Sigma rules for CVE-2023-48795
57 rules · scoped to cve · back to CVE-2023-48795
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
- id: e3a8a052-111f-4606-9aee-f28ebeb76776
type: derived
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
service: syslog
detection:
keywords:
- 'stopping iptables'
- 'stopping ip6tables'
- 'stopping firewalld'
- 'stopping cbdaemon'
- 'stopping falcon-sensor'
condition: keywords
falsepositives:
- Legitimate administration activities
level: medium
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
description: |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
author: frack113
date: 2021-12-28
tags:
- attack.persistence
- attack.t1136.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: System.DirectoryServices.AccountManagement
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
title: Security Software Discovery Via Powershell Script
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: test
description: |
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-16
modified: 2023-10-24
tags:
- attack.discovery
- attack.t1518.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'get-process | \?'
- 'get-process | where'
- 'gps | \?'
- 'gps | where'
selection_field:
ScriptBlockText|contains:
- 'Company -like'
- 'Description -like'
- 'Name -like'
- 'Path -like'
- 'Product -like'
selection_keywords:
ScriptBlockText|contains:
# Note: These strings are using wildcard assuming the search is using the "-like" operator.
# You can add specific variant with the actual process names to increase coverage
- '\*avira\*'
- '\*carbonblack\*'
- '\*cylance\*'
- '\*defender\*'
- '\*kaspersky\*'
- '\*malware\*'
- '\*sentinel\*'
- '\*symantec\*'
- '\*virus\*'
condition: all of selection_*
falsepositives:
- False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.
- As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced
level: medium
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
# Note: Add additional keywords to increase and enhance coverage
# Note:
# We use the double quote variation because in cases of where the command is executed through cmd for example:
# cmd /c "tasklist | findstr virus"
# Logging utilties such as Sysmon would capture the end quote as part of findstr execution
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
- type: atomic-red-team
name: Security Software Discovery
technique: T1518.001
atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
title: Service Security Descriptor Tampering Via Sc.EXE
id: 98c5aeef-32d5-492f-b174-64a691896d25
related:
- id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
type: similar
- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
type: similar
status: test
description: Detection of sc.exe utility adding a new service with special permission which hides that service.
references:
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://twitter.com/0gtweet/status/1628720819537936386
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_cli:
CommandLine|contains: 'sdset'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Potential Wazuh Security Platform DLL Sideloading
id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
status: test
description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-05-12
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\libwazuhshared.dll'
- '\libwinpthread-1.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_optional_mingw64:
# Note: Many third party apps installed in "AppData" or "ProgramData" and leverage "mingw64" make use of "libwinpthread-1.dll"
# In production its best to make a list of these apps and replace this filter with a specific one.
ImageLoaded|contains:
- '\AppData\Local\'
- '\ProgramData\'
ImageLoaded|endswith: '\mingw64\bin\libwinpthread-1.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
level: medium
title: Uncommon Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
related:
- id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
type: similar
status: test
description: |
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
- attack.lateral-movement
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort: 88
filter_main_lsass:
Application|startswith:
- '\device\harddiskvolume'
- 'C:'
Application|endswith: '\Windows\System32\lsass.exe'
filter_optional_chrome:
Application|startswith:
- '\device\harddiskvolume'
- 'C:'
Application|endswith:
- '\Program Files (x86)\Google\Chrome\Application\chrome.exe'
- '\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Application|startswith:
- '\device\harddiskvolume'
- 'C:'
Application|endswith:
- '\Program Files (x86)\Mozilla Firefox\firefox.exe'
- '\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tomcat:
Application|endswith: '\tomcat\bin\tomcat8.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium