Add: sigma rules (#175)

This commit is contained in:
itiB
2021-11-22 08:45:44 +09:00
committed by GitHub
parent b53342218c
commit 034f9c0957
1086 changed files with 40715 additions and 192 deletions

View File

@@ -0,0 +1,37 @@
title: Abusing Windows Telemetry For Persistence
author: Sreeman
date: 2020/09/29
description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
a variety of commands and perform the actual telemetry collections. This binary
was created to be easily extensible, and to that end, it relies on the registry
to instruct on which commands to run. The problem is, it will run any arbitrary
command without restriction of location or type.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine|re: (?i).*schtasks.*(-|/)r.*\\\\Application Experience\\\\Microsoft
Compatibility Appraiser.*
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- none
fields:
- EventID
- CommandLine
- TargetObject
- Details
id: f548a603-c9f2-4c89-b511-b089f7e94549
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/09
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
status: experimental
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1112
- attack.t1053
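Review bot: the `CommandLine|re` pattern is probably over-escaped: `\\\\Application Experience\\\\Microsoft` in an unquoted YAML scalar stays four backslashes, which as a regex matches two literal backslashes, while the task path on a real command line (`\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser`) has single backslashes; verify against a converted backend query, since as written it may never fire. `falsepositives: none` is hard to defend for a rule keyed on `schtasks` plus `/r`; the OS and administrators run this task, so name the expected benign case instead. The `fields` list also carries `TargetObject` and `Details`, which are registry-event fields and will never be populated for a `process_creation` match; drop them. Finally, `EventID: 1` is redundant next to `category: process_creation` here and in every other rule in this commit; that mapping belongs in the logsource config, not the rule.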

View File

@@ -0,0 +1,30 @@
title: Advanced IP Scanner
author: '@ROxPinTeddy'
date: 2020/05/12
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
ransomware groups.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\advanced_ip_scanner*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative use
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
status: experimental
tags:
- attack.discovery
- attack.t1046
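Review bot: `Image: '*\advanced_ip_scanner*'` is a path-only match and is defeated by renaming the binary, which the referenced ransomware cases show operators doing with tooling; add an OR on the PE version fields Sysmon populates (`OriginalFileName`, `Description` or `Product`) so a copied `scan.exe` still matches. The path pattern also matches the installer as well as the portable executable, which is acceptable for the stated `Legitimate administrative use` false positive but worth a sentence in the description.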

View File

@@ -0,0 +1,51 @@
title: Execute From Alternate Data Streams
author: frack113
date: 2021/09/01
description: Adversaries may use NTFS file attributes to hide their malicious data
in order to evade detection
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '* /E *'
SELECTION_11:
CommandLine: '*esentutl *'
SELECTION_12:
CommandLine: '* /y *'
SELECTION_13:
CommandLine: '* /d *'
SELECTION_14:
CommandLine: '* /o *'
SELECTION_2:
CommandLine: '*txt:*'
SELECTION_3:
CommandLine: '*type *'
SELECTION_4:
CommandLine: '* > *'
SELECTION_5:
CommandLine: '*makecab *'
SELECTION_6:
CommandLine: '*.cab*'
SELECTION_7:
CommandLine: '*reg *'
SELECTION_8:
CommandLine: '* export *'
SELECTION_9:
CommandLine: '*regedit *'
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
or (SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14)))
falsepositives:
- Unknown
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
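Review bot: `SELECTION_2: CommandLine: '*txt:*'` gates all five branches on a `.txt` host file, but an alternate data stream can hang off any file or directory, so this only covers the Atomic Red Team test layout it was built from; either say so in the description or replace the gate with host-file patterns per branch. The `type` + `* > *` branch is ordinary batch redirection and stays quiet only because of the `txt:` gate, so the falsepositives entry should record that dependency rather than `Unknown`.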

View File

@@ -0,0 +1,35 @@
title: GALLIUM Artefacts
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
sha1:
- e570585edc69f9074cb5e8a790708336bd45ca0f
SELECTION_3:
Image:
- '*:\Program Files(x86)\\*'
- '*:\Program Files\\*'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- unknown
id: 18739897-21b1-41da-8ee4-5b786915a676
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: experimental
tags:
- attack.credential_access
- attack.command_and_control
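Review bot: `'*:\Program Files(x86)\\*'` is missing the space in `Program Files (x86)`, so the exclusion never matches 32-bit installs. More fundamentally, a SHA1 match is the same file wherever it sits; if the hash is a dual-use tool that is benign under Program Files, say so in the description, otherwise drop SELECTION_3 entirely. The `sha1` field also assumes the pipeline splits Sysmon's `Hashes` string into per-algorithm fields; state that prerequisite, since a stock Sysmon-to-SIEM mapping leaves it as one `SHA1=...,MD5=...` string.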

View File

@@ -0,0 +1,46 @@
title: GALLIUM Artefacts
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
sha1:
- 53a44c2396d15c3a03723fa5e5db54cafd527635
- 9c5e496921e3bc882dc40694f1dcc3746a75db19
- aeb573accfd95758550cf30bf04f389a92922844
- 79ef78a797403a4ed1a616c68e07fff868a8650a
- 4f6f38b4cec35e895d91c052b1f5a83d665c2196
- 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
- e841a63e47361a572db9a7334af459ddca11347a
- c28f606df28a9bc8df75a4d5e5837fc5522dd34d
- 2e94b305d6812a9f96e6781c888e48c7fb157b6b
- dd44133716b8a241957b912fa6a02efde3ce3025
- 8793bf166cb89eb55f0593404e4e933ab605e803
- a39b57032dbb2335499a51e13470a7cd5d86b138
- 41cc2b15c662bc001c0eb92f6cc222934f0beeea
- d209430d6af54792371174e70e27dd11d3def7a7
- 1c6452026c56efd2c94cea7e0f671eb55515edb0
- c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
- 4923d460e22fbbf165bbbaba168e5a46b8157d9f
- f201504bd96e81d0d350c3a8332593ee1c9e09de
- ddd2db1127632a2a52943a2fe516a2e7d05d70d2
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 440a56bf-7873-4439-940a-1c8a671073c2
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
status: experimental
tags:
- attack.credential_access
- attack.command_and_control
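Review bot: the tags carry only two tactics and no technique or group, so the rule cannot be placed in ATT&CK views; add the group tag in the `attack.g0010` style used by the Turla rule in this commit, and a technique for what the hashed binaries do. `falsepositives: unknown` with `level: high` also undersells a hash match on published IOCs; `Very unlikely`, as the Dumpert rule puts it, is the honest entry.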

View File

@@ -0,0 +1,36 @@
title: Pandemic Registry Key
author: Florian Roth
date: 2017/06/01
description: Detects Pandemic Windows Implant
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*loaddll -a *'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
id: 9fefd33c-339d-4495-9cba-b96ca006f512
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://wikileaks.org/vault7/#Pandemic
- https://twitter.com/MalwareJake/status/870349480356454401
related:
- id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
type: derived
status: experimental
tags:
- attack.lateral_movement
- attack.t1105
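Review bot: the title `Pandemic Registry Key` does not describe this logic, which is a `process_creation` match on `'*loaddll -a *'`; the registry detection is the related rule `47e0852a-...`, so retitle this one (for example `Pandemic Implant loaddll Execution`) and drop `TargetObject` from `fields`, a registry field this event will never carry. The tag pair is also inconsistent: `attack.t1105` (Ingress Tool Transfer) sits under Command and Control, not `attack.lateral_movement`.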

View File

@@ -0,0 +1,33 @@
title: Defrag Deactivation
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
description: Detects the deactivation and disabling of the Scheduled defragmentation
task as seen by Slingshot APT group
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\schtasks.exe'
SELECTION_3:
CommandLine:
- '*/delete*'
- '*/change*'
SELECTION_4:
CommandLine: '*/TN*'
SELECTION_5:
CommandLine: '*\Microsoft\Windows\Defrag\ScheduledDefrag*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
tags:
- attack.persistence
- attack.s0111
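Review bot: `status` is missing; every other rule in this commit sets `status: experimental`. The tags give only a tactic and a software ID, so add the scheduled-task technique tag used elsewhere in this commit (`attack.t1053.005`). `'*/change*'` also fires on `schtasks /change ... /ENABLE` or an administrator adjusting the schedule; since the description is about deactivation, consider requiring `/DISABLE` on the change branch.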

View File

@@ -0,0 +1,35 @@
title: Turla Group Lateral Movement
author: Markus Neis
date: 2017/11/07
description: Detects automated lateral movement by Turla group
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- net use \\%DomainController%\C$ "P@ssw0rd" *
- dir c:\\*.doc* /s
- dir %TEMP%\\*.exe
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://securelist.com/the-epic-turla-operation/65545/
status: experimental
tags:
- attack.g0010
- attack.execution
- attack.t1059
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
- attack.discovery
- attack.t1083
- attack.t1135
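Review bot: `net use \\%DomainController%\C$ "P@ssw0rd" *` has two problems. Under Sigma escaping `\\` is one plain backslash, so the value matches `\%DomainController%\C$`, not a UNC path; and `%DomainController%` is matched literally, so it only fires if the unexpanded batch variable appears in the process command line. If the literal token is intended, say so in the description; otherwise write `\\\\*\C$` and drop the placeholder. `attack.t1077` is the deprecated ID for what is already tagged as `attack.t1021.002`; remove it.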

View File

@@ -0,0 +1,48 @@
title: Operation Wocao Activity
author: Florian Roth, frack113
date: 2019/12/20
description: Detects activity mentioned in Operation Wocao report
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*checkadmin.exe 127.0.0.1 -all*'
- '*netsh advfirewall firewall add rule name=powershell dir=in*'
- '*cmd /c powershell.exe -ep bypass -file c:\s.ps1*'
- '*/tn win32times /f*'
- '*create win32times binPath=*'
- '*\c$\windows\system32\devmgr.dll*'
- '* -exec bypass -enc JgAg*'
- '*type *keepass\KeePass.config.xml*'
- '*iie.exe iie.txt*'
- '*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
related:
- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
type: derived
status: experimental
tags:
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- attack.t1036
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1053
- attack.t1059.001
- attack.t1086
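Review bot: the tag list mixes deprecated and replacement IDs and parent/sub-technique pairs: `attack.t1086` was superseded by `attack.t1059.001`, and `attack.t1036` / `attack.t1053` are redundant beside `attack.t1036.004` / `attack.t1053.005`; keep the current sub-techniques only. Also note in the description that entries such as `'* -exec bypass -enc JgAg*'` and `'*iie.exe iie.txt*'` are verbatim string IOCs from the report rather than behavioural matches, so readers do not expect coverage of variants.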

View File

@@ -0,0 +1,45 @@
title: Automated Collection Command Prompt
author: frack113
date: 2021/07/28
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*.doc*'
- '*.docx*'
- '*.xls*'
- '*.xlsx*'
- '*.ppt*'
- '*.pptx*'
- '*.rtf*'
- '*.pdf*'
- '*.txt*'
SELECTION_3:
CommandLine: '*dir *'
SELECTION_4:
CommandLine: '* /b *'
SELECTION_5:
CommandLine: '* /s *'
SELECTION_6:
OriginalFileName: FINDSTR.EXE
SELECTION_7:
CommandLine: '* /e *'
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: f576a613-2392-4067-9d1a-9345fb58d8d1
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
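Review bot: `'*.docx*'`, `'*.xlsx*'` and `'*.pptx*'` are already covered by `'*.doc*'`, `'*.xls*'` and `'*.ppt*'`; drop the duplicates. `'*.txt*'` combined with `dir /b /s` matches routine batch work (log collection, build scripts), so `falsepositives: Unknown` should name that and `level: medium` may be generous. In the findstr branch, `'* /e *'` requires a trailing space, so `findstr /e .docx` at the end of a command line is missed; `'* /e*'` or `|contains` is safer.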

View File

@@ -0,0 +1,28 @@
title: F-Secure C3 Load by Rundll32
author: Alfie Champion (ajpc500)
date: 2021/06/02
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*rundll32.exe*'
SELECTION_3:
CommandLine: '*.dll*'
SELECTION_4:
CommandLine: '*StartNodeRelay*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
level: critical
logsource:
category: process_creation
product: windows
references:
- https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
status: experimental
tags:
- attack.defense_evasion
- attack.t1218.011
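Review bot: `CommandLine: '*rundll32.exe*'` misses the common form `rundll32 payload.dll,StartNodeRelay` (no `.exe`, resolved by the shell); match on `Image|endswith: '\rundll32.exe'` or `OriginalFileName: RUNDLL32.EXE` instead, which also survives a copied or renamed rundll32. Once the export name is required, `'*.dll*'` can go, because rundll32 loads a module under any extension.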

View File

@@ -0,0 +1,26 @@
title: Use of CLIP
author: frack113
date: 2021/07/27
description: Adversaries may collect data stored in the clipboard from users copying
information within or between applications.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
OriginalFileName: clip.exe
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
level: low
logsource:
category: process_creation
product: windows
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
status: experimental
tags:
- attack.collection
- attack.t1115

View File

@@ -0,0 +1,31 @@
title: CobaltStrike Load by Rundll32
author: Wojciech Lesicki
date: 2021/06/01
description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs
from the command line.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*rundll32.exe*'
SELECTION_3:
CommandLine: '*.dll*'
SELECTION_4:
CommandLine: '*StartW*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.cobaltstrike.com/help-windows-executable
- https://redcanary.com/threat-detection-report/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218.011

View File

@@ -0,0 +1,36 @@
title: WMI Command Execution by Office Applications
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Initial execution of malicious document calls wmic Win32_Process::Create
to execute the file with regsvr32
detection:
SELECTION_1:
EventLog: EDR
SELECTION_2:
EventType: WMIExecution
SELECTION_3:
WMIcommand: '*Win32_Process\:\:Create*'
SELECTION_4:
Image:
- '*\winword.exe'
- '*\excel.exe'
- '*\powerpnt.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
level: high
logsource:
category: process_creation
product: EndPoint Detection Logs
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
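Review bot: `EventLog: EDR`, `EventType: WMIExecution` and `WMIcommand` are not fields of the Sigma `process_creation` schema, and `product: EndPoint Detection Logs` is not a logsource product, so no field mapping in the repo converts this rule. Either define a dedicated logsource for this data (with those field names documented) or express it as process creation, as the sibling rules `23daeb52-...` and `8a582fe2-...` already do. The `\:\:` escapes in `Win32_Process\:\:Create` are unnecessary; colons are not special in Sigma values.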

View File

@@ -0,0 +1,37 @@
title: Conti Ransomware Execution
author: frack113
date: 2021/10/12
description: Conti ransomware command line ioc
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*-m *'
SELECTION_3:
CommandLine: '*-net *'
SELECTION_4:
CommandLine: '*-size *'
SELECTION_5:
CommandLine: '*-nomutex *'
SELECTION_6:
CommandLine: '*-p \\\*'
SELECTION_7:
CommandLine: '*$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7)
falsepositives:
- Unknown should be low
id: 689308fc-cfba-4f72-9897-796c1dc61487
level: critical
logsource:
category: process_creation
product: windows
references:
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
- https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
status: experimental
tags:
- attack.impact
- attack.s0575
- attack.t1486
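Review bot: `CommandLine: '*-p \\\*'` does not mean what it looks like: under Sigma escaping `\\` is one plain backslash and `\*` a literal asterisk, so the value matches the literal text `-p \*`. If the intended argument is a UNC share (`-p \\host\share`), write `'*-p \\\\*'`. `'*$*'` on its own is just "contains a dollar sign" and only works as an admin-share hint because the other six selections are ANDed; say so in the description. `falsepositives: Unknown should be low` reads as two notes run together; `Unknown, expected to be low` is clearer.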

View File

@@ -0,0 +1,34 @@
title: Conti Backup Database
author: frack113
date: 2021/08/16
description: Detects a command used by conti to dump database
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*sqlcmd *'
- '*sqlcmd.exe*'
SELECTION_3:
CommandLine: '* -S localhost *'
SELECTION_4:
CommandLine:
- '*sys.sysprocesses*'
- '*master.dbo.sysdatabases*'
- '*BACKUP DATABASE*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
level: high
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
status: experimental
tags:
- attack.collection
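Review bot: the tags give only the `attack.collection` tactic; add a technique (T1005, Data from Local System, is the closest fit for dumping a local database) so the rule is placed in ATT&CK. `'* -S localhost *'` is matched case-insensitively, so `-s` (the column-separator switch) also satisfies it, and `-S .` / `-S 127.0.0.1` forms are missed; a list of server forms would be more robust. Prefer `Image|endswith: '\sqlcmd.exe'` or `OriginalFileName` over the two `sqlcmd` command-line substrings.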

View File

@@ -0,0 +1,44 @@
title: Discover Private Keys
author: frack113
date: 2021/07/20
description: Adversaries may search for private key certificate files on compromised
systems for insecurely stored credential
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*dir *'
- '*findstr *'
SELECTION_3:
CommandLine:
- '*.key*'
- '*.pgp*'
- '*.gpg*'
- '*.ppk*'
- '*.p12*'
- '*.pem*'
- '*.pfx*'
- '*.cer*'
- '*.p7b*'
- '*.asc*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
status: experimental
tags:
- attack.credential_access
- attack.t1552.004
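Review bot: the extension patterns are unanchored substrings: `'*.key*'` also matches `.keys` and `.keystore`, `'*.cer*'` matches `.cert`, and `'*.asc*'` matches `.ascii`; with only `'*dir *'` or `'*findstr *'` required, any `findstr` over a path containing `.keyboard` fires. Anchor on the forms an operator types (`'*.key *'`, `'*.key"*'`, or `|endswith`) or document the noise; `falsepositives: Unknown` is not adequate for a `dir`-based rule.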

View File

@@ -0,0 +1,43 @@
title: DNS ServerLevelPluginDll Install
author: Florian Roth
date: 2017/05/08
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
in Registry, which can be used to execute code in context of the DNS server (restart
required)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\dnscmd.exe'
SELECTION_3:
CommandLine: '*/config*'
SELECTION_4:
CommandLine: '*/serverlevelplugindll*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
- attack.t1112
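Review bot: `attack.t1073` is the deprecated ID for DLL side-loading and is already represented by `attack.t1574.002`; drop it. `TargetObject` in `fields` is a registry field that a `dnscmd.exe` process-creation match will not populate; it belongs to the related registry rule `e61e8a88-...`, not here.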

View File

@@ -0,0 +1,37 @@
title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
author: Beyu Denis, oscd.community
date: 2020/10/18
description: dotnet.exe will execute any DLL and execute unsigned code
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*.dll'
- '*.csproj'
SELECTION_3:
Image:
- '*\dotnet.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- System administrator Usage
- Penetration test
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
- https://twitter.com/_felamos/status/1204705548668555264
- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
status: experimental
tags:
- attack.execution
- attack.t1218
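Review bot: `CommandLine: - '*.dll' - '*.csproj'` are endswith matches, so `dotnet app.dll --flag`, `dotnet "C:\path\app.dll"` (closing quote) and `dotnet build app.csproj -c Release` all miss; use `'*.dll*'` / `'*.csproj*'`, with the `Image` selection keeping scope to dotnet.exe. Also, `dotnet app.dll` is the standard way to run every .NET Core application, so on build and application servers this fires continuously; the falsepositives entry should say so and `level: medium` may be high. `attack.t1218` is a Defense Evasion technique, so the tactic tag should be `attack.defense_evasion` rather than `attack.execution`.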

View File

@@ -0,0 +1,28 @@
title: Dumpert Process Dumper
author: Florian Roth
date: 2020/02/04
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
process memory
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Imphash: 09D278F9DE118EF09163C6140255C690
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Very unlikely
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
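Review bot: `Imphash` is only present when Sysmon's `HashAlgorithms` includes `IMPHASH` and the pipeline splits the `Hashes` string; state that prerequisite in the description, otherwise the rule silently matches nothing. An imphash also changes when Dumpert is rebuilt with a different toolchain or import set, so this catches the released binary rather than the technique; a companion process-access rule on lsass.exe would cover rebuilt variants.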

View File

@@ -0,0 +1,33 @@
title: InfDefaultInstall.exe .inf Execution
author: frack113
date: 2021/07/13
description: Executes SCT script using scrobj.dll from a command in entered into a
specially prepared INF file.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*InfDefaultInstall.exe *'
SELECTION_3:
CommandLine: '*.inf*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: ce7cf472-6fcc-490a-9481-3786840b5d9b
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
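Review bot: `attack.t1562.001` (Impair Defenses: Disable or Modify Tools) does not describe running an INF via InfDefaultInstall.exe; the rule's own references point at T1218, so tag `attack.t1218`. `CommandLine: '*InfDefaultInstall.exe *'` also misses `infdefaultinstall file.inf` without the extension; use `Image|endswith: '\InfDefaultInstall.exe'`.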

View File

@@ -0,0 +1,42 @@
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021/09/30
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*/in:*'
SELECTION_3:
CommandLine: '*/out:*'
SELECTION_4:
Image:
- '*\DataSvcUtil.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- DataSvcUtil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes
in your environment.
- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If
known behavior is causing false positives, it can be exempted from the rule.
- Penetration Testing
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
level: medium
logsource:
category: process_creation
product: windows
references:
- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
status: experimental
tags:
- attack.exfiltration
- attack.t1567
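Review bot: the condition requires both `/in:` and `/out:`, but DataSvcUtil.exe also accepts `/uri:` for the remote service endpoint; check the referenced gist for which switches the exfiltration invocation actually uses and add a `/uri:` branch if that is the path out. The falsepositives text reads like a triage checklist (`user agent` is not available in a process-creation event); keep it to the first and last bullets.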

View File

@@ -0,0 +1,37 @@
title: New Lolbin Process by Office Applications
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: This rule will monitor any office apps that spins up a new LOLBin process.
This activity is pretty suspicious and should be investigated.
detection:
SELECTION_1:
Image:
- '*regsvr32'
- '*rundll32'
- '*msiexec'
- '*mshta'
- '*verclsid'
SELECTION_2:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
level: high
logsource:
category: process_creation
product: Windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
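Review bot: `Image: '*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'`, `'*verclsid'` are endswith matches without the `.exe` suffix, so none of them can match a real `Image` value such as `C:\Windows\System32\regsvr32.exe`; write `'*\regsvr32.exe'` and so on. `product: Windows` should be lowercase `windows` to match the rest of the logsource values in the repo.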

View File

@@ -0,0 +1,34 @@
title: Lolbins Process Creation with WmiPrvse
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: This rule will monitor LOLBin process creations by wmiprvse. Add more
LOLBins to rule logic if needed.
detection:
SELECTION_1:
Image:
- '*regsvr32'
- '*rundll32'
- '*msiexec'
- '*mshta'
- '*verclsid'
SELECTION_2:
ParentImage: '*\wbem\WmiPrvSE.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
level: high
logsource:
category: process_creation
product: Windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
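Review bot: same `.exe` omission as in `23daeb52-...`: `'*regsvr32'` cannot match `\regsvr32.exe`, so SELECTION_1 is dead as written. "Add more LOLBins to rule logic if needed" is an instruction to maintainers, not a description of what is detected; move it out of `description`. `product: Windows` should be lowercase.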

View File

@@ -0,0 +1,39 @@
title: Execute Files with Msdeploy.exe
author: Beyu Denis, oscd.community
date: 2020/10/18
description: Detects file execution using the msdeploy.exe lolbin
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*verb:sync*'
SELECTION_3:
CommandLine: '*-source:RunCommand*'
SELECTION_4:
CommandLine: '*-dest:runCommand*'
SELECTION_5:
Image:
- '*\msdeploy.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- System administrator Usage
- Penetration test
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
- https://twitter.com/pabraeken/status/995837734379032576
- https://twitter.com/pabraeken/status/999090532839313408
status: experimental
tags:
- attack.execution
- attack.t1218
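Review bot: `attack.t1218` belongs to Defense Evasion; tag `attack.defense_evasion` rather than `attack.execution`. The three fragments `verb:sync`, `-source:RunCommand` and `-dest:runCommand` track the LOLBAS form, which is fine; consider `'*-dest:runCommand*'` alone with the `Image` match, since `runCommand` as a destination provider is the unusual part.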

View File

@@ -0,0 +1,41 @@
title: Office Applications Spawning Wmi Cli
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Initial execution of malicious document calls wmic to execute the file
with regsvr32
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: \wbem\WMIC.exe
SELECTION_3:
CommandLine: '*wmic *'
SELECTION_4:
OriginalFileName: wmic.exe
SELECTION_5:
Description: WMI Commandline Utility
SELECTION_6:
ParentPrcessName:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
and SELECTION_6)
falsepositives:
- Unknown
id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
level: high
logsource:
category: process_creation
product: windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
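Review bot: `ParentPrcessName` is a typo and not a Sigma field; the `process_creation` field is `ParentImage`, so SELECTION_6 never matches and the whole rule is dead. `Image: \wbem\WMIC.exe` has no leading wildcard, so it is an exact match against a full path and never matches either; use `'*\wbem\WMIC.exe'`. With both fixed, the OR across Image, CommandLine, OriginalFileName and Description is reasonable.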

View File

@@ -0,0 +1,55 @@
title: Excel Proxy Executing Regsvr32 With Payload
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
we have command-line in the event which allow us to "restore" this suspicious parent-child
chain and detect it. Monitor process creation with "wmic process call create" and
LOLBins in command-line with parent Office application processes.
detection:
SELECTION_1:
Image: '*\wbem\WMIC.exe'
SELECTION_2:
ProcessCommandLine: '*wmic *'
SELECTION_3:
OriginalFileName: wmic.exe
SELECTION_4:
Description: WMI Commandline Utility
SELECTION_5:
CommandLine:
- '*regsvr32*'
- '*rundll32*'
- '*msiexec*'
- '*mshta*'
- '*verclsid*'
SELECTION_6:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
SELECTION_7:
processCommandLine: '*process*'
SELECTION_8:
processCommandLine: '*create*'
SELECTION_9:
processCommandLine: '*call*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5
and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)
falsepositives:
- Unknown
id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
level: high
logsource:
category: process_creation
product: Windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
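Review bot: `ProcessCommandLine` and `processCommandLine` are not Sigma field names and are spelled two ways in the same rule; the standard field is `CommandLine`, which SELECTION_5 already uses, so SELECTION_2 and SELECTION_7-9 never match as written. The title names Excel but the parents include winword and powerpnt; `Office Application Proxy Executing LOLBin via WMIC` would be accurate.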

View File

@@ -0,0 +1,51 @@
title: Excel Proxy Executing Regsvr32 With Payload
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
we have command-line in the event which allow us to "restore" this suspicious parent-child
chain and detect it. Monitor process creation with "wmic process call create" and
LOLBins in command-line with parent Office application processes.
detection:
SELECTION_1:
ProcessCommandLine:
- '*regsvr32*'
- '*rundll32*'
- '*msiexec*'
- '*mshta*'
- '*verclsid*'
SELECTION_2:
Image: '*\wbem\WMIC.exe'
SELECTION_3:
ProcessCommandLine: '*wmic *'
SELECTION_4:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
SELECTION_5:
processCommandLine: '*process*'
SELECTION_6:
processCommandLine: '*create*'
SELECTION_7:
processCommandLine: '*call*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7)
falsepositives:
- Unknown
id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
level: high
logsource:
category: process_creation
product: Windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
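Review bot: this rule duplicates `9d1c72f5-...` (same title, same references, near-identical logic, and the same `ProcessCommandLine` / `processCommandLine` field-name problem); keep one. If both stay, give them distinct titles, fix the field names to `CommandLine`, and link them with `related`.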

View File

@@ -0,0 +1,36 @@
title: Office Applications Spawning Wmi Cli
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Initial execution of malicious document calls wmic to execute the file
with regsvr32
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\wbem\WMIC.exe'
SELECTION_3:
ProcessCommandLine: '*wmic *'
SELECTION_4:
ParentImage:
- winword.exe
- excel.exe
- powerpnt.exe
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: 04f5363a-6bca-42ff-be70-0d28bf629ead
level: high
logsource:
category: process_creation
product: windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
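Review bot: `ParentImage: - winword.exe` (and `excel.exe`, `powerpnt.exe`) has no wildcard, so it is an exact match against a full parent path and never fires; use `'*\winword.exe'`. `ProcessCommandLine` is not a Sigma field (use `CommandLine`). The rule also shares its title with `518643ba-...`; merge them or differentiate.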

View File

@@ -0,0 +1,36 @@
title: Pingback Backdoor
author: Bhabesh Raj
date: 2021/05/05
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
as described in the trustwave report
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*updata.exe'
SELECTION_3:
CommandLine: '*config*'
SELECTION_4:
CommandLine: '*msdtc*'
SELECTION_5:
CommandLine: '*start*'
SELECTION_6:
CommandLine: '*auto*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6)
falsepositives:
- Very unlikely
id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/09
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
status: experimental
tags:
- attack.persistence
- attack.t1574.001
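Review bot: the four substring selections `config`, `msdtc`, `start`, `auto` are order-independent and individually very common; the rule is carried entirely by `ParentImage: '*updata.exe'`, so a renamed dropper evades it. Say in the description that the parent name is the indicator, and consider collapsing the four into one ordered pattern such as `'*config*msdtc*start*auto*'` so the sc.exe invocation is matched as a unit.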

View File

@@ -0,0 +1,34 @@
title: Windows PowerShell Web Request
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request methods (including aliases) via
Windows PowerShell command
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*Invoke-WebRequest*'
- '*iwr *'
- '*wget *'
- '*curl *'
- '*Net.WebClient*'
- '*Start-BitsTransfer*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
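Review bot: the selection has no `Image` constraint, so `'*curl *'` and `'*wget *'` will fire on the native `curl.exe` and on any non-PowerShell process whose command line contains those words, which does not match the title "Windows PowerShell Web Request". Add an `Image` selection for `*\powershell.exe` / `*\pwsh.exe` (or `ParentImage`, for script hosts) and AND it into the condition. Minor: `attack.t1086` is the retired ID for what is now `attack.t1059.001`; keeping both is harmless, but the old one can go.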


@@ -0,0 +1,34 @@
title: ProtocolHandler.exe Downloaded Suspicious File
author: frack113
date: 2021/07/13
description: Emulates attack via documents through protocol handler in Microsoft Office.
On successful execution you should see Microsoft Word launch a blank file.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\protocolhandler.exe'
SELECTION_3:
CommandLine: '*"ms-word*'
SELECTION_4:
CommandLine: '*.docx"*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
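Review bot: the `description` is the Atomic Red Team test text ("Emulates attack via documents ... you should see Microsoft Word launch a blank file") rather than a statement of what the rule detects. Replace it with the detection intent, e.g. that it flags `protocolhandler.exe` launched with an `ms-word` URI that names a `.docx`, which is what SELECTION_2 to SELECTION_4 actually match.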


@@ -0,0 +1,39 @@
title: Root Certificate Installed
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/10
description: Adversaries may install a root certificate on a compromised system to
avoid warnings when connecting to adversary controlled web servers.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*root*'
SELECTION_3:
Image: '*\certutil.exe'
SELECTION_4:
CommandLine: '*-addstore*'
SELECTION_5:
Image: '*\CertMgr.exe'
SELECTION_6:
CommandLine: '*/add*'
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6)))
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
test if GPO push doesn't trigger FP
id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1553.004


@@ -0,0 +1,35 @@
title: Sysinternals SDelete Delete File
author: frack113
date: 2021/06/03
description: Use of SDelete to erase a file not the free space
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
OriginalFileName: sdelete.exe
SELECTION_3:
CommandLine:
- '* -h*'
- '* -c*'
- '* -z*'
- '* /?*'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- System administrator Usage
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: a4824fca-976f-4964-b334-0621379e84c4
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
status: experimental
tags:
- attack.impact
- attack.t1485


@@ -0,0 +1,40 @@
title: Detected Windows Software Discovery
author: Nikita Nazarov, oscd.community
date: 2020/10/16
description: Adversaries may attempt to enumerate software for a variety of reasons,
such as figuring out what security measures are present or if the compromised system
has a version of software that is vulnerable.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\reg.exe'
SELECTION_3:
CommandLine: '*query*'
SELECTION_4:
CommandLine: '*\software\\*'
SELECTION_5:
CommandLine: '*/v*'
SELECTION_6:
CommandLine: '*svcversion*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6)
falsepositives:
- Legitimate administration activities
id: e13f668e-7f95-443d-98d2-1816a7648a7b
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
status: experimental
tags:
- attack.discovery
- attack.t1518
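Review bot: SELECTION_6 (`CommandLine: '*svcversion*'`) narrows the rule to one specific `reg query ... /v svcVersion` lookup, which corresponds to the Atomic T1518 test in the references, while the title and description promise general software enumeration. Either rename the rule to reflect the narrow match, or drop SELECTION_6 and accept the broader `reg.exe query ... \software\ ... /v` pattern at a lower level.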


@@ -0,0 +1,43 @@
title: Sticky Key Like Backdoor Usage
author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
description: Detects the usage and installation of a backdoor that uses an option
to register a malicious debugger for built-in tools that are accessible in the login
screen
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\winlogon.exe'
SELECTION_3:
Image: '*\cmd.exe'
SELECTION_4:
CommandLine:
- '*sethc.exe*'
- '*utilman.exe*'
- '*osk.exe*'
- '*Magnify.exe*'
- '*Narrator.exe*'
- '*DisplaySwitch.exe*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
related:
- id: baca5663-583c-45f9-b5dc-ea96a22ce542
type: derived
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1015
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
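Review bot: this rule has no `status` field, unlike the rest of the rules in this commit (`status: experimental`); add one so tooling that filters on status does not silently skip it. Minor: `attack.t1015` is the retired Accessibility Features ID already covered by `attack.t1546.008`.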


@@ -0,0 +1,37 @@
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
author: frack113
date: 2021/07/27
description: An adversary may compress or encrypt data that is collected prior to
exfiltration using 3rd party utilities
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*7z.exe*'
- '*7za.exe*'
SELECTION_3:
CommandLine: '* -p*'
SELECTION_4:
CommandLine:
- '* a *'
- '* u *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Command line parameter combinations that contain all included strings
fields:
- CommandLine
- ParentCommandLine
- CurrentDirectory
id: 9fbf5927-5261-4284-a71d-f681029ea574
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
status: experimental
tags:
- attack.collection
- attack.t1560.001
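Review bot: SELECTION_2 matches `7z.exe`/`7za.exe` only as substrings of `CommandLine`, so a renamed binary is missed and a command line that merely mentions those names is flagged; match on `OriginalFileName` (as the SDelete rule in this commit does with `OriginalFileName: sdelete.exe`) or on `Image` in addition, and keep the CommandLine check for the `-p` and `a`/`u` switches. Note also that `'* -p*'` matches any argument beginning with `-p`, which the `falsepositives` entry already hints at.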


@@ -0,0 +1,41 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_3:
CommandLine:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
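Review bot: SELECTION_2 keys on `Invoke-ATHRemoteFXvGPUDisablementCommand`, which is the name of the AtomicTestHarnesses function linked in the second reference, not anything the abused binary itself produces; the rule therefore detects the test harness rather than the technique the description names (`RemoteFXvGPUDisablement.exe` used as a PowerShell host). Add a selection on `Image`/`OriginalFileName` for `RemoteFXvGPUDisablement.exe`, OR-ed with the harness match or as a separate rule, so real use is covered.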


@@ -0,0 +1,31 @@
title: Recon Information for Export with Command Prompt
author: frack113
date: 2021/07/30
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\tree.com'
- '*\WMIC.exe'
- '*\doskey.exe'
- '*\sc.exe'
SELECTION_3:
ParentCommandLine: '* > %TEMP%\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: aa2efee7-34dd-446e-8a37-40790a66efd7
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119


@@ -0,0 +1,34 @@
title: Compress Data and Lock With Password for Exfiltration With WINZIP
author: frack113
date: 2021/07/27
description: An adversary may compress or encrypt data that is collected prior to
exfiltration using 3rd party utilities
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*winzip.exe*'
- '*winzip64.exe*'
SELECTION_3:
CommandLine:
- '*-s"*'
SELECTION_4:
CommandLine:
- '* -min *'
- '* -a *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
status: experimental
tags:
- attack.collection
- attack.t1560.001


@@ -0,0 +1,35 @@
title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*Compress-Archive *'
SELECTION_3:
CommandLine: '* -Path *'
SELECTION_4:
CommandLine: '* -DestinationPath *'
SELECTION_5:
CommandLine: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001


@@ -0,0 +1,36 @@
title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
author: frack113
date: 2021/07/12
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\SyncAppvPublishingServer.exe'
SELECTION_3:
CommandLine: '*"n; *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- App-V clients
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: fbd7c32d-db2a-4418-b92c-566eb8911133
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: obsoletes
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
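Review bot: SELECTION_3 requires a space after the semicolon (`'*"n; *'`), whereas the companion SyncAppvPublishingServer VBS rule in this commit uses `'*"n;*'`; a command written as `"n;Start-Process ...` with no space would be missed here. Drop the trailing space so both rules match the same shape.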


@@ -0,0 +1,34 @@
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
author: frack113
date: 2021/07/16
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*\SyncAppvPublishingServer.vbs*'
SELECTION_3:
CommandLine: '*"n;*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
- attack.t1216


@@ -0,0 +1,30 @@
title: Usage of Sysinternals Tools
author: Markus Neis
date: 2017/08/28
description: Detects the usage of Sysinternals Tools due to accepteula key being added
to Registry
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '* -accepteula*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
level: low
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://twitter.com/Moti_B/status/1008587936735035392
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: experimental
tags:
- attack.resource_development
- attack.t1588.002
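Review bot: the description says the rule detects the `accepteula` key being added to the Registry, but `logsource` is `process_creation` and SELECTION_2 matches `-accepteula` on the command line; the registry variant is presumably the `related` rule 25ffa65d. Reword the description to "command line containing -accepteula" so it states what is evaluated, consider adding `/accepteula` since Sysinternals tools accept either switch prefix, and revisit the second `falsepositives` entry ("Programs that use the same Registry Key"), which is left over from the registry version.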


@@ -0,0 +1,37 @@
title: UAC Bypass via Event Viewer
author: Florian Roth
date: 2017/03/19
description: Detects UAC bypass method using Windows event viewer
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\eventvwr.exe'
SELECTION_3:
Image: '*\mmc.exe'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: be344333-921d-4c4d-8bb8-e584cf584780
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- attack.t1548.002
- car.2019-04-001


@@ -0,0 +1,42 @@
title: PsExec Tool Execution
author: Thomas Patzke
date: 2017/06/12
description: Detects PsExec service installation and execution events (service and
Sysmon)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\PSEXESVC.exe'
SELECTION_3:
User: NT AUTHORITY\SYSTEM*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
level: low
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: experimental
tags:
- attack.execution
- attack.t1035
- attack.t1569.002
- attack.s0029
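Review bot: the `fields` list (`ServiceName`, `ServiceFileName`, `TargetFilename`, `PipeName`) belongs to the service-install, file and pipe sources the description mentions, but this `process_creation` rule only sees `Image`, `User` and `CommandLine`; trim the list to fields this logsource carries. SELECTION_3 `User: NT AUTHORITY\SYSTEM*` also misses localized account names; the Abused Debug Privilege rule in this commit adds `AUTORITE NT\Sys*` for the same reason.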


@@ -0,0 +1,28 @@
title: MSExchange Transport Agent Installation
author: Tobias Michalski
date: 2021/06/08
description: Detects the Installation of a Exchange Transport Agent
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*Install-TransportAgent*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
for this.
fields:
- AssemblyPath
id: 83809e84-4475-4b69-bc3e-4aad8568612f
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
status: experimental
tags:
- attack.persistence
- attack.t1505.002
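Review bot: `fields: - AssemblyPath` names a parameter that only occurs inside the `Install-TransportAgent` command line on a `process_creation` event, so there is no `AssemblyPath` field for a backend to surface; list `CommandLine` (and `ParentCommandLine`) instead and keep the `AssemblyPath` hint in the `falsepositives` text, where it already appears.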


@@ -0,0 +1,57 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
ParentImage: '*\Autoit*'
SELECTION_2:
CommandLine: '*\Service.exe*'
SELECTION_3:
CommandLine:
- '*i'
- '*u'
SELECTION_4:
CommandLine: '*\microsoft\Taskbar\autoit3.exe'
SELECTION_5:
CommandLine: C:\wsc.exe*
SELECTION_6:
Image: '*\Windows\Temp\DB\\*'
SELECTION_7:
Image: '*.exe'
SELECTION_8:
CommandLine: '*\nslookup.exe*'
SELECTION_9:
CommandLine: '*-q=TXT*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 or SELECTION_5)
or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
falsepositives:
- Unknown
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
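Review bot: SELECTION_3 (`CommandLine: ['*i', '*u']`) is a bare suffix match that is true for any command line ending in the letter `i` or `u`, so the first branch effectively reduces to `*\Service.exe*`; if the intent is a single-letter `i`/`u` argument to Service.exe, tighten it to `'*\Service.exe i'` / `'*\Service.exe u'`. The rule also lacks the `status` field that the other rules in this commit carry.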


@@ -0,0 +1,36 @@
title: Suspicious PowerShell Mailbox Export to Share
author: Florian Roth
date: 2021/08/07
description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox
to a local share, as used in ProxyShell exploitations
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*New-MailboxExport*'
SELECTION_3:
CommandLine: '* -Mailbox *'
SELECTION_4:
CommandLine: '* -FilePath \\127.0.0.1\C$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
level: critical
logsource:
category: process_creation
product: windows
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
status: experimental
tags:
- attack.persistence
- attack.t1505.003
- attack.resource_development
- attack.t1584.006
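Review bot: please check the backslash escaping in SELECTION_4, `'* -FilePath \\127.0.0.1\C$*'`. Under Sigma's wildcard escaping a double backslash that is not followed by `*` is a single literal backslash, so this pattern matches `\127.0.0.1\C$` rather than the UNC path `\\127.0.0.1\C$` that `New-MailboxExportRequest -FilePath` is given; the UNC form needs `\\\\127.0.0.1\C$`. Compare `'*\Windows\Temp\DB\\*'` elsewhere in this commit, where `\\*` is backslash-then-wildcard. Worth confirming against the converter's output rather than assuming.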


@@ -0,0 +1,36 @@
title: Esentutl Gather Credentials
author: sam0x90
date: 2021/08/06
description: Conti recommendation to its affiliates to use esentult to access NTDS
dumped file. Trickbot also uses this utilities to get MSEdge info via its module
pwgrab.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*esentutl*'
SELECTION_3:
CommandLine: '* /p*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- To be determined
fields:
- User
- CommandLine
- ParentCommandLine
- CurrentDirectory
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
level: medium
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/vxunderground/status/1423336151860002816
- https://attack.mitre.org/software/S0404/
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.003


@@ -0,0 +1,50 @@
title: Abused Debug Privilege by Arbitrary Parent Processes
author: Semanur Guneysu @semanurtg, oscd.community
date: 2020/10/28
description: Detection of unusual child processes by different system processes
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage:
- '*\winlogon.exe'
- '*\services.exe'
- '*\lsass.exe'
- '*\csrss.exe'
- '*\smss.exe'
- '*\wininit.exe'
- '*\spoolsv.exe'
- '*\searchindexer.exe'
SELECTION_3:
Image:
- '*\powershell.exe'
- '*\cmd.exe'
SELECTION_4:
User:
- NT AUTHORITY\SYSTEM*
- AUTORITE NT\Sys*
SELECTION_5:
CommandLine: '* route *'
SELECTION_6:
CommandLine: '* ADD *'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
(SELECTION_5 and SELECTION_6))
falsepositives:
- unknown
fields:
- ParentImage
- Image
- User
- CommandLine
id: d522eca2-2973-4391-a3e0-ef0374321dae
level: high
logsource:
category: process_creation
product: windows
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
status: experimental
tags:
- attack.privilege_escalation
- attack.t1548


@@ -0,0 +1,35 @@
title: Accesschk Usage After Privilege Escalation
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
description: Accesschk is an access and privilege audit tool developed by SysInternal
and often being used by attacker to verify if a privilege escalation process successful
or not
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
IntegrityLevel: Medium
SELECTION_3:
Product: '*AccessChk'
SELECTION_4:
Description: '*Reports effective permissions*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- System administrator Usage
- Penetration test
fields:
- IntegrityLevel
- Product
- Description
id: c625d754-6a3d-4f65-9c9a-536aea960d37
level: high
logsource:
category: process_creation
product: windows
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
status: experimental
tags:
- attack.discovery
- attack.t1069.001


@@ -0,0 +1,37 @@
title: Always Install Elevated MSI Spawned Cmd And Powershell
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
description: This rule will looks for Windows Installer service (msiexec.exe) spawned
command line and/or powershell
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\cmd.exe'
- '*\powershell.exe'
SELECTION_3:
ParentImage: '*\Windows\Installer\\*'
SELECTION_4:
ParentImage: '*msi*'
SELECTION_5:
ParentImage:
- '*tmp'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Penetration test
fields:
- Image
- ParentImage
id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
level: medium
logsource:
category: process_creation
product: windows
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
status: experimental
tags:
- attack.privilege_escalation
- attack.t1548.002
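Review bot: the description says cmd/powershell spawned by `msiexec.exe`, but SELECTION_3 to SELECTION_5 require the parent to be `*\Windows\Installer\*msi*tmp`, i.e. an `MSI*.tmp` custom-action executable; `msiexec.exe` itself as parent is never matched. Add `'*\msiexec.exe'` to `ParentImage` as an alternative branch (the sibling Always Install Elevated Windows Installer rule already has `Image: '*\msiexec.exe'` in SELECTION_6), or reword the description to match.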


@@ -0,0 +1,46 @@
title: Always Install Elevated Windows Installer
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
description: This rule will looks for Windows Installer service (msiexec.exe) when
it tries to install MSI packages with SYSTEM privilege
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
User:
- NT AUTHORITY\SYSTEM*
- AUTORITE NT\Sys*
SELECTION_3:
Image: '*\Windows\Installer\\*'
SELECTION_4:
Image: '*msi*'
SELECTION_5:
Image:
- '*tmp'
SELECTION_6:
Image:
- '*\msiexec.exe'
SELECTION_7:
IntegrityLevel: System
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7)))
falsepositives:
- System administrator Usage
- Penetration test
fields:
- IntegrityLevel
- User
- Image
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/08/26
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
status: experimental
tags:
- attack.privilege_escalation
- attack.t1548.002
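Review bot: the second branch, `SELECTION_6 and SELECTION_7` (`msiexec.exe` running as SYSTEM at `IntegrityLevel: System`), describes the normal Windows Installer service instance, which is started as SYSTEM for every MSI install, so this branch fires on routine software deployment and not only on AlwaysInstallElevated abuse. Either exclude the service-host invocation (`msiexec.exe /V`) or require `CommandLine` to carry a package path under a user-writable directory, which is what the privilege-escalation case looks like.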


@@ -0,0 +1,33 @@
title: DNS Tunnel Technique from MuddyWater
author: '@caliskanfurkan_'
date: 2020/06/04
description: Detecting DNS tunnel activity for Muddywater actor
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\powershell.exe'
SELECTION_3:
ParentImage:
- '*\excel.exe'
SELECTION_4:
CommandLine:
- '*DataExchange.dll*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 36222790-0d43-4fe8-86e4-674b27809543
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
status: experimental
tags:
- attack.command_and_control
- attack.t1071
- attack.t1071.004


@@ -0,0 +1,48 @@
title: SOURGUM Actor Behaviours
author: MSTIC, FPT.EagleEye
date: 2021/06/15
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*windows\system32\Physmem.sys*'
SELECTION_3:
Image:
- '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
- '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
- '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
SELECTION_4:
EventID: 1
SELECTION_5:
Image:
- '*windows\system32\filepath2*'
- '*windows\system32\ime*'
SELECTION_6:
CommandLine:
- '*reg add*'
SELECTION_7:
CommandLine:
- '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*'
- '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*'
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
level: high
logsource:
category: process_creation
product: windows
modified: 2021/07/30
references:
- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
status: experimental
tags:
- attack.t1546
- attack.t1546.015
- attack.persistence
- attack.privilege_escalation
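Review bot: several selections cannot match a `process_creation` event: SELECTION_2 and SELECTION_3 put a driver (`Physmem.sys`) and `.ini` files in `Image`, SELECTION_5 carries the literal `filepath2` placeholder, and SELECTION_4 duplicates SELECTION_1's `EventID: 1`. In the `reg add` branch, SELECTION_5 also requires `Image` under `system32\ime` while the process would be `reg.exe`, so that branch never fires either. The Sentinel SOURGUM_IOC source in the references mixes file-event and process-event indicators; move the file paths into a `file_event` rule and keep only the `reg add` + CLSID command-line match here.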


@@ -0,0 +1,38 @@
title: Atlassian Confluence CVE-2021-26084
author: Bhabesh Raj
date: 2021/09/08
description: Detects spawning of suspicious child processes by Atlassian Confluence
server which may indicate successful exploitation of CVE-2021-26084
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe'
SELECTION_3:
CommandLine:
- '*cmd /c*'
- '*cmd /k*'
- '*powershell*'
- '*certutil*'
- '*curl*'
- '*whoami*'
- '*ipconfig*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 245f92e3-c4da-45f1-9070-bc552e06db11
level: high
logsource:
category: process_creation
product: windows
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://github.com/h3v0x/CVE-2021-26084_Confluence
status: experimental
tags:
- attack.initial_access
- attack.execution
- attack.t1190
- attack.t1059
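Review bot: SELECTION_2 hard-codes the default install location (`*\Atlassian\Confluence\jre\bin\java.exe`), so a Confluence server installed elsewhere or running on a system JRE will not match; loosen to `'*\Confluence\jre\bin\java.exe'` or match `ParentCommandLine` on a Confluence marker alongside `*\java.exe`. The command-line list is OR-ed, so `'*curl*'` and `'*powershell*'` match any child command line containing those substrings; acceptable for this parent, but state it in `falsepositives` rather than "Unknown".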


@@ -0,0 +1,34 @@
title: CMSTP Execution Process Creation
author: Nik Seetharaman
date: 2018/07/16
description: Detects various indicators of Microsoft Connection Manager Profile Installer
execution
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\cmstp.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
fields:
- CommandLine
- ParentCommandLine
- Details
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
level: high
logsource:
category: process_creation
product: windows
modified: 2020/12/23
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
status: stable
tags:
- attack.defense_evasion
- attack.execution
- attack.t1191
- attack.t1218.003
- attack.g0069
- car.2019-04-001


@@ -0,0 +1,37 @@
title: Mavinject Inject DLL Into Running Process
author: frack113
date: 2021/07/12
description: Injects arbitrary DLL into running process specified by process ID. Requires
Windows 10.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '* /INJECTRUNNING*'
SELECTION_3:
CommandLine: '*.dll*'
SELECTION_4:
OriginalFileName: '*mavinject*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.collection
- attack.t1218
- attack.t1056.004


@@ -0,0 +1,32 @@
title: CVE-2021-26857 Exchange Exploitation
author: Bhabesh Raj
date: 2021/03/03
description: Detects possible successful exploitation for vulnerability described
in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Servers
Unified Messaging service
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*UMWorkerProcess.exe'
SELECTION_3:
Image:
- '*wermgr.exe'
- '*WerFault.exe'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- Unknown
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
level: critical
logsource:
category: process_creation
product: windows
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://nvd.nist.gov/vuln/detail/cve-2021-26857
status: experimental
tags:
- attack.t1203
- attack.execution
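Review bot: the description contains a stray pipe ("looking for | abnormal subprocesses") and reads "Exchange Servers Unified Messaging service"; tidy it to "abnormal subprocesses spawned by the Exchange Server Unified Messaging service". SELECTION_2 `'*UMWorkerProcess.exe'` and the SELECTION_3 exclusions lack a leading `\`; use `'*\UMWorkerProcess.exe'`, `'*\wermgr.exe'` and `'*\WerFault.exe'` so only the file name, not an arbitrary suffix, is matched.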


@@ -0,0 +1,42 @@
title: Cabinet File Expansion
author: Bhabesh Raj
date: 2021/07/30
description: Adversaries can use the inbuilt expand utility to decompress cab files
as seen in recent Iranian MeteorExpress attack
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\expand.exe'
SELECTION_3:
CommandLine:
- '*.cab*'
- '*/F:*'
- '*-F:*'
- '*C:\ProgramData\\*'
- '*C:\Public\\*'
- '*\AppData\Local\Temp\\*'
- '*\AppData\Roaming\Temp\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- System administrator Usage
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 9f107a84-532c-41af-b005-8d12a607639f
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/08/31
references:
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
status: experimental
tags:
- attack.execution
- attack.t1218
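Review bot: SELECTION_3 is a single OR-ed list, so `expand.exe` with any `.cab` argument (routine for servicing and installers) satisfies the condition, and the staging directories in the same list never constrain it. If the intent is `.cab` (or `/F:`) together with a user-writable destination, split it into two selections and AND them; the `falsepositives` entry "System administrator Usage" suggests that was the plan.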


@@ -0,0 +1,37 @@
title: Windows Credential Editor
author: Florian Roth
date: 2019/12/31
description: Detects the use of Windows Credential Editor (WCE)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
EventID: 1
SELECTION_3:
Imphash:
- a53a02b997935fd8eedcb5f7abab9b9f
- e96a73c7bf33a464c510ede582318bf2
SELECTION_4:
CommandLine: '*.exe -S'
SELECTION_5:
ParentImage: '*\services.exe'
SELECTION_6:
Image: '*\clussvc.exe'
condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)))
and not (SELECTION_6))
falsepositives:
- Another service that uses a single -s command line switch
id: 7aa7009a-28b9-4344-8c1f-159489a390df
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/07/15
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.s0005
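Review bot: SELECTION_1 and SELECTION_2 both carry `EventID: 1` and the condition wraps them redundantly; drop SELECTION_2 and flatten the condition to `SELECTION_1 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)) and not SELECTION_6`. Because plain string matching is case-insensitive, `'*.exe -S'` also matches `-s`, which is why the `falsepositives` entry mentions a `-s` switch; if the uppercase `-S` is essential, use a `CommandLine|re` pattern without `(?i)`, as the telemetry rule in this commit does the other way round. The rule also lacks a `status` field.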


@@ -0,0 +1,29 @@
title: High Integrity Sdclt Process
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for sdclt being spawned as an elevated process. This
could be an indicator of sdclt being used for bypass UAC techniques.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*sdclt.exe'
SELECTION_3:
IntegrityLevel: High
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
id: 40f9af16-589d-4984-b78d-8c2aec023197
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
status: experimental
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1548.002


@@ -0,0 +1,38 @@
title: Logon Scripts (UserInitMprLogonScript)
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
description: Detects creation or execution of UserInitMprLogonScript persistence method
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
EventID: 1
SELECTION_3:
ParentImage: '*\userinit.exe'
SELECTION_4:
Image: '*\explorer.exe'
SELECTION_5:
CommandLine:
- '*netlogon.bat*'
- '*UsrLogon.cmd*'
SELECTION_6:
CommandLine: '*UserInitMprLogonScript*'
condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 and not (SELECTION_4))
and not (SELECTION_5)) or SELECTION_6))
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
level: high
logsource:
category: process_creation
product: windows
modified: 2020/08/26
references:
- https://attack.mitre.org/techniques/T1037/
status: experimental
tags:
- attack.t1037
- attack.t1037.001
- attack.persistence
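Review bot: SELECTION_1 and SELECTION_2 are identical (`EventID: 1`); fold them together so the condition reads `SELECTION_1 and ((SELECTION_3 and not SELECTION_4 and not SELECTION_5) or SELECTION_6)`. The description promises "creation or execution", but with `category: process_creation` the creation side is only seen when the value name appears on a command line (SELECTION_6); a registry-event rule on the `UserInitMprLogonScript` value would also cover writes made through the API. The falsepositives entry "exclude legitimate logon scripts" is an instruction rather than a description of the benign case; say what legitimate use looks like.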

@@ -0,0 +1,33 @@
title: Too Long PowerShell Commandlines
author: oscd.community, Natalia Shornikova
date: 2020/10/06
description: Detects Too long PowerShell command lines
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*powershell*'
- '*pwsh*'
SELECTION_3:
Description: Windows Powershell
SELECTION_4:
Product: PowerShell Core 6
SELECTION_5:
CommandLine|re: .{1000,}
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
falsepositives:
- Unknown
id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/05/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
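Review bot: SELECTION_4 `Product: PowerShell Core 6` only covers the 6.x line, so PowerShell 7 processes are caught only when `pwsh` happens to appear on the command line (SELECTION_2); consider an `Image: '*\pwsh.exe'` test or a `Product|startswith: PowerShell` match. The `.{1000,}` regex in SELECTION_5 runs against every event that passes the OR, which is expensive on backends without a native length function; mention that trade-off in the description.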

@@ -0,0 +1,33 @@
title: Ncat Execution
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\ncat.exe'
SELECTION_3:
CommandLine:
- '* -lvp *'
- '* -l --proxy-type http *'
- '* --exec cmd.exe *'
- '* -vnl --exec *'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Legitimate ncat use
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
level: high
logsource:
category: process_creation
product: windows
references:
- https://nmap.org/ncat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
status: experimental
tags:
- attack.command_and_control
- attack.t1095
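Review bot: the condition ORs SELECTION_3 with SELECTION_2, so the command-line patterns fire for any image, yet `falsepositives` lists only "Legitimate ncat use" and `level: high` assumes the ncat case; either AND the image with the arguments or document that the argument patterns are tool-agnostic. The SELECTION_3 patterns also end in `' *'`, so a command line that ends with the switch (for example one ending in `--exec cmd.exe` with nothing after it) misses `'* --exec cmd.exe *'`; drop the trailing wildcard space or use `|contains`.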

@@ -0,0 +1,39 @@
title: Proxy Execution via Wuauclt
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
date: 2020/10/12
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
proxy execute code.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*wuauclt*'
SELECTION_3:
OriginalFileName: wuauclt.exe
SELECTION_4:
CommandLine: '*UpdateDeploymentProvider*'
SELECTION_5:
CommandLine: '*.dll*'
SELECTION_6:
CommandLine: '*RunHandlerComServer*'
SELECTION_7:
CommandLine:
- '* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *'
- '* wuaueng.dll *'
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5
and SELECTION_6)) and not (SELECTION_7))
falsepositives:
- Unknown
id: af77cf95-c469-471c-b6a0-946c685c4798
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/05/10
references:
- https://dtm.uk/wuauclt/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
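Review bot: `Image: '*wuauclt*'` in SELECTION_2 has neither a path separator nor an extension, so any image path containing that string matches; use `'*\wuauclt.exe'` next to the `OriginalFileName` test. The exclusion patterns in SELECTION_7 end in `' *'`, so a benign command line that ends with `wuaueng.dll` (no trailing argument) is not excluded and alerts at `level: critical`; express the exclusion with `|contains` and no trailing space.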

@@ -0,0 +1,53 @@
title: RClone Execution
author: Bhabesh Raj, Sittikorn S
date: 2021/05/10
description: Detects execution of RClone utility for exfiltration as used by various
ransomwares strains like REvil, Conti, FiveHands, etc
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Description: Rsync for cloud storage
SELECTION_3:
CommandLine: '*--config *'
SELECTION_4:
CommandLine: '*--no-check-certificate *'
SELECTION_5:
CommandLine: '* copy *'
SELECTION_6:
Image:
- '*\rclone.exe'
SELECTION_7:
CommandLine:
- '*mega*'
- '*pcloud*'
- '*ftp*'
- '*--progress*'
- '*--ignore-existing*'
- '*--auto-confirm*'
- '*--transfers*'
- '*--multi-thread-streams*'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7)))
falsepositives:
- Legitimate RClone use
fields:
- CommandLine
- ParentCommandLine
- Details
id: a0d63692-a531-4912-ad39-4393325b2a9c
level: high
logsource:
category: process_creation
product: windows
modified: 2021/06/29
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
status: experimental
tags:
- attack.exfiltration
- attack.t1567.002
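Review bot: `fields` lists `Details`, which is a registry-event field, not a process_creation one; replace it with `Image` or `User`. SELECTION_2 alone (`Description: Rsync for cloud storage`) already fires on every rclone execution, renamed binaries included, so the `SELECTION_6 and SELECTION_7` branch adds nothing where PE metadata is populated; say in the description that it is a fallback for telemetry without the Description field.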

@@ -0,0 +1,35 @@
title: Remove Windows Defender Definition Files
author: frack113
date: 2021/07/07
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by removing Windows Defender Definition Files
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
OriginalFileName: MpCmdRun.exe
SELECTION_3:
CommandLine: '* -RemoveDefinitions*'
SELECTION_4:
CommandLine: '* -All*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
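Review bot: requiring both `-RemoveDefinitions` (SELECTION_3) and `-All` (SELECTION_4) narrows the rule to one exact invocation; since any definition removal on a managed host deserves a look and `falsepositives` lists only "Unknown", consider dropping SELECTION_4 or moving the `-All` form into a separate, higher-level rule.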

@@ -0,0 +1,26 @@
title: Sdclt Child Processes
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for sdclt spawning new processes. This could be an
indicator of sdclt being used for bypass UAC techniques.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\sdclt.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: da2738f2-fadb-4394-afa7-0a0674885afa
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
status: experimental
tags:
- attack.privilege_escalation
- attack.t1548.002
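Review bot: this rule and High Integrity Sdclt Process (same author, date and references) are two views of one technique; link them with a `related:` entry so analysts see both. `falsepositives: unknown` is thin for a parent-only match on `'*\sdclt.exe'` with no child `Image` constraint, which fires on every child the backup UI launches; list the benign children observed in testing.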

@@ -0,0 +1,29 @@
title: Suspicious Plink Remote Forwarding
author: Florian Roth
date: 2021/01/19
description: Detects suspicious Plink tunnel remote forarding to a local port
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Description: Command-line SSH, Telnet, and Rlogin client
SELECTION_3:
CommandLine: '* -R *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrative activity using a remote port forwarding to a local port
id: 48a61b29-389f-4032-b317-b30de6b95314
level: high
logsource:
category: process_creation
product: windows
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
status: experimental
tags:
- attack.command_and_control
- attack.t1572
- attack.lateral_movement
- attack.t1021.001
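Review bot: typo in the description: "forarding" should read "forwarding". Sigma string matching is case-insensitive by default, so `'* -R *'` in SELECTION_3 also matches a lower-case `-r`; if the backend supports a cased modifier use it, otherwise record the overlap in falsepositives.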

@@ -0,0 +1,37 @@
title: Stop Or Remove Antivirus Service
author: frack113
date: 2021/07/07
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by stopping antivirus service
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*Stop-Service *'
- '*Remove-Service *'
SELECTION_3:
CommandLine:
- '* McAfeeDLPAgentService*'
- '* Trend Micro Deep Security Manager*'
- '* TMBMServer*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
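Review bot: the title says "Antivirus Service" but SELECTION_3 names only three services (McAfee DLP and Trend Micro), and SELECTION_2 only covers the PowerShell cmdlets, so the `sc`/`net` service-control equivalents of the same action are missed; either extend both selections or narrow the title and description to what is covered, and mark the service-name list as the place to extend for other products.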

@@ -0,0 +1,29 @@
title: Suspicious WebDav Client Execution
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for svchost.exe spawning rundll32.exe with command
arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator
of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\rundll32.exe'
SELECTION_3:
CommandLine: '*C:\windows\system32\davclnt.dll,DavSetCookie*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/17
- https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
status: experimental
tags:
- attack.exfiltration
- attack.t1048.003
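Review bot: SELECTION_3 hardcodes `C:\windows\system32\davclnt.dll,DavSetCookie`, so hosts with a different system drive never match; `'*\davclnt.dll,DavSetCookie*'` keeps the intent. The description names svchost.exe as the parent, but the rule has no `ParentImage` test; add `ParentImage: '*\svchost.exe'` if that is the intended scope, or drop it from the description.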

@@ -0,0 +1,34 @@
title: Uninstall Crowdstrike Falcon
author: frack113
date: 2021/07/12
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by uninstalling Crowdstrike Falcon
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*\WindowsSensor.exe*'
SELECTION_3:
CommandLine: '* /uninstall*'
SELECTION_4:
CommandLine: '* /quiet*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Uninstall by admin
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
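Review bot: SELECTION_4 (`/quiet`) limits the rule to unattended removal; an interactive `/uninstall` is just as relevant and `falsepositives` already covers admin uninstalls, so drop SELECTION_4 or make it optional. There is no `Image` or `OriginalFileName` test, so the whole detection rests on the command line containing `\WindowsSensor.exe`; state that as the design in the description.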

@@ -0,0 +1,45 @@
title: VMToolsd Suspicious Child Process
author: behops, Bhabesh Raj
date: 2021/10/08
description: Detects suspicious child process creations of VMware Tools process which
may indicate persistence setup
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\vmtoolsd.exe'
SELECTION_3:
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\rundll32.exe'
- '*\regsvr32.exe'
- '*\wscript.exe'
- '*\cscript.exe'
SELECTION_4:
CommandLine:
- '*\VMware\VMware Tools\poweron-vm-default.bat*'
- '*\VMware\VMware Tools\poweroff-vm-default.bat*'
- '*\VMware\VMware Tools\resume-vm-default.bat*'
- '*\VMware\VMware Tools\suspend-vm-default.bat*'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
falsepositives:
- Legitimate use by adminstrator
fields:
- CommandLine
- ParentCommandLine
- Details
id: 5687f942-867b-4578-ade7-1e341c46e99a
level: high
logsource:
category: process_creation
product: windows
modified: 2021/10/10
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
status: experimental
tags:
- attack.execution
- attack.persistence
- attack.t1059
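Review bot: typo in falsepositives: "adminstrator" should read "administrator". The exclusion in SELECTION_4 is a contains match (`'*\VMware\VMware Tools\poweron-vm-default.bat*'`), so any child command line that merely includes one of the default script paths is excluded regardless of what else it carries; anchor the exclusion to the expected full command line (`startswith`/`endswith`) so it stays narrow.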

@@ -0,0 +1,47 @@
title: AdFind Usage Detection
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021/02/02
description: AdFind continues to be seen across majority of breaches. It is used to
domain trust discovery to plan out subsequent steps in the attack chain.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*domainlist*'
- '*trustdmp*'
- '*dcmodes*'
- '*adinfo*'
- '* dclist *'
- '*computer_pwdnotreqd*'
- '*objectcategory=*'
- '*-subnets -f*'
- '*name="Domain Admins"*'
- '*-sc u:*'
- '*domainncs*'
- '*dompol*'
- '* oudmp *'
- '*subnetdmp*'
- '*gpodmp*'
- '*fspdmp*'
- '*users_noexpire*'
- '*computers_active*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Admin activity
id: 9a132afa-654e-11eb-ae93-0242ac130002
level: high
logsource:
category: process_creation
product: windows
modified: 2021/02/02
references:
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1018
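Review bot: several SELECTION_2 entries are generic LDAP or AD vocabulary rather than AdFind switches: `'*adinfo*'`, `'*objectcategory=*'` and `'*name="Domain Admins"*'` also match PowerShell, ldifde and ordinary admin scripts, and with no `Image` constraint the rule fires at `level: high` on routine admin activity. Move those entries into a lower-level rule, or add an `Image`/`OriginalFileName` test for the AdFind binary to this one.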

@@ -0,0 +1,33 @@
title: AnyDesk Silent Installation
author: Ján Trenčanský
date: 2021/08/06
description: AnyDesk Remote Desktop silent installation can be used by attacker to
gain remote access.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*--install*'
SELECTION_3:
CommandLine: '*--start-with-win*'
SELECTION_4:
CommandLine: '*--silent*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate deployment of AnyDesk
fields:
- CommandLine
- ParentCommandLine
- CurrentDirectory
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
level: high
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
- https://support.anydesk.com/Automatic_Deployment
status: experimental
tags:
- attack.t1219
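Review bot: `tags` lists only `attack.t1219` without its tactic tag (`attack.command_and_control`), unlike the other rules in this commit. The rule also keys purely on switches with no `Image` test, so any installer that uses `--install --start-with-win --silent` matches; say so in the description or add an `Image`/`Description` test for AnyDesk.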

@@ -0,0 +1,35 @@
title: APT29
author: Florian Roth
date: 2018/12/04
description: This method detects a suspicious PowerShell command line combination
as used by APT29 in a campaign against U.S. think tanks.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*-noni*'
SELECTION_3:
CommandLine: '*-ep*'
SELECTION_4:
CommandLine: '*bypass*'
SELECTION_5:
CommandLine: '*$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- unknown
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/26
references:
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
tags:
- attack.execution
- attack.g0016
- attack.t1086
- attack.t1059
- attack.t1059.001
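Review bot: SELECTION_3 (`'*-ep*'`) only catches the abbreviated switch; the `-ExecutionPolicy` and `-exec` spellings fail it, so add them as list entries. The rule is also missing a `status:` field, and `tags` carries both the retired `attack.t1086` and `attack.t1059.001`; keep the retired tag only if that is repository policy.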

@@ -0,0 +1,37 @@
title: Baby Shark Activity
author: Florian Roth
date: 2019/02/24
description: Detects activity that could be related to Baby Shark malware
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
- powershell.exe mshta.exe http*
- cmd.exe /c taskkill /im cmd.exe
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
level: high
logsource:
category: process_creation
product: windows
modified: 2020/08/26
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
status: experimental
tags:
- attack.execution
- attack.t1059
- attack.t1086
- attack.t1059.003
- attack.t1059.001
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1170
- attack.t1218
- attack.t1218.005
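Review bot: the first and third SELECTION_2 entries contain no wildcards, so they match only when the whole command line equals `reg query "HKEY_CURRENT_USER\..."` or `cmd.exe /c taskkill /im cmd.exe`; a command line that carries the executable's full path, or uses `HKCU`, is missed. Prefix them with `*` (or use `|contains`/`|endswith`) and add the `HKCU` abbreviation.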

@@ -0,0 +1,50 @@
title: Judgement Panda Credential Access Activity
author: Florian Roth
date: 2019/02/21
description: Detects Russian group activity as described in Global Threat Report 2019
by Crowdstrike
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*-snapshot*'
SELECTION_11:
CommandLine: '*""*'
SELECTION_12:
CommandLine: '*c:\users\\*'
SELECTION_2:
Image: '*\xcopy.exe'
SELECTION_3:
CommandLine: '*/S*'
SELECTION_4:
CommandLine: '*/E*'
SELECTION_5:
CommandLine: '*/C*'
SELECTION_6:
CommandLine: '*/Q*'
SELECTION_7:
CommandLine: '*/H*'
SELECTION_8:
CommandLine: '*\\\*'
SELECTION_9:
Image: '*\adexplorer.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12)))
falsepositives:
- unknown
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/26
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
tags:
- attack.credential_access
- attack.t1081
- attack.t1003
- attack.t1552.001
- attack.t1003.003
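Review bot: SELECTION_8 `'*\\\*'` is ambiguous under Sigma's escaping rules (`\\` is a literal backslash, `\*` a literal asterisk), so it is unclear whether a UNC prefix or a trailing `\*` is intended; write the intended form and say so. SELECTION_3 to SELECTION_7 are single-character switches matched case-insensitively anywhere in the line (`'*/C*'` also hits `/c` inside any path), which is tolerable only because SELECTION_2 pins the image to xcopy.exe; the selections are also numbered out of order (10 to 12 listed before 2), which hurts readability.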

@@ -0,0 +1,30 @@
title: BlueMashroom DLL Load
author: Florian Roth
date: 2019/10/02
description: Detects a suspicious DLL loading from AppData Local path as described
in BlueMashroom report
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*\AppData\Local\\*'
SELECTION_3:
CommandLine: '*\regsvr32*'
SELECTION_4:
CommandLine: '*,DllEntry*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Unlikely
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
status: experimental
tags:
- attack.defense_evasion
- attack.t1117
- attack.t1218.010
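Review bot: SELECTION_3 `'*\regsvr32*'` requires a backslash before the name, so a command line that starts with a bare `regsvr32` (no path) is matched only through SELECTION_4's `,DllEntry`; use `'*regsvr32*'` or an `Image: '*\regsvr32.exe'` test.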

@@ -0,0 +1,32 @@
title: WMIExec VBS Script
author: Florian Roth
date: 2017/04/07
description: Detects suspicious file execution by wscript and cscript
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\cscript.exe'
SELECTION_3:
CommandLine: '*.vbs*'
SELECTION_4:
CommandLine: '*/shell*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
fields:
- CommandLine
- ParentCommandLine
id: 966e4016-627f-44f7-8341-f394905c361f
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
tags:
- attack.execution
- attack.g0045
- attack.t1064
- attack.t1059.005
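Review bot: the description says "wscript and cscript" but SELECTION_2 only lists `'*\cscript.exe'`; add `'*\wscript.exe'` or correct the description.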

@@ -0,0 +1,24 @@
title: CrackMapExecWin
author: Markus Neis
date: 2018/04/08
description: Detects CrackMapExecWin Activity as Described by NCSC
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\crackmapexec.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- None
id: 04d9079e-3905-4b70-ad37-6bdf11304965
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
status: experimental
tags:
- attack.g0035
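Review bot: the detection is a single `Image` filename match, so a renamed binary evades it; add a `Description`, `OriginalFileName` or `Imphash` test if the referenced NCSC alert provides one. `tags` has only the group tag `attack.g0035`; add the technique and tactic tags, and `falsepositives: None` should read "Unlikely" to match the convention in the other rules.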

@@ -0,0 +1,33 @@
title: Elise Backdoor
author: Florian Roth
date: 2018/01/31
description: Detects Elise backdoor acitivty as used by APT32
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: C:\Windows\SysWOW64\cmd.exe
SELECTION_3:
CommandLine: '*\Windows\Caches\NavShExt.dll *'
SELECTION_4:
CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
falsepositives:
- Unknown
id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/26
references:
- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
status: experimental
tags:
- attack.g0030
- attack.g0050
- attack.s0081
- attack.execution
- attack.t1059
- attack.t1059.003
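Review bot: typo in the description: "acitivty" should read "activity". SELECTION_2 hardcodes `C:\Windows\SysWOW64\cmd.exe`, so a non-default system drive misses; `'*\SysWOW64\cmd.exe'` keeps the intent.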

@@ -0,0 +1,30 @@
title: Emissary Panda Malware SLLauncher
author: Florian Roth
date: 2018/09/03
description: Detects the execution of DLL side-loading malware used by threat group
Emissary Panda aka APT27
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\sllauncher.exe'
SELECTION_3:
Image: '*\svchost.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/27
references:
- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
- https://twitter.com/cyb3rops/status/1168863899531132929
status: experimental
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
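Review bot: at `level: critical` the only references are an any.run task and a tweet; add the written report the sample came from so an analyst triaging the alert has context. Also state in the description that `Image: '*\svchost.exe'` is deliberately path-agnostic (the child here is whatever binary sllauncher.exe side-loads and spawns), since a reader may otherwise assume the system binary is meant.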

@@ -0,0 +1,29 @@
title: Empire Monkey
author: Markus Neis
date: 2019/04/02
description: Detects EmpireMonkey APT reported Activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*/i:%APPDATA%\logs.txt scrobj.dll'
SELECTION_3:
Image: '*\cutil.exe'
SELECTION_4:
Description: Microsoft(C) Registerserver
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Very Unlikely
id: 10152a7b-b566-438f-a33c-390b607d1c8d
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/27
references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
tags:
- attack.defense_evasion
- attack.t1218.010
- attack.t1117
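Review bot: SELECTION_2 is anchored to one campaign's exact artefact (`/i:%APPDATA%\logs.txt scrobj.dll`); the durable signal is `scrobj.dll` as the `/i:` payload combined with a renamed regsvr32 (`'*\cutil.exe'` or the `Microsoft(C) Registerserver` description), so consider a sibling rule with `'*/i:*scrobj.dll'` at a lower level and keep this one as the IOC-grade match.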

@@ -0,0 +1,32 @@
title: Equation Group DLL_U Load
author: Florian Roth
date: 2019/03/04
description: Detects a specific tool and export used by EquationGroup
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\rundll32.exe'
SELECTION_3:
CommandLine: '*,dll_u'
SELECTION_4:
CommandLine: '* -export dll_u *'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
falsepositives:
- Unknown
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/27
references:
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
- https://securelist.com/apt-slingshot/84312/
- https://twitter.com/cyb3rops/status/972186477512839170
tags:
- attack.g0020
- attack.defense_evasion
- attack.t1085
- attack.t1218.011
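Review bot: SELECTION_3 `'*,dll_u'` is end-anchored, so a command line with anything after the export name (a trailing space or extra argument) is missed; `'*,dll_u*'` or `|contains` preserves the intent, and SELECTION_4 already uses the wildcard-on-both-sides form.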

@@ -0,0 +1,37 @@
title: EvilNum Golden Chickens Deployment via OCX Files
author: Florian Roth
date: 2020/07/10
description: Detects Golden Chickens deployment method as used by Evilnum in report
published in July 2020
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*regsvr32*'
SELECTION_3:
CommandLine: '*/s*'
SELECTION_4:
CommandLine: '*/i*'
SELECTION_5:
CommandLine: '*\AppData\Roaming\\*'
SELECTION_6:
CommandLine: '*.ocx*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6)
falsepositives:
- Unknown
id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/27
references:
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
status: experimental
tags:
- attack.defense_evasion
- attack.t1085
- attack.t1218.011
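Review bot: SELECTION_5 only matches the expanded path `\AppData\Roaming\`; a command line written with `%APPDATA%` (the form the Empire Monkey rule in this commit matches) fails it, so add that spelling. SELECTION_3 and SELECTION_4 (`'*/s*'`, `'*/i*'`) are single-character contains matches that also hit `/s` and `/i` inside any path; they only work because regsvr32 and `.ocx` are required as well, so note that dependency in the description.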

@@ -0,0 +1,62 @@
title: Greenbug Campaign Indicators
author: Florian Roth
date: 2020/05/20
description: Detects tools and process executions as observed in a Greenbug campaign
in May 2020
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*bitsadmin*'
SELECTION_3:
CommandLine: '*/transfer*'
SELECTION_4:
CommandLine: '*CSIDL_APPDATA*'
SELECTION_5:
CommandLine:
- '*CSIDL_SYSTEM_DRIVE*'
SELECTION_6:
CommandLine:
- '*\msf.ps1*'
- '*8989 -e cmd.exe*'
- '*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*'
- '*-nop -w hidden -c $k=new-object*'
- '*[Net.CredentialCache]::DefaultCredentials;IEX *'
- '* -nop -w hidden -c $m=new-object net.webclient;$m*'
- '*-noninteractive -executionpolicy bypass whoami*'
- '*-noninteractive -executionpolicy bypass netstat -a*'
- '*L3NlcnZlcj1*'
SELECTION_7:
Image:
- '*\adobe\Adobe.exe'
- '*\oracle\local.exe'
- '*\revshell.exe'
- '*infopagesbackup\ncat.exe'
- '*CSIDL_SYSTEM\cmd.exe'
- '*\programdata\oracle\java.exe'
- '*CSIDL_COMMON_APPDATA\comms\comms.exe'
- '*\Programdata\VMware\Vmware.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5
or SELECTION_6 or SELECTION_7))
falsepositives:
- Unknown
id: 3711eee4-a808-4849-8a14-faf733da3612
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
status: experimental
tags:
- attack.g0049
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.command_and_control
- attack.t1105
- attack.defense_evasion
- attack.t1036
- attack.t1036.005
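Review bot: the `CSIDL_APPDATA`, `CSIDL_SYSTEM_DRIVE`, `CSIDL_SYSTEM` and `CSIDL_COMMON_APPDATA` tokens in SELECTION_4, SELECTION_5 and SELECTION_7 are the placeholder notation the Symantec report uses for known folders, not strings that appear in real command lines, so those patterns never match; translate them to the path fragments they stand for (for example `\AppData\Roaming\` for `CSIDL_APPDATA`) or drop them. SELECTION_5 is an OR branch on its own and, once translated to a system-drive prefix, would fire on nearly every process; keep it ANDed with the bitsadmin branch.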

@@ -0,0 +1,93 @@
title: Exchange Exploitation Activity
author: Florian Roth
date: 2021/03/09
description: Detects activity observed by different researchers to be HAFNIUM group
activity (or related) on Exchange servers
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*Temp\__output*'
SELECTION_11:
CommandLine: '*%TEMP%\execute.bat*'
SELECTION_12:
Image: '*Users\Public\opera\Opera_browser.exe'
SELECTION_13:
Image: '*Opera_browser.exe'
SELECTION_14:
ParentImage:
- '*\services.exe'
- '*\svchost.exe'
SELECTION_15:
Image: '*\ProgramData\VSPerfMon\\*'
SELECTION_16:
CommandLine: '* -t7z *'
SELECTION_17:
CommandLine: '*C:\Programdata\pst*'
SELECTION_18:
CommandLine: '*\it.zip*'
SELECTION_19:
Image: '*\makecab.exe'
SELECTION_2:
CommandLine: '*attrib*'
SELECTION_20:
CommandLine:
- '*Microsoft\Exchange Server\\*'
- '*inetpub\wwwroot*'
SELECTION_21:
CommandLine:
- '*\Temp\xx.bat*'
- '*Windows\WwanSvcdcs*'
- '*Windows\Temp\cw.exe*'
SELECTION_22:
CommandLine: '*\comsvcs.dll*'
SELECTION_23:
CommandLine: '*Minidump*'
SELECTION_24:
CommandLine: '*\inetpub\wwwroot*'
SELECTION_25:
CommandLine: '*dsquery*'
SELECTION_26:
CommandLine: '* -uco *'
SELECTION_27:
CommandLine: '*\inetpub\wwwroot*'
SELECTION_3:
CommandLine: '* +h *'
SELECTION_4:
CommandLine: '* +s *'
SELECTION_5:
CommandLine: '* +r *'
SELECTION_6:
CommandLine: '*.aspx*'
SELECTION_7:
CommandLine: '*schtasks*'
SELECTION_8:
CommandLine: '*VSPerfMon*'
SELECTION_9:
CommandLine: '*vssadmin list shadows*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
or SELECTION_11 or SELECTION_12 or (SELECTION_13 and SELECTION_14) or SELECTION_15
or (SELECTION_16 and SELECTION_17 and SELECTION_18) or (SELECTION_19 and SELECTION_20)
or SELECTION_21 or (SELECTION_22 and SELECTION_23 and SELECTION_24) or (SELECTION_25
and SELECTION_26 and SELECTION_27)))
falsepositives:
- Unknown
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
level: high
logsource:
category: process_creation
product: windows
modified: 2021/03/16
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
- https://twitter.com/BleepinComputer/status/1372218235949617161
status: experimental
tags:
- attack.persistence
- attack.t1546
- attack.t1053
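Review bot: SELECTION_24 and SELECTION_27 are the same pattern (`'*\inetpub\wwwroot*'`); keep one and reference it in both branches. SELECTION_12 is a special case of SELECTION_13 (`'*Opera_browser.exe'`) and already fires on its own, so the `SELECTION_13 and SELECTION_14` branch only adds the parent-process test; fine, but say so. `tags` names only persistence techniques, while the `\comsvcs.dll`/`Minidump` branch is credential access and the `dsquery` branch is discovery; add those tactic tags.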

@@ -0,0 +1,32 @@
title: Hurricane Panda Activity
author: Florian Roth
date: 2019/03/04
description: Detects Hurricane Panda Activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*localgroup*'
SELECTION_3:
CommandLine: '*admin*'
SELECTION_4:
CommandLine: '*/add*'
SELECTION_5:
CommandLine:
- '*\Win64.exe*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5))
falsepositives:
- Unknown
id: 0eb2107b-a596-422e-b123-b389d5594ed7
level: high
logsource:
category: process_creation
product: windows
references:
- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
status: experimental
tags:
- attack.privilege_escalation
- attack.g0009
- attack.t1068
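Review bot: the `SELECTION_2 and SELECTION_3 and SELECTION_4` branch (`localgroup`, `admin`, `/add`) matches any local group membership change an administrator makes and carries nothing specific to Hurricane Panda, yet the rule is `level: high` with `falsepositives: Unknown`; either tie that branch to the `Win64.exe` indicator or move it to its own lower-level rule and record admin group changes as the expected false positive.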

@@ -0,0 +1,42 @@
title: Judgement Panda Exfil Activity
author: Florian Roth
date: 2019/02/21
description: Detects Judgement Panda activity as described in Global Threat Report
2019 by Crowdstrike
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*eprod.ldf'
SELECTION_3:
CommandLine:
- '*\ldifde.exe -f -n *'
- '*\7za.exe a 1.7z *'
- '*\aaaa\procdump64.exe*'
- '*\aaaa\netsess.exe*'
- '*\aaaa\7za.exe*'
- '*copy .\1.7z \\*'
- '*copy \\client\c$\aaaa\\*'
SELECTION_4:
Image: C:\Users\Public\7za.exe
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
falsepositives:
- unknown
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/08/27
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
tags:
- attack.lateral_movement
- attack.g0010
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.exfiltration
- attack.t1002
- attack.t1560.001
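Review bot: SELECTION_2 `'*eprod.ldf'` is end-anchored and SELECTION_4 hardcodes `C:\Users\Public\7za.exe`; use `'*eprod.ldf*'` and `'*\Users\Public\7za.exe'` so trailing arguments and non-`C:` drives do not cause misses. `'*copy \\client\c$\aaaa\\*'` embeds the host name `client` from the report; acceptable for an IOC-style rule, but the description should say these are campaign-specific strings.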

@@ -0,0 +1,31 @@
title: Ke3chang Registry Key Modifications
author: Markus Neis, Swisscom
date: 2020/06/18
description: Detects Registry modifications performed by Ke3chang malware in campaigns
running in 2019 and 2020
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*'
- '*-Property String -name Check_Associations -value*'
- '*-Property DWORD -name IEHarden -value 0 -Force*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Will need to be looked for combinations of those processes
id: 7b544661-69fc-419f-9a59-82ccc328f205
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
status: experimental
tags:
- attack.g0004
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
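Review bot: the title says "Registry Key Modifications" but `logsource` is `process_creation`, so only the PowerShell-style command lines in SELECTION_2 are seen; the same values written with `reg add` or through the API are missed. Either add a registry_event sibling or narrow the title and description to the command-line form. The falsepositives entry "Will need to be looked for combinations of those processes" is unclear; state which benign process combination produces these values.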

@@ -0,0 +1,40 @@
title: Lazarus Activity
author: Bhabesh Raj
date: 2021/04/20
description: Detects different process creation events as described in Malwarebytes's
threat report on Lazarus group activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*mshta*'
SELECTION_3:
CommandLine: '*.zip*'
SELECTION_4:
ParentImage:
- C:\Windows\System32\wbem\wmiprvse.exe
SELECTION_5:
Image:
- C:\Windows\System32\mshta.exe
SELECTION_6:
ParentImage:
- '*:\Users\Public\\*'
SELECTION_7:
Image:
- C:\Windows\System32\rundll32.exe
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7)))
falsepositives:
- Should not be any false positives
id: 4a12fa47-c735-4032-a214-6fab5b120670
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/06/27
references:
- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
status: experimental
tags:
- attack.g0032
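Review bot: this rule and the next one (Florian Roth, 2020/12/23) share the exact title "Lazarus Activity"; give each a distinctive title. The `SELECTION_2 and SELECTION_3` branch (`*mshta*` plus `*.zip*`) is loose enough that "Should not be any false positives" is optimistic; name what was seen in the referenced report. SELECTION_4 and SELECTION_5 hardcode the drive letter (`C:\Windows\System32\wbem\wmiprvse.exe`, `C:\Windows\System32\mshta.exe`) where `'*\wbem\wmiprvse.exe'` and `'*\System32\mshta.exe'` would do.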

@@ -0,0 +1,43 @@
title: Lazarus Activity
author: Florian Roth
date: 2020/12/23
description: Detects different process creation events as described in various threat
reports on Lazarus group activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*reg.exe save hklm\sam %temp%\~reg_sam.save*'
- '*1q2w3e4r@#$@#$@#$*'
- '* -hp1q2w3e4 *'
- '*.dat data03 10000 -p *'
SELECTION_3:
CommandLine: '*process call create*'
SELECTION_4:
CommandLine: '* > %temp%\~*'
SELECTION_5:
CommandLine: '*netstat -aon | find *'
SELECTION_6:
CommandLine: '* > %temp%\~*'
SELECTION_7:
CommandLine:
- '*.255 10 C:\ProgramData\\*'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6) or SELECTION_7))
falsepositives:
- Overlap with legitimate process activity in some cases (especially selection 3 and
4)
id: 24c4d154-05a4-4b99-b57d-9b977472443a
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/06/27
references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
- https://www.hvs-consulting.de/lazarus-report/
status: experimental
tags:
- attack.g0032
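Review bot: SELECTION_4 and SELECTION_6 are identical (`CommandLine: '* > %temp%\~*'`), so SELECTION_6 can be dropped and the condition simplified to `(SELECTION_1 and (SELECTION_2 or ((SELECTION_3 or SELECTION_5) and SELECTION_4) or SELECTION_7))`; the falsepositives note that refers to "selection 3 and 4" should be kept accurate if selections are renumbered.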

View File

@@ -0,0 +1,45 @@
title: Lazarus Loaders
author: Florian Roth, wagga
date: 2020/12/23
description: Detects different loaders as described in various threat reports on Lazarus
group activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*cmd.exe /c *'
SELECTION_3:
CommandLine: '* -p 0x*'
SELECTION_4:
CommandLine:
- '*C:\ProgramData\\*'
- '*C:\RECYCLER\\*'
SELECTION_5:
CommandLine: '*rundll32.exe *'
SELECTION_6:
CommandLine: '*C:\ProgramData\\*'
SELECTION_7:
CommandLine:
- '*.bin,*'
- '*.tmp,*'
- '*.dat,*'
- '*.io,*'
- '*.ini,*'
- '*.db,*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6 and SELECTION_7)))
falsepositives:
- unknown
id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/06/27
references:
- https://www.hvs-consulting.de/lazarus-report/
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
status: experimental
tags:
- attack.g0032
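Review bot: SELECTION_4 and SELECTION_6 both carry `'*C:\ProgramData\\*'`, and `level: critical` sits next to `falsepositives: unknown`; the rundll32 branch (`'*rundll32.exe *'` with a ProgramData path and a `.ini,`/`.db,` style argument) is the broader of the two and the one most likely to need tuning, so either lower the level until the false-positive picture is known or state in the description which of the two referenced reports each branch was derived from.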

View File

@@ -0,0 +1,32 @@
title: Lazarus Session Highjacker
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
date: 2020/06/03
description: Detects executables launched outside their default directories as used
by Lazarus Group (Bluenoroff)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\msdtc.exe'
- '*\gpvc.exe'
SELECTION_3:
Image:
- C:\Windows\System32\\*
- C:\Windows\SysWOW64\\*
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- unknown
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
level: high
logsource:
category: process_creation
product: windows
references:
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036.005
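Review bot: the exclusion in SELECTION_3 is anchored to the literal `C:\Windows\...` prefix, so on a host whose system volume is not `C:` a legitimate `msdtc.exe` under `\Windows\System32\` would still match; using `'*\Windows\System32\\*'` and `'*\Windows\SysWOW64\\*'` (the same drive-independent form SELECTION_2 already uses with `'*\msdtc.exe'`) fixes that. Also, "Highjacker" in the title should read "Hijacker".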

View File

@@ -0,0 +1,44 @@
title: Mustang Panda Dropper
author: Florian Roth, oscd.community
date: 2019/10/30
description: Detects specific process parameters as used by Mustang Panda droppers
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*Temp\wtask.exe /create*'
- '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- '*/tn "Security Script *'
- '*%windir:~-1,1%*'
SELECTION_3:
CommandLine: '*/E:vbscript*'
SELECTION_4:
CommandLine: '*C:\Users\\*'
SELECTION_5:
CommandLine: '*.txt*'
SELECTION_6:
CommandLine: '*/F*'
SELECTION_7:
Image: '*Temp\winwsh.exe'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6) or SELECTION_7))
falsepositives:
- Unlikely
fields:
- CommandLine
- ParentCommandLine
id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
level: high
logsource:
category: process_creation
product: windows
references:
- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
status: experimental
tags:
- attack.t1587.001
- attack.resource_development
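Review bot: the tags `attack.t1587.001` and `attack.resource_development` describe the adversary building the dropper, not what this process_creation rule observes; the patterns themselves (`/E:vbscript`, `Temp\wtask.exe /create`, `/tn "Security Script`) correspond to script execution and scheduled-task creation on the endpoint, so `attack.execution` with `attack.t1059.005` and `attack.persistence` with `attack.t1053.005` are the tags an analyst can act on.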

View File

@@ -0,0 +1,47 @@
title: REvil Kaseya Incident Malware Patterns
author: Florian Roth
date: 2021/07/03
description: Detects process command line patterns and locations used by REvil group
in Kaseya incident (can also match on other malware)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*C:\Windows\cert.exe*'
- '*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem
$true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess
Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled*'
- '*del /q /f c:\kworking\agent.crt*'
- '*Kaseya VSA Agent Hot-fix*'
- '*\AppData\Local\Temp\MsMpEng.exe*'
- '*rmdir /s /q %SystemDrive%\inetpub\logs*'
- '*del /s /q /f %SystemDrive%\\*.log*'
- '*c:\kworking1\agent.exe*'
- '*c:\kworking1\agent.crt*'
SELECTION_3:
Image:
- C:\Windows\MsMpEng.exe
- C:\Windows\cert.exe
- C:\kworking\agent.exe
- C:\kworking1\agent.exe
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/07/05
references:
- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
- https://www.joesandbox.com/analysis/443736/0/html
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
status: experimental
tags:
- attack.execution
- attack.g0115
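Review bot: the condition `SELECTION_1 and SELECTION_2 and SELECTION_3` requires a command-line pattern and an image pattern on the same event, but most SELECTION_2 strings (`Set-MpPreference ...`, `del /q /f c:\kworking\agent.crt`, `rmdir /s /q %SystemDrive%\inetpub\logs`) would be executed by powershell.exe or cmd.exe, neither of which appears in SELECTION_3, so those patterns can never fire as written; the two selections read as independent indicators and the condition should be `SELECTION_1 and (SELECTION_2 or SELECTION_3)`.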

View File

@@ -0,0 +1,39 @@
title: Sofacy Trojan Loader Activity
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2018/03/01
description: Detects Trojan loader acitivty as used by APT28
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*rundll32.exe*'
SELECTION_3:
CommandLine: '*%APPDATA%\\*'
SELECTION_4:
CommandLine: '*.dat",*'
SELECTION_5:
CommandLine: '*.dll",#1'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
level: critical
logsource:
category: process_creation
product: windows
modified: 2020/11/28
references:
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
- https://twitter.com/ClearskySec/status/960924755355369472
status: experimental
tags:
- attack.g0007
- attack.execution
- attack.t1059
- attack.t1059.003
- attack.defense_evasion
- attack.t1085
- car.2013-10-002
- attack.t1218.011
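Review bot: `attack.t1085` is the retired ID for the rundll32 technique that `attack.t1218.011` already covers in the same tag list, so the old tag is redundant and should be dropped; `acitivty` in the description should read `activity`.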

Some files were not shown because too many files have changed in this diff