SigmaHQ / sigma

Main Sigma Rule Repository

feat: lolbin updates #4832

Closed nasbench closed 5 months ago

nasbench commented 5 months ago

Summary of the Pull Request

This PR updates lolbin rules (update filename, metadata info, and logic where necessary)

Changelog

- update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
- update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
- update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
- update: COM Object Execution via Xwizard.EXE - Update logic
- update: JScript Compiler Execution - Update metadata
- update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
- update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
- update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
- update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end
- update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
- update: Windows Kernel Debugger Execution - Reduce level to "medium"
- update: Xwizard.EXE Execution From Non-Default Location - Update description

Example Log Event

N/A

Fixed Issues

N/A

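The "windash" modifier used in the FTP.EXE rule above (and suspected in the Security Onion false-positive thread below) works by expanding each "-" in a value into the dash characters Windows tools accept. The following is an added example, not code from this PR or from the Sigma project: it implements that expansion in Python, builds the single regex a backend would emit instead, and checks the two agree on constructed command lines. The " -s:" pattern and the sample events are assumptions for illustration.

```python
import itertools
import re

# Dash characters the Sigma "windash" modifier expands a '-' into:
# ASCII hyphen, forward slash, en dash, em dash and horizontal bar.
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]

def expand_windash(value: str) -> list[str]:
    """Return every variant of `value` with each '-' replaced by a dash character.
    Sigma semantics: a 'contains|windash' value matches if ANY variant is contained."""
    slots = [WINDASH_CHARS if ch == "-" else [ch] for ch in value]
    return ["".join(combo) for combo in itertools.product(*slots)]

def windash_regex(value: str) -> re.Pattern:
    """Equivalent single regex for backends that translate rather than expand.
    Sigma string matching is case-insensitive, hence re.IGNORECASE."""
    dash_class = "[" + "".join(re.escape(c) for c in WINDASH_CHARS) + "]"
    body = "".join(dash_class if ch == "-" else re.escape(ch) for ch in value)
    return re.compile(body, re.IGNORECASE)

def contains_windash(field_value: str, pattern: str) -> bool:
    """Evaluate `Field|contains|windash: pattern` against one field value."""
    haystack = field_value.lower()
    return any(v.lower() in haystack for v in expand_windash(pattern))

# Hypothetical flag fragment (assumption, not the rule's actual value).
PATTERN = " -s:"

# Constructed sample events, not real logs.
SAMPLE_COMMAND_LINES = [
    r"ftp.exe -s:C:\Users\Public\cmds.txt",            # ASCII dash -> match
    r"ftp.exe /s:C:\Users\Public\cmds.txt",            # slash variant -> match
    "ftp.exe \u2013s:C:\\Users\\Public\\cmds.txt",     # en dash -> match
    r"ftp.exe ftp.example.com",                        # benign -> no match
    r"C:\Windows\System32\svchost.exe -k netsvcs",     # other flag -> no match
]

def evaluate(cmdlines):
    """Return (cmdline, matched) pairs from the expansion approach and assert the
    regex translation agrees: the check a backend port should pass before deploying."""
    rx = windash_regex(PATTERN)
    results = []
    for cl in cmdlines:
        via_expand = contains_windash(cl, PATTERN)
        via_regex = rx.search(cl) is not None
        assert via_expand == via_regex, f"backend translation disagrees on {cl!r}"
        results.append((cl, via_expand))
    return results

if __name__ == "__main__":
    for cl, hit in evaluate(SAMPLE_COMMAND_LINES):
        print(("MATCH  " if hit else "no hit ") + cl)
```

A rule that fires on every process event, as reported below, indicates the translated pattern no longer contains the literal flag token; comparing the expanded variants against the backend's emitted query is the quickest way to spot that.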

Carlos-mb commented 1 month ago

Hi, I hope you can help me.

I'm using Security Onion and the rule "Renamed ZOHO Dctask64 Execution" is generating about 100.000 alerts / hour.

It affects all Windows devices with elastic-endpoint software.

Is this the expected behavior?

Should I be worried, or are they false positives?

Should I deactivate it because it has "status: test"?

Can I do something to help improve the alert behavior?

Thanks!

nasbench commented 1 month ago


Hi @Carlos-mb, it is not an expected behavior. Last time I discussed this with Josh from Sec Onion, he said it was probably related to a windash bug in Sec Onion. Can you please open an issue and give me some redacted example logs so that I can troubleshoot this more accurately?

Cheers.

Carlos-mb commented 1 month ago

Wow!

I really appreciate your fast response and your offer to help me.

I'll open an issue and I'll give you all the information you need.