Add: sigma rules (#175)

rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml

@@ -0,0 +1,37 @@
+
+title: CMSTP Execution Process Access
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+  execution
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*cmlua.dll*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 3b4b232a-af90-427c-a22f-30b0c0837b95
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/27
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1218.003
+- attack.t1191
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.g0069
+- attack.g0080
+- car.2019-04-001

rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml.yml

@@ -0,0 +1,37 @@
+
+title: CMSTP Execution Process Access
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+  execution
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*cmlua.dll*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 3b4b232a-af90-427c-a22f-30b0c0837b95
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/27
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1218.003
+- attack.t1191
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.g0069
+- attack.g0080
+- car.2019-04-001

rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml

@@ -0,0 +1,32 @@
+
+title: CobaltStrike BOF Injection Pattern
+author: Christian Burkard
+date: 2021/08/04
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other
+  processes
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
+  SELECTION_3:
+    GrantedAccess:
+    - '0x1028'
+    - '0x1fffff'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 09706624-b7f6-455d-9d02-adee024cee1d
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/boku7/injectAmsiBypass
+- https://github.com/boku7/spawn
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
+- attack.defense_evasion
+- attack.t1562.001

rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml.yml

@@ -0,0 +1,32 @@
+
+title: CobaltStrike BOF Injection Pattern
+author: Christian Burkard
+date: 2021/08/04
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other
+  processes
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
+  SELECTION_3:
+    GrantedAccess: '0x1028'
+  SELECTION_4:
+    GrantedAccess: '0x1fffff'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 09706624-b7f6-455d-9d02-adee024cee1d
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/boku7/injectAmsiBypass
+- https://github.com/boku7/spawn
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
+- attack.defense_evasion
+- attack.t1562.001

rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml

@@ -0,0 +1,65 @@
+
+title: Credentials Dumping Tools Accessing LSASS Memory
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
+  (update)
+date: 2017/02/16
+description: Detects process access LSASS memory which is typical for credentials
+  dumping tools
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    GrantedAccess:
+    - '*0x40*'
+    - '*0x1000*'
+    - '*0x1400*'
+    - '*0x100000*'
+    - '*0x1410*'
+    - '*0x1010*'
+    - '*0x1438*'
+    - '*0x143a*'
+    - '*0x1418*'
+    - '*0x1f0fff*'
+    - '*0x1f1fff*'
+    - '*0x1f2fff*'
+    - '*0x1f3fff*'
+  SELECTION_4:
+    ProcessName:
+    - '*\wmiprvse.exe'
+    - '*\taskmgr.exe'
+    - '*\procexp64.exe'
+    - '*\procexp.exe'
+    - '*\lsm.exe'
+    - '*\MsMpEng.exe'
+    - '*\csrss.exe'
+    - '*\wininit.exe'
+    - '*\vmtoolsd.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+  with it
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/05/16
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+- car.2019-04-004

rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml.yml

@@ -0,0 +1,92 @@
+
+title: Credentials Dumping Tools Accessing LSASS Memory
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
+  (update)
+date: 2017/02/16
+description: Detects process access LSASS memory which is typical for credentials
+  dumping tools
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_10:
+    GrantedAccess: '*0x1438*'
+  SELECTION_11:
+    GrantedAccess: '*0x143a*'
+  SELECTION_12:
+    GrantedAccess: '*0x1418*'
+  SELECTION_13:
+    GrantedAccess: '*0x1f0fff*'
+  SELECTION_14:
+    GrantedAccess: '*0x1f1fff*'
+  SELECTION_15:
+    GrantedAccess: '*0x1f2fff*'
+  SELECTION_16:
+    GrantedAccess: '*0x1f3fff*'
+  SELECTION_17:
+    EventID: 10
+  SELECTION_18:
+    ProcessName: '*\wmiprvse.exe'
+  SELECTION_19:
+    ProcessName: '*\taskmgr.exe'
+  SELECTION_2:
+    EventID: 10
+  SELECTION_20:
+    ProcessName: '*\procexp64.exe'
+  SELECTION_21:
+    ProcessName: '*\procexp.exe'
+  SELECTION_22:
+    ProcessName: '*\lsm.exe'
+  SELECTION_23:
+    ProcessName: '*\MsMpEng.exe'
+  SELECTION_24:
+    ProcessName: '*\csrss.exe'
+  SELECTION_25:
+    ProcessName: '*\wininit.exe'
+  SELECTION_26:
+    ProcessName: '*\vmtoolsd.exe'
+  SELECTION_3:
+    TargetImage: '*\lsass.exe'
+  SELECTION_4:
+    GrantedAccess: '*0x40*'
+  SELECTION_5:
+    GrantedAccess: '*0x1000*'
+  SELECTION_6:
+    GrantedAccess: '*0x1400*'
+  SELECTION_7:
+    GrantedAccess: '*0x100000*'
+  SELECTION_8:
+    GrantedAccess: '*0x1410*'
+  SELECTION_9:
+    GrantedAccess: '*0x1010*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or
+    SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or
+    SELECTION_16)) and  not ((SELECTION_17 and (SELECTION_18 or SELECTION_19 or SELECTION_20
+    or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
+    or SELECTION_26))))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+  with it
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/05/16
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+- car.2019-04-004

rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml

@@ -0,0 +1,25 @@
+
+title: Direct Syscall of NtOpenProcess
+author: Christian Burkard
+date: 2021/07/28
+description: Detects the usage of the direct syscall of NtOpenProcess which might
+  be done from a CobaltStrike BOF.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: UNKNOWN*
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+status: experimental
+tags:
+- attack.execution
+- attack.t1106

rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml.yml

@@ -0,0 +1,25 @@
+
+title: Direct Syscall of NtOpenProcess
+author: Christian Burkard
+date: 2021/07/28
+description: Detects the usage of the direct syscall of NtOpenProcess which might
+  be done from a CobaltStrike BOF.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: UNKNOWN*
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+status: experimental
+tags:
+- attack.execution
+- attack.t1106

rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml

@@ -0,0 +1,76 @@
+
+title: Suspicious In-Memory Module Execution
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+description: Detects the access to processes by other suspicious processes which have
+  reflectively loaded libraries in their memory space. An example is SilentTrinity
+  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
+  call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
+  the module name. Usually this means the stack call points to a module that was reflectively
+  loaded in memory. Adding to this, it is not common to see such few calls in the
+  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most
+  of the functions required by the process to execute certain routines are already
+  present in memory, not requiring any calls to external libraries. The latter should
+  also be considered suspicious.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_10:
+    EventID: 10
+  SELECTION_11:
+    CallTrace: '*UNKNOWN*'
+  SELECTION_12:
+    GrantedAccess:
+    - '0x1F0FFF'
+    - '0x1F1FFF'
+    - '0x143A'
+    - '0x1410'
+    - '0x1010'
+    - '0x1F2FFF'
+    - '0x1F3FFF'
+    - '0x1FFFFF'
+  SELECTION_13:
+    SourceImage:
+    - '*\Windows\System32\sdiagnhost.exe'
+  SELECTION_2:
+    EventID: 10
+  SELECTION_3:
+    CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_6:
+    CallTrace: '*)*'
+  SELECTION_7:
+    CallTrace: '*UNKNOWN(*'
+  SELECTION_8:
+    CallTrace: '*)|UNKNOWN(*'
+  SELECTION_9:
+    CallTrace: '*)'
+  condition: (SELECTION_1 and ((SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
+    SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9)))
+    or ((SELECTION_10 and SELECTION_11 and SELECTION_12) and  not (SELECTION_13))))
+falsepositives:
+- Low
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
+level: critical
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/05/16
+references:
+- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055.001
+- attack.t1055.002
+- attack.t1055

rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml.yml

@@ -0,0 +1,83 @@
+
+title: Suspicious In-Memory Module Execution
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+description: Detects the access to processes by other suspicious processes which have
+  reflectively loaded libraries in their memory space. An example is SilentTrinity
+  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
+  call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
+  the module name. Usually this means the stack call points to a module that was reflectively
+  loaded in memory. Adding to this, it is not common to see such few calls in the
+  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most
+  of the functions required by the process to execute certain routines are already
+  present in memory, not requiring any calls to external libraries. The latter should
+  also be considered suspicious.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_10:
+    CallTrace: '*UNKNOWN*'
+  SELECTION_11:
+    GrantedAccess: '0x1F0FFF'
+  SELECTION_12:
+    GrantedAccess: '0x1F1FFF'
+  SELECTION_13:
+    GrantedAccess: '0x143A'
+  SELECTION_14:
+    GrantedAccess: '0x1410'
+  SELECTION_15:
+    GrantedAccess: '0x1010'
+  SELECTION_16:
+    GrantedAccess: '0x1F2FFF'
+  SELECTION_17:
+    GrantedAccess: '0x1F3FFF'
+  SELECTION_18:
+    GrantedAccess: '0x1FFFFF'
+  SELECTION_19:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+  SELECTION_20:
+    SourceImage: '*\Windows\System32\sdiagnhost.exe'
+  SELECTION_3:
+    CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+  SELECTION_4:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_5:
+    CallTrace: '*)*'
+  SELECTION_6:
+    CallTrace: '*UNKNOWN(*'
+  SELECTION_7:
+    CallTrace: '*)|UNKNOWN(*'
+  SELECTION_8:
+    CallTrace: '*)'
+  SELECTION_9:
+    EventID: 10
+  condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or ((SELECTION_9 and SELECTION_10
+    and (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+    or SELECTION_16 or SELECTION_17 or SELECTION_18)) and  not ((SELECTION_19 and
+    SELECTION_20)))))
+falsepositives:
+- Low
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
+level: critical
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/05/16
+references:
+- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055.001
+- attack.t1055.002
+- attack.t1055

rules/sigma/windows/process_access/sysmon_invoke_phantom.yml

@@ -0,0 +1,33 @@
+
+title: Suspect Svchost Memory Asccess
+author: Tim Burrell
+date: 2020/01/02
+description: Detects suspect access to svchost process memory such as that used by
+  Invoke-Phantom to kill the winRM windows event logging service.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\windows\system32\svchost.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1f3fff'
+  SELECTION_4:
+    CallTrace:
+    - '*unknown*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2020/08/24
+references:
+- https://github.com/hlldz/Invoke-Phant0m
+- https://twitter.com/timbmsft/status/900724491076214784
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.002
+- attack.t1089

rules/sigma/windows/process_access/sysmon_invoke_phantom.yml.yml

@@ -0,0 +1,32 @@
+
+title: Suspect Svchost Memory Asccess
+author: Tim Burrell
+date: 2020/01/02
+description: Detects suspect access to svchost process memory such as that used by
+  Invoke-Phantom to kill the winRM windows event logging service.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\windows\system32\svchost.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1f3fff'
+  SELECTION_4:
+    CallTrace: '*unknown*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2020/08/24
+references:
+- https://github.com/hlldz/Invoke-Phant0m
+- https://twitter.com/timbmsft/status/900724491076214784
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.002
+- attack.t1089

rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml

@@ -0,0 +1,36 @@
+
+title: Credential Dumping by LaZagne
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+description: Detects LSASS process access by LaZagne for credential dumping.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*_ctypes.pyd+*'
+  SELECTION_6:
+    CallTrace: '*python27.dll+*'
+  SELECTION_7:
+    GrantedAccess: '0x1FFFFF'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://twitter.com/bh4b3sh/status/1303674603819081728
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.s0349

rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml.yml

@@ -0,0 +1,36 @@
+
+title: Credential Dumping by LaZagne
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+description: Detects LSASS process access by LaZagne for credential dumping.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*_ctypes.pyd+*'
+  SELECTION_6:
+    CallTrace: '*python27.dll+*'
+  SELECTION_7:
+    GrantedAccess: '0x1FFFFF'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://twitter.com/bh4b3sh/status/1303674603819081728
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.s0349

rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml

@@ -0,0 +1,29 @@
+
+title: LittleCorporal Generated Maldoc Injection
+author: Christian Burkard
+date: 2021/08/09
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*winword.exe'
+  SELECTION_3:
+    CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
+  SELECTION_4:
+    CallTrace: '*UNKNOWN*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/connormcgarr/LittleCorporal
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1055.003

rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml.yml

@@ -0,0 +1,29 @@
+
+title: LittleCorporal Generated Maldoc Injection
+author: Christian Burkard
+date: 2021/08/09
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*winword.exe'
+  SELECTION_3:
+    CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
+  SELECTION_4:
+    CallTrace: '*UNKNOWN*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/connormcgarr/LittleCorporal
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1055.003

rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml

@@ -0,0 +1,32 @@
+
+title: Load Undocumented Autoelevated COM Interface
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*editionupgrademanagerobj.dll*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002

rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml.yml

@@ -0,0 +1,32 @@
+
+title: Load Undocumented Autoelevated COM Interface
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*editionupgrademanagerobj.dll*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002

rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml

@@ -0,0 +1,31 @@
+
+title: Lsass Memory Dump via Comsvcs DLL
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
+  via rundll32 to perform a memory dump from lsass.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    SourceImage: C:\Windows\System32\rundll32.exe
+  SELECTION_4:
+    CallTrace: '*comsvcs.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+level: critical
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://twitter.com/shantanukhande/status/1229348874298388484
+- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001

rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml.yml

@@ -0,0 +1,31 @@
+
+title: Lsass Memory Dump via Comsvcs DLL
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
+  via rundll32 to perform a memory dump from lsass.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    SourceImage: C:\Windows\System32\rundll32.exe
+  SELECTION_4:
+    CallTrace: '*comsvcs.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+level: critical
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://twitter.com/shantanukhande/status/1229348874298388484
+- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001

rules/sigma/windows/process_access/sysmon_lsass_memdump.yml

@@ -0,0 +1,34 @@
+
+title: LSASS Memory Dump
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects process LSASS memory dump using procdump or taskmgr based on
+  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1fffff'
+  SELECTION_4:
+    CallTrace:
+    - '*dbghelp.dll*'
+    - '*dbgcore.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002

rules/sigma/windows/process_access/sysmon_lsass_memdump.yml.yml

@@ -0,0 +1,37 @@
+
+title: LSASS Memory Dump
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects process LSASS memory dump using procdump or taskmgr based on
+  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    EventID: 10
+  SELECTION_3:
+    TargetImage: '*\lsass.exe'
+  SELECTION_4:
+    GrantedAccess: '0x1fffff'
+  SELECTION_5:
+    CallTrace: '*dbghelp.dll*'
+  SELECTION_6:
+    CallTrace: '*dbgcore.dll*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and SELECTION_4 and (SELECTION_5
+    or SELECTION_6))
+falsepositives:
+- unknown
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002

rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml

@@ -0,0 +1,40 @@
+
+title: Malware Shellcode in Verclsid Target Process
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+  a Microsoft Office application / VBA macro
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\verclsid.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1FFFFF'
+  SELECTION_4:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_5:
+    CallTrace: '*VBE7.DLL*'
+  SELECTION_6:
+    SourceImage: '*\Microsoft Office\\*'
+  SELECTION_7:
+    CallTrace: '*|UNKNOWN*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
+    SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+  category: process_access
+  definition: 'Use the following config to generate the necessary Event ID 10 Process
+    Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
+    onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+  product: windows
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml.yml

@@ -0,0 +1,42 @@
+
+title: Malware Shellcode in Verclsid Target Process
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+  a Microsoft Office application / VBA macro
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    EventID: 10
+  SELECTION_3:
+    TargetImage: '*\verclsid.exe'
+  SELECTION_4:
+    GrantedAccess: '0x1FFFFF'
+  SELECTION_5:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_6:
+    CallTrace: '*VBE7.DLL*'
+  SELECTION_7:
+    SourceImage: '*\Microsoft Office\\*'
+  SELECTION_8:
+    CallTrace: '*|UNKNOWN*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and ((SELECTION_5
+    and SELECTION_6) or (SELECTION_7 and SELECTION_8)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+  category: process_access
+  definition: 'Use the following config to generate the necessary Event ID 10 Process
+    Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
+    onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+  product: windows
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml

@@ -0,0 +1,36 @@
+
+title: Mimikatz through Windows Remote Management
+author: Patryk Prauze - ING Tech
+date: 2019/05/20
+description: Detects usage of mimikatz through WinRM protocol by monitoring access
+  to lsass process by wsmprovhost.exe.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    SourceImage: C:\Windows\system32\wsmprovhost.exe
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- low
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003.001
+- attack.t1003
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+- attack.s0002

rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml.yml

@@ -0,0 +1,36 @@
+
+title: Mimikatz through Windows Remote Management
+author: Patryk Prauze - ING Tech
+date: 2019/05/20
+description: Detects usage of mimikatz through WinRM protocol by monitoring access
+  to lsass process by wsmprovhost.exe.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    SourceImage: C:\Windows\system32\wsmprovhost.exe
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- low
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003.001
+- attack.t1003
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+- attack.s0002

rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml

@@ -0,0 +1,37 @@
+
+title: Credential Dumping by Pypykatz
+author: Bhabesh Raj
+date: 2021/08/03
+description: Detects LSASS process access by pypykatz for credential dumping.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*libffi-7.dll*'
+  SELECTION_6:
+    CallTrace: '*_ctypes.pyd+*'
+  SELECTION_7:
+    CallTrace: '*python3*.dll+*'
+  SELECTION_8:
+    GrantedAccess: '0x1FFFFF'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7 and SELECTION_8)
+falsepositives:
+- Unknown
+id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/skelsec/pypykatz
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001

rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml.yml

@@ -0,0 +1,37 @@
+
+title: Credential Dumping by Pypykatz
+author: Bhabesh Raj
+date: 2021/08/03
+description: Detects LSASS process access by pypykatz for credential dumping.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*libffi-7.dll*'
+  SELECTION_6:
+    CallTrace: '*_ctypes.pyd+*'
+  SELECTION_7:
+    CallTrace: '*python3*.dll+*'
+  SELECTION_8:
+    GrantedAccess: '0x1FFFFF'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7 and SELECTION_8)
+falsepositives:
+- Unknown
+id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/skelsec/pypykatz
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001

rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml

@@ -0,0 +1,27 @@
+
+title: SVCHOST Credential Dump
+author: Florent Labouyrie
+date: 2021/04/30
+description: Detects when a process, such as mimikatz, accesses the memory of svchost
+  to dump credentials
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\svchost.exe'
+  SELECTION_3:
+    GrantedAccess: '0x143a'
+  SELECTION_4:
+    SourceImage:
+    - '*\services.exe'
+    - '*\msiexec.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Non identified legit exectubale
+id: 174afcfa-6e40-4ae9-af64-496546389294
+level: critical
+logsource:
+  category: process_access
+  product: windows
+tags:
+- attack.t1548

rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml.yml

@@ -0,0 +1,32 @@
+
+title: SVCHOST Credential Dump
+author: Florent Labouyrie
+date: 2021/04/30
+description: Detects when a process, such as mimikatz, accesses the memory of svchost
+  to dump credentials
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    EventID: 10
+  SELECTION_3:
+    TargetImage: '*\svchost.exe'
+  SELECTION_4:
+    GrantedAccess: '0x143a'
+  SELECTION_5:
+    EventID: 10
+  SELECTION_6:
+    SourceImage: '*\services.exe'
+  SELECTION_7:
+    SourceImage: '*\msiexec.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    ((SELECTION_5 and (SELECTION_6 or SELECTION_7))))
+falsepositives:
+- Non identified legit exectubale
+id: 174afcfa-6e40-4ae9-af64-496546389294
+level: critical
+logsource:
+  category: process_access
+  product: windows
+tags:
+- attack.t1548

rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml

@@ -0,0 +1,30 @@
+
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
+  30)
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*:\Windows\SysWOW64\\*'
+  SELECTION_3:
+    GrantedAccess: '0x1fffff'
+  SELECTION_4:
+    CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002

rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml.yml

@@ -0,0 +1,30 @@
+
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
+  30)
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*:\Windows\SysWOW64\\*'
+  SELECTION_3:
+    GrantedAccess: '0x1fffff'
+  SELECTION_4:
+    CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002

rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml

@@ -0,0 +1,35 @@
+
+title: Suspicious Shells Spawn by WinRM
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+description: Detects suspicious shell spawn from WinRM host process
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage: '*\wsmprovhost.exe'
+  SELECTION_3:
+    Image:
+    - '*\cmd.exe'
+    - '*\sh.exe'
+    - '*\bash.exe'
+    - '*\powershell.exe'
+    - '*\schtasks.exe'
+    - '*\certutil.exe'
+    - '*\whoami.exe'
+    - '*\bitsadmin.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate WinRM usage
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/05/22
+status: experimental
+tags:
+- attack.t1190
+- attack.initial_access
+- attack.persistence
+- attack.privilege_escalation

rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml.yml

@@ -0,0 +1,42 @@
+
+title: Suspicious Shells Spawn by WinRM
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+description: Detects suspicious shell spawn from WinRM host process
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_10:
+    Image: '*\bitsadmin.exe'
+  SELECTION_2:
+    ParentImage: '*\wsmprovhost.exe'
+  SELECTION_3:
+    Image: '*\cmd.exe'
+  SELECTION_4:
+    Image: '*\sh.exe'
+  SELECTION_5:
+    Image: '*\bash.exe'
+  SELECTION_6:
+    Image: '*\powershell.exe'
+  SELECTION_7:
+    Image: '*\schtasks.exe'
+  SELECTION_8:
+    Image: '*\certutil.exe'
+  SELECTION_9:
+    Image: '*\whoami.exe'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10))
+falsepositives:
+- Legitimate WinRM usage
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/05/22
+status: experimental
+tags:
+- attack.t1190
+- attack.initial_access
+- attack.persistence
+- attack.privilege_escalation