Rule update (#224)

Yamato Security
2021-11-23 15:04:03 +09:00
committed by GitHub
parent 034f9c0957
commit 015899bc51
2224 changed files with 2916 additions and 47186 deletions


@@ -0,0 +1,31 @@
title: Prefetch File Deletion
author: Cedric MAURUGEON
date: 2021/09/29
description: Detects the deletion of a prefetch file (AntiForensic)
detection:
SELECTION_1:
EventID: 23
SELECTION_2:
EventID: 26
SELECTION_3:
TargetFilename: C:\Windows\Prefetch\\*
SELECTION_4:
TargetFilename: '*.pf'
SELECTION_5:
Image: C:\windows\system32\svchost.exe
SELECTION_6:
User: NT AUTHORITY\SYSTEM
condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not
(SELECTION_5 and SELECTION_6))
falsepositives:
- Unknown
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
level: high
logsource:
category: file_delete
product: windows
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.004
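Review bot: SELECTION_3's value `C:\Windows\Prefetch\\*` is left unquoted while SELECTION_4 quotes `'*.pf'`; quote it the same way so the trailing `\\*` is read as an escaped backslash plus wildcard rather than depending on the YAML scalar parser. The `falsepositives: - Unknown` entry also contradicts the rule itself: the `not (SELECTION_5 and SELECTION_6)` exclusion already encodes the one expected benign source (prefetch housekeeping by `svchost.exe` running as `NT AUTHORITY\SYSTEM`), so name that case in `falsepositives` instead of "Unknown". Minor: `C:\windows\system32\svchost.exe` uses lowercase `windows` where SELECTION_3 uses `Windows`; pick one casing so the two paths read consistently.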


@@ -0,0 +1,30 @@
title: Sysinternals SDelete File Deletion
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection to trigger for the deletion of files by Sysinternals
SDelete. It looks for the common name pattern used to rename files.
detection:
SELECTION_1:
EventID: 23
SELECTION_2:
EventID: 26
SELECTION_3:
TargetFilename:
- '*.AAA'
- '*.ZZZ'
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
falsepositives:
- Legitime usage of SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
level: medium
logsource:
category: file_delete
product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.004
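Review bot: `- Legitime usage of SDelete` in `falsepositives` should read `Legitimate usage of SDelete`. Beyond the typo, the detection has no `Image` or process condition, so any deletion of a file ending in `.AAA` or `.ZZZ` by any process will match; the description "deletion of files by Sysinternals SDelete" therefore overstates what the selection checks. Either say in the description that the rule keys on the rename-pattern extensions alone, or add a selection on the deleting process so the title and the logic agree.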


@@ -0,0 +1,33 @@
title: Windows Spooler Service Suspicious File Deletion
author: Bhabesh Raj
date: 2021/07/01
description: Detect DLL deletions from Spooler Service driver folder
detection:
SELECTION_1:
EventID: 23
SELECTION_2:
EventID: 26
SELECTION_3:
Image: '*spoolsv.exe'
SELECTION_4:
TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*'
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
level: high
logsource:
category: file_delete
product: windows
modified: 2021/08/24
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
status: experimental
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574
- cve.2021.1675
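Review bot: the leading `*` in `TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*'` is redundant, since a full Windows path always begins with the drive letter; drop it so the value is an absolute-path prefix like the other file_delete rules in this commit. The description says "Detect DLL deletions", but SELECTION_4 matches any file deleted under that folder, not only `*.dll`; either add a `*.dll` condition to SELECTION_4 or reword the description to "file deletions". Also `modified: 2021/08/24` sits after `logsource` while `date:` sits near the top; keeping the metadata keys together makes the rule header easier to scan.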