Merge PR #5168 from @defensivedepth - Prepend algo to hash values

fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
SigmaHQ · Jan 22, 2025 · 48d5c50 · 48d5c50
1 parent fb27bee
commit 48d5c50
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 15 deletions.
diff --git a/...erging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/...erging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
@@ -8,7 +8,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
-modified: 2024-05-11
+modified: 2025-01-22
 tags:
     - attack.defense-evasion
     - attack.execution
@@ -18,8 +18,8 @@ logsource:
 detection:
     selection_hashes:
         Hashes|contains:
-            - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
-            - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
+            - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
+            - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
     selection_schtasks_create:
         Image|endswith: '\schtasks.exe'
         CommandLine|contains|all:

diff --git a/...ndows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/...ndows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-01-28
-modified: 2024-04-22
+modified: 2025-01-22
 tags:
     - attack.defense-evasion
     - attack.t1055.001
@@ -21,10 +21,10 @@ detection:
     selection_img:
         - Image|endswith: '\dctask64.exe'
         - Hashes|contains:
-              - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
-              - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
-              - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
-              - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
+              - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
+              - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
+              - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
+              - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
     selection_cli:
         CommandLine|contains:
             - ' executecmd64 '

diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
@@ -7,7 +7,7 @@ references:
     - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 author: Florian Roth (Nextron Systems)
 date: 2020-02-04
-modified: 2023-02-04
+modified: 2025-01-22
 tags:
     - attack.credential-access
     - attack.t1003.001
@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        - Hashes|contains: '09D278F9DE118EF09163C6140255C690'
+        - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
         - CommandLine|contains: 'Dumpert.dll'
     condition: selection
 falsepositives:

diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-01-28
-modified: 2024-04-22
+modified: 2025-01-22
 tags:
     - attack.defense-evasion
     - attack.t1036
@@ -23,10 +23,10 @@ logsource:
 detection:
     selection:
         Hashes|contains:
-            - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
-            - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
-            - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
-            - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
+            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
+            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
+            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
+            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
     filter_main_legit_name:
         Image|endswith: '\dctask64.exe'
     condition: selection and not 1 of filter_main_*