Sigma rules for CVE-2023-28756
18 rules · scoped to cve · back to CVE-2023-28756
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Success
condition: selection
falsepositives:
- Legit administrative action
level: high
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
- id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
filter_keywords:
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection and not 1 of filter_*
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains:
- 'wscript'
- 'vbscript'
- 'cscript'
- 'wmic '
- 'wmic.exe'
- 'regsvr32.exe'
- 'powershell'
- '\AppData\'
selection_time:
CommandLine|contains|all:
- 'once'
- '00:00'
condition: all of selection_*
falsepositives:
- Software installation
level: high
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\ttdrecord.dll'
- '\ttdwriter.dll'
- '\ttdloader.dll'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
false_positives:
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'lsass'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'sql\query'
- 'eventlog'
condition: selection1 and not false_positives
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
title: Windows Defender Real-time Protection Disabled
id: b28e58e4-2a72-4fae-bdee-0fbe904db642
related:
- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
type: obsolete
status: stable
description: |
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5001 # Real-time protection is disabled.
condition: selection
falsepositives:
- Administrator actions (should be investigated)
- Seen being triggered occasionally during Windows 8 Defender Updates
level: high
title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
id: 9acf45ed-3a26-4062-bf08-56857613eb52
status: test
description: |
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'addexclusion'
condition: all of selection_*
falsepositives:
- Legitimate administrator activity
level: medium
title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
id: 452df256-da78-427a-866f-49fa04417d74
status: test
description: |
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'delete'
condition: all of selection_*
falsepositives:
- Legitimate activities
level: medium
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detect file time attribute change to hide new or changes to existing files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/touch'
CommandLine|contains:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: selection
falsepositives:
- Unknown
level: medium
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: test
description: |
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
An attacker can use this to prevent backups from occurring.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'disable'
condition: all of selection_*
falsepositives:
- Legitimate administrator activity
level: medium
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
touch:
- 'touch'
selection2:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: execve and touch and selection2
falsepositives:
- Unknown
level: medium
simulation:
- type: atomic-red-team
name: Set a file's access timestamp
technique: T1070.006
atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
- type: atomic-red-team
name: Set a file's modification timestamp
technique: T1070.006
atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
- type: atomic-red-team
name: Modify file timestamps using reference file
technique: T1070.006
atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
title: Windows Defender Real-Time Protection Failure/Restart
id: dd80db93-6ec2-4f4c-a017-ad40da6ffe81
status: stable
description: Detects issues with Windows Defender Real-Time Protection features
references:
- Internal Research
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
- https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
date: 2023-03-28
modified: 2023-05-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID:
- 3002 # Real-Time Protection feature has encountered an error and failed
- 3007 # Real-time Protection feature has restarted
filter_optional_network_inspection:
Feature_Name: '%%886' # Network Inspection System
Reason:
- '%%892' # The system is missing updates that are required for running Network Inspection System. Install the required updates and restart the device.
- '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required
level: medium
title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-06-28
tags:
- attack.discovery
- attack.t1124
logsource:
category: process_creation
product: windows
detection:
selection_time:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'time'
selection_w32tm:
Image|endswith: '\w32tm.exe'
CommandLine|contains: 'tz'
condition: 1 of selection_*
falsepositives:
- Legitimate use of the system utilities to discover system time for legitimate reason
level: low
title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
selection:
EventID: 4616
filter_main_svchost:
ProcessName: 'C:\Windows\System32\svchost.exe'
SubjectUserSid: 'S-1-5-19'
filter_optional_vmtools:
ProcessName:
- 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
- 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
- 'C:\Windows\System32\VBoxService.exe'
- 'C:\Windows\System32\oobe\msoobe.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
status: stable
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: ruby_on_rails
detection:
keywords:
- ActionController::InvalidAuthenticityToken
- ActionController::InvalidCrossOriginRequest
- ActionController::MethodNotAllowed
- ActionController::BadRequest
- ActionController::ParameterMissing
condition: keywords
falsepositives:
- Application bugs
level: medium
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains: 'ruby'
CommandLine|contains|all:
- ' -e'
- 'rsocket'
- 'TCPSocket'
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
condition: selection
falsepositives:
- Unknown
level: medium
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: test
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ruby.exe'
- OriginalFileName: 'ruby.exe'
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium