
Create proc_creation_win_code_devtunnel_tunneling.yaml

Open 0xAnalyst opened this issue 1 year ago • 11 comments

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

0xAnalyst avatar Sep 09 '24 11:09 0xAnalyst

Hi, there are already some rules:

  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the field ProcessVersionInfoProductName

frack113 avatar Sep 10 '24 04:09 frack113

Hi, there are already some rules:

  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the field ProcessVersionInfoProductName

This is not only VS Code; it also caters for devtunnel command-line parameters (https://detect.fyi/detecting-dev-tunnels-16f0994dc3e2). I didn't see that in the repo, hence the new rule.

0xAnalyst avatar Sep 10 '24 06:09 0xAnalyst

@frack113 Thank you, I committed the changes. This is my first Sigma rule, so your help is much appreciated.

0xAnalyst avatar Sep 11 '24 09:09 0xAnalyst

Hi, there are already some rules:

  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
  • https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the field ProcessVersionInfoProductName

Apart from EDR, ProcessVersionInfoProductName will be available in the Sysmon log, so I'm not sure if I should keep it to Windows events or put Sysmon in there? @frack113 @nasbench. I can also change it to Image if that works.

0xAnalyst avatar Sep 12 '24 08:09 0xAnalyst

ProcessVersionInfoProductName

In the Sysmon event (but not in the Windows 4688) you have:

  • Description
  • Product
  • Company
  • OriginalFileName

Can be something like this

    selection_exe:
        - Image|endswith:
            - '\code.exe'
            - '\devtunnel.exe'
        - OriginalFileName:
            - 'code.exe'       # ???
            - 'devtunnel.exe'  # ???
    selection_cli_tunnel:
        CommandLine|contains: 'tunnel'
    selection_cli_temporary:
    selection_cli_persistent:
    condition: selection_exe and 1 of selection_cli_*

frack113 avatar Sep 12 '24 16:09 frack113

ProcessVersionInfoProductName

In the Sysmon event (but not in the Windows 4688) you have:

  • Description
  • Product
  • Company
  • OriginalFileName

Can be something like this

    selection_exe:
        - Image|endswith:
            - '\code.exe'
            - '\devtunnel.exe'
        - OriginalFileName:
            - 'code.exe'       # ???
            - 'devtunnel.exe'  # ???
    selection_cli_tunnel:
        CommandLine|contains: 'tunnel'
    selection_cli_temporary:
    selection_cli_persistent:
    condition: selection_exe and 1 of selection_cli_*

I changed it to reflect Windows event logs now, with Image, so all should be OK now.

    selection_cli:
        Image|endswith: 'code.exe'
        CommandLine|contains: 'tunnel'
    selection_temporary:
        CommandLine|contains|all:
            - 'host'
            - 'allow-anonymous'
    selection_persistent:
        CommandLine|contains|all:
            - 'port'
            - 'create'
            - '-p'

0xAnalyst avatar Sep 15 '24 08:09 0xAnalyst

Sorry, as the file extension was yaml, not yml, some validation workflows were not used.

frack113 avatar Sep 15 '24 12:09 frack113

Can this get merged?

0xAnalyst avatar Oct 28 '24 10:10 0xAnalyst

Can this get merged?

Are you in a rush or something?

nasbench avatar Oct 28 '24 10:10 nasbench

Can this get merged?

Are you in a rush or something?

hahhaha nope all good

0xAnalyst avatar Oct 28 '24 10:10 0xAnalyst

I think I am unable to create a pull request; can you help me add this new Sigma rule?

https://github.com/0xAnalyst/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_Bublup.yml

@nasbench @frack113

    title: Potential Data Exfiltration to Bublup.com
    id: 61b9d488-49f6-44e5-a9fa-d0a4dfdbfd85
    status: experimental
    description: Detects network connections to bublup.com, a legitimate cloud storage platform abused by threat actors (e.g., BlackSuit ransomware) for data exfiltration.
    references:
        - https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/
        - https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
    author: 0xAnalyst
    date: 2025/04/09
    logsource:
        category: network_connection
        product: windows
    detection:
        selection:
            Initiated: 'true'
            DestinationHostname|endswith: '.bublup.com'
        condition: selection
    falsepositives:
        - Legitimate use of bublup.com for personal or approved business activity
    level: high
    tags:
        - attack.exfiltration
        - attack.t1567.002

0xAnalyst avatar Apr 13 '25 07:04 0xAnalyst
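To see how the two detection fragments in this thread behave against log events, here is a minimal Sigma-style matcher run over constructed process_creation and network_connection events. This is an added example, not SigmaHQ or pySigma code: it supports only the modifiers the revised code.exe tunnel selections and the bublup.com rule use (`endswith`, `contains`, `contains|all`) plus `and`/`or`/parentheses and `1 of`/`all of` in the condition. The revised rule's condition line is not shown in the thread, so `selection_cli and (selection_temporary or selection_persistent)` is assumed; all events below are constructed.

```python
"""Minimal Sigma-style selection/condition evaluator (added example)."""
import fnmatch
import re


def _match_value(field_value, modifiers, pattern):
    """Apply Sigma string modifiers; matching is case-insensitive as in Sigma."""
    if field_value is None:
        return False
    fv, pat = str(field_value).lower(), str(pattern).lower()
    if "endswith" in modifiers:
        return fv.endswith(pat)
    if "startswith" in modifiers:
        return fv.startswith(pat)
    if "contains" in modifiers:
        return pat in fv
    return fv == pat


def _match_field(event, key, pattern):
    """'CommandLine|contains|all': [...] -> field name plus modifier list."""
    field, *modifiers = key.split("|")
    patterns = pattern if isinstance(pattern, list) else [pattern]
    hits = [_match_value(event.get(field), modifiers, p) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(event, selection):
    """A selection is a map (AND of its fields) or a list of maps (OR of maps)."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(event, detection):
    """Evaluate detection['condition'] against one event (tiny recursive parser)."""
    sels = {k: v for k, v in detection.items() if k != "condition"}
    toks = re.findall(r"\(|\)|(?:1|all) of [\w*]+|\w+", detection["condition"])
    pos = 0

    def term():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            val = expr()
            pos += 1  # consume ')'
            return val
        if tok == "not":
            return not term()
        if " of " in tok:  # '1 of selection_cli_*' / 'all of ...'
            quant, _, glob = tok.split(" ", 2)
            hits = [match_selection(event, sels[n]) for n in sels if fnmatch.fnmatchcase(n, glob)]
            return any(hits) if quant == "1" else all(hits)
        return match_selection(event, sels[tok])

    def conj():
        nonlocal pos
        val = term()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            val = term() and val  # evaluate first so tokens are always consumed
        return val

    def expr():
        nonlocal pos
        val = conj()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            val = conj() or val
        return val

    return expr()


def scan(events, detection):
    """Return the indexes of events that trigger the detection."""
    return [i for i, e in enumerate(events) if evaluate(e, detection)]


# Revised process_creation selections from the thread; the condition is an assumption.
DEVTUNNEL_RULE = {
    "selection_cli": {"Image|endswith": "code.exe", "CommandLine|contains": "tunnel"},
    "selection_temporary": {"CommandLine|contains|all": ["host", "allow-anonymous"]},
    "selection_persistent": {"CommandLine|contains|all": ["port", "create", "-p"]},
    "condition": "selection_cli and (selection_temporary or selection_persistent)",
}
# Same, but anchored on a path separator as in frack113's sketch ('\code.exe').
ANCHORED_RULE = dict(DEVTUNNEL_RULE, selection_cli={"Image|endswith": "\\code.exe", "CommandLine|contains": "tunnel"})
# network_connection rule from the last comment.
BUBLUP_RULE = {
    "selection": {"Initiated": "true", "DestinationHostname|endswith": ".bublup.com"},
    "condition": "selection",
}

EVENTS = [  # constructed sample events, not real telemetry
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe", "CommandLine": "Code.exe tunnel host --allow-anonymous"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe", "CommandLine": "Code.exe --extensions-dir D:\\ext"},
    {"Image": r"C:\tools\mycode.exe", "CommandLine": "mycode.exe tunnel host --allow-anonymous"},
    {"Initiated": "true", "DestinationHostname": "files.bublup.com"},
    {"Initiated": "false", "DestinationHostname": "files.bublup.com"},
]

if __name__ == "__main__":
    print("devtunnel hits:", scan(EVENTS, DEVTUNNEL_RULE))   # [0, 2]
    print("anchored hits: ", scan(EVENTS, ANCHORED_RULE))    # [0]
    print("bublup hits:   ", scan(EVENTS, BUBLUP_RULE))      # [3]
```

The third event shows why the leading backslash in frack113's `'\code.exe'` matters: an unanchored `endswith: 'code.exe'` also fires on any binary whose name merely ends in `code.exe`, while the anchored form only matches the file name itself.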