Home/CVE-2023-41742/Sigma rules
Sigma

Sigma rules for CVE-2023-41742

109 rules · scoped to cve · back to CVE-2023-41742
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

9 of 109
direct medium
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
status test author bohops id 43103702-5886-11ed-9b6a-0242ac120002 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
id: 43103702-5886-11ed-9b6a-0242ac120002
status: test
description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
references:
    - https://twitter.com/bohops/status/1583916360404729857
author: bohops
date: 2022-10-30
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vsls-agent.exe'
        CommandLine|contains: '--agentExtensionPath'
    filter:
        CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'
    condition: selection and not filter
falsepositives:
    - False positives depend on custom use of vsls-agent.exe
level: medium
direct medium
MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
status test author Tobias Michalski (Nextron Systems) id 83809e84-4475-4b69-bc3e-4aad8568612f license Sigma · DRL-1.1
view Sigma YAML 
title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: similar
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
direct medium
MSExchange Transport Agent Installation - Builtin
Detects the Installation of a Exchange Transport Agent
status test author Tobias Michalski (Nextron Systems) id 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 license Sigma · DRL-1.1
view Sigma YAML 
title: MSExchange Transport Agent Installation - Builtin
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: derived
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        - 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
direct medium
Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id ff151c33-45fa-475d-af4f-c2f93571f4fe license Sigma · DRL-1.1
view Sigma YAML 
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
status: test
description: |
    This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
references:
    - https://o365blog.com/post/hybridhealthagent/
    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'Key'
        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
    filter:
        ProcessName|contains:
            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
direct medium
Mesh Agent Service Installation
Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
status test author Nasreddine Bencherchali (Nextron Systems) id e0d1ad53-c7eb-48ec-a87a-72393cc6cedc license Sigma · DRL-1.1
view Sigma YAML 
title: Mesh Agent Service Installation
id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
status: test
description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'MeshAgent.exe'
        - ServiceName|contains: 'Mesh Agent'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
direct medium
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
status test author Nasreddine Bencherchali (Nextron Systems) id d443095b-a221-4957-a2c4-cd1756c9b747 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium
direct medium
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
status test author Florian Roth (Nextron Systems) id c8557060-9221-4448-8794-96320e6f3e74 license Sigma · DRL-1.1
view Sigma YAML 
title: Windows PowerShell User Agent
id: c8557060-9221-4448-8794-96320e6f3e74
status: test
description: Detects Windows PowerShell Web Access
references:
    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains: ' WindowsPowerShell/'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
level: medium
direct medium
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
status test author Florian Roth (Nextron Systems), Brian Ingram (update) id 894a8613-cf12-48b3-8e57-9085f54aa0c3 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
    - id: d443095b-a221-4957-a2c4-cd1756c9b747
      type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|endswith: '='
    condition: selection
falsepositives:
    - Unknown
level: medium
direct medium
HTTP Request With Empty User Agent
Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.
status test author Florian Roth (Nextron Systems) id 21e44d78-95e7-421b-a464-ffd8395659c4 license Sigma · DRL-1.1
view Sigma YAML 
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
Showing 101-109 of 109
Prev 3 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin