Add Rule: proc_creation_win_renamed_ssh.yml
Summary of the Pull Request
This PR adds detection for the renaming of the SSH client on Windows, based on the following reference: Rapid7 Blog on Black Basta Ransomware.
Black Basta ransomware operators downloaded a zip archive containing a legitimate copy of OpenSSH for Windows, which was ultimately renamed to RuntimeBroker.exe.
Changelog
new: Renamed SSH Client of Windows
Example Log Event
Execution of the SSH client for Windows renamed to asdf.exe
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2024-08-15T08:46:16.9016070Z'/>
<EventRecordID>158024818</EventRecordID>
<Correlation/>
<Execution ProcessID='6312' ThreadID='8660'/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>REDACTED</Computer>
<Security UserID='S-1-5-18'/>
</System>
<EventData>
<Data Name='RuleName'>-</Data>
<Data Name='UtcTime'>2024-08-15 08:46:16.887</Data>
<Data Name='ProcessGuid'>{f3beb03c-c058-66bd-f486-000000002601}</Data>
<Data Name='ProcessId'>21876</Data>
<Data Name='Image'>C:\Users\redacted\Desktop\asdf.exe</Data>
<Data Name='ImageLoaded'>C:\Users\redacted\Desktop\asdf.exe</Data>
<Data Name='FileVersion'>8.1.0.1</Data>
<Data Name='Description'>-</Data>
<Data Name='Product'>OpenSSH for Windows</Data>
<Data Name='Company'>-</Data>
<Data Name='OriginalFileName'>-</Data>
<Data Name='Hashes'>SHA1=A0D1A4F068ED3ED585E5CEC6C787521B1C0D2D64,MD5=C05426E6F6DFB30FB78FBA874A2FF7DC,SHA256=722BEE41CCF54B88660C0E67ADEB2C9612C18D739E5A8EB8C35C3D7066A95871,IMPHASH=91C272778494F545A220F3E427777252</Data>
<Data Name='Signed'>true</Data>
<Data Name='Signature'>Microsoft Windows</Data>
<Data Name='SignatureStatus'>Valid</Data>
<Data Name='User'>REDACTED</Data>
</EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2024-08-15T08:46:16.8874100Z'/>
<EventRecordID>158024792</EventRecordID>
<Correlation/>
<Execution ProcessID='6312' ThreadID='8504'/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>REDACTED</Computer>
<Security UserID='S-1-5-18'/>
</System>
<EventData>
<Data Name='RuleName'>-</Data>
<Data Name='UtcTime'>2024-08-15 08:46:16.878</Data>
<Data Name='ProcessGuid'>{f3beb03c-c058-66bd-f486-000000002601}</Data>
<Data Name='ProcessId'>21876</Data>
<Data Name='Image'>C:\Users\redacted\Desktop\asdf.exe</Data>
<Data Name='FileVersion'>8.1.0.1</Data>
<Data Name='Description'>-</Data>
<Data Name='Product'>OpenSSH for Windows</Data>
<Data Name='Company'>-</Data>
<Data Name='OriginalFileName'>-</Data>
<Data Name='CommandLine'>asdf.exe</Data>
<Data Name='CurrentDirectory'>C:\Users\redacted\Desktop\</Data>
<Data Name='User'>REDACTED</Data>
<Data Name='LogonGuid'>{f3beb03c-cacc-66bc-b6da-450000000000}</Data>
<Data Name='LogonId'>0x45dab6</Data>
<Data Name='TerminalSessionId'>1</Data>
<Data Name='IntegrityLevel'>High</Data>
<Data Name='Hashes'>SHA1=A0D1A4F068ED3ED585E5CEC6C787521B1C0D2D64,MD5=C05426E6F6DFB30FB78FBA874A2FF7DC,SHA256=722BEE41CCF54B88660C0E67ADEB2C9612C18D739E5A8EB8C35C3D7066A95871,IMPHASH=91C272778494F545A220F3E427777252</Data>
<Data Name='ParentProcessGuid'>{f3beb03c-c053-66bd-f186-000000002601}</Data>
<Data Name='ParentProcessId'>44336</Data>
<Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data>
<Data Name='ParentCommandLine'>"C:\Windows\system32\cmd.exe" </Data>
<Data Name='ParentUser'>REDACTED</Data>
</EventData>
</Event>
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
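An added example, not code from this PR or from the Sigma rule itself: a Python check that applies the intended detection logic to Sysmon process-creation events shaped like the asdf.exe event quoted above, alongside a benign ssh.exe launch and an Event ID 7 image load that must not fire. The allow-list of OpenSSH file names, the helper names and the constructed sample events are assumptions; note that OriginalFileName is '-' in the quoted event, so the check keys on the Product field rather than on the original file name.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace of the Sysmon events quoted in the PR description.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allow-list of file names that OpenSSH for Windows ships under;
# the merged rule may use a different list.
OPENSSH_IMAGES = {
    "ssh.exe", "sshd.exe", "scp.exe", "sftp.exe", "sftp-server.exe",
    "ssh-add.exe", "ssh-agent.exe", "ssh-keygen.exe", "ssh-keyscan.exe",
    "ssh-shellhost.exe",
}

def parse_sysmon_event(xml_text: str) -> dict:
    """Return EventID plus every EventData field of one Sysmon event."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields

def is_renamed_ssh(fields: dict) -> bool:
    """Process creation (EventID 1) whose PE metadata says OpenSSH for Windows
    but whose on-disk file name is not one of the OpenSSH binaries.
    Keyed on Product because OriginalFileName is '-' in the sample event."""
    if fields.get("EventID") != "1" or fields.get("Product") != "OpenSSH for Windows":
        return False
    image = PureWindowsPath(fields.get("Image", "")).name.lower()
    return image not in OPENSSH_IMAGES

def sysmon_event(event_id: str, **data: str) -> str:
    """Build a minimal Sysmon-style event (constructed test input, not a real log)."""
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID></System>"
            f"<EventData>{body}</EventData></Event>")

# Constructed samples: the first mirrors the asdf.exe event from the PR.
RENAMED = sysmon_event("1", Image=r"C:\Users\redacted\Desktop\asdf.exe",
                       Product="OpenSSH for Windows", OriginalFileName="-")
LEGIT = sysmon_event("1", Image=r"C:\Windows\System32\OpenSSH\ssh.exe",
                     Product="OpenSSH for Windows", OriginalFileName="ssh.exe")
IMAGE_LOAD = sysmon_event("7", Image=r"C:\Users\redacted\Desktop\asdf.exe",
                          Product="OpenSSH for Windows")

if __name__ == "__main__":
    for label, ev in (("renamed", RENAMED), ("legit", LEGIT), ("imageload", IMAGE_LOAD)):
        print(label, is_renamed_ssh(parse_sysmon_event(ev)))
```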