Add files via upload

SigmaHQ · skaynum · Nov 25, 2023 · Nov 25, 2023 · Dec 1, 2023 · Dec 1, 2023
commit 8f6c1cc3a393af5fda47d95061d7ec2883743781
diff --git a/rules/windows/process_creation/proc_creation_win_data_exfiltration_via_curl_command.yml b/rules/windows/process_creation/proc_creation_win_data_exfiltration_via_curl_command.yml
@@ -0,0 +1,23 @@
+title: Potential Data Exfiltration Via Curl Command
+id: 2865f507-d5d9-48dc-9047-a8a4d0962350
+status: experimental
+description: Detects the usage of the curl command and a clear text protocol to conduct exfiltration as detected in attacks targeting high level organizations in South China sea countries
+references:
+    - https://blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-Report-DeepDive-creat7721-en_EN.pdf?_gl=1*1s0av4k*_ga*NjI0NjA4MDgwLjE3MTYzODg4OTk.*_ga_6M0GWNLLWF*MTcxNjM4ODg5Ni4xLjAuMTcxNjM4ODg5Ni42MC4wLjA.
+    - https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/
+author: Joseph Kamau
+date: 2024/07/12
+tags:
+    - attack.exfiltration
+    - attack.command_and_control
+    - attack.t1071.002
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    CommandLine|contains|all:
+        - curl
+        - ftp://
+falsepositives:
+    - Unlikely, any match should be investigated to rule out malicious file transfers since FTP is not allowed in most security conscious organizations
+level: high
diff --git a/...indows/process_creation/proc_creation_win_susp_child_process_of_file_compression_tool.yml b/...indows/process_creation/proc_creation_win_susp_child_process_of_file_compression_tool.yml
@@ -0,0 +1,29 @@
+title: Suspicious Child Process of a File Compression Utility
+id: 01874a97-faf4-430a-9632-8270d875ef52
+status: experimental
+description: Detects when a file compression tool spawns a child process(script host) that is used to execute scripts that are malicious.
+references:
+    - ' https://app.any.run/tasks/dd775fc4-ff87-4723-88e2-bb9f2bb4ec96/'
+author: Joseph Kamau
+date: 2024/07/12
+tags:
+    - attack.execution
+    - attack.t1204.002
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        ParentImage|endswith:
+            - \winrar.exe
+            - \rar.exe
+            - \winzip.exe
+            - \7z.exe
+        Image|endswith:
+            - \wscript.exe
+            - \cscript.exe
+            - \jscript.exe
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_uncommon_browser_parent_process.yml b/rules/windows/process_creation/proc_creation_win_uncommon_browser_parent_process.yml
@@ -0,0 +1,33 @@
+title: Uncommon Web Browser Parent Process
+id: 7b18de5f-2a17-42d8-8a2a-df6243a7a97d
+status: experimental
+description: Detects when browser process is launched by a script executing process(script host) that rarely launches browser processes.This technique has been spotted in phishing campaigns using double extension email attachments.
+references:
+    - https://app.any.run/tasks/fcdf6d63-0cb8-4047-9966-dc276ed5a640/
+author: Joseph Kamau
+date: 2024/07/12
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        ParentImage|endswith:
+            - \wscript.exe
+            - \cscript.exe
+            - \jscript.exe
+        Image|endswith:
+            - \msedge.exe
+            - \brave.exe
+            - \firefox.exe
+            - \vivaldi.exe
+            - \chrome.exe
+            - \maxthon.exe
+            - \seamonkey.exe
+            - \opera.exe
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high