ルール更新 (#224)

2021-11-23 15:04:03 +09:00
parent 034f9c0957
commit 015899bc51
2224 changed files with 2916 additions and 47186 deletions
@@ -0,0 +1,63 @@
+
+title: WMI Modules Loaded
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects non wmiprvse loading WMI modules
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\wmiclnt.dll'
+    - '*\WmiApRpl.dll'
+    - '*\wmiprov.dll'
+    - '*\wmiutils.dll'
+    - '*\wbemcomn.dll'
+    - '*\wbemprox.dll'
+    - '*\WMINet_Utils.dll'
+    - '*\wbemsvc.dll'
+    - '*\fastprox.dll'
+  SELECTION_3:
+    Image:
+    - '*\WmiPrvSE.exe'
+    - '*\WmiApSrv.exe'
+    - '*\svchost.exe'
+    - '*\DeviceCensus.exe'
+    - '*\CompatTelRunner.exe'
+    - '*\sdiagnhost.exe'
+    - '*\SIHClient.exe'
+    - '*\ngentask.exe'
+    - '*\windows\system32\taskhostw.exe'
+    - '*\windows\system32\MoUsoCoreWorker.exe'
+    - '*\windows\system32\wbem\WMIADAP.exe'
+    - '*C:\Windows\Sysmon64.exe'
+    - '*C:\Windows\Sysmon.exe'
+    - '*C:\Windows\System32\wbem\unsecapp.exe'
+    - '*\logman.exe'
+    - '*\systeminfo.exe'
+    - '*\nvcontainer.exe'
+    - '*C:\Windows\System32\wbem\WMIC.exe'
+  SELECTION_4:
+    Image:
+    - C:\Program Files\\*
+    - C:\Program Files (x86)\\*
+  condition: (SELECTION_1 and (SELECTION_2 and  not (SELECTION_3)) and  not (SELECTION_4))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/20
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047