Merge PR SigmaHQ#4614 from @X-Junior - updates for multiple rules 4-1…

…2-2023 update: PowerShell Execution With Potential Decryption Capabilities update: Malware User Agent --------- Co-authored-by: Nasreddine Bencherchali <[email protected]>
phantinuss · Dec 11, 2023 · 987a733 · 987a733
1 parent 63599c8
commit 987a733
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -13,7 +13,7 @@ references:
     - https://twitter.com/crep1x/status/1635034100213112833
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2017/07/08
-modified: 2023/11/06
+modified: 2023/12/05
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -134,6 +134,7 @@ detection:
             - 'BunnyShell' # BunnyStealer
             - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
             - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
+            - 'SouthSide' # Racoon Stealer
     condition: selection
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -6,6 +6,7 @@ references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/30
+modified: 2023/12/05
 tags:
     - attack.execution
 logsource:
@@ -31,12 +32,18 @@ detection:
             - "gc "
             - 'cat '
             - 'type '
+            - 'ReadAllBytes'
     selection_cli_specific:
-        CommandLine|contains|all:
-            - ' ^| '
-            - '\*.lnk'
-            - '-Recurse'
-            - '-Skip '
+        - CommandLine|contains|all:
+              - ' ^| '
+              - '\*.lnk'
+              - '-Recurse'
+              - '-Skip '
+        - CommandLine|contains|all:
+              - ' -ExpandProperty '
+              - '\*.lnk'
+              - 'WriteAllBytes'
+              - ' .length '
     condition: all of selection_*
 falsepositives:
     - Unlikely