Rule update (#224)

Yamato Security
2021-11-23 15:04:03 +09:00
committed by GitHub
parent 034f9c0957
commit 015899bc51
2224 changed files with 2916 additions and 47186 deletions

@@ -0,0 +1,41 @@
title: CACTUSTORCH Remote Thread Creation
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019/02/01
description: Detects remote thread creation from CACTUSTORCH as described in references.
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
SourceImage:
- '*\System32\cscript.exe'
- '*\System32\wscript.exe'
- '*\System32\mshta.exe'
- '*\winword.exe'
- '*\excel.exe'
SELECTION_3:
TargetImage: '*\SysWOW64\\*'
SELECTION_4:
StartModule|re: ^$
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
level: high
logsource:
category: create_remote_thread
product: windows
modified: 2021/11/12
references:
- https://twitter.com/SBousseaden/status/1090588499517079552
- https://github.com/mdsecactivebreach/CACTUSTORCH
status: experimental
tags:
- attack.defense_evasion
- attack.t1093
- attack.t1055.012
- attack.execution
- attack.t1064
- attack.t1059.005
- attack.t1059.007
- attack.t1218.005
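Review bot: the tags block mixes retired ATT&CK IDs with their replacements: attack.t1093 (Process Hollowing) was retired in favour of attack.t1055.012, and attack.t1064 (Scripting) in favour of the attack.t1059.* sub-techniques, all of which are already listed, so the legacy IDs add nothing and will not resolve against a current ATT&CK release. Drop attack.t1093 and attack.t1064 unless a downstream consumer still indexes on the old numbers. Minor: falsepositives reads "unknown" here but "Unknown" in the other rules added by this commit; pick one spelling.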

@@ -0,0 +1,31 @@
title: CobaltStrike Process Injection
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
description: Detects a possible remote threat creation with certain characteristics
which are typical for Cobalt Strike beacons
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
StartAddress:
- '*0B80'
- '*0C7C'
- '*0C88'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
level: high
logsource:
category: create_remote_thread
product: windows
modified: 2021/11/20
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
status: experimental
tags:
- attack.defense_evasion
- attack.t1055
- attack.t1055.001
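Review bot: "remote threat creation" in the description should read "remote thread creation". On the logic, SELECTION_2 matches only the trailing hex digits of StartAddress ('*0B80', '*0C7C', '*0C88'), i.e. the low bytes of the thread entry point rather than a module or function, and since the second reference is the Cobalt Strike 3.11 release post the values are tied to a particular build generation. Say so in falsepositives or a notes field: any benign remote thread whose start address happens to end in one of those three values also fires, and "unknown" gives an analyst nothing to triage a level: high hit with.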

@@ -0,0 +1,29 @@
title: CreateRemoteThread API and LoadLibrary
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects potential use of CreateRemoteThread api and LoadLibrary function
to inject DLL into a process
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
StartModule: '*\kernel32.dll'
SELECTION_3:
StartFunction: LoadLibraryA
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
level: critical
logsource:
category: create_remote_thread
product: windows
modified: 2020/08/28
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1055
- attack.t1055.001
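Review bot: SELECTION_3 pins StartFunction to LoadLibraryA only, while the module matched in SELECTION_2 ('*\kernel32.dll') also exports LoadLibraryW and the LoadLibraryExA/LoadLibraryExW variants, so a remote thread started on any of those exports is missed; either turn SELECTION_3 into a list covering them or state in the description that only the ANSI entry point is covered. Also, level is critical while falsepositives is "Unknown" and the description says "potential use"; a critical severity should come with a stated false-positive expectation. Minor: "api" in the description should be "API".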

@@ -0,0 +1,32 @@
title: Password Dumper Remote Thread in LSASS
author: Thomas Patzke
date: 2017/02/19
description: Detects password dumper activity by monitoring remote thread creation
EventID 8 in combination with the lsass.exe process as TargetImage. The process
in field Process is the malicious program. A single execution can lead to hundreds
of events.
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
TargetImage: '*\lsass.exe'
SELECTION_3:
StartModule: ''
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Antivirus products
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
level: high
logsource:
category: create_remote_thread
product: windows
modified: 2021/06/21
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
status: stable
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
- attack.t1003.001
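Review bot: the description says "The process in field Process is the malicious program", but Sysmon Event ID 8 has no Process field; the injecting process is SourceImage, the counterpart of the TargetImage field used in SELECTION_2, and the description should name that field. SELECTION_3 writes "empty StartModule" as StartModule: '' whereas the CACTUSTORCH rule in this same commit writes the identical condition as StartModule|re: ^$; the two hunks should use one representation so the rule engine treats them the same way.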

@@ -0,0 +1,26 @@
title: Accessing WinAPI in PowerShell. Code Injection.
author: Nikita Nazarov, oscd.community
date: 2020/10/06
description: Detecting Code injection with PowerShell in another process
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
SourceImage: '*\powershell.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
level: high
logsource:
category: create_remote_thread
definition: Note that you have to configure logging for CreateRemoteThread in Symson
config
product: windows
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
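Review bot: "Symson" in logsource.definition should be "Sysmon". On logic, SELECTION_2 matches every Event ID 8 whose SourceImage ends in \powershell.exe with no constraint on TargetImage, StartModule or StartFunction, so this rule is a strict superset of the PowerShell Rundll32 Remote Thread Creation rule in this commit and both fire on the same event; that may be intended but deserves a line in the description, and falsepositives "Unknown" at level: high will be noisy wherever legitimate PowerShell tooling creates remote threads. This is also the only rule in the set without a modified field.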

@@ -0,0 +1,31 @@
title: PowerShell Rundll32 Remote Thread Creation
author: Florian Roth
date: 2018/06/25
description: Detects PowerShell remote thread creation in Rundll32.exe
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
SourceImage: '*\powershell.exe'
SELECTION_3:
TargetImage: '*\rundll32.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
level: high
logsource:
category: create_remote_thread
product: windows
modified: 2021/11/12
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1085
- attack.t1218.011
- attack.t1086
- attack.t1059.001
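Review bot: attack.t1085 and attack.t1086 are retired ATT&CK IDs whose replacements, attack.t1218.011 (Rundll32) and attack.t1059.001 (PowerShell), are already in the tags list; remove the legacy IDs unless a consumer still needs them. The description merely restates SELECTION_2 and SELECTION_3; a sentence on why a PowerShell-sourced thread inside rundll32.exe is suspicious would help an analyst triage a level: high hit.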

@@ -0,0 +1,88 @@
title: Suspicious Remote Thread Created
author: Perez Diego (@darkquassar), oscd.community
date: 2019/10/27
description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
however, this is still largely observed in the wild. This rule aims to detect suspicious
processes (those we would not expect to behave in this way like word.exe or outlook.exe)
creating remote threads on other processes. It is a generalistic rule, but it should
have a low FP ratio due to the selected range of processes.
detection:
SELECTION_1:
EventID: 8
SELECTION_2:
SourceImage:
- '*\bash.exe'
- '*\cvtres.exe'
- '*\defrag.exe'
- '*\dnx.exe'
- '*\esentutl.exe'
- '*\excel.exe'
- '*\expand.exe'
- '*\explorer.exe'
- '*\find.exe'
- '*\findstr.exe'
- '*\forfiles.exe'
- '*\git.exe'
- '*\gpupdate.exe'
- '*\hh.exe'
- '*\iexplore.exe'
- '*\installutil.exe'
- '*\lync.exe'
- '*\makecab.exe'
- '*\mDNSResponder.exe'
- '*\monitoringhost.exe'
- '*\msbuild.exe'
- '*\mshta.exe'
- '*\msiexec.exe'
- '*\mspaint.exe'
- '*\outlook.exe'
- '*\ping.exe'
- '*\powerpnt.exe'
- '*\powershell.exe'
- '*\provtool.exe'
- '*\python.exe'
- '*\regsvr32.exe'
- '*\robocopy.exe'
- '*\runonce.exe'
- '*\sapcimc.exe'
- '*\schtasks.exe'
- '*\smartscreen.exe'
- '*\spoolsv.exe'
- '*\tstheme.exe'
- '*\userinit.exe'
- '*\vssadmin.exe'
- '*\vssvc.exe'
- '*\w3wp.exe'
- '*\winlogon.exe'
- '*\winscp.exe'
- '*\wmic.exe'
- '*\word.exe'
- '*\wscript.exe'
SELECTION_3:
SourceImage: '*Visual Studio*'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- Unknown
fields:
- ComputerName
- User
- SourceImage
- TargetImage
id: 66d31e5f-52d6-40a4-9615-002d3789a119
level: high
logsource:
category: create_remote_thread
product: windows
modified: 2021/06/27
notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite
for process injection for .NET in-memory offensive tools.
references:
- Personal research, statistical analysis
- https://lolbas-project.github.io
status: experimental
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055
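Review bot: SELECTION_2 lists '*\word.exe', but the Microsoft Word binary is winword.exe (the CACTUSTORCH rule in this commit uses '*\winword.exe'), so that entry, and "word.exe" in the description, never match; change both to winword.exe. The description claims a low false-positive ratio while falsepositives says "Unknown"; the two should agree, and with explorer.exe, winlogon.exe, spoolsv.exe and powershell.exe in the list the claim needs a stated basis. SELECTION_3's '*Visual Studio*' exclusion makes sense for msbuild.exe and cvtres.exe under a Visual Studio install path, but because it matches the whole SourceImage path it also exempts any listed binary launched from a directory containing "Visual Studio"; a note that this is intended, or a narrower path pattern, would help.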