Rule update (#224)

This commit is contained in:
Yamato Security
2021-11-23 15:04:03 +09:00
committed by GitHub
parent 034f9c0957
commit 015899bc51
2224 changed files with 2916 additions and 47186 deletions

View File

@@ -26,7 +26,7 @@ updated_date: 2020/11/8
* description [optional]: A description of the rule. This does not get displayed so you can make this long. * description [optional]: A description of the rule. This does not get displayed so you can make this long.
* author [optional]: The name of the person or persons who created the logic for the rule. * author [optional]: The name of the person or persons who created the logic for the rule.
* detection [required]: The detection logic goes here. * detection [required]: The detection logic goes here.
* falsepositives [optional]: The possibilities for false positives. For example: unknown、system administratornormal user usagenormal system usagelegacy applicationsecurity team. If it is unknown, write "unknown". * falsepositives [optional]: The possibilities for false positives. For example: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`. If it is unknown, write `unknown`.
* level [optional]: Risk level. Please write one of the following: `info`,`low`,`medium`,`high`,`critical` * level [optional]: Risk level. Please write one of the following: `info`,`low`,`medium`,`high`,`critical`
* output [required]: The details of the alert. (Please output any and only useful fields in the Windows event log for easy analysis.) * output [required]: The details of the alert. (Please output any and only useful fields in the Windows event log for easy analysis.)
* creation_date [optional]: The creation date. * creation_date [optional]: The creation date.
@@ -317,8 +317,8 @@ In addition, the following can be specified for the above operator:
* `<=`: If the value is less than or equal to the specified value, the condition is considered to have been met. * `<=`: If the value is less than or equal to the specified value, the condition is considered to have been met.
* `<`: If the value is less than the specified value, it will be treated as if the condition is met. * `<`: If the value is less than the specified value, it will be treated as if the condition is met.
# output notation # Alert details
You can specify the message that will be outputted when the detection condition is met. You can specify the message (alert details) that will be outputted when the detection condition is met.
In addition to outputting a fixed string, it is also possible to display the value in the event log by enclosing the eventkey in a `%`. In addition to outputting a fixed string, it is also possible to display the value in the event log by enclosing the eventkey in a `%`.
In the example below, the eventkey value ScriptBlockText is used in the message when a detection is made. In the example below, the eventkey value ScriptBlockText is used in the message when a detection is made.
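Review bot: the heading rename to "Alert details" leaves the section's opening sentence without the name of the field it documents; since the key is still `output` (see the `output [required]` bullet in the first hunk), open with "The `output` field specifies the message (alert details) that will be outputted when the detection condition is met." The `falsepositives` change is correct: the old text ran the values together with a full-width comma and no separators, and the backticked list now matches the canonical values the rules actually use. In the same context, the `output [required]` bullet's "Please output any and only useful fields" reads oddly; "Include only the event-log fields useful for analysis" says the same thing clearly.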

View File

@@ -1,18 +0,0 @@
title: Bits Job Creation
title_jp: Bits Jobの作成
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
author: James Takai, itiB
contributor: Zach Mathis
mitre_attack: T1197
level: medium
detection:
selection:
Channel: Microsoft-Windows-Bits-Client/Operational
EventID: 59
falsepositives:
- normal system usage
output: 'Job Title:%JobTitle% : URL:%Url%'
output_jp: 'Job名:%JobTitle% : URL:%Url%'
creation_date: 2021/07/15
updated_date: 2021/11/18
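Review bot: the commit message says only "Rule update", yet this and the following hunks delete whole rule files; the PR description should say whether these rules are retired or moved so the deletions can be reviewed against their replacements. In this file, `description_jp` repeats the English description verbatim instead of a Japanese translation; if the rule is being relocated, carry the translation into the new copy.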

View File

@@ -1,18 +0,0 @@
title: Sensitive Privilede Use (Mimikatz)
description: hogehoge
author: Eric Conrad, Zach Mathis
level: medium
detection:
selection:
Channel: Security
EventID: 4673
# condition: selection | count(EventID) > 4
falsepositives:
- unknown
output: |
Sensitive Privilege Use Exceeds Threshold
Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
UserName:%SubjectUserName% Domain Name:%DomainName%
creation_date: 2020/11/8
updated_date: 2020/11/8
comments:
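Review bot: deleting this rule is right as written, because the `count(EventID) > 4` condition is commented out, so it would have alerted on every single 4673 event at `medium` while the alert text claims a threshold was exceeded. The description is the placeholder `hogehoge`, the title and alert body misspell "privilege", and the trailing `comments:` key has no value. If a thresholded version is reintroduced it needs a working aggregation and should reference `%SubjectDomainName%`; `DomainName` is not a field of 4673.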

View File

@@ -1,21 +0,0 @@
title: An operation was attempted on a privileged object
description: hogehoge
author: Eric Conrad, Zach Mathis
level: informational
detection:
selection:
Channel: Security
EventID: 4674
ProcessName|re: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
AccessMask: '%%1539'
# condition: selection
falsepositives:
- unknown
output: |
Possible Hidden Service Attempt
User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
User: %SubjectUserName%
Target service:%ObjectName
Desired Access:WRITE_DAC
creation_date: 2020/11/8
updated_date: 2020/11/8
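Review bot: the output template `Target service:%ObjectName` is missing its closing `%`, so the field would never have been substituted. Two further defects to avoid if this logic comes back: the regex targets `SERVICE.EXE`, but the Service Control Manager binary is `services.exe`, so the rule cannot match a real 4674 event, and the backslashes in the path are unescaped regex metacharacters (`\W`, `\S`) rather than literal separators. Also, WRITE_DAC (`%%1539`) refers to the discretionary access control list, not "Dynamic Access Control" as the alert text says.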

View File

@@ -1,15 +0,0 @@
title: Hidden computer account created! (Possible Backdoor)
description: A local user account was created
author: Eric Conrad, Zach Mathis
level: high
detection:
selection:
Channel: Security
EventID: 4720
TargetUserName|endswith: "$"
falsepositives:
- unknown
output: 'User: %TargetUserName% : SID:%TargetSid%'
creation_date: 2020/11/8
updated_date: 2021/11/18
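Review bot: the description "A local user account was created" is copied from the generic 4720 rule and does not describe what this rule keys on, a `TargetUserName` ending in `$`, the naming convention for computer accounts; 4720 is also logged for domain accounts created on a domain controller, so "local" is too narrow. If the rule is re-added, the description should state the `$`-suffix logic and why a user-created account with that suffix suggests a hidden backdoor account.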

View File

@@ -1,16 +0,0 @@
title: User account created
description: A local user account was created
author: Eric Conrad, Zach Mathis
level: low
detection:
selection:
Channel: Security
EventID: 4720
filter:
TargetUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- unknown
output: 'User: %TargetUserName% : SID:%TargetSid%'
creation_date: 2020/11/8
updated_date: 2021/11/18

View File

@@ -1,15 +0,0 @@
title: User added to local Administrators group
description: A user was added to a group.
author: Eric Conrad, Zach Mathis
level: high
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Administrators
# condition: selection
falsepositives:
- unknown
output: 'User: %MemberName% : SID: %MemberSid%'
creation_date: 2020/11/8
updated_date: 2021/11/18
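Review bot: EventID 4728 is "A member was added to a security-enabled global group"; membership changes to the built-in Administrators group, which is a local (builtin) group, are logged as 4732. With `TargetUserName: Administrators` this rule therefore would not fire on the case its title describes. A replacement should select on 4732 (and on 4728/4732/4756 together only if the intent is any privileged group, with the group names adjusted per event).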

View File

@@ -1,15 +0,0 @@
title: User added to Administrators universal group.
description: hogehoge
author: Eric Conrad, Zach Mathis
level: high
detection:
selection:
Channel: Security
EventID: 4756
TargetUserName: Administrators
# condition: selection
falsepositives:
- unknown
output: 'UserName: %MemberName% : SID: %MemberSid%'
creation_date: 2020/11/8
updated_date: 2021/11/8
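Review bot: 4756 is the universal-group membership add, and the built-in Administrators group is a builtin local group, not a universal group, so `TargetUserName: Administrators` on 4756 cannot match. The description is the placeholder `hogehoge`. A single rule on 4732 for Administrators would cover the stated intent of this file and of the 4728 file above.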

View File

@@ -1,14 +0,0 @@
title: An account failed to log on
description: Logon Failure
ignore: true
author: Eric Conrad, Zach Mathis
detection:
selection:
Channel: Security
EventID: 4625
# condition: selection | count(TargetUserName) > 3
falsepositives:
- unknown
output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
creation_date: 2020/11/8
updated_date: 2020/11/8
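Review bot: for 4625 the account that failed to log on is `TargetUserName`; `SubjectUserName` is the account that requested the logon, often blank or the machine account, so the output template names the wrong field. The template also mixes the `event_data.` prefix with the bare field names every other rule here uses, `%count%` has nothing to populate it because the `count(TargetUserName) > 3` condition is commented out, and "faiures" is misspelled. Since `ignore: true` already disabled the rule, deleting it loses nothing.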

View File

@@ -1,14 +0,0 @@
title: An account failed to log on
description: hogehoge
ignore: true
author: Eric Conrad, Zach Mathis
detection:
selection:
Channel: Security
EventID: 4648
# condition: selection | count(TargetUserName) > 3
falsepositives:
- unknown
output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
creation_date: 2020/11/8
updated_date: 2020/11/8
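Review bot: the title "An account failed to log on" is copied from the 4625 rule, but 4648 is "A logon was attempted using explicit credentials", and the password-spray wording in the output describes a threshold this rule does not implement because the `count(TargetUserName) > 3` condition is commented out. The output string also contains `¥n` (yen sign, a Japanese-keyboard artifact) where `\n` was intended, `%TargetUserName$` has `$` where the closing `%` belongs, and `SubjectDomainName` is labelled "Accessing Host Name" although it is the subject's domain; for 4648 the remote host is `TargetServerName`.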

View File

@@ -1,15 +0,0 @@
title: Command Line Logging
description: Command Line Logging
ignore: true
author: Eric Conrad, Zach Mathis
detection:
selection:
Channel: Security
EventID: 4672
PrivilegeList|contains: SeDebugPrivilege
# condition: selection
falsepositives:
- unknown
output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%'
creation_date: 2020/11/8
updated_date: 2020/11/8
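Review bot: the title is "Command Line Logging" and the output references `%CommandLine%` and `%ParentProcessName%`, but 4672 ("Special privileges assigned to new logon") carries only the Subject fields, `SubjectLogonId` and `PrivilegeList`; neither placeholder exists in that event, so the alert would print unresolved names. `PrivilegeList|contains: SeDebugPrivilege` on its own fires for every administrative logon, which is presumably why `ignore: true` was set. If revived, retitle it and output `%SubjectUserName%` and `%PrivilegeList%`.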

View File

@@ -1,15 +0,0 @@
title: Command line execution
description: Command line execution
author: Eric Conrad, Zach Mathis
detection:
selection:
Channel: Sysmon
EventID: 1
CommandLine|re: '.+'
# condition: selection
falsepositives:
- unknown
output: 'CommandLine: %CommandLine% : ParentImage:%ParentImage%'
creation_date: 2020/11/8
uodated_date: 2021/11/8
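Review bot: `CommandLine|re: '.+'` matches any non-empty command line, so this rule alerts on every Sysmon EventID 1 with no `level` set, which floods the output with no detection value; deleting it is the right call, and a process-creation rule needs a real suspicious-pattern selection. The trailing key is misspelled `uodated_date` (the same typo appears in several of the deleted rules), which a schema check would reject.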

View File

@@ -1,14 +0,0 @@
title: Unsigned EXEs/DLLs
description: Detects usage of unsigned exe and dlls.
author: Eric Conrad, Zach Mathis
detection:
selection:
Channel: Sysmon
EventID: 7
Signed: "false" # Compare by string
# condition: selection
falsepositives:
- unknown
output: 'Unsigned Image(DLL): %event_data.Image : Command: %event_data.ImageLoaded%'
creation_date: 2020/11/8
uodated_date: 2021/11/8
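Review bot: the output labels are swapped relative to Sysmon EventID 7: `Image` is the process that loaded the module and `ImageLoaded` is the DLL path, so "Unsigned Image(DLL): %event_data.Image" and "Command: %event_data.ImageLoaded%" mislabel both, and the first placeholder is missing its closing `%` and uses the `event_data.` prefix no other field here uses. `Signed: "false"` as a string compare is correct for Sysmon's text field, but with no `filter` at all the rule alerts on every unsigned load. `uodated_date` is misspelled.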

View File

@@ -1,16 +0,0 @@
title: Interactive service may not function properly
description: Uses a blocklist of suspicious services to detect malware. 7030 happens when a service is marked as an interactive service but the system is not configured to allow interactive services so it might not function properly.
author: Eric Conrad, Zach Mathis
level: low
detection:
selection:
Channel: System
EventID: 7030
param1:
regexes: ./config/regex/regexes_suspicous_service.txt
# condition: selection
falsepositives:
- unknown
output: 'Service: %ServiceName%'
creation_date: 2020/11/8
uodated_date: 2020/11/8
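Review bot: the output uses `%ServiceName%`, but EventID 7030 in the System log carries the service name as `param1`, the very field the selection matches on, so the alert text would print the placeholder unresolved; `%param1%` is what the 7040 rule in this set uses. The `regexes:` path is spelled `regexes_suspicous_service.txt`; confirm the file on disk has the same spelling, since a mismatch fails silently. `uodated_date` is misspelled.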

View File

@@ -1,18 +0,0 @@
title: Windows Event Log service start type changed from auto start to disabled
description: Possible anti-forensics disabling the log service.
author: Eric Conrad, Zach Mathis
level: high
detection:
selection:
Channel: System
EventID: 7040
param1: 'Windows Event Log'
param2:
- "disabled"
- "auto start"
condition: selection
falsepositives:
- unknown
output: 'Service: %param1%'
creation_date: 2020/11/8
uodated_date: 2021/11/8
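Review bot: the `param2` list is an OR over `"disabled"` and `"auto start"`, and nothing constrains `param3`. In the 7040 message "The start type of the %1 service was changed from %2 to %3", `param2` is the old start type, so this rule fires on any change whose previous start type was either value, including the benign disabled-to-auto-start direction, and does not check that the new type is disabled. To match the title, put `param2: 'auto start'` and `param3: 'disabled'` in the same selection. `uodated_date` is misspelled.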

View File

@@ -1,19 +0,0 @@
title: Service installed
description: A service was installed. Malware often will install itself as malware.
author: Eric Conrad, Zach Mathis
level: low
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
regexes: ./config/regex/regexes_suspicous_service.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
condition: selection
falsepositives:
- unknown
output: 'Service: %ServiceName% : Image path: %ImagePath'
creation_date: 2020/11/8
uodated_date: 2021/11/8
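Review bot: `%ImagePath` at the end of the output template is missing its closing `%`. The description "Malware often will install itself as malware" should read "as a service". If the engine ANDs the keys of a selection as Sigma does, a 7045 event must have both a suspicious `ServiceName` and an `ImagePath` of at least 1000 characters that is not allowlisted, which is far narrower than the title suggests; if the intent is "suspicious name OR very long image path", those belong in separate selections joined with `or` in `condition`. `uodated_date` is misspelled.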

View File

@@ -1,55 +0,0 @@
title: Antivirus Exploitation Framework Detection
author: Florian Roth
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports an exploitation
framework
detection:
SELECTION_1:
Signature: '*MeteTool*'
SELECTION_10:
Signature: '*CobaltStr*'
SELECTION_11:
Signature: '*COBEACON*'
SELECTION_12:
Signature: '*Cometer*'
SELECTION_13:
Signature: '*Razy*'
SELECTION_2:
Signature: '*MPreter*'
SELECTION_3:
Signature: '*Meterpreter*'
SELECTION_4:
Signature: '*Metasploit*'
SELECTION_5:
Signature: '*PowerSploit*'
SELECTION_6:
Signature: '*CobaltSrike*'
SELECTION_7:
Signature: '*Swrort*'
SELECTION_8:
Signature: '*Rozena*'
SELECTION_9:
Signature: '*Backdoor.Cobalt*'
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13)
falsepositives:
- Unlikely
fields:
- FileName
- User
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
level: critical
logsource:
product: antivirus
modified: 2019/01/16
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.execution
- attack.t1203
- attack.command_and_control
- attack.t1219
yml_filename: av_exploiting.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
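Review bot: this converted rule has no `Channel` or `EventID` and its only matched field is `Signature` under `logsource.product: antivirus`, so there is no Windows event log record it could be evaluated against, and `yml_path` leaks an absolute path from the converter's machine (`/Users/user/Documents/...`). Removing the antivirus-product conversions is correct; if the converter is rerun, it should skip non-Windows logsources and drop `yml_path` from its output.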

View File

@@ -1,33 +0,0 @@
title: Antivirus Hacktool Detection
author: Florian Roth
date: 2021/08/16
description: Detects a highly relevant Antivirus alert that reports a hack tool or
other attack tool
detection:
SELECTION_1:
Signature: HTOOL*
SELECTION_2:
Signature: HKTL*
SELECTION_3:
Signature: SecurityTool*
SELECTION_4:
Signature: ATK/*
SELECTION_5:
Signature: '*Hacktool*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) or (SELECTION_5))
falsepositives:
- Unlikely
fields:
- FileName
- User
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
level: high
logsource:
product: antivirus
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
tags:
- attack.execution
yml_filename: av_hacktool.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware

View File

@@ -1,54 +0,0 @@
title: Antivirus Password Dumper Detection
author: Florian Roth
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports a password dumper
detection:
SELECTION_1:
Signature: '*DumpCreds*'
SELECTION_10:
Signature: '*Kekeo*'
SELECTION_11:
Signature: '*LsassDump*'
SELECTION_12:
Signature: '*Outflank*'
SELECTION_2:
Signature: '*Mimikatz*'
SELECTION_3:
Signature: '*PWCrack*'
SELECTION_4:
Signature: '*HTool/WCE*'
SELECTION_5:
Signature: '*PSWtool*'
SELECTION_6:
Signature: '*PWDump*'
SELECTION_7:
Signature: '*SecurityTool*'
SELECTION_8:
Signature: '*PShlSpy*'
SELECTION_9:
Signature: '*Rubeus*'
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12)
falsepositives:
- Unlikely
fields:
- FileName
- User
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
level: critical
logsource:
product: antivirus
modified: 2019/10/04
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
tags:
- attack.credential_access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
yml_filename: av_password_dumper.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware

View File

@@ -1,31 +0,0 @@
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
author: Sittikorn S, Nuttakorn T
date: 2021/07/01
description: Detects the suspicious file that is created from PoC code against Windows
Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
CVE-2021-1675 .
detection:
SELECTION_1:
FileName: '*C:\Windows\System32\spool\drivers\x64\\*'
condition: SELECTION_1
falsepositives:
- Unlikely
fields:
- Signature
- FileName
- ComputerName
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
level: critical
logsource:
product: antivirus
references:
- https://twitter.com/mvelazco/status/1410291741241102338
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
status: stable
tags:
- attack.privilege_escalation
- attack.t1055
yml_filename: av_printernightmare_cve_2021_34527.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware

View File

@@ -1,137 +0,0 @@
title: Antivirus Relevant File Paths Alerts
author: Florian Roth, Arnim Rupp
date: 2018/09/09
description: Detects an Antivirus alert in a highly relevant file path or with a relevant
file name
detection:
SELECTION_1:
FileName: C:\Windows\\*
SELECTION_10:
FileName: '*apache*'
SELECTION_11:
FileName: '*tomcat*'
SELECTION_12:
FileName: '*nginx*'
SELECTION_13:
FileName: '*weblogic*'
SELECTION_14:
Filename: '*.ps1'
SELECTION_15:
Filename: '*.psm1'
SELECTION_16:
Filename: '*.vbs'
SELECTION_17:
Filename: '*.bat'
SELECTION_18:
Filename: '*.cmd'
SELECTION_19:
Filename: '*.sh'
SELECTION_2:
FileName: C:\Temp\\*
SELECTION_20:
Filename: '*.chm'
SELECTION_21:
Filename: '*.xml'
SELECTION_22:
Filename: '*.txt'
SELECTION_23:
Filename: '*.jsp'
SELECTION_24:
Filename: '*.jspx'
SELECTION_25:
Filename: '*.asp'
SELECTION_26:
Filename: '*.aspx'
SELECTION_27:
Filename: '*.ashx'
SELECTION_28:
Filename: '*.asax'
SELECTION_29:
Filename: '*.asmx'
SELECTION_3:
FileName: C:\PerfLogs\\*
SELECTION_30:
Filename: '*.php'
SELECTION_31:
Filename: '*.cfm'
SELECTION_32:
Filename: '*.py'
SELECTION_33:
Filename: '*.pyc'
SELECTION_34:
Filename: '*.pl'
SELECTION_35:
Filename: '*.rb'
SELECTION_36:
Filename: '*.cgi'
SELECTION_37:
Filename: '*.war'
SELECTION_38:
Filename: '*.ear'
SELECTION_39:
Filename: '*.hta'
SELECTION_4:
FileName: C:\Users\Public\\*
SELECTION_40:
Filename: '*.lnk'
SELECTION_41:
Filename: '*.scf'
SELECTION_42:
Filename: '*.sct'
SELECTION_43:
Filename: '*.vbe'
SELECTION_44:
Filename: '*.wsf'
SELECTION_45:
Filename: '*.wsh'
SELECTION_46:
Filename: '*.gif'
SELECTION_47:
Filename: '*.png'
SELECTION_48:
Filename: '*.jpg'
SELECTION_49:
Filename: '*.jpeg'
SELECTION_5:
FileName: C:\Users\Default\\*
SELECTION_50:
Filename: '*.svg'
SELECTION_51:
Filename: '*.dat'
SELECTION_6:
FileName: '*\Client\\*'
SELECTION_7:
FileName: '*\tsclient\\*'
SELECTION_8:
FileName: '*\inetpub\\*'
SELECTION_9:
FileName: '*/www/*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13) or (SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
or SELECTION_51))
falsepositives:
- Unlikely
fields:
- Signature
- User
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
level: high
logsource:
product: antivirus
modified: 2021/05/09
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
tags:
- attack.resource_development
- attack.t1588
yml_filename: av_relevant_files.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
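Review bot: the field name is inconsistent within the file: SELECTION_1 through SELECTION_13 use `FileName`, SELECTION_14 through SELECTION_51 use `Filename`. If field matching is case-sensitive, the 38 extension-based selections never match and the condition degrades to the path-based ones. The rule shares the `product: antivirus` / no `Channel` problem of the other AV conversions, so deleting it is fine, but the casing bug is worth reporting upstream in the Sigma source.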

View File

@@ -1,126 +0,0 @@
title: Antivirus Web Shell Detection
author: Florian Roth, Arnim Rupp
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports a web shell. It's
highly recommended to tune this rule to the specific strings used by your anti
virus solution by downloading a big webshell repo from e.g. github and checking
the matches.
detection:
SELECTION_1:
Signature: PHP/*
SELECTION_10:
Signature: IIS/BackDoor*
SELECTION_11:
Signature: JAVA/Backdoor*
SELECTION_12:
Signature: Troj/ASP*
SELECTION_13:
Signature: Troj/PHP*
SELECTION_14:
Signature: Troj/JSP*
SELECTION_15:
Signature: '*Webshell*'
SELECTION_16:
Signature: '*Chopper*'
SELECTION_17:
Signature: '*SinoChoper*'
SELECTION_18:
Signature: '*ASPXSpy*'
SELECTION_19:
Signature: '*Aspdoor*'
SELECTION_2:
Signature: JSP/*
SELECTION_20:
Signature: '*filebrowser*'
SELECTION_21:
Signature: '*PHP_*'
SELECTION_22:
Signature: '*JSP_*'
SELECTION_23:
Signature: '*ASP_*'
SELECTION_24:
Signature: '*PHP:*'
SELECTION_25:
Signature: '*JSP:*'
SELECTION_26:
Signature: '*ASP:*'
SELECTION_27:
Signature: '*Perl:*'
SELECTION_28:
Signature: '*PHPShell*'
SELECTION_29:
Signature: '*Trojan.PHP*'
SELECTION_3:
Signature: ASP/*
SELECTION_30:
Signature: '*Trojan.ASP*'
SELECTION_31:
Signature: '*Trojan.JSP*'
SELECTION_32:
Signature: '*Trojan.VBS*'
SELECTION_33:
Signature: '*PHP?Agent*'
SELECTION_34:
Signature: '*ASP?Agent*'
SELECTION_35:
Signature: '*JSP?Agent*'
SELECTION_36:
Signature: '*VBS?Agent*'
SELECTION_37:
Signature: '*Backdoor?PHP*'
SELECTION_38:
Signature: '*Backdoor?JSP*'
SELECTION_39:
Signature: '*Backdoor?ASP*'
SELECTION_4:
Signature: Perl/*
SELECTION_40:
Signature: '*Backdoor?VBS*'
SELECTION_41:
Signature: '*Backdoor?Java*'
SELECTION_5:
Signature: PHP.*
SELECTION_6:
Signature: JSP.*
SELECTION_7:
Signature: ASP.*
SELECTION_8:
Signature: Perl.*
SELECTION_9:
Signature: VBS/Uxor*
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14) or (SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
or SELECTION_41))
falsepositives:
- Unlikely
fields:
- FileName
- User
id: fdf135a2-9241-4f96-a114-bb404948f736
level: critical
logsource:
product: antivirus
modified: 2021/05/08
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
yml_filename: av_webshell.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
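Review bot: the tags list both `attack.t1100` and `attack.t1505.003`; T1100 (Web Shell) was revoked by MITRE in favor of T1505.003, so only the latter should remain. SELECTION_33 through SELECTION_41 rely on `?` as a single-character wildcard (`*PHP?Agent*`); confirm the matching engine supports `?` and not only `*`, otherwise these nine patterns silently match nothing.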

View File

@@ -1,75 +0,0 @@
title: Suspicious DNS Query for IP Lookup Service APIs
author: Brandon George (blog post), Thomas Patzke (rule)
date: 2021/07/08
description: Detects DNS queries for ip lookup services such as api.ipify.org not
originating from a browser process.
detection:
SELECTION_1:
EventID: 22
SELECTION_10:
QueryName: api.ipify.org
SELECTION_11:
QueryName: ip-api.com
SELECTION_12:
QueryName: checkip.amazonaws.com
SELECTION_13:
QueryName: ipecho.net
SELECTION_14:
QueryName: ipinfo.io
SELECTION_15:
QueryName: ipv4bot.whatismyipaddress.com
SELECTION_16:
QueryName: freegeoip.app
SELECTION_17:
Image: '*\chrome.exe'
SELECTION_18:
Image: '*\iexplore.exe'
SELECTION_19:
Image: '*\firefox.exe'
SELECTION_2:
QueryName: canireachthe.net
SELECTION_20:
Image: '*\brave.exe'
SELECTION_21:
Image: '*\opera.exe'
SELECTION_22:
Image: '*\msedge.exe'
SELECTION_23:
Image: '*\vivaldi.exe'
SELECTION_3:
QueryName: ipv4.icanhazip.com
SELECTION_4:
QueryName: ip.anysrc.net
SELECTION_5:
QueryName: edns.ip-api.com
SELECTION_6:
QueryName: wtfismyip.com
SELECTION_7:
QueryName: checkip.dyndns.org
SELECTION_8:
QueryName: api.2ip.ua
SELECTION_9:
QueryName: icanhazip.com
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16) and not ((SELECTION_17 or SELECTION_18 or SELECTION_19 or
SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23)))
falsepositives:
- Legitimate usage of ip lookup services such as ipify API
id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
level: medium
logsource:
category: dns_query
product: windows
modified: 2021/09/10
references:
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
- https://twitter.com/neonprimetime/status/1436376497980428318
status: experimental
tags:
- attack.reconnaissance
- attack.t1590
yml_filename: dns_net_susp_ipify.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
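Review bot: the conversion keeps `EventID: 22` but drops the logsource without emitting a `Channel`, so nothing pins this to `Microsoft-Windows-Sysmon/Operational`; event ID 22 from any other channel would be tested against `QueryName` and `Image`. The browser exclusion (SELECTION_17 through SELECTION_23) is a fixed list of seven image suffixes, and a `*\chrome.exe` suffix is satisfied by any binary renamed to `chrome.exe`, which `falsepositives` should acknowledge.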

View File

@@ -1,29 +0,0 @@
title: DNS HybridConnectionManager Service Bus
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
description: Detects Azure Hybrid Connection Manager services querying the Azure service
bus service
detection:
SELECTION_1:
EventID: 22
SELECTION_2:
QueryName: '*servicebus.windows.net*'
SELECTION_3:
Image: '*HybridConnectionManager*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
level: high
logsource:
category: dns_query
product: windows
modified: 2021/06/10
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
status: experimental
tags:
- attack.persistence
yml_filename: dns_query_hybridconnectionmgr_servicebus.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query

View File

@@ -1,26 +0,0 @@
title: DNS Query for MEGA.io Upload Domain
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/26
description: Detects DNS queries for subdomains used for upload to MEGA.io
detection:
SELECTION_1:
EventID: 22
SELECTION_2:
QueryName: '*userstorage.mega.co.nz*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate Mega upload
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
level: high
logsource:
category: dns_query
product: windows
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
status: experimental
tags:
- attack.exfiltration
- attack.t1567.002
yml_filename: dns_query_mega_nz.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query

View File

@@ -1,118 +0,0 @@
title: Possible DNS Rebinding
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
description: Detects several different DNS-answers by one domain with IPs from internal
and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will
saved in host cache for a while TTL).
detection:
SELECTION_1:
EventID: 22
SELECTION_10:
QueryResults: (::ffff:)?172.20.*
SELECTION_11:
QueryResults: (::ffff:)?172.21.*
SELECTION_12:
QueryResults: (::ffff:)?172.22.*
SELECTION_13:
QueryResults: (::ffff:)?172.23.*
SELECTION_14:
QueryResults: (::ffff:)?172.24.*
SELECTION_15:
QueryResults: (::ffff:)?172.25.*
SELECTION_16:
QueryResults: (::ffff:)?172.26.*
SELECTION_17:
QueryResults: (::ffff:)?172.27.*
SELECTION_18:
QueryResults: (::ffff:)?172.28.*
SELECTION_19:
QueryResults: (::ffff:)?172.29.*
SELECTION_2:
QueryName: '*'
SELECTION_20:
QueryResults: (::ffff:)?172.30.*
SELECTION_21:
QueryResults: (::ffff:)?172.31.*
SELECTION_22:
QueryResults: (::ffff:)?127.*
SELECTION_23:
QueryName: '*'
SELECTION_24:
QueryStatus: '0'
SELECTION_25:
QueryResults: (::ffff:)?10.*
SELECTION_26:
QueryResults: (::ffff:)?192.168.*
SELECTION_27:
QueryResults: (::ffff:)?172.16.*
SELECTION_28:
QueryResults: (::ffff:)?172.17.*
SELECTION_29:
QueryResults: (::ffff:)?172.18.*
SELECTION_3:
QueryStatus: '0'
SELECTION_30:
QueryResults: (::ffff:)?172.19.*
SELECTION_31:
QueryResults: (::ffff:)?172.20.*
SELECTION_32:
QueryResults: (::ffff:)?172.21.*
SELECTION_33:
QueryResults: (::ffff:)?172.22.*
SELECTION_34:
QueryResults: (::ffff:)?172.23.*
SELECTION_35:
QueryResults: (::ffff:)?172.24.*
SELECTION_36:
QueryResults: (::ffff:)?172.25.*
SELECTION_37:
QueryResults: (::ffff:)?172.26.*
SELECTION_38:
QueryResults: (::ffff:)?172.27.*
SELECTION_39:
QueryResults: (::ffff:)?172.28.*
SELECTION_4:
QueryResults: (::ffff:)?10.*
SELECTION_40:
QueryResults: (::ffff:)?172.29.*
SELECTION_41:
QueryResults: (::ffff:)?172.30.*
SELECTION_42:
QueryResults: (::ffff:)?172.31.*
SELECTION_43:
QueryResults: (::ffff:)?127.*
SELECTION_5:
QueryResults: (::ffff:)?192.168.*
SELECTION_6:
QueryResults: (::ffff:)?172.16.*
SELECTION_7:
QueryResults: (::ffff:)?172.17.*
SELECTION_8:
QueryResults: (::ffff:)?172.18.*
SELECTION_9:
QueryResults: (::ffff:)?172.19.*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22) and (SELECTION_23 and SELECTION_24) and not
((SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29
or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34
or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39
or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43)))| count(QueryName)
by ComputerName > 3
id: eb07e747-2552-44cd-af36-b659ae0958e4
level: medium
logsource:
category: dns_query
product: windows
modified: 2020/08/28
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
status: experimental
tags:
- attack.initial_access
- attack.t1189
yml_filename: dns_query_possible_dns_rebinding.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
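Review bot: the condition can never be true. SELECTION_4 through SELECTION_22 and SELECTION_25 through SELECTION_43 are the same nineteen private/loopback `QueryResults` patterns, and the condition requires `(SELECTION_4 or ... or SELECTION_22) and not (SELECTION_25 or ... or SELECTION_43)`, that is, X and not X. Detecting rebinding needs a correlation of an internal and an external answer for the same `QueryName` over time; what survived conversion is a self-contradiction, with the `| count(QueryName) by ComputerName > 3` aggregation left dangling at the end of `condition`, which a plain boolean evaluator will not honor. Deleting is right; the converter cannot fix this one.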

View File

@@ -1,42 +0,0 @@
title: Regsvr32 Network Activity
author: Dmitriy Lifanov, oscd.community
date: 2019/10/25
description: Detects network connections and DNS queries initiated by Regsvr32.exe
detection:
SELECTION_1:
EventID: 22
SELECTION_2:
Image: '*\regsvr32.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- ComputerName
- User
- Image
- DestinationIp
- DestinationPort
id: 36e037c4-c228-4866-b6a3-48eb292b9955
level: high
logsource:
category: dns_query
product: windows
modified: 2021/09/21
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
related:
- id: c7e91a02-d771-4a6d-a700-42587e0b1095
type: derived
status: experimental
tags:
- attack.execution
- attack.t1559.001
- attack.t1175
- attack.defense_evasion
- attack.t1218.010
- attack.t1117
yml_filename: dns_query_regsvr32_network_activity.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query
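Review bot: the `fields` list includes `DestinationIp` and `DestinationPort`, which are Sysmon network-connection (EventID 3) fields; this rule matches EventID 22 (DNS query), whose relevant fields are `QueryName` and `QueryResults`. The tags carry revoked technique IDs alongside their replacements (`t1117` replaced by `t1218.010`, `t1175` replaced by `t1559.001`); keep only the current ones. As with the other DNS conversions there is no `Channel`, so EventID 22 is not pinned to Sysmon.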

View File

@@ -1,52 +0,0 @@
title: Credential Dumping Tools Service Execution
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
description: Detects well-known credential dumping tools execution via service execution
events
detection:
SELECTION_1:
EventID: 6
SELECTION_2:
ImageLoaded: '*fgexec*'
SELECTION_3:
ImageLoaded: '*dumpsvc*'
SELECTION_4:
ImageLoaded: '*cachedump*'
SELECTION_5:
ImageLoaded: '*mimidrv*'
SELECTION_6:
ImageLoaded: '*gsecdump*'
SELECTION_7:
ImageLoaded: '*servpw*'
SELECTION_8:
ImageLoaded: '*pwdump*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
level: critical
logsource:
category: driver_load
product: windows
modified: 2021/11/10
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
tags:
- attack.credential_access
- attack.execution
- attack.t1003
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1035
- attack.t1569.002
- attack.s0005
yml_filename: driver_load_mal_creddumper.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
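Review bot: the title and description say "Service Execution" but the rule matches Sysmon EventID 6 (driver load) on `ImageLoaded`; the `related` entry marks it as derived from the service-installation rule, which explains the wording but leaves the description misleading for a driver-load rule (`mimidrv` is the only entry that is actually a driver). Tags include `attack.t1035`, revoked in favor of `attack.t1569.002`, which is already listed.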

View File

@@ -1,69 +0,0 @@
title: Meterpreter or Cobalt Strike Getsystem Service Installation
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
a specific service installation
detection:
SELECTION_1:
EventID: 6
SELECTION_10:
ImagePath: '*cmd.exe*'
SELECTION_11:
ImagePath: '*/c*'
SELECTION_12:
ImagePath: '*echo*'
SELECTION_13:
ImagePath: '*\pipe\\*'
SELECTION_14:
ImagePath: '*rundll32*'
SELECTION_15:
ImagePath: '*.dll,a*'
SELECTION_16:
ImagePath: '*/p:*'
SELECTION_2:
ImagePath: '*cmd*'
SELECTION_3:
ImagePath: '*/c*'
SELECTION_4:
ImagePath: '*echo*'
SELECTION_5:
ImagePath: '*\pipe\\*'
SELECTION_6:
ImagePath: '*%COMSPEC%*'
SELECTION_7:
ImagePath: '*/c*'
SELECTION_8:
ImagePath: '*echo*'
SELECTION_9:
ImagePath: '*\pipe\\*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)
or (SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14
and SELECTION_15 and SELECTION_16)))
falsepositives:
- Highly unlikely
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ImagePath
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
level: critical
logsource:
category: driver_load
product: windows
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
tags:
- attack.privilege_escalation
- attack.t1134
- attack.t1134.001
- attack.t1134.002
yml_filename: driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
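Review bot: every selection in this hunk tests `ImagePath`, which is a field of service-installation events (System log event 7045), yet the `logsource` is `category: driver_load` with `EventID: 6`; Sysmon DriverLoad events carry `ImageLoaded`, not `ImagePath`, so this converted rule could never fire and dropping it is correct, provided the service-installation variant it was derived from (see the `related` id) survives elsewhere. Note also that `SELECTION_3`/`_7`/`_11` (`*/c*`), `_4`/`_8`/`_12` (`*echo*`) and `_5`/`_9`/`_13` (`*\pipe\\*`) are identical; a regenerated version should collapse the duplicates.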


@@ -1,32 +0,0 @@
title: PowerShell Scripts Run by a Services
author: oscd.community, Natalia Shornikova
date: 2020/10/06
description: Detects powershell script installed as a Service
detection:
SELECTION_1:
EventID: 6
SELECTION_2:
ImageLoaded: '*powershell*'
SELECTION_3:
ImageLoaded: '*pwsh*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
level: high
logsource:
category: driver_load
product: windows
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
type: derived
status: experimental
tags:
- attack.execution
- attack.t1569.002
yml_filename: driver_load_powershell_script_installed_as_service.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
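Review bot: this rule cannot match on the data it is bound to: `category: driver_load` with `EventID: 6` is Sysmon DriverLoad, and a PowerShell host binary (`*powershell*`, `*pwsh*` in `ImageLoaded`) is not a kernel driver, so the detection the title and description describe (a PowerShell script installed as a service) would never trigger here. Removing it is the right call; confirm the service-installation sibling referenced under `related` is kept so coverage is not lost.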


@@ -1,26 +0,0 @@
title: Suspicious Driver Load from Temp
author: Florian Roth
date: 2017/02/12
description: Detects a driver load from a temporary directory
detection:
SELECTION_1:
EventID: 6
SELECTION_2:
ImageLoaded: '*\Temp\\*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
level: high
logsource:
category: driver_load
product: windows
modified: 2020/08/23
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- attack.t1543.003
yml_filename: driver_load_susp_temp_use.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load


@@ -1,39 +0,0 @@
title: Vulnerable Dell BIOS Update Driver Load
author: Florian Roth
date: 2021/05/05
description: Detects the load of the vulnerable Dell BIOS update driver as reported
in CVE-2021-21551
detection:
SELECTION_1:
EventID: 6
SELECTION_2:
ImageLoaded: '*\DBUtil_2_3.Sys*'
SELECTION_3:
Hashes: '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*'
SELECTION_4:
Hashes: '*c948ae14761095e4d76b55d9de86412258be7afd*'
SELECTION_5:
Hashes: '*c996d7971c49252c582171d9380360f2*'
SELECTION_6:
Hashes: '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*'
SELECTION_7:
Hashes: '*10b30bdee43b3a2ec4aa63375577ade650269d25*'
SELECTION_8:
Hashes: '*d2fd132ab7bbc6bbb87a84f026fa0244*'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8)))
falsepositives:
- legitimate BIOS driver updates (should be rare)
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
level: high
logsource:
category: driver_load
product: windows
references:
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
tags:
- attack.privilege_escalation
- cve.2021.21551
yml_filename: driver_load_vuln_dell_driver.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load


@@ -1,32 +0,0 @@
title: WinDivert Driver Load
author: Florian Roth
date: 2021/07/30
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
package for Windows
detection:
SELECTION_1:
EventID: 6
SELECTION_2:
ImageLoaded: '*\WinDivert.sys*'
SELECTION_3:
ImageLoaded: '*\WinDivert64.sys*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- legitimate WinDivert driver usage
id: 679085d5-f427-4484-9f58-1dc30a7c426d
level: high
logsource:
category: driver_load
product: windows
references:
- https://reqrypt.org/windivert-doc.html
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
status: experimental
tags:
- attack.collection
- attack.defense_evasion
- attack.t1599.001
- attack.t1557.001
yml_filename: driver_load_windivert.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load


@@ -1,41 +0,0 @@
title: EDR WMI Command Execution by Office Applications
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Initial execution of malicious document calls wmic Win32_Process::Create
to execute the file with regsvr32
detection:
SELECTION_1:
EventLog: EDR
SELECTION_2:
EventType: WMIExecution
SELECTION_3:
WMIcommand: '*Win32_Process\:\:Create*'
SELECTION_4:
Image: '*\winword.exe'
SELECTION_5:
Image: '*\excel.exe'
SELECTION_6:
Image: '*\powerpnt.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
or SELECTION_6))
falsepositives:
- Unknown
id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
level: high
logsource:
category: edr
product: windows
modified: 2021/11/09
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
yml_filename: edr_command_execution_by_office_applications.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/edr
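Review bot: the removal is justified by the fields in the hunk: `EventLog: EDR`, `EventType: WMIExecution` and `WMIcommand` describe generic EDR telemetry (`category: edr`), not fields of a Windows event log channel, so a rule engine reading evtx input has nothing to match them against and the rule would sit in the set as dead weight at `level: high`.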


@@ -1,35 +0,0 @@
title: Advanced IP Scanner
author: '@ROxPinTeddy'
date: 2020/05/12
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
ransomware groups.
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative use
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
level: medium
logsource:
category: file_event
product: windows
modified: 2021/09/11
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
type: derived
status: experimental
tags:
- attack.discovery
- attack.t1046
yml_filename: file_event_advanced_ip_scanner.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,31 +0,0 @@
title: Unidentified Attacker November 2018
author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
description: A sigma rule detecting an unidetefied attacker who used phishing emails
to target high profile orgs on November 2018. The Actor shares some TTPs with
YYTRIUM/APT29 campaign in 2016.
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*ds7002.lnk*'
condition: (SELECTION_1 and SELECTION_2)
id: 3a3f81ca-652c-482b-adeb-b1c804727f74
level: high
logsource:
category: file_event
product: windows
modified: 2021/09/19
references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
related:
- id: 7453575c-a747-40b9-839b-125a0aae324b
type: derived
status: stable
tags:
- attack.execution
- attack.t1218.011
- attack.t1085
yml_filename: file_event_apt_unidentified_nov_18.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,52 +0,0 @@
title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
author: Sittikorn S
date: 2021/07/16
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
detection:
SELECTION_1:
EventID: 11
SELECTION_10:
TargetFilename: '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
SELECTION_11:
TargetFilename: '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
SELECTION_2:
TargetFilename: '*C:\Windows\system32\physmem.sys*'
SELECTION_3:
TargetFilename: '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*'
SELECTION_4:
TargetFilename: '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*'
SELECTION_5:
TargetFilename: '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*'
SELECTION_6:
TargetFilename: '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*'
SELECTION_7:
TargetFilename: '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*'
SELECTION_8:
TargetFilename: '*C:\Windows\system32\config\config\startwus.dat*'
SELECTION_9:
TargetFilename: '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11))
falsepositives:
- Unlikely
id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
level: critical
logsource:
category: file_event
product: windows
modified: 2021/09/09
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
status: experimental
tags:
- attack.credential_access
- attack.t1566
- attack.t1203
- cve.2021.33771
- cve.2021.31979
yml_filename: file_event_cve_2021_31979_cve_2021_33771_exploits.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,33 +0,0 @@
title: Dumpert Process Dumper
author: Florian Roth
date: 2020/02/04
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
process memory
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: C:\Windows\Temp\dumpert.dmp
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Very unlikely
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
level: critical
logsource:
category: file_event
product: windows
modified: 2021/09/21
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
type: derived
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
yml_filename: file_event_hack_dumpert.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,31 +0,0 @@
title: CreateMiniDump Hacktool
author: Florian Roth
date: 2019/12/22
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
memory for credential extraction on the attacker's machine
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*\lsass.dmp'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: db2110f3-479d-42a6-94fb-d35bc1e46492
level: high
logsource:
category: file_event
product: windows
modified: 2021/09/19
references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
related:
- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
type: derived
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1003
yml_filename: file_event_hktl_createminidump.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,38 +0,0 @@
title: Adwind RAT / JRAT
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*\AppData\Roaming\Oracle\bin\java*'
SELECTION_3:
TargetFilename: '*.exe*'
SELECTION_4:
TargetFilename: '*\Retrive*'
SELECTION_5:
TargetFilename: '*.vbs*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
SELECTION_5)))
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
level: high
logsource:
category: file_event
product: windows
modified: 2021/09/19
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- attack.t1064
yml_filename: file_event_mal_adwind.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,28 +0,0 @@
title: Octopus Scanner Malware
author: NVISO
date: 2020/06/09
description: Detects Octopus Scanner Malware.
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*\AppData\Local\Microsoft\Cache134.dat'
SELECTION_3:
TargetFilename: '*\AppData\Local\Microsoft\ExplorerSync.db'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: 805c55d9-31e6-4846-9878-c34c75054fe9
level: high
logsource:
category: file_event
product: windows
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
status: experimental
tags:
- attack.t1195
- attack.t1195.001
yml_filename: file_event_mal_octopus_scanner.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware


@@ -1,49 +0,0 @@
title: Suspicious VHD Image Download From Browser
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021/10/25
description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate
payloads and evade security controls
detection:
SELECTION_1:
EventID: 11
SELECTION_10:
TargetFilename: '*.vhd*'
SELECTION_2:
Image: '*chrome.exe'
SELECTION_3:
Image: '*firefox.exe'
SELECTION_4:
Image: '*microsoftedge.exe'
SELECTION_5:
Image: '*microsoftedgecp.exe'
SELECTION_6:
Image: '*msedge.exe'
SELECTION_7:
Image: '*iexplorer.exe'
SELECTION_8:
Image: '*brave.exe'
SELECTION_9:
Image: '*opera.exe'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10)
falsepositives:
- Legitimate user creation
id: 8468111a-ef07-4654-903b-b863a80bbc95
level: medium
logsource:
category: file_event
definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename>
<!--vhd files for ZLoader and lazarus malware vectors -->"
product: windows
modified: 2021/10/29
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
status: test
tags:
- attack.resource_development
- attack.t1587.001
yml_filename: file_event_mal_vhd_download.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
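Review bot: `SELECTION_7` matches `*iexplorer.exe`, but Internet Explorer's binary is `iexplore.exe`, so the IE branch of the browser list never fires; if this rule is reinstated, correct the pattern. The `falsepositives` entry `Legitimate user creation` is also too vague to be useful (creation of what?), and the `definition` text is a raw Sysmon XML fragment split across two lines, which is hard to copy out of the YAML.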


@@ -1,32 +0,0 @@
title: Moriya Rootkit
author: Bhabesh Raj
date: 2021/05/06
description: Detects the use of Moriya rootkit as described in the securelist's Operation
TunnelSnake report
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- None
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
level: critical
logsource:
category: file_event
product: windows
modified: 2021/09/21
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
related:
- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
type: derived
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
yml_filename: file_event_moriya_rootkit.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,31 +0,0 @@
title: Pingback Backdoor
author: Bhabesh Raj
date: 2021/05/05
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
as described in the trustwave report
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
Image: '*updata.exe'
SELECTION_3:
TargetFilename: C:\Windows\oci.dll
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Very unlikely
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
level: high
logsource:
category: file_event
product: windows
modified: 2021/09/09
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
status: experimental
tags:
- attack.persistence
- attack.t1574.001
yml_filename: file_event_pingback_backdoor.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,59 +0,0 @@
title: Created Files by Office Applications
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: This rule will monitor executable and script file creation by office
applications. Please add more file extensions or magic bytes to the logic of your
choice.
detection:
SELECTION_1:
EventID: 11
SELECTION_10:
TargetFilename: '*.vbs'
SELECTION_11:
TargetFilename: '*.sys'
SELECTION_12:
TargetFilename: '*.bat'
SELECTION_13:
TargetFilename: '*.scr'
SELECTION_14:
TargetFilename: '*.proj'
SELECTION_2:
Image: '*winword.exe'
SELECTION_3:
Image: '*excel.exe'
SELECTION_4:
Image: '*powerpnt.exe'
SELECTION_5:
TargetFilename: '*.exe'
SELECTION_6:
TargetFilename: '*.dll'
SELECTION_7:
TargetFilename: '*.ocx'
SELECTION_8:
TargetFilename: '*.com'
SELECTION_9:
TargetFilename: '*.ps1'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and (SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))
falsepositives:
- Unknown
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
level: high
logsource:
category: file_event
product: windows
modified: 2021/11/10
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
yml_filename: file_event_script_creation_by_office_using_file_ext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,42 +0,0 @@
title: PsExec Tool Execution
author: Thomas Patzke
date: 2017/06/12
description: Detects PsExec service installation and execution events (service and
Sysmon)
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*\PSEXESVC.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
level: low
logsource:
category: file_event
product: windows
modified: 2021/09/21
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: experimental
tags:
- attack.execution
- attack.t1035
- attack.t1569.002
- attack.s0029
yml_filename: file_event_tool_psexec.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,32 +0,0 @@
title: UAC Bypass Abusing Winsat Path Parsing - File
author: Christian Burkard
date: 2021/08/30
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
(UACMe 52)
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: C:\Users\\*
SELECTION_3:
TargetFilename: '*\AppData\Local\Temp\system32\winsat.exe'
SELECTION_4:
TargetFilename: '*\AppData\Local\Temp\system32\winmm.dll'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Unknown
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
level: high
logsource:
category: file_event
product: windows
references:
- https://github.com/hfiref0x/UACME
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
yml_filename: file_event_uac_bypass_winsat.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,35 +0,0 @@
title: UAC Bypass Using Windows Media Player - File
author: Christian Burkard
date: 2021/08/23
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
(UACMe 32)
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: C:\Users\\*
SELECTION_3:
TargetFilename: '*\AppData\Local\Temp\OskSupport.dll'
SELECTION_4:
Image: C:\Windows\system32\DllHost.exe
SELECTION_5:
TargetFilename: C:\Program Files\Windows Media Player\osk.exe
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
SELECTION_5)))
falsepositives:
- Unknown
id: 68578b43-65df-4f81-9a9b-92f32711a951
level: high
logsource:
category: file_event
product: windows
references:
- https://github.com/hfiref0x/UACME
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
yml_filename: file_event_uac_bypass_wmp.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,38 +0,0 @@
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
author: Julia Fomina, oscd.community
date: 2020/10/06
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
winrm.vbs and copied cscript.exe (can be renamed)
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*WsmPty.xsl'
SELECTION_3:
TargetFilename: '*WsmTxt.xsl'
SELECTION_4:
TargetFilename: C:\Windows\System32\\*
SELECTION_5:
TargetFilename: C:\Windows\SysWOW64\\*
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4
or SELECTION_5)))
falsepositives:
- Unlikely
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
level: medium
logsource:
category: file_event
product: windows
modified: 2021/09/19
references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
related:
- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
yml_filename: file_event_winrm_awl_bypass.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
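Review bot: the `related` id `074e0ded-6ced-4ebd-8b4d-53f55908119` is not a valid UUID (the last group has 11 hex digits instead of 12), so the `derived` link can never resolve to a parent rule; if this rule comes back, copy the parent's id exactly. The condition's `not ((SELECTION_4 or SELECTION_5))` also carries a redundant pair of parentheses.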


@@ -1,32 +0,0 @@
title: Wmiprvse Wbemcomn DLL Hijack
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
directory over the network and loading it for a WMI DLL Hijack scenario.
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
Image: System
SELECTION_3:
TargetFilename: '*\wbem\wbemcomn.dll'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
level: critical
logsource:
category: file_event
product: windows
modified: 2021/09/09
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
status: experimental
tags:
- attack.execution
- attack.t1047
- attack.lateral_movement
- attack.t1021.002
yml_filename: file_event_wmiprvse_wbemcomn_dll_hijack.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event


@@ -1,31 +0,0 @@
title: Pingback Backdoor
author: Bhabesh Raj
date: 2021/05/05
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
as described in the trustwave report
detection:
SELECTION_1:
EventID: 7
SELECTION_2:
Image: '*msdtc.exe'
SELECTION_3:
ImageLoaded: C:\Windows\oci.dll
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Very unlikely
id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
level: high
logsource:
category: image_load
product: windows
modified: 2021/09/09
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
status: experimental
tags:
- attack.persistence
- attack.t1574.001
yml_filename: image_load_pingback_backdoor.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load


@@ -1,29 +0,0 @@
title: SILENTTRINITY Stager Execution
author: Aleksey Potapov, oscd.community
date: 2019/10/22
description: Detects SILENTTRINITY stager use
detection:
SELECTION_1:
EventID: 7
SELECTION_2:
Description: '*st2stager*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
level: high
logsource:
category: image_load
product: windows
modified: 2021/10/04
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
related:
- id: 03552375-cc2c-4883-bbe4-7958d5a980be
type: derived
status: experimental
tags:
- attack.command_and_control
yml_filename: image_load_silenttrinity_stage_use.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load


@@ -1,32 +0,0 @@
title: Wmiprvse Wbemcomn DLL Hijack
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
directory over the network and loading it for a WMI DLL Hijack scenario.
detection:
SELECTION_1:
EventID: 7
SELECTION_2:
Image: '*\wmiprvse.exe'
SELECTION_3:
ImageLoaded: '*\wbem\wbemcomn.dll'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
level: critical
logsource:
category: image_load
product: windows
modified: 2021/09/09
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
status: experimental
tags:
- attack.execution
- attack.t1047
- attack.lateral_movement
- attack.t1021.002
yml_filename: image_load_wmiprvse_wbemcomn_dll_hijack.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load


@@ -1,50 +0,0 @@
title: PsExec Tool Execution
author: Thomas Patzke
date: 2017/06/12
description: Detects PsExec service installation and execution events (service and
Sysmon)
detection:
SELECTION_1:
EventID: 17
SELECTION_2:
EventID: 18
SELECTION_3:
PipeName: \PSEXESVC
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
level: low
logsource:
category: pipe_created
definition: Note that you have to configure logging for Named Pipe Events in Sysmon
config (Event ID 17 and Event ID 18). The basic configuration is in popular
sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
https://github.com/olafhartong/sysmon-modular. How to test detection? You
can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
product: windows
modified: 2021/09/21
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: experimental
tags:
- attack.execution
- attack.t1035
- attack.t1569.002
- attack.s0029
yml_filename: pipe_created_tool_psexec.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
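Review bot: the `fields` list (`CommandLine`, `ParentCommandLine`, `ServiceName`, `ServiceFileName`, `TargetFilename`) does not match the `pipe_created` log source this file is bound to; Sysmon events 17 and 18 carry `PipeName`, `Image`, `ProcessId` and `ProcessGuid`, so a regenerated rule should list only those for its output. The long `definition` paragraph is operator guidance that belongs in documentation rather than in every rule that needs pipe logging.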


@@ -1,128 +0,0 @@
title: Accessing WinAPI in PowerShell
author: Nikita Nazarov, oscd.community
date: 2020/10/06
description: Detecting use WinAPI Functions in PowerShell
detection:
SELECTION_1:
ScriptBlockText: '*WaitForSingleObject*'
SELECTION_10:
ScriptBlockText: '*GetDelegateForFunctionPointer*'
SELECTION_11:
ScriptBlockText: '*CreateThread*'
SELECTION_12:
ScriptBlockText: '*memcpy*'
SELECTION_13:
ScriptBlockText: '*LoadLibrary*'
SELECTION_14:
ScriptBlockText: '*GetModuleHandle*'
SELECTION_15:
ScriptBlockText: '*GetProcAddress*'
SELECTION_16:
ScriptBlockText: '*VirtualProtect*'
SELECTION_17:
ScriptBlockText: '*FreeLibrary*'
SELECTION_18:
ScriptBlockText: '*ReadProcessMemory*'
SELECTION_19:
ScriptBlockText: '*CreateRemoteThread*'
SELECTION_2:
ScriptBlockText: '*QueueUserApc*'
SELECTION_20:
ScriptBlockText: '*AdjustTokenPrivileges*'
SELECTION_21:
ScriptBlockText: '*WriteByte*'
SELECTION_22:
ScriptBlockText: '*WriteInt32*'
SELECTION_23:
ScriptBlockText: '*OpenThreadToken*'
SELECTION_24:
ScriptBlockText: '*PtrToString*'
SELECTION_25:
ScriptBlockText: '*FreeHGlobal*'
SELECTION_26:
ScriptBlockText: '*ZeroFreeGlobalAllocUnicode*'
SELECTION_27:
ScriptBlockText: '*OpenProcessToken*'
SELECTION_28:
ScriptBlockText: '*GetTokenInformation*'
SELECTION_29:
ScriptBlockText: '*SetThreadToken*'
SELECTION_3:
ScriptBlockText: '*RtlCreateUserThread*'
SELECTION_30:
ScriptBlockText: '*ImpersonateLoggedOnUser*'
SELECTION_31:
ScriptBlockText: '*RevertToSelf*'
SELECTION_32:
ScriptBlockText: '*GetLogonSessionData*'
SELECTION_33:
ScriptBlockText: '*CreateProcessWithToken*'
SELECTION_34:
ScriptBlockText: '*DuplicateTokenEx*'
SELECTION_35:
ScriptBlockText: '*OpenWindowStation*'
SELECTION_36:
ScriptBlockText: '*OpenDesktop*'
SELECTION_37:
ScriptBlockText: '*MiniDumpWriteDump*'
SELECTION_38:
ScriptBlockText: '*AddSecurityPackage*'
SELECTION_39:
ScriptBlockText: '*EnumerateSecurityPackages*'
SELECTION_4:
ScriptBlockText: '*OpenProcess*'
SELECTION_40:
ScriptBlockText: '*GetProcessHandle*'
SELECTION_41:
ScriptBlockText: '*DangerousGetHandle*'
SELECTION_42:
ScriptBlockText: '*kernel32*'
SELECTION_43:
ScriptBlockText: '*Advapi32*'
SELECTION_44:
ScriptBlockText: '*msvcrt*'
SELECTION_45:
ScriptBlockText: '*ntdll*'
SELECTION_46:
ScriptBlockText: '*user32*'
SELECTION_47:
ScriptBlockText: '*secur32*'
SELECTION_5:
ScriptBlockText: '*VirtualAlloc*'
SELECTION_6:
ScriptBlockText: '*VirtualFree*'
SELECTION_7:
ScriptBlockText: '*WriteProcessMemory*'
SELECTION_8:
ScriptBlockText: '*CreateUserThread*'
SELECTION_9:
ScriptBlockText: '*CloseHandle*'
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
or SELECTION_46 or SELECTION_47)
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
id: 03d83090-8cba-44a0-b02f-0b756a050306
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
yml_filename: powershell_accessing_win_api.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
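Review bot: The 47-way `or` in `condition:` includes single-token selections such as `ScriptBlockText: '*kernel32*'`, `'*ntdll*'` and `'*CloseHandle*'` (SELECTION_42, SELECTION_45, SELECTION_9), so at `level: high` this rule fires on almost any script that declares a P/Invoke signature, far beyond the Carbon module listed under `falsepositives`. Since this commit deletes the file, confirm that the replacement rule either combines the DLL-name selections with the memory/token API selections using `and` or lowers the level. Also, `yml_path:` carries the author's local absolute path `/Users/user/Documents/...`; that value should not be present in any re-added rule.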


@@ -1,31 +0,0 @@
title: PowerShell ADRecon Execution
author: Bhabesh Raj
date: 2021/07/16
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been
reported to be actively used by FIN7
detection:
SELECTION_1:
ScriptBlockText: '*Function Get-ADRExcelComOb*'
SELECTION_2:
ScriptBlockText: '*ADRecon-Report.xlsx*'
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- Unknown
id: bf72941a-cba0-41ea-b18c-9aca3925690d
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/sense-of-security/ADRecon
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1059.001
yml_filename: powershell_adrecon_execution.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,32 +0,0 @@
title: Alternate PowerShell Hosts
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
ContextInfo: '*'
SELECTION_2:
ContextInfo: '*powershell.exe*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: 64e8e417-c19a-475a-8d19-98ea705394cc
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_alternate_powershell_hosts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
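Review bot: The exclusion `ContextInfo: '*powershell.exe*'` in SELECTION_2 only covers `powershell.exe`, so the `not` clause still lets `pwsh.exe` (PowerShell 7) match as an "alternate host" and the rule fires on every PowerShell 7 session; the replacement should exclude both host executables. The tag `attack.t1086` is the deprecated ATT&CK id that `attack.t1059.001` (already listed) superseded, so only the latter needs to be kept.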


@@ -1,51 +0,0 @@
title: Automated Collection Command PowerShell
author: frack113
date: 2021/07/28
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
ScriptBlockText: '*.doc*'
SELECTION_10:
ScriptBlockText: '*Get-ChildItem*'
SELECTION_11:
ScriptBlockText: '* -Recurse *'
SELECTION_12:
ScriptBlockText: '* -Include *'
SELECTION_2:
ScriptBlockText: '*.docx*'
SELECTION_3:
ScriptBlockText: '*.xls*'
SELECTION_4:
ScriptBlockText: '*.xlsx*'
SELECTION_5:
ScriptBlockText: '*.ppt*'
SELECTION_6:
ScriptBlockText: '*.pptx*'
SELECTION_7:
ScriptBlockText: '*.rtf*'
SELECTION_8:
ScriptBlockText: '*.pdf*'
SELECTION_9:
ScriptBlockText: '*.txt*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10
and SELECTION_11 and SELECTION_12)
falsepositives:
- Unknown
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
yml_filename: powershell_automated_collection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
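Review bot: SELECTION_2, SELECTION_4 and SELECTION_6 (`'*.docx*'`, `'*.xlsx*'`, `'*.pptx*'`) are redundant, because the contains-style wildcards in SELECTION_1, SELECTION_3 and SELECTION_5 (`'*.doc*'`, `'*.xls*'`, `'*.ppt*'`) already match those extensions; if the rule is re-added, drop the three and shorten the `condition:` accordingly.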


@@ -1,47 +0,0 @@
title: Bad Opsec Powershell Code Artifacts
author: ok @securonix invrep_de, oscd.community
date: 2020/10/09
description: Focuses on trivial artifacts observed in variants of prevalent offensive
ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
Powersploit, and other attack payloads that often undergo minimal changes by attackers
due to bad opsec.
detection:
SELECTION_1:
Payload: '*$DoIt*'
SELECTION_2:
Payload: '*harmj0y*'
SELECTION_3:
Payload: '*mattifestation*'
SELECTION_4:
Payload: '*_RastaMouse*'
SELECTION_5:
Payload: '*tifkin_*'
SELECTION_6:
Payload: '*0xdeadbeef*'
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6)
falsepositives:
- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
of high specificity, fp appears to be fairly limited in many environments.
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
level: critical
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_bad_opsec_artifacts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
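Review bot: SELECTION_6, `Payload: '*0xdeadbeef*'`, matches a constant that is common in legitimate code and test fixtures, yet it is `or`-ed with the tool-author handles at `level: critical`; the `falsepositives` entry itself concedes that the shorter, lower-entropy strings are weaker. A re-added rule should either drop SELECTION_6 or split it out at a lower level so the `critical` alerts stay tied to the high-specificity strings.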


@@ -1,29 +0,0 @@
title: Execution via CL_Invocation.ps1
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Invocation.ps1*'
SELECTION_2:
ScriptBlockText: '*SyncInvoke*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 4cd29327-685a-460e-9dac-c3ab96e549dc
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
yml_filename: powershell_cl_invocation_lolscript.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,30 +0,0 @@
title: Execution via CL_Invocation.ps1 (2 Lines)
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Invocation.ps1*'
SELECTION_2:
ScriptBlockText: '*SyncInvoke*'
condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer >
2
falsepositives:
- Unknown
id: f588e69b-0750-46bb-8f87-0e9320d57536
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
yml_filename: powershell_cl_invocation_lolscript_count.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
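Review bot: The aggregation `condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer > 2` counts either keyword on its own, so three script blocks mentioning `SyncInvoke` with no reference to `CL_Invocation.ps1` reach the threshold, and `> 2` requires three hits although the title says "(2 Lines)". The count form also depends on backend support for `count() by`; the non-count sibling rule (id 4cd29327-685a-460e-9dac-c3ab96e549dc), which uses `and`, is the safer one to carry forward.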


@@ -1,30 +0,0 @@
title: Execution via CL_Mutexverifiers.ps1
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Mutexverifiers.ps1*'
SELECTION_2:
ScriptBlockText: '*runAfterCancelProcess*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
yml_filename: powershell_cl_mutexverifiers_lolscript.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,31 +0,0 @@
title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Mutexverifiers.ps1*'
SELECTION_2:
ScriptBlockText: '*runAfterCancelProcess*'
condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer >
2
falsepositives:
- Unknown
id: 6609c444-9670-4eab-9636-fe4755a851ce
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
yml_filename: powershell_cl_mutexverifiers_lolscript_count.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,35 +0,0 @@
title: Alternate PowerShell Hosts
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
HostApplication: '*'
SELECTION_2:
HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: d7326048-328b-4d5e-98af-86e84b17c765
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
related:
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_classic_alternate_powershell_hosts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
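Review bot: SELECTION_2 excludes only `HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*`, so the 32-bit host under `SysWOW64` and `pwsh.exe` are both reported as alternate hosts, and this value is the only unquoted pattern in the file (every other value uses single quotes). A replacement should quote the value and cover both host paths, or match on the executable name rather than the full System32 path.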


@@ -1,34 +0,0 @@
title: Netcat The Powershell Version
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
HostApplication: '*powercat *'
SELECTION_2:
HostApplication: '*powercat.ps1*'
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- Unknown
id: c5b20776-639a-49bf-94c7-84f912b91c15
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
related:
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: derived
status: experimental
tags:
- attack.command_and_control
- attack.t1095
yml_filename: powershell_classic_powercat.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic


@@ -1,35 +0,0 @@
title: Remote PowerShell Session
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
SELECTION_1:
HostName: ServerRemoteHost
SELECTION_2:
HostApplication: '*wsmprovhost.exe*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
level: high
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
related:
- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
yml_filename: powershell_classic_remote_powershell_session.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
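Review bot: `level: high` contradicts the rule's own `falsepositives` entry (`Legitimate use remote PowerShell sessions`): `HostName: ServerRemoteHost` together with `'*wsmprovhost.exe*'` matches every WinRM/PSRemoting session, routine administration included, so a re-added version should be `medium` or lower, or scoped by account or source. The `attack.t1086` and `attack.t1028` tags are the deprecated ids already covered by `attack.t1059.001` and `attack.t1021.006`.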


@@ -1,44 +0,0 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_2:
HostApplication: '*-ModuleName *'
SELECTION_3:
HostApplication: '*-ModulePath *'
SELECTION_4:
HostApplication: '*-ScriptBlock *'
SELECTION_5:
HostApplication: '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
yml_filename: powershell_classic_susp_athremotefxvgpudisablementcommand.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
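Review bot: The `fields:` list (`ComputerName`, `User`, `CommandLine`, `ParentCommandLine`) names process-creation fields that do not exist in the classic PowerShell event this rule reads; the selections themselves use `HostApplication`, which is what the output should list. The `logsource` here uses `service: powershell-classic` with `modified: 2021/09/07`, while the other classic rules in this commit use `category: ps_classic_start` and `2021/10/16`, so this file was converted from an older Sigma revision; the replacement should be regenerated from the same revision as the rest.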


@@ -1,36 +0,0 @@
title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
HostApplication: '*Compress-Archive *'
SELECTION_2:
HostApplication: '* -Path *'
SELECTION_3:
HostApplication: '* -DestinationPath *'
SELECTION_4:
HostApplication: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 71ff406e-b633-4989-96ec-bc49d825a412
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001
yml_filename: powershell_classic_susp_zip_compress.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
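Review bot: Same logsource drift as the preceding file: `service: powershell-classic` with `modified: 2021/09/07` instead of the `category: ps_classic_start` form used by the other classic rules here. SELECTION_2 and SELECTION_3 (`'* -Path *'`, `'* -DestinationPath *'`) add little because `Compress-Archive` needs both parameters anyway, while SELECTION_4 `'*$env:TEMP\\*'` misses `$env:TMP` and a literally spelled temp directory, so the "staging in temp" intent is only partly covered.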


@@ -1,32 +0,0 @@
title: Suspicious PowerShell Download
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
HostApplication: '*System.Net.WebClient*'
SELECTION_2:
HostApplication: '*.DownloadFile(*'
SELECTION_3:
HostApplication: '*.DownloadString(*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- PowerShell scripts that download content from the Internet
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_classic_suspicious_download.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic


@@ -1,43 +0,0 @@
title: Clear PowerShell History
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019/10/25
description: Detects keywords that could indicate clearing PowerShell history
detection:
SELECTION_1:
Payload: '*del*'
SELECTION_2:
Payload: '*Remove-Item*'
SELECTION_3:
Payload: '*rm*'
SELECTION_4:
Payload: '*(Get-PSReadlineOption).HistorySavePath*'
SELECTION_5:
Payload: '*Set-PSReadlineOption*'
SELECTION_6:
Payload: "*\u2013HistorySaveStyle*"
SELECTION_7:
Payload: '*SaveNothing*'
condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) or (SELECTION_5
and SELECTION_6 and SELECTION_7))
falsepositives:
- Legitimate PowerShell scripts
id: f99276ad-d122-4989-a09a-d00904a5f9d2
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.003
- attack.t1146
yml_filename: powershell_clear_powershell_history.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
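Review bot: SELECTION_6, `Payload: "*\u2013HistorySaveStyle*"`, uses the en dash (U+2013) rather than the ASCII hyphen, so the `Set-PSReadlineOption -HistorySaveStyle SaveNothing` form that is actually typed never matches and the second branch of the `condition:` is dead; the replacement should use `'*-HistorySaveStyle*'`. The first branch is acceptable: `'*del*'` and `'*rm*'` are very broad substrings, but they are `and`-ed with the specific `HistorySavePath` selection.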


@@ -1,30 +0,0 @@
title: PowerShell Create Local User
author: '@ROxPinTeddy'
date: 2020/04/11
description: Detects creation of a local user via PowerShell
detection:
SELECTION_1:
ScriptBlockText: '*New-LocalUser*'
condition: SELECTION_1
falsepositives:
- Legitimate user creation
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.persistence
- attack.t1136.001
- attack.t1136
yml_filename: powershell_create_local_user.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,33 +0,0 @@
title: Data Compressed - PowerShell
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: An adversary may compress data (e.g., sensitive documents) that is collected
prior to exfiltration in order to make it portable and minimize the amount of
data sent over the network.
detection:
SELECTION_1:
ScriptBlockText: '*-Recurse*'
SELECTION_2:
ScriptBlockText: '*|*'
SELECTION_3:
ScriptBlockText: '*Compress-Archive*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Highly likely if archive operations are done via PowerShell.
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
level: low
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
status: experimental
tags:
- attack.exfiltration
- attack.t1560
- attack.t1002
yml_filename: powershell_data_compressed.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
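Review bot: SELECTION_2, `ScriptBlockText: '*|*'`, is satisfied by any script block containing a pipe, so the condition effectively reduces to `-Recurse` and `Compress-Archive` appearing together; it adds no discrimination and can be dropped. `attack.t1002` is the deprecated id already replaced by `attack.t1560`.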


@@ -1,31 +0,0 @@
title: PowerShell Decompress Commands
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for specific decompress commands in PowerShell logs.
This could be an adversary decompressing files.
detection:
SELECTION_1:
Payload: '*Expand-Archive*'
condition: SELECTION_1
falsepositives:
- unknown
id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
level: informational
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/8
- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
related:
- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1140
yml_filename: powershell_decompress_commands.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module


@@ -1,37 +0,0 @@
title: Delete Volume Shadow Copies Via WMI With PowerShell
author: frack113
date: 2021/06/03
description: Shadow Copies deletion using operating systems utilities via PowerShell
detection:
SELECTION_1:
HostApplication: '*Get-WmiObject*'
SELECTION_2:
HostApplication: '* Win32_Shadowcopy*'
SELECTION_3:
HostApplication: '*Delete()*'
SELECTION_4:
HostApplication: '*Remove-WmiObject*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities
for legitimate reason
fields:
- HostApplication
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
level: critical
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
status: experimental
tags:
- attack.impact
- attack.t1490
yml_filename: powershell_delete_volume_shadow_copies.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic


@@ -1,34 +0,0 @@
title: Powershell Detect Virtualization Environment
author: frack113
date: 2021/08/03
description: Adversaries may employ various system checks to detect and avoid virtualization
and analysis environments. This may include changing behaviors based on the results
of checks for the presence of artifacts indicative of a virtual machine environment
(VME) or sandbox
detection:
SELECTION_1:
ScriptBlockText: '*Get-WmiObject*'
SELECTION_2:
ScriptBlockText: '*MSAcpi_ThermalZoneTemperature*'
SELECTION_3:
ScriptBlockText: '*Win32_ComputerSystem*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
status: experimental
tags:
- attack.defense_evasion
- attack.t1497.001
yml_filename: powershell_detect_vm_env.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
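Review bot: SELECTION_3, `'*Win32_ComputerSystem*'`, with `Get-WmiObject` is a staple of inventory and logon scripts, so in the `or` with the far more specific `MSAcpi_ThermalZoneTemperature` check it is the branch that produces most of the noise at `level: medium`; consider keeping the thermal-zone branch at medium and the ComputerSystem branch at low. The `definition: EnableScriptBlockLogging must be set to enable` text also differs from the `Script block logging must be enabled` wording used by the other ps_script rules.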


@@ -1,27 +0,0 @@
title: Dnscat Execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
description: Dnscat exfiltration tool execution
detection:
SELECTION_1:
ScriptBlockText: '*Start-Dnscat2*'
condition: SELECTION_1
falsepositives:
- "Legitimate usage of PowerShell Dnscat2 \u2014 DNS Exfiltration tool (unlikely)"
id: a6d67db4-6220-436d-8afc-f3842fe05d43
level: critical
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.exfiltration
- attack.t1048
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_dnscat_execution.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,32 +0,0 @@
title: PowerShell Downgrade Attack
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
description: Detects PowerShell downgrade attack by comparing the host versions with
the actually used engine version 2.0
detection:
SELECTION_1:
EngineVersion: 2.*
SELECTION_2:
HostVersion: 2.*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration Test
- Unknown
id: 6331d09b-4785-4c13-980f-f96661356249
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_downgrade_attack.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic


@@ -1,36 +0,0 @@
title: PowerShell Called from an Executable Version Mismatch
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects PowerShell called from an executable by the version mismatch
method
detection:
SELECTION_1:
EngineVersion: 2.*
SELECTION_2:
EngineVersion: 4.*
SELECTION_3:
EngineVersion: 5.*
SELECTION_4:
HostVersion: 3.*
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Penetration Tests
- Unknown
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
level: high
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_exe_calling_ps.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic


@@ -1,31 +0,0 @@
title: PowerShell Get Clipboard
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for the Get-Clipboard commands in PowerShell logs.
This could be an adversary capturing clipboard contents.
detection:
SELECTION_1:
Payload: '*Get-Clipboard*'
condition: SELECTION_1
falsepositives:
- unknown
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
related:
- id: 5486f63a-aa4c-488d-9a61-c9192853099f
type: derived
status: experimental
tags:
- attack.collection
- attack.t1115
yml_filename: powershell_get_clipboard.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module


@@ -1,32 +0,0 @@
title: PowerShell ICMP Exfiltration
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/10
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
steal data by exfiltrating it over an un-encrypted network protocol other than
that of the existing command and control channel.
detection:
SELECTION_1:
ScriptBlockText: '*New-Object*'
SELECTION_2:
ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
SELECTION_3:
ScriptBlockText: '*.Send(*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
status: experimental
tags:
- attack.exfiltration
- attack.t1048.003
yml_filename: powershell_icmp_exfiltration.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,25 +0,0 @@
title: PrintNightmare Powershell Exploitation
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet name for PrintNightmare exploitation.
detection:
SELECTION_1:
ScriptBlockText: '*Invoke-Nightmare*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/calebstewart/CVE-2021-1675
status: test
tags:
- attack.privilege_escalation
yml_filename: powershell_invoke_nightmare.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,31 +0,0 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
condition: SELECTION_1
falsepositives:
- Unknown
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_clip.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module


@@ -1,28 +0,0 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
condition: SELECTION_1
falsepositives:
- Unknown
id: 73e67340-0d25-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script


@@ -1,45 +0,0 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: "Detects all variations of obfuscated powershell IEX invocation code\
\ generated by Invoke-Obfuscation framework from the following code block \u2014\
\ https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
detection:
SELECTION_1:
Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_2:
Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_3:
Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_4:
Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_5:
Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_6:
Payload|re: \$VerbosePreference\.ToString\(
SELECTION_7:
Payload|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7)
falsepositives:
- Unknown
id: 2f211361-7dce-442d-b78a-c04039677378
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_invoke_obfuscation_obfuscated_iex.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
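Review bot: SELECTION_7's pattern `\String\]\s*\$VerbosePreference` does not match the literal `[String]`: `\S` is "any non-whitespace character", so the expression is "any non-space character followed by `tring]`", which is looser than the `[String]$VerbosePreference` cast it is meant to catch. If this rule is restored, spell it `\[String\]\s*\$VerbosePreference`. Note also that the `related` entry points at `1b9dc62e-6e9e-42a3-8990-94d7a10007f7`, which is the script-block rule deleted in the next hunk; the pair must be restored together or the derived link dangles.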

View File

@@ -1,42 +0,0 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: "Detects all variations of obfuscated powershell IEX invocation code\
\ generated by Invoke-Obfuscation framework from the following code block \u2014\
\ https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
detection:
SELECTION_1:
ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_2:
ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_3:
ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_4:
ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_5:
ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_6:
ScriptBlockText|re: \$VerbosePreference\.ToString\(
SELECTION_7:
ScriptBlockText|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7)
falsepositives:
- Unknown
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
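Review bot: the `tags` list carries both `attack.t1059.001` and `attack.t1086`; T1086 is the retired PowerShell technique that T1059.001 replaced, so if this script-block rule is re-added only the `t1059.001` tag should be kept to avoid double-counting in ATT&CK mapping.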

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
condition: SELECTION_1
falsepositives:
- Unknown
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_stdin.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
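Review bot: the `noexit` alternative in SELECTION_1 makes the rule fire on any `cmd /c ... powershell ... -NoExit ... "` command line, a form that administrative wrapper scripts use legitimately, yet `falsepositives` is `Unknown` and `level` is `high`. If restored, either document that false-positive source or drop the `noexit` branch so the rule only covers the `$input`/stdin launcher the title describes.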

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
condition: SELECTION_1
falsepositives:
- Unknown
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
condition: SELECTION_1
falsepositives:
- Unknown
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_var.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
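Review bot: the SELECTION_1 regex has several non-idiomatic constructs that make it harder to review than it needs to be: `(?:\s|)` is `\s?`, `(?:\{\d\}){1,}` is `(?:\{\d\})+`, `(?:.*\)){1,}` is `(?:.*\))+`, and the leading `.*` is redundant for an unanchored search. Simplifying these before the rule is re-added would leave the intended `set VAR=... {0} -f (...)` shape much easier to read.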

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
condition: SELECTION_1
falsepositives:
- Unknown
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_var_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: SELECTION_1
falsepositives:
- unknown
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_compress.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
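Review bot: the `system\.io\.streamreader` alternative in SELECTION_1 is not compression-specific; `New-Object System.IO.StreamReader ... [Text.Encoding]::ASCII ... ReadToEnd` is an ordinary file read, so a rule titled COMPRESS OBFUSCATION will match plain script file reads on that branch. If restored, either drop that alternative or require `system\.io\.compression\.deflatestream` to appear in the same match.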

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: SELECTION_1
falsepositives:
- unknown
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"
condition: SELECTION_1
falsepositives:
- Unknown
id: a23791fe-8846-485a-b16b-ca691e1b03d4
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_rundll.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"
condition: SELECTION_1
falsepositives:
- Unknown
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_stdin.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
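Review bot: `\${?input` in SELECTION_1 relies on a bare `{` being treated as a literal, which not every regex engine accepts; the STDIN+ Launcher rule spells the same token as `\$\{?input\}?`, and that escaped form is the portable one to use if this rule is re-added. The `(set)` capture group is also unnecessary, since nothing consumes the capture.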

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: SELECTION_1
falsepositives:
- Unknown
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_use_clip.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: SELECTION_1
falsepositives:
- Unknown
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_use_mhsta.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
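Review bot: two typos should not survive into any replacement file: `definition: PowerShell Module Logging must be enabledd` (double `d`), and `yml_filename: powershell_invoke_obfuscation_via_use_mhsta.yml`, where `mhsta` transposes `mshta`; the script-block counterpart in the next hunk uses the same `mhsta` filename, so both would need renaming together.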

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: e55a5195-4724-480e-a77e-3ebe64bd3759
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation Via Use Rundll32
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
yml_filename: powershell_invoke_obfuscation_via_use_rundll32.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
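Review bot: `date: 2019/10/08` is out of step with this author's sibling rules from the same oscd.community batch (`2020/10/08`, `2020/10/09`, `2020/10/12`) and looks like a year typo for `2020/10/08`; if the rule is restored, correct the date. The `related` entry `a5a30a6e-75ca-4233-8b8c-42e0f2037d3b` (the script-block counterpart) is among the files not shown in this view, so confirm it is handled the same way as the other pairs.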

Some files were not shown because too many files have changed in this diff.