Add: sigma rules (#175)
@@ -0,0 +1,44 @@
|
||||
|
||||
title: Credential Dumping Tools Service Execution
|
||||
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
|
||||
date: 2017/03/05
|
||||
description: Detects well-known credential dumping tools execution via service execution
|
||||
events
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 6
|
||||
SELECTION_2:
|
||||
ImagePath:
|
||||
- '*fgexec*'
|
||||
- '*dumpsvc*'
|
||||
- '*cachedump*'
|
||||
- '*mimidrv*'
|
||||
- '*gsecdump*'
|
||||
- '*servpw*'
|
||||
- '*pwdump*'
|
||||
condition: (SELECTION_1 and SELECTION_2)
|
||||
falsepositives:
|
||||
- Legitimate Administrator using credential dumping tool for password recovery
|
||||
id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
|
||||
level: critical
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
modified: 2021/10/14
|
||||
references:
|
||||
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
|
||||
related:
|
||||
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
|
||||
type: derived
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.execution
|
||||
- attack.t1003
|
||||
- attack.t1003.001
|
||||
- attack.t1003.002
|
||||
- attack.t1003.004
|
||||
- attack.t1003.005
|
||||
- attack.t1003.006
|
||||
- attack.t1035
|
||||
- attack.t1569.002
|
||||
- attack.s0005
|
||||
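Review bot: SELECTION_2 in this rule filters on `ImagePath`, which is not a field of Sysmon Event ID 6; the driver-load event carries the image in `ImageLoaded` (as the Temp, Dell and WinDivert rules in this same commit use), so under `category: driver_load` with `EventID: 6` this selection can never be true and the rule is dead on arrival. The title, the description and the t1569.002/t1035 tags describe service execution, where `ImagePath` is the service binary field of the System log's service-installation event (EventID 7045), which suggests the conversion changed the logsource and kept the field. Either restore a service-installation logsource and event ID, or, if a driver-load variant is really intended, rename the field to `ImageLoaded` and update the description and tags to match. The next hunk (Meterpreter or Cobalt Strike Getsystem Service Installation) has the same `ImagePath` mismatch across SELECTION_2 to SELECTION_16.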
@@ -0,0 +1,67 @@
|
||||
|
||||
title: Meterpreter or Cobalt Strike Getsystem Service Installation
|
||||
author: Teymur Kheirkhabarov, Ecco, Florian Roth
|
||||
date: 2019/10/26
|
||||
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
|
||||
a specific service installation
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 6
|
||||
SELECTION_10:
|
||||
ImagePath: '*cmd.exe*'
|
||||
SELECTION_11:
|
||||
ImagePath: '*/c*'
|
||||
SELECTION_12:
|
||||
ImagePath: '*echo*'
|
||||
SELECTION_13:
|
||||
ImagePath: '*\pipe\\*'
|
||||
SELECTION_14:
|
||||
ImagePath: '*rundll32*'
|
||||
SELECTION_15:
|
||||
ImagePath: '*.dll,a*'
|
||||
SELECTION_16:
|
||||
ImagePath: '*/p:*'
|
||||
SELECTION_2:
|
||||
ImagePath: '*cmd*'
|
||||
SELECTION_3:
|
||||
ImagePath: '*/c*'
|
||||
SELECTION_4:
|
||||
ImagePath: '*echo*'
|
||||
SELECTION_5:
|
||||
ImagePath: '*\pipe\\*'
|
||||
SELECTION_6:
|
||||
ImagePath: '*%COMSPEC%*'
|
||||
SELECTION_7:
|
||||
ImagePath: '*/c*'
|
||||
SELECTION_8:
|
||||
ImagePath: '*echo*'
|
||||
SELECTION_9:
|
||||
ImagePath: '*\pipe\\*'
|
||||
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
|
||||
or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
|
||||
and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
|
||||
and SELECTION_16)))
|
||||
falsepositives:
|
||||
- Highly unlikely
|
||||
fields:
|
||||
- ComputerName
|
||||
- SubjectDomainName
|
||||
- SubjectUserName
|
||||
- ImagePath
|
||||
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
|
||||
level: critical
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
modified: 2021/09/21
|
||||
references:
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
|
||||
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
|
||||
related:
|
||||
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
|
||||
type: derived
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.t1134
|
||||
- attack.t1134.001
|
||||
- attack.t1134.002
|
||||
@@ -0,0 +1,30 @@
|
||||
|
||||
title: PowerShell Scripts Run by a Services
|
||||
author: oscd.community, Natalia Shornikova
|
||||
date: 2020/10/06
|
||||
description: Detects powershell script installed as a Service
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 6
|
||||
SELECTION_2:
|
||||
ImageLoaded:
|
||||
- '*powershell*'
|
||||
- '*pwsh*'
|
||||
condition: (SELECTION_1 and SELECTION_2)
|
||||
falsepositives:
|
||||
- Unknown
|
||||
id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
|
||||
level: high
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
modified: 2021/09/21
|
||||
references:
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
|
||||
related:
|
||||
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
|
||||
type: derived
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1569.002
|
||||
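Review bot: The detection matches `ImageLoaded` containing `powershell` or `pwsh` on Sysmon Event ID 6, i.e. a kernel driver whose image path contains those strings, which is not what the title, the description (`installed as a Service`) and the t1569.002 tag describe; with this logsource the rule will realistically never fire. Consider restoring a service-installation logsource with the service binary field, or rewriting the description and tags to say what a driver-load variant actually detects. Separately, the title reads `PowerShell Scripts Run by a Services`; `title: PowerShell Scripts Run by a Service` is grammatical.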
@@ -0,0 +1,24 @@
|
||||
|
||||
title: Suspicious Driver Load from Temp
|
||||
author: Florian Roth
|
||||
date: 2017/02/12
|
||||
description: Detects a driver load from a temporary directory
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 6
|
||||
SELECTION_2:
|
||||
ImageLoaded: '*\Temp\\*'
|
||||
condition: (SELECTION_1 and SELECTION_2)
|
||||
falsepositives:
|
||||
- there is a relevant set of false positives depending on applications in the environment
|
||||
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
|
||||
level: high
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
modified: 2020/08/23
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.privilege_escalation
|
||||
- attack.t1050
|
||||
- attack.t1543.003
|
||||
@@ -0,0 +1,32 @@
|
||||
|
||||
title: Vulnerable Dell BIOS Update Driver Load
|
||||
author: Florian Roth
|
||||
date: 2021/05/05
|
||||
description: Detects the load of the vulnerable Dell BIOS update driver as reported
|
||||
in CVE-2021-21551
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 6
|
||||
SELECTION_2:
|
||||
ImageLoaded: '*\DBUtil_2_3.Sys*'
|
||||
SELECTION_3:
|
||||
Hashes:
|
||||
- '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*'
|
||||
- '*c948ae14761095e4d76b55d9de86412258be7afd*'
|
||||
- '*c996d7971c49252c582171d9380360f2*'
|
||||
- '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*'
|
||||
- '*10b30bdee43b3a2ec4aa63375577ade650269d25*'
|
||||
- '*d2fd132ab7bbc6bbb87a84f026fa0244*'
|
||||
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
|
||||
falsepositives:
|
||||
- legitimate BIOS driver updates (should be rare)
|
||||
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
|
||||
level: high
|
||||
logsource:
|
||||
category: driver_load
|
||||
product: windows
|
||||
references:
|
||||
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-21551
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
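--- a/rules/sigma/windows/driver_load/driver_load_windivert.yml
+++ b/rules/sigma/windows/driver_load/driver_load_windivert.yml
@@ -0,0 +1,30 @@
+
+title: WinDivert Driver Load
+author: Florian Roth
+date: 2021/07/30
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
+  package for Windows
+detection:
+  SELECTION_1:
+    EventID: 6
+  SELECTION_2:
+    ImageLoaded:
+    - '*\WinDivert.sys*'
+    - '*\WinDivert64.sys*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitimate WinDivert driver usage
+id: 679085d5-f427-4484-9f58-1dc30a7c426d
+level: high
+logsource:
+  category: driver_load
+  product: windows
+references:
+- https://reqrypt.org/windivert-doc.html
+- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+status: experimental
+tags:
+- attack.collection
+- attack.defense_evasion
+- attack.t1599.001
+- attack.t1557.001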
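Review bot: The description misspells the product name as `Windiver`, while the title and the ImageLoaded patterns use `WinDivert`; `description: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows` keeps the wording and fixes the spelling. Since the rule keys only on the two file names, the falsepositives entry is where analysts will look for triage guidance; `- legitimate WinDivert driver usage (software that bundles the driver; baseline the hosts expected to load it)` would make that entry actionable without changing the detection.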