Add: sigma rules (#175)

This commit is contained in:
itiB
2021-11-22 08:45:44 +09:00
committed by GitHub
parent b53342218c
commit 034f9c0957
1086 changed files with 40715 additions and 192 deletions

@@ -0,0 +1,46 @@
title: Raw Disk Access Using Illegitimate Tools
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
description: Raw disk access using illegitimate tools, possible defence evasion
detection:
SELECTION_1:
EventID: 9
SELECTION_2:
Device: '*floppy*'
SELECTION_3:
Image:
- '*\wmiprvse.exe'
- '*\sdiagnhost.exe'
- '*\searchindexer.exe'
- '*\csrss.exe'
- '*\defrag.exe'
- '*\smss.exe'
- '*\vssvc.exe'
- '*\compattelrunner.exe'
- '*\wininit.exe'
- '*\autochk.exe'
- '*\taskhost.exe'
- '*\dfsrs.exe'
- '*\vds.exe'
- '*\lsass.exe'
condition: (SELECTION_1 and not (SELECTION_2) and not (SELECTION_3))
falsepositives:
- Legitimate Administrator using tool for raw access or ongoing forensic investigation
fields:
- ComputerName
- Image
- ProcessID
- Device
id: db809f10-56ce-4420-8c86-d6a7d793c79c
level: medium
logsource:
category: raw_access_thread
product: windows
modified: 2021/08/14
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
status: experimental
tags:
- attack.defense_evasion
- attack.t1006
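Review bot: the SELECTION_3 filter matches on image name with a leading wildcard (`'*\lsass.exe'`, `'*\csrss.exe'`, ...), so a process with one of those file names in any directory is excluded from the detection; consider anchoring the allow-listed system processes to their expected locations (e.g. `'C:\Windows\System32\lsass.exe'`) so the exclusion only covers the genuine binaries. Two smaller points on the same hunk: `EventID: 9` in SELECTION_1 is redundant with `category: raw_access_thread`, which Sigma backends already map to Sysmon Event ID 9 (RawAccessRead), and the parentheses around single selections in the condition can be dropped: `condition: SELECTION_1 and not SELECTION_2 and not SELECTION_3`. Note also that the rendered view shows the YAML without indentation, so the nesting under `detection:` and `logsource:` cannot be verified from this page alone.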