ルール更新 (#224)

rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml

@@ -0,0 +1,25 @@
+
+title: WMI Event Subscription
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+description: Detects creation of WMI event subscription persistence method
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- exclude legitimate (vetted) use of WMI event subscription in your network
+id: 0f06a3a5-6a09-413f-8743-e6cf35561297
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+status: experimental
+tags:
+- attack.t1084
+- attack.persistence
+- attack.t1546.003

rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml

@@ -0,0 +1,42 @@
+
+title: Suspicious Encoded Scripts in a WMI Consumer
+author: Florian Roth
+date: 2021/09/01
+description: Detects suspicious encoded payloads in WMI Event Consumers
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  SELECTION_4:
+    Destination:
+    - '*V3JpdGVQcm9jZXNzTWVtb3J5*'
+    - '*dyaXRlUHJvY2Vzc01lbW9ye*'
+    - '*Xcml0ZVByb2Nlc3NNZW1vcn*'
+    - '*VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZG*'
+    - '*RoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2Rl*'
+    - '*UaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZ*'
+    - '*VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVyIFdpbjMy*'
+    - '*RoaXMgcHJvZ3JhbSBtdXN0IGJlIHJ1biB1bmRlciBXaW4zM*'
+    - '*UaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMz*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- User
+- Operation
+id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+references:
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.persistence
+- attack.t1546.003

rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml

@@ -0,0 +1,59 @@
+
+title: Suspicious Scripting in a WMI Consumer
+author: Florian Roth, Jonhnathan Ribeiro
+date: 2019/04/15
+description: Detects suspicious scripting in WMI Event Consumers
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_10:
+    Destination:
+    - '* iex(*'
+    - '*WScript.shell*'
+    - '* -nop *'
+    - '* -noprofile *'
+    - '* -decode *'
+    - '* -enc *'
+  SELECTION_11:
+    Destination:
+    - '*WScript.Shell*'
+    - '*System.Security.Cryptography.FromBase64Transform*'
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  SELECTION_4:
+    Destination: '*new-object*'
+  SELECTION_5:
+    Destination: '*net.webclient*'
+  SELECTION_6:
+    Destination: '*.downloadstring*'
+  SELECTION_7:
+    Destination: '*new-object*'
+  SELECTION_8:
+    Destination: '*net.webclient*'
+  SELECTION_9:
+    Destination: '*.downloadfile*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and SELECTION_5
+    and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9) or SELECTION_10
+    or SELECTION_11))
+falsepositives:
+- Administrative scripts
+fields:
+- User
+- Operation
+id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+modified: 2021/09/01
+references:
+- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
+- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
+tags:
+- attack.t1086
+- attack.execution
+- attack.t1059.005