ "author": "@kostastsale",
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011",
+ "attack.t1071"
+ ],
+ "falsepositives": [
+ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
+ ],
+ "filename": "proc_creation_win_rundll32_udl_exec.yml"
+ },
 {
 "title": "Abusing Print Executable",
 "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
diff --git a/rules_windows_sysmon_medium.json b/rules_windows_sysmon_medium.json
index 16dccc3..b99711f 100755
--- a/rules_windows_sysmon_medium.json
+++ b/rules_windows_sysmon_medium.json
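Review bot: The Sysmon Event 1 rendering added to rules_windows_sysmon_full.json has the same unsatisfiable predicate as the generic rulesets: `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\'` decodes to `%\Users\%\Downloads\*`, ending in an escaped literal `*` with no trailing `%`, so it only matches a command line that ends in `Downloads\*` — impossible alongside `CommandLine LIKE '%.udl'`. The pysigma rendering of this rule in the same patch emits `Downloads\\\\%`, so the converter used for the full/medium rulesets presumably mishandles a trailing Sigma `*` wildcard. As written the rule is dead in this ruleset, which is worse than a noisy rule because nothing signals that the UDL-lure coverage is missing. Fix: `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\'`.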
@@ -10859,6 +10859,26 @@
 ],
 "filename": "proc_creation_win_remote_access_tools_gotoopener.yml"
 },
+ {
+ "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
+ "id": "0ea52357-cd59-4340-9981-c46c7e900428",
+ "status": "experimental",
+ "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
+ "author": "@kostastsale",
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011",
+ "attack.t1071"
+ ],
+ "falsepositives": [
+ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.udl' ESCAPE '\\'))"
+ ],
+ "filename": "proc_creation_win_rundll32_udl_exec.yml"
+ },
 {
 "title": "Abusing Print Executable",
 "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
diff --git a/rules_windows_sysmon_pysigma.json b/rules_windows_sysmon_pysigma.json
index 5a60bf4..9eb0849 100644
--- a/rules_windows_sysmon_pysigma.json
+++ b/rules_windows_sysmon_pysigma.json
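Review bot: The `"rule"` line added to rules_windows_sysmon_medium.json cannot match any event: `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\\\*' ESCAPE '\\'` requires the command line to end in the literal text `Downloads\*` (escaped asterisk, no trailing `%`), and the same WHERE clause also requires `CommandLine LIKE '%.udl'`, so both conditions can never be true at once. The pysigma rendering in this patch shows the intended form, `Downloads\\\\%`. Since the medium ruleset is the one most deployments run, this silently removes the UDL-lure detection this commit is adding. Change the predicate to `CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\'`, and ideally fix the converter so a trailing Sigma `*` is never emitted as `\*`.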
@@ -35306,6 +35306,26 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File",
+ "id": "0ea52357-cd59-4340-9981-c46c7e900428",
+ "status": "experimental",
+ "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
+ "author": "@kostastsale",
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011",
+ "attack.t1071"
+ ],
+ "falsepositives": [
+ "UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios."
+ ],
+ "level": "medium",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (ParentImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (Image LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName='RUNDLL32.EXE') AND ((CommandLine LIKE '%oledb32.dll%' ESCAPE '\\' AND CommandLine LIKE '%,OpenDSLFile %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%\\\\Downloads\\\\%' ESCAPE '\\') AND CommandLine LIKE '%.udl' ESCAPE '\\')))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Abusing Print Executable",
 "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
diff --git a/sigma b/sigma
index 8bf0ef1..7e93682 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit 8bf0ef1253580e37d85098b0ae51ebb1581c74ca
+Subproject commit 7e93682e0d87324a49408d0d76a70192c3890e26
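Review bot: The `attack.t1071` tag on the added entry does not fit what the description says the rule catches: T1071 is Application Layer Protocol (command and control), whereas a UDL file opened from Downloads to capture authentication credentials is closer to T1187 Forced Authentication, with T1566 for the phishing delivery. The tags are inherited from the upstream Sigma rule, so the correction belongs there, but as shipped this will mislabel the alert in any ATT&CK coverage map built from this ruleset. As in the other pysigma file, `"filename": ""` leaves no pointer back to `proc_creation_win_rundll32_udl_exec.yml`, which the full/medium rulesets do emit. The query logic itself is consistent with the sysmon_full/medium variants, except that the trailing wildcard is correctly rendered here as `Downloads\\\\%`.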