Add: sigma rules (#175)

itiB
2021-11-22 08:45:44 +09:00
committed by GitHub
parent b53342218c
commit 034f9c0957
1086 changed files with 40715 additions and 192 deletions

View File

@@ -0,0 +1,38 @@
title: Azure AD Health Monitoring Agent Registry Keys Access
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
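Review bot: the process exclusions in SELECTION_5 (`'*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'` and the rest) match the image name anywhere in the path, so a malicious binary renamed to one of these names and run from any directory is excluded too; anchoring the patterns at the agent's expected install directory would close that gap. The SACL prerequisite spelled out in the description also belongs in `logsource.definition`, which is where the other rules in this commit put their `'Requirements: ...'` audit-configuration notes, so tooling that surfaces prerequisites picks it up.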

View File

@@ -0,0 +1,41 @@
title: Azure AD Health Service Agents Registry Keys Access
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012

View File

@@ -0,0 +1,34 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
date: 2019/04/03
description: backdooring domain object to grant the rights associated with DCSync
to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
detection:
SELECTION_1:
EventID: 5136
SELECTION_2:
AttributeLDAPDisplayName: ntSecurityDescriptor
SELECTION_3:
AttributeValue:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute
of event 5136 and verify if it's a regular user or DC computer account.
id: 2c99737c-585d-4431-b61a-c911d86ff32f
level: critical
logsource:
product: windows
service: security
modified: 2021/07/09
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
status: experimental
tags:
- attack.persistence
- attack.t1098

View File

@@ -0,0 +1,43 @@
title: AD Privileged Users or Groups Reconnaissance
author: Samir Bousseaden
date: 2019/04/03
description: Detect priv users or groups recon based on 4661 eventid and known privileged
users or groups SIDs
detection:
SELECTION_1:
EventID: 4661
SELECTION_2:
ObjectType:
- SAM_USER
- SAM_GROUP
SELECTION_3:
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
SELECTION_4:
ObjectName: '*admin*'
condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
falsepositives:
- if source account name is not an admin then its super suspicious
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
level: high
logsource:
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
product: windows
service: security
modified: 2021/09/08
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002

View File

@@ -0,0 +1,31 @@
title: AD Object WriteDAC Access
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects WRITE_DAC access to a domain object
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectServer: DS
SELECTION_3:
AccessMask: '0x40000'
SELECTION_4:
ObjectType:
- 19195a5b-6da0-11d0-afd3-00c04fd930c9
- domainDNS
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001

View File

@@ -0,0 +1,41 @@
title: Active Directory Replication from Non Machine Account
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/07/26
description: Detects potential abuse of Active Directory Replication Service (ADRS)
from a non machine account to request credentials.
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
AccessMask: '0x100'
SELECTION_3:
Properties:
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
SELECTION_4:
SubjectUserName: '*$'
SELECTION_5:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
or SELECTION_5))
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 17d619c1-e020-4347-957e-1d1207455c93
level: critical
logsource:
product: windows
service: security
modified: 2020/08/23
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.006

View File

@@ -0,0 +1,34 @@
title: AD User Enumeration
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/30
description: Detects access to a domain user from a non-machine account
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
SELECTION_3:
SubjectUserName: '*$'
SELECTION_4:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
falsepositives:
- Administrators configuring new users.
id: ab6bffca-beff-4baa-af11-6733f296d57a
level: medium
logsource:
definition: Requires the "Read all properties" permission on the user object to
be audited for the "Everyone" principal
product: windows
service: security
modified: 2021/08/09
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002

View File

@@ -0,0 +1,36 @@
title: Admin User Remote Logon
author: juju4
date: 2017/10/29
description: Detect remote login by Administrator user (depending on internal pattern).
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
LogonType: 10
SELECTION_3:
AuthenticationPackageName: Negotiate
SELECTION_4:
TargetUserName: Admin*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administrative activity.
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
level: low
logsource:
definition: 'Requirements: Identifiable administrators usernames (pattern or special
unique character. ex: "Admin-*"), internal policy mandating use only as secondary
account'
product: windows
service: security
modified: 2021/07/07
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
status: experimental
tags:
- attack.lateral_movement
- attack.t1078
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005

View File

@@ -0,0 +1,28 @@
title: Access to ADMIN$ Share
author: Florian Roth
date: 2017/03/04
description: Detects access to $ADMIN share
detection:
SELECTION_1:
EventID: 5140
SELECTION_2:
ShareName: Admin$
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Legitimate administrative activity
id: 098d7118-55bc-4912-a836-dc6483a8d150
level: low
logsource:
definition: The advanced audit policy setting "Object Access > Audit File Share"
must be configured for Success/Failure
product: windows
service: security
modified: 2020/08/23
status: experimental
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002

View File

@@ -0,0 +1,30 @@
title: Enabled User Right in AD to Control User Objects
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
right in Active Directory it would allow control of other AD user objects.
detection:
SELECTION_1:
EventID: 4704
SELECTION_2:
PrivilegeList:
- '*SeEnableDelegationPrivilege*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
level: high
logsource:
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
modified: 2020/08/23
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
tags:
- attack.persistence
- attack.t1098

View File

@@ -0,0 +1,51 @@
title: Active Directory User Backdoors
author: '@neu5ron'
date: 2017/04/13
description: Detects scenarios where one can control another users or computers account
without having to use their credentials.
detection:
SELECTION_1:
EventID: 4738
SELECTION_10:
AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
SELECTION_2:
AllowedToDelegateTo: '-'
SELECTION_3:
AllowedToDelegateTo|re: ^$
SELECTION_4:
EventID: 5136
SELECTION_5:
AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
SELECTION_6:
EventID: 5136
SELECTION_7:
ObjectClass: user
SELECTION_8:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_9:
EventID: 5136
condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or (SELECTION_4
and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9
and SELECTION_10))
falsepositives:
- Unknown
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\DS Access\Audit Directory Service Changes'
product: windows
service: security
modified: 2020/08/23
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
tags:
- attack.t1098
- attack.persistence

View File

@@ -0,0 +1,89 @@
title: Weak Encryption Enabled and Kerberoast
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where weak encryption is enabled for a user profile
which could be used for hash/password cracking.
detection:
SELECTION_1:
EventID: 4738
SELECTION_2:
NewUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_3:
OldUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_4:
NewUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_5:
OldUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_6:
NewUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
SELECTION_7:
OldUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
falsepositives:
- Unknown
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management'
product: windows
service: security
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001

View File

@@ -0,0 +1,28 @@
title: LSASS Access Detected via Attack Surface Reduction
author: Markus Neis
date: 2018/08/26
description: Detects Access to LSASS Process
detection:
SELECTION_1:
EventID: 1121
SELECTION_2:
Path: '*\lsass.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
level: high
logsource:
definition: 'Requirements:Enabled Block credential stealing from the Windows local
security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
product: windows_defender
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001

View File

@@ -0,0 +1,44 @@
title: Mimikatz Use
author: Florian Roth
date: 2017/01/10
description: This method detects mimikatz keywords in different Eventlogs (some of
them only appear in older Mimikatz version that are however still used by different
threat groups)
detection:
SELECTION_1:
- \mimikatz
- mimikatz.exe
- \mimilib.dll
- <3 eo.oe
- eo.oe.kiwi
- privilege::debug
- sekurlsa::logonpasswords
- lsadump::sam
- mimidrv.sys
- ' p::d '
- ' s::l '
- gentilkiwi.com
- Kiwi Legit Printer
condition: (SELECTION_1)
falsepositives:
- Naughty administrators
- Penetration test
- AV Signature updates
- Files with Mimikatz in their filename
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
level: critical
logsource:
product: windows
modified: 2021/08/26
tags:
- attack.s0002
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006

View File

@@ -0,0 +1,39 @@
title: Hacktool Ruler
author: Florian Roth
date: 2017/05/31
description: This events that are generated when using the hacktool Ruler by Sensepost
detection:
SELECTION_1:
EventID: 4776
SELECTION_2:
Workstation: RULER
SELECTION_3:
EventID: 4624
SELECTION_4:
EventID: 4625
SELECTION_5:
WorkstationName: RULER
condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
falsepositives:
- Go utilities that use staaldraad awesome NTLM library
id: 24549159-ac1b-479c-8175-d42aea947cae
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://github.com/sensepost/ruler
- https://github.com/sensepost/ruler/issues/47
- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
tags:
- attack.discovery
- attack.execution
- attack.t1087
- attack.t1075
- attack.t1114
- attack.t1059
- attack.t1550.002

View File

@@ -0,0 +1,47 @@
title: File Was Not Allowed To Run
author: Pushkarev Dmitry
date: 2020/06/28
description: Detect run not allowed files. Applocker is a very useful tool, especially
on servers where unprivileged users have access. For example terminal servers. You
need configure applocker and log collect to receive these events.
detection:
SELECTION_1:
EventID: 8004
SELECTION_2:
EventID: 8007
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- need tuning applocker or add exceptions in SIEM
fields:
- PolicyName
- RuleId
- RuleName
- TargetUser
- TargetProcessId
- FilePath
- FileHash
- Fqbn
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
level: medium
logsource:
product: windows
service: applocker
modified: 2020/08/23
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
status: experimental
tags:
- attack.execution
- attack.t1086
- attack.t1064
- attack.t1204
- attack.t1035
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007

View File

@@ -0,0 +1,29 @@
title: Turla Service Install
author: Florian Roth
date: 2017/03/31
description: This method detects a service install of malicious services mentioned
in Carbon Paper - Turla report by ESET
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName:
- srservice
- ipvpn
- hkmsvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
level: high
logsource:
product: windows
service: system
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003

View File

@@ -0,0 +1,40 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 4698
SELECTION_2:
TaskName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
level: critical
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004

View File

@@ -0,0 +1,37 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
level: critical
logsource:
product: windows
service: system
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004

View File

@@ -0,0 +1,37 @@
title: GALLIUM Artefacts
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 257
SELECTION_2:
QNAME:
- asyspy256.ddns.net
- hotkillmail9sddcc.ddns.net
- rosaf112.ddns.net
- cvdfhjh1231.myftp.biz
- sz2016rose.ddns.net
- dffwescwer4325.myftp.biz
- cvdfhjh1231.ddns.net
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 3db10f25-2527-4b79-8d4b-471eb900ee29
level: high
logsource:
product: windows
service: dns-server
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: experimental
tags:
- attack.credential_access
- attack.command_and_control

View File

@@ -0,0 +1,29 @@
title: Defrag Deactivation
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
description: Detects the deactivation and disabling of the Scheduled defragmentation
task as seen by Slingshot APT group
detection:
SELECTION_1:
EventID: 4701
SELECTION_2:
TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
level: medium
logsource:
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
product: windows
service: security
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
tags:
- attack.persistence
- attack.s0111

View File

@@ -0,0 +1,28 @@
title: StoneDrill Service Install
author: Florian Roth
date: 2017/03/07
description: This method detects a service install of the malicious Microsoft Network
Realtime Inspection Service service described in StoneDrill report by Kaspersky
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: NtsSrv
SELECTION_3:
ServiceFileName: '* LocalService'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unlikely
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
level: high
logsource:
product: windows
service: system
references:
- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
tags:
- attack.persistence
- attack.g0064
- attack.t1050
- attack.t1543.003

View File

@@ -0,0 +1,26 @@
title: Turla PNG Dropper Service
author: Florian Roth
date: 2018/11/23
description: This method detects malicious services mentioned in Turla PNG dropper
report by NCC Group in November 2018
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: WerFaultSvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unlikely
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
level: critical
logsource:
product: windows
service: system
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003

View File

@@ -0,0 +1,37 @@
title: Operation Wocao Activity
author: Florian Roth, frack113
date: 2019/12/20
description: Detects activity mentioned in Operation Wocao report
detection:
SELECTION_1:
EventID: 4799
SELECTION_2:
TargetUserName: Administr*
SELECTION_3:
CallerProcessName: '*\checkadmin.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
level: high
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
status: experimental
tags:
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- attack.t1036
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1053
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,33 @@
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
author: Sreeman
date: 2020/03/13
description: The .SettingContent-ms file type was introduced in Windows 10 and allows
a user to create "shortcuts" to various Windows 10 setting pages. These files are
simply XML and contain paths to various Windows 10 settings binaries.
detection:
SELECTION_1:
CommandLine: '*.SettingContent-ms*'
SELECTION_2:
FilePath: '*immersivecontrolpanel*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
level: medium
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
tags:
- attack.t1204
- attack.t1193
- attack.t1566.001
- attack.execution
- attack.initial_access

View File

@@ -0,0 +1,29 @@
title: Using AppVLP To Circumvent ASR File Path Rule
author: Sreeman
date: 2020/03/13
description: Application Virtualization Utility is included with Microsoft Office.We
are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
for Application Virtualization, but we can use it as an abuse binary to circumvent
the ASR file path rule folder or to mark a file as a system file
detection:
SELECTION_1:
CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
condition: SELECTION_1
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
level: medium
logsource:
product: windows
service: security
modified: 2021/06/11
status: experimental
tags:
- attack.t1218
- attack.defense_evasion
- attack.execution

View File

@@ -0,0 +1,34 @@
title: Remote Task Creation via ATSVC Named Pipe
author: Samir Bousseaden
date: 2019/04/03
description: Detects remote task creation via at.exe or API interacting with ATSVC
namedpipe
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName: atsvc
SELECTION_4:
Accesses: '*WriteData*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
level: medium
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002

View File

@@ -0,0 +1,38 @@
title: Audit CVE Event
author: Florian Roth
date: 2020/01/15
description: Detects events generated by Windows to indicate the exploitation of a
known vulnerability (e.g. CVE-2020-0601)
detection:
SELECTION_1:
Source: Microsoft-Windows-Audit-CVE
condition: SELECTION_1
falsepositives:
- Unknown
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
level: critical
logsource:
product: windows
service: application
modified: 2020/08/23
references:
- https://twitter.com/mattifestation/status/1217179698008068096
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
status: experimental
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004

View File

@@ -0,0 +1,42 @@
title: Relevant Anti-Virus Event
author: Florian Roth
date: 2017/02/19
description: This detection method points out highly relevant Antivirus events
detection:
SELECTION_1:
- HTool-
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- WinCred
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
SELECTION_2:
- Keygen
- Crack
condition: ((SELECTION_1) and not (SELECTION_2))
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
level: high
logsource:
product: windows
service: application
modified: 2021/07/28
tags:
- attack.resource_development
- attack.t1588

View File

@@ -0,0 +1,31 @@
title: Processes Accessing the Microphone and Webcam
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
description: Potential adversaries accessing the microphone and webcam in an endpoint.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4663
SELECTION_4:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
SELECTION_5:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
level: medium
logsource:
product: windows
service: security
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
status: experimental
tags:
- attack.collection
- attack.t1123

View File

@@ -0,0 +1,47 @@
title: CobaltStrike Service Installations
author: Florian Roth, Wojciech Lesicki
date: 2021/05/26
description: Detects known malicious service installs that appear in cases in which
a Cobalt Strike beacon elevates privileges or lateral movement
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath: '*ADMIN$*'
SELECTION_3:
ImagePath: '*.exe*'
SELECTION_4:
ImagePath: '*%COMSPEC%*'
SELECTION_5:
ImagePath: '*start*'
SELECTION_6:
ImagePath: '*powershell*'
SELECTION_7:
ImagePath: '*powershell -nop -w hidden -encodedcommand*'
SELECTION_8:
ImagePath:
- '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
- '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
- '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6) or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: 5a105d34-05fc-401e-8553-272b45c1522d
level: critical
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
tags:
- attack.execution
- attack.privilege_escalation
- attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
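Review bot: the `(SELECTION_2 and SELECTION_3)` branch fires at level critical for any 7045 whose ImagePath contains `ADMIN$` and `.exe`, which is far wider than the Cobalt Strike-specific branches (SELECTION_7 and the three base64 stubs in SELECTION_8); either document under falsepositives that legitimate remote-administration tools installing a service binary from ADMIN$ will match, or split that branch into its own rule at a lower level. The rule also lacks the `status` field that the surrounding rules carry.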

View File

@@ -0,0 +1,30 @@
title: DCERPC SMB Spoolss Named Pipe
author: OTR (Open Threat Research)
date: 2018/11/28
description: Detects the use of the spoolss named pipe over SMB. This can be used
to trigger the authentication via NTLM of any machine that has the spoolservice
enabled.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName: spoolss
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Domain Controllers acting as printer servers too? :)
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
level: medium
logsource:
product: windows
service: security
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
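Review bot: the falsepositives entry `Domain Controllers acting as printer servers too? :)` is a question, not a documented false positive; rewrite it as a statement (e.g. `- Print servers, and domain controllers that also host the spooler, opening spoolss over IPC$`) so tuning guidance is unambiguous. 5145 depends on "Object Access > Audit Detailed File Share" being enabled, which the Impacket PsExec rule in this commit states in a logsource `definition` and this rule does not; add the same line. The rule is dated 2018/11/28 but cites 2020 posts, so a `modified` date is missing.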

View File

@@ -0,0 +1,29 @@
title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020/10/12
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
DLL Hijack scenario.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
RelativeTargetName: '*\Internet Explorer\iertutil.dll'
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Unknown
id: c39f0c81-7348-4965-ab27-2fde35a1b641
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1021.003
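Review bot: the title `T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack` embeds a technique ID that the tags (`attack.t1021.002`, `attack.t1021.003`) already carry; drop the prefix for consistency with the other titles in the commit. The `not (SELECTION_3)` filter excludes every SubjectUserName ending in `$`, i.e. computer accounts, without explanation; the description should state why machine-account writes to `\Internet Explorer\iertutil.dll` are trusted here, otherwise a reader cannot tell whether the exclusion is a noise filter or an unintended blind spot.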

View File

@@ -0,0 +1,40 @@
title: Mimikatz DC Sync
author: Benjamin Delpy, Florian Roth, Scott Dermott
date: 2018/06/03
description: Detects Mimikatz DC sync security events
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
Properties:
- '*Replicating Directory Changes All*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
SELECTION_3:
SubjectDomainName: Window Manager
SELECTION_4:
SubjectUserName:
- NT AUTHORITY*
- MSOL_*
SELECTION_5:
SubjectUserName: '*$'
condition: ((((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) and not (SELECTION_4))
and not (SELECTION_5))
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
status: experimental
tags:
- attack.credential_access
- attack.s0002
- attack.t1003
- attack.t1003.006
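Review bot: the `not (SELECTION_4)` filter already excludes `MSOL_*` accounts, yet falsepositives still lists "Local Domain Admin account used for Azure AD Connect"; state in the description that the MSOL_* exclusion covers the default Azure AD Connect account and that installations using a custom connector account need their own filter entry, rather than leaving it to the reader. `SubjectDomainName: Window Manager` in SELECTION_3 is an exact match on a two-word value and should be quoted so backends that tokenise on whitespace do not split it. As with the DPAPI rules in this commit, 4662 only appears when directory-service access auditing is enabled and the replicated objects carry a SACL; a logsource `definition` saying so is missing.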

View File

@@ -0,0 +1,38 @@
title: Disabling Windows Event Auditing
author: '@neu5ron'
date: 2017/11/19
description: 'Detects scenarios where system auditing (ie: windows event log auditing)
is disabled. This may be used in a scenario where an entity would want to bypass
local logging to evade detection when windows event logging is enabled and reviewed.
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO,
which will make sure that Active Directory GPOs take precedence over local/edited
computer policies via something such as "gpedit.msc". Please note, that disabling
"Local Group Policy Object Processing" may cause an issue in scenarios of one off
specific GPO modifications -- however it is recommended to perform these modifications
in Active Directory anyways.'
detection:
SELECTION_1:
EventID: 4719
SELECTION_2:
AuditPolicyChanges:
- '*%%8448*'
- '*%%8450*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 69aeb277-f15f-4d2d-b32a-55e883609563
level: high
logsource:
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
references:
- https://bit.ly/WinLogsZero2Hero
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.002
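Review bot: the only reference is a bit.ly short link, which hides the target and can be repointed at any time; replace it with the canonical URL. The description mixes the detection's purpose with GPO hardening advice about "Local Group Policy Object Processing"; move the hardening text out (a note or the references) and instead explain what SELECTION_2 matches, because `%%8448` and `%%8450` are the resolved message IDs for "Success removed" and "Failure removed" in a 4719 and nobody reading the rule can tell that. "ie:" should be "i.e.", and `status` is missing.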

View File

@@ -0,0 +1,30 @@
title: DPAPI Domain Backup Key Extraction
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/06/20
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
Controllers
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: SecretObject
SELECTION_3:
AccessMask: '0x2'
SELECTION_4:
ObjectName: BCKUPKEY
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
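Review bot: `ObjectName: BCKUPKEY` in SELECTION_4 is an exact match, while every other object-name selection in this commit uses a wildcard; verify against a real 4662 that the secret's ObjectName is exactly `BCKUPKEY` and not a longer name with a suffix, and if it is longer use `BCKUPKEY*`. A logsource `definition` naming the audit subcategory that produces these `SecretObject` 4662 events on a Domain Controller is missing, so the rule can be deployed where it can never fire.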

View File

@@ -0,0 +1,28 @@
title: DPAPI Domain Master Key Backup Attempt
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects anyone attempting a backup for the DPAPI Master Key. This events
gets generated at the source and not the Domain Controller.
detection:
SELECTION_1:
EventID: 4692
condition: SELECTION_1
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
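Review bot: the condition is a bare `SELECTION_1` (EventID 4692) at level critical with no filter, and the description itself says the event is generated at the source host rather than the Domain Controller, so every master-key backup attempt on every workstation becomes a critical alert; either lower the level or replace `Unknown` under falsepositives with the expected baseline so analysts can tune it. "This events gets generated" should read "This event is generated".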

View File

@@ -0,0 +1,36 @@
title: COMPlus_ETWEnabled Registry Modification
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
SELECTION_3:
ObjectValueName: ETWEnabled
SELECTION_4:
NewValue: '0'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
level: critical
logsource:
product: windows
service: security
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
status: experimental
tags:
- attack.defense_evasion
- attack.t1112
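Review bot: the title names the `COMPlus_ETWEnabled` environment variable, but SELECTION_2 and SELECTION_3 only watch the `ETWEnabled` value under `\SOFTWARE\Microsoft\.NETFramework`; say in the description that the registry form is what is detected, so nobody assumes the environment-variable form is covered by this rule. 4657 on that key requires a SACL and "Object Access > Audit Registry", which should be stated in a logsource `definition`. `unknown` under falsepositives should be capitalised like the rest of the commit.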

View File

@@ -0,0 +1,30 @@
title: Security Event Log Cleared
author: Saw Winn Naung
date: 2021/08/15
description: Checks for event id 1102 which indicates the security event log was cleared.
detection:
SELECTION_1:
EventID: 1102
SELECTION_2:
Source: Microsoft-Windows-Eventlog
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative activity
fields:
- SubjectLogonId
- SubjectUserName
- SubjectUserSid
- SubjectDomainName
id: a122ac13-daf8-4175-83a2-72c387be339d
level: medium
logsource:
product: windows
service: security
modified: 2021/10/08
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
status: experimental
tags:
- attack.t1107
- attack.t1070.001
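Review bot: `attack.t1107` in the tags is a retired ATT&CK ID; `attack.t1070.001` on the next line is the current technique for clearing Windows event logs, so drop t1107. The tag list also lacks a tactic tag (`attack.defense_evasion`), which every other rule in this commit pairs with its technique IDs.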

View File

@@ -0,0 +1,27 @@
title: MSExchange Transport Agent Installation
author: Tobias Michalski
date: 2021/06/08
description: Detects the Installation of a Exchange Transport Agent
detection:
condition: Install-TransportAgent
falsepositives:
- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
for this.
fields:
- AssemblyPath
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
level: medium
logsource:
product: windows
service: msexchange-management
modified: 2021/09/19
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
related:
- id: 83809e84-4475-4b69-bc3e-4aad8568612f
type: derived
status: experimental
tags:
- attack.persistence
- attack.t1505.002
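Review bot: the `condition` references `Install-TransportAgent`, but no selection of that name is defined under `detection`, so the rule cannot compile as written; the source evidently had a keyword list (`keywords: - Install-TransportAgent`) that was lost in conversion, and it needs to be restored with `condition: keywords`. "a Exchange Transport Agent" should be "an Exchange Transport Agent".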

View File

@@ -0,0 +1,44 @@
title: Possible CVE-2021-1675 Print Spooler Exploitation
author: Florian Roth, KevTheHermit, fuzzyf10w
date: 2021/06/30
description: Detects events of driver load errors in print service logs that could
be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
detection:
SELECTION_1:
EventID: 808
SELECTION_2:
EventID: 4909
SELECTION_3:
ErrorCode:
- '0x45A'
- '0x7e'
SELECTION_4:
- The print spooler failed to load a plug-in module
- MyExploit.dll
- evil.dll
- \addCube.dll
- \rev.dll
- \rev2.dll
- \main64.dll
- \mimilib.dll
- \mimispool.dll
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4))
falsepositives:
- Problems with printer drivers
fields:
- PluginDllName
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
level: high
logsource:
product: windows
service: printservice-admin
modified: 2021/07/08
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://twitter.com/fuzzyf10w/status/1410202370835898371
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
status: experimental
tags:
- attack.execution
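Review bot: the `or (SELECTION_4)` branch fires at level high on the bare message `The print spooler failed to load a plug-in module` without the error codes in SELECTION_3, which is exactly the "Problems with printer drivers" case the rule lists as a false positive; keep the DLL-name keywords as they are but require the plug-in message to co-occur with SELECTION_3, or move it to a lower-level rule. The tags carry only `attack.execution` with no technique ID, unlike the rest of the commit.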

View File

@@ -0,0 +1,30 @@
title: CVE-2021-1675 Print Spooler Exploitation
author: Florian Roth
date: 2021/07/01
description: Detects driver load events print service operational log that are a sign
of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
detection:
SELECTION_1:
EventID: '316'
SELECTION_2:
- 'UNIDRV.DLL, kernelbase.dll, '
- ' 123 '
- ' 1234 '
- mimispool
condition: (SELECTION_1 and (SELECTION_2))
falsepositives:
- Unknown
fields:
- DriverAdded
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
level: critical
logsource:
product: windows
service: printservice-operational
references:
- https://twitter.com/MalwareJake/status/1410421967463731200
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
status: experimental
tags:
- attack.execution
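Review bot: `EventID: '316'` is a quoted string while every other rule in this commit uses an integer; a backend that types EventID numerically will not match it. The keywords `' 123 '` and `' 1234 '` in SELECTION_2 match proof-of-concept driver version strings and are weak evidence for a critical-level rule; say so in the description and under falsepositives (currently `Unknown`) so responders know which of the four matches justifies the level. The tactic-only tag `attack.execution` lacks a technique ID.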

View File

@@ -0,0 +1,33 @@
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
author: INIT_6
date: 2021/07/02
description: Detects remote printer driver load from Detailed File Share in Security
logs that are a sign of successful exploitation attempts against print spooler vulnerability
CVE-2021-1675 and CVE-2021-34527
detection:
SELECTION_1:
EventID: '5145'
SELECTION_2:
ShareName: \\\*\IPC$
SELECTION_3:
RelativeTargetName: spoolss
SELECTION_4:
AccessMask: '0x3'
SELECTION_5:
ObjectType: File
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- nothing observed so far
id: 8fe1c584-ee61-444b-be21-e9054b229694
level: critical
logsource:
product: windows
service: security
references:
- https://twitter.com/INIT_3/status/1410662463641731075
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-34527
status: experimental
tags:
- attack.execution
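Review bot: `ShareName: \\\*\IPC$` in SELECTION_2 has three backslashes, while the two other 5145 rules in this commit write the same share as `\\*\IPC$`; one of the two forms is wrong for any given backend, so pick one. `EventID: '5145'` is quoted unlike the integer EventIDs elsewhere. This rule is the DCERPC SMB Spoolss Named Pipe rule plus `AccessMask: '0x3'` and `ObjectType: File`, so both will fire on the same event; add a `related` entry linking the two.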

View File

@@ -0,0 +1,28 @@
title: External Disk Drive Or USB Storage Device
author: Keith Wright
date: 2019/11/20
description: Detects external diskdrives or plugged in USB devices , EventID 6416
on windows 10 or later
detection:
SELECTION_1:
EventID: 6416
SELECTION_2:
ClassName: DiskDrive
SELECTION_3:
DeviceDescription: USB Mass Storage Device
condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
falsepositives:
- Legitimate administrative activity
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
level: low
logsource:
product: windows
service: security
modified: 2021/08/09
status: experimental
tags:
- attack.t1091
- attack.t1200
- attack.lateral_movement
- attack.initial_access
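Review bot: the condition `((SELECTION_1 and SELECTION_2) or SELECTION_3)` lets SELECTION_3 (DeviceDescription) match without the EventID check, so any Security event carrying that DeviceDescription fires; the intended logic is `SELECTION_1 and (SELECTION_2 or SELECTION_3)`. The description has "diskdrives" and a stray space before the comma, and the rule has no references.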

View File

@@ -0,0 +1,32 @@
title: Enumeration via the Global Catalog
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/11
description: Detects enumeration of the global catalog (that can be performed using
BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
width.
detection:
SELECTION_1:
EventID: 5156
SELECTION_2:
DestinationPort: 3268
SELECTION_3:
DestinationPort: 3269
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress
> 2000
falsepositives:
- Exclude known DCs.
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
level: medium
logsource:
definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
Platform Connection" must be configured for Success
product: windows
service: security
modified: 2021/06/01
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
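Review bot: `- Exclude known DCs.` under falsepositives is a tuning instruction, not a false positive; express it as a filter selection in the condition (`... and not filter_dc`, with the DC addresses) and keep falsepositives for legitimate bulk LDAP clients that query ports 3268/3269. The 2000 threshold is called tunable in the description but nothing in the rule marks it as such; a comment or a `fields` entry for SourceAddress would help analysts. `status` is missing.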

View File

@@ -0,0 +1,36 @@
title: Persistence and Execution at Scale via GPO Scheduled Task
author: Samir Bousseaden
date: 2019/04/03
description: Detect lateral movement using GPO scheduled task, usually used to deploy
ransomware at scale
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\SYSVOL
SELECTION_3:
RelativeTargetName: '*ScheduledTasks.xml'
SELECTION_4:
Accesses:
- '*WriteData*'
- '*%%4417*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor
both local and remote changes to GPO scheduledtasks
id: a8f29a7b-b137-4446-80a0-b804272f3da2
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://twitter.com/menasec1/status/1106899890377052160
- https://www.secureworks.com/blog/ransomware-as-a-distraction
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
- attack.t1053.005
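Review bot: the falsepositives entry reads as analyst advice ("if the source IP is not localhost then it's super suspicious...") rather than a false positive; move it into the description and list the actual benign case (GPO administration performed on the DC itself). The description says "Detect lateral movement" while the title says persistence and execution at scale; align them. `status` is missing.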

View File

@@ -0,0 +1,34 @@
title: smbexec.py Service Installation
author: Omer Faruk Celik
date: 2018/03/20
description: Detects the use of smbexec.py tool by detecting a specific service installation
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: BTOBTO
SELECTION_3:
ServiceFileName: '*\execute.bat'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration Test
- Unknown
fields:
- ServiceName
- ServiceFileName
id: 52a85084-6989-40c3-8f32-091e12e13f09
level: critical
logsource:
product: windows
service: system
modified: 2020/08/23
references:
- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
tags:
- attack.lateral_movement
- attack.execution
- attack.t1077
- attack.t1021.002
- attack.t1035
- attack.t1569.002
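Review bot: `attack.t1077` and `attack.t1035` are retired ATT&CK IDs whose replacements, `attack.t1021.002` and `attack.t1569.002`, are already in the tag list; drop the old ones. The rule keys on the tool's default service name `BTOBTO` and `\execute.bat`, so the description should say it covers default-configuration smbexec.py only, otherwise the critical level overstates the coverage. `status` is missing.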

View File

@@ -0,0 +1,28 @@
title: Hidden Local User Creation
author: Christian Burkard
date: 2021/05/03
description: Detects the creation of a local hidden user account which should not
happen for event ID 4720.
detection:
SELECTION_1:
EventID: 4720
SELECTION_2:
TargetUserName: '*$'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventCode
- AccountName
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
level: high
logsource:
product: windows
service: security
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
status: experimental
tags:
- attack.persistence
- attack.t1136.001
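Review bot: the `fields` list names `EventCode` and `AccountName`, which are not the field names the detection uses (`EventID`, `TargetUserName`); use the same names so backends that honour `fields` return the matched values. The description "which should not happen for event ID 4720" is unclear; what the rule matches is a 4720 whose TargetUserName ends in `$`, the trait it treats as "hidden", so say that.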

View File

@@ -0,0 +1,26 @@
title: HybridConnectionManager Service Installation
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
description: Rule to detect the Hybrid Connection Manager service installation.
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceName: HybridConnectionManager
SELECTION_3:
ServiceFileName: '*HybridConnectionManager*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
status: experimental
tags:
- attack.persistence
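Review bot: the tags carry only the tactic `attack.persistence` with no technique ID, unlike most rules in this commit; add the matching technique. 4697 only appears in the Security log when "System > Audit Security System Extension" is enabled; add a logsource `definition` so the rule is not deployed where it can never fire.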

View File

@@ -0,0 +1,30 @@
title: HybridConnectionManager Service Running
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
detection:
SELECTION_1:
EventID: 40300
SELECTION_2:
EventID: 40301
SELECTION_3:
EventID: 40302
SELECTION_4:
- HybridConnection
- sb://
- servicebus.windows.net
- HybridConnectionManage
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
id: b55d23e5-6821-44ff-8a6e-67218891e49f
level: high
logsource:
product: windows
service: Microsoft-ServiceBus-Client
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
status: experimental
tags:
- attack.persistence
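Review bot: `service: Microsoft-ServiceBus-Client` in logsource is written as a provider name, whereas every other logsource in this commit uses a lowercase service key (`security`, `system`, `printservice-admin`, `msexchange-management`); a backend configuration keyed on service names will not map this one. The keyword `HybridConnectionManage` in SELECTION_4 looks truncated (missing the trailing `r`); confirm it is a deliberate prefix or correct it. The tactic-only tag lacks a technique ID.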

View File

@@ -0,0 +1,30 @@
title: Impacket PsExec Execution
author: Bhabesh Raj
date: 2020/12/14
description: Detects execution of Impacket's psexec.py.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName:
- '*RemCom_stdint*'
- '*RemCom_stdoutt*'
- '*RemCom_stderrt*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- nothing observed so far
id: 32d56ea1-417f-44ff-822b-882873f5f43b
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
tags:
- attack.lateral_movement
- attack.t1021.002
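Review bot: the three patterns `*RemCom_stdint*`, `*RemCom_stdoutt*` and `*RemCom_stderrt*` each carry a trailing `t` after the pipe name; if the pipe names are `RemCom_stdin`/`RemCom_stdout`/`RemCom_stderr` followed by a variable suffix, that `t` only matches when the suffix happens to start with `t`, so confirm it is intentional or drop it. `status` is missing.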

View File

@@ -0,0 +1,33 @@
title: Possible Impacket SecretDump Remote Activity
author: Samir Bousseaden, wagga
date: 2019/04/03
description: Detect AD credential dumping using impacket secretdump HKTL
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\ADMIN$
SELECTION_3:
RelativeTargetName: '*SYSTEM32\\*'
SELECTION_4:
RelativeTargetName: '*.tmp*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
modified: 2021/06/27
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
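Review bot: `'*SYSTEM32\\*'` in SELECTION_3 doubles the backslash inside single quotes (where YAML does not unescape), while `'*\Internet Explorer\iertutil.dll'` elsewhere in this commit uses a single one; one of the two will not match on a given backend, so make the escaping consistent. `status` is missing, and `pentesting` as the only false positive does not mention legitimate remote administration writing temporary files into SYSTEM32 over ADMIN$.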

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ImagePath|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
level: high
logsource:
product: windows
service: system
modified: 2021/09/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
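Review bot: the regex in SELECTION_1 starts with `.*` although `|re` is an unanchored search, so the prefix only adds backtracking; drop it. The CLIP+, STDIN+, VAR+ and IEX rules have no `(?i)` flag while the COMPRESS, RUNDLL, Stdin and MSHTA rules do, so the launcher rules in this commit disagree on case handling; choose one convention, because backends differ in whether their default regex matching is case-insensitive.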

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
level: high
logsource:
product: windows
service: security
modified: 2021/09/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
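Review bot: this rule and its 7045 parent share the exact title `Invoke-Obfuscation CLIP+ Launcher`, so two identically named alerts can fire on one service installation (7045 in System, 4697 in Security) and only the `id` tells them apart; add a disambiguating suffix to the Security-log variant's title. The same applies to every `related: derived` copy in this commit.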

View File

@@ -0,0 +1,37 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
ImagePath|re: \\*mdr\*\W\s*\)\.Name
SELECTION_7:
ImagePath|re: \$VerbosePreference\.ToString\(
SELECTION_8:
ImagePath|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
level: high
logsource:
product: windows
service: system
modified: 2021/09/16
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
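Review bot: SELECTION_8's `\String\]` uses `\S`, which is the non-whitespace character class, not an escaped `S`; it still happens to match `[String]` but also any non-space character before `tring]`, and the intended literal is `\[String\]`. SELECTION_6's `\\*mdr\*` means "zero or more backslashes, then mdr, then a literal asterisk", which reads like an escaping slip for `\*mdr\*` (literal asterisks around mdr); both should be corrected before the rule leaves experimental.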

View File

@@ -0,0 +1,40 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
SELECTION_7:
ServiceFileName|re: \$VerbosePreference\.ToString\(
SELECTION_8:
ServiceFileName|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
level: high
logsource:
product: windows
service: security
modified: 2021/09/16
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
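Review bot: SELECTION_6 (`\\*mdr\*`) and SELECTION_8 (`\String\]`) carry the same escaping slips as the 7045 parent rule this one is derived from (`\\*` quantifies a backslash, `\S` is the non-whitespace class); fix both copies together so the two variants keep matching the same strings.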

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
ImagePath|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
level: high
logsource:
product: windows
service: system
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
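Review bot: the `noexit` alternative in SELECTION_1 makes the regex match any `cmd /c ... powershell ... -noexit ... "` service command line, not only the Invoke-Obfuscation stdin launcher, at level high; document that under falsepositives (currently `Unknown`) or restrict the alternative to the `$input` form. The leading `.*` is redundant on an unanchored search.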

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
level: high
logsource:
product: windows
service: security
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
level: high
logsource:
product: windows
service: system
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
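Review bot: in SELECTION_2 the regex uses `(?:\s|)` and `{1,}` where `\s?` and `+` are the idiomatic forms, and the leading `.*` is redundant on an unanchored search; simplify so the pattern is easier to audit. `(?:.*\)){1,}` is a nested greedy quantifier that can backtrack badly on long service command lines, so consider bounding it.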

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: dcf2db1f-f091-425b-a821-c05875b8925a
level: high
logsource:
product: windows
service: security
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
ImagePath|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 175997c5-803c-4b08-8bb0-70b099f47595
level: medium
logsource:
product: windows
service: system
modified: 2021/08/09
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
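Review bot: the description "Detects Obfuscated Powershell via COMPRESS OBFUSCATION" only repeats the title; state what SELECTION_1 keys on (a `New-Object` of `System.IO.Compression.DeflateStream` or `System.IO.StreamReader` together with `[Text.Encoding]::ASCII` and `ReadToEnd`) so an analyst can judge a hit. `unknown` under falsepositives should be capitalised like the rest of the commit.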

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
ServiceFileName|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
level: medium
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 175997c5-803c-4b08-8bb0-70b099f47595
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
ImagePath|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
level: medium
logsource:
product: windows
service: system
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
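Review bot: `(?:\s+)?` in SELECTION_1 is just `\s*`, and the leading `.*` is redundant; more importantly, the description should name the indicator, which is `rundll32 shell32.dll,ShellExec_RunDLL` wrapping a `powershell` command line, since "via RUNDLL LAUNCHER" tells the reader nothing about what matched.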

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
ServiceFileName|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
level: medium
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
ImagePath|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 487c7524-f892-4054-b263-8a0ace63fc25
level: high
logsource:
product: windows
service: system
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
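Review bot: SELECTION_1 matches any service command line containing two `set` statements joined by `&&` with the word `environment` anywhere after the second, at level high; the `&&` joins are the only structural anchor, so either restrict the `environment|invoke` alternative to the form the launcher actually emits or lower the level. The capturing groups `(set)` and `(environment|...)` should be non-capturing `(?:...)` as in the other launcher rules, and the leading `.*` is redundant.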

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
ServiceFileName|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
level: high
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 487c7524-f892-4054-b263-8a0ace63fc25
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
ImagePath|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
level: high
logsource:
product: windows
service: system
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
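Review bot: this rule and `Invoke-Obfuscation CLIP+ Launcher` in the same commit both match clip.exe based launchers in the 7045 ImagePath, so one event can raise both alerts; add `related` entries so duplicate hits are attributed, or merge the two patterns. The trailing `.*` in the regex is redundant for an unanchored search.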

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
ServiceFileName|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
level: high
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
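Review bot: the title "Invoke-Obfuscation Via Use Clip" is identical to the System/7045 rule above (63e3365d-4824-42d8-8b82-e56810fefa0c), and the same holds for the other 7045/4697 pairs in this commit, so alerts from the two rules cannot be told apart by title in a SIEM. Suggest qualifying the derived rule's title, for example by appending the event source ("... (Security 4697)"), while keeping the `related` link.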


@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
ImagePath|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
level: high
logsource:
product: windows
service: system
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
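Review bot: the pattern in SELECTION_1 wraps plain literals such as `(set)`, `(&&)`, `(mshta)` and `(\.run)` in capturing groups, which only add capture overhead; plain text or `(?:...)` is clearer. More importantly the pattern fixes a strict order (`set`, then `&&`, then `mshta`, then `vbscript:createobject`), so a description sentence stating that this is the Invoke-Obfuscation launcher layout would tell a maintainer why reordered invocations are out of scope.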


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
ServiceFileName|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
level: high
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
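Review bot: the description says "in Scripts", but 4697 is a service-installation event and `ServiceFileName` holds the service binary path and arguments, not a script; "via a service installation" would describe what SELECTION_1 and SELECTION_2 actually match. The same capturing-group and strict-order remarks as for the parent rule 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 apply to the regex here.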


@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use Rundll32
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
ImagePath|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
level: high
logsource:
product: windows
service: system
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
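Review bot: the detection keys on `rundll32` loading `shell32.dll` with `shellexec_rundll`, which is the Rundll32 signed-binary proxy execution technique, so `attack.t1218.011` belongs in the tag list next to the existing `attack.t1027` and `attack.t1059.001`. The regex is otherwise sound but, like the others in this series, unanchored, so the leading `.*` and the `.*` before the trailing `"` can go.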


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Rundll32
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
ServiceFileName|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
level: high
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
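Review bot: as for the parent rule 641a4bfb-c017-44f7-800c-2aee0184ce9b, add `attack.t1218.011` here too so the derived rule keeps the same technique coverage; the other derived rules in this commit copy their parent's tags exactly, and this one should stay in step when the parent is updated.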


@@ -0,0 +1,27 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
level: high
logsource:
product: windows
service: system
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
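Review bot: the pattern in SELECTION_1 uses `&&set` with no optional whitespace, whereas the Stdin rule in this commit uses `&&\s?set`; a launcher written as `&& set` is missed here. Suggest `&&\s?set` for consistency. The `\-f` escape is unnecessary (`-` is not special outside a character class), and `\\"` means a literal backslash followed by a double quote, which is presumably intended but is easy to misread as an escaped quote and deserves a comment.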


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
ServiceFileName|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
level: high
logsource:
product: windows
service: security
modified: 2021/09/18
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
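Review bot: the title "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" is in capitals unlike every other title in this commit; aligning it and the parent 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 to "Invoke-Obfuscation Var++ Launcher Obfuscation" keeps dashboards consistent. The same whitespace remark as for the parent applies: `&&set` should allow an optional space.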


@@ -0,0 +1,32 @@
title: ISO Image Mount
author: Syed Hasan (@syedhasan009)
date: 2021/05/29
description: Detects the mount of ISO images on an endpoint
detection:
SELECTION_1:
EventID: 4663
SELECTION_2:
ObjectServer: Security
SELECTION_3:
ObjectType: File
SELECTION_4:
ObjectName: \Device\CdRom*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Software installation ISO files
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
level: medium
logsource:
definition: The advanced audit policy setting "Object Access > Audit Removable Storage"
must be configured for Success/Failure
product: windows
service: security
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
status: experimental
tags:
- attack.initial_access
- attack.t1566.001
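Review bot: the condition fires on any 4663 for a File object under `\Device\CdRom*`, which covers physical optical media as well as mounted ISO images, so the title and description overstate what is observed; either widen the description or add physical media to `falsepositives`, which currently lists only installation ISOs. The `attack.t1566.001` tag names the delivery vector rather than what the rule sees; the mount itself is closer to `attack.t1553.005` (Mark-of-the-Web bypass), which could be added.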


@@ -0,0 +1,52 @@
title: First Time Seen Remote Named Pipe
author: Samir Bousseaden
date: 2019/04/03
description: This detection excludes known namped pipes accessible remotely and notify
on newly observed ones, may help to detect lateral movement and remote exec using
named pipes
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
EventID: 5145
SELECTION_4:
ShareName: \\*\IPC$
SELECTION_5:
RelativeTargetName:
- atsvc
- samr
- lsarpc
- winreg
- netlogon
- srvsvc
- protected_storage
- wkssvc
- browser
- netdfs
- svcctl
- spoolss
- ntsvcs
- LSM_API_service
- HydraLsPipe
- TermSrv_API_service
- MsFteWds
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4
and SELECTION_5))
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://twitter.com/menasec1/status/1104489274387451904
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
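Review bot: SELECTION_3 and SELECTION_4 repeat SELECTION_1 and SELECTION_2 exactly (EventID 5145 and ShareName `\\*\IPC$`), so the condition reduces to `SELECTION_1 and SELECTION_2 and not SELECTION_5`; the duplicates should go. The title promises "first time seen", but the rule is a static allow-list with no aggregation or baseline, and the `falsepositives` entry is a tuning instruction rather than a false-positive source; both should be reworded. The description has "namped pipes" for "named pipes", and no `status` field is set.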


@@ -0,0 +1,34 @@
title: Correct Execution of Nltest.exe
author: Arun Chauhan
date: 2021/10/04
description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers,
domain trusts, parent domain and the current user permissions.
detection:
SELECTION_1:
EventID: 4689
SELECTION_2:
ProcessName: '*nltest.exe'
SELECTION_3:
Status: '0x0'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Red team activity
- rare legitimate use by an administrator
fields:
- SubjectUserName
- SubjectDomainName
id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
level: high
logsource:
product: windows
service: security
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
- https://attack.mitre.org/software/S0359/
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1018
- attack.t1016
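Review bot: 4689 is the process-termination event, so this rule depends on the Detailed Tracking > Audit Process Termination subcategory, which is off by default and should be stated in `logsource.definition` as other rules here do. `Status: '0x0'` is only the exit code, so a clean exit says nothing about whether the query returned anything; "Correct Execution" in the title overstates it, and "Completed Execution" would be accurate. The `fields` names (SubjectUserName, SubjectDomainName) are the native 4689 names, good.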


@@ -0,0 +1,69 @@
title: LSASS Access from Non System Account
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/06/20
description: Detects potential mimikatz-like tools accessing LSASS from non system
account
detection:
SELECTION_1:
EventID: 4663
SELECTION_2:
EventID: 4656
SELECTION_3:
AccessMask:
- '0x40'
- '0x1400'
- '0x1000'
- '0x100000'
- '0x1410'
- '0x1010'
- '0x1438'
- '0x143a'
- '0x1418'
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '40'
- '1400'
- '1000'
- '100000'
- '1410'
- '1010'
- '1438'
- 143a
- '1418'
- 1f0fff
- 1f1fff
- 1f2fff
- 1f3fff
SELECTION_4:
ObjectType: Process
SELECTION_5:
ObjectName: '*\lsass.exe'
SELECTION_6:
SubjectUserName: '*$'
SELECTION_7:
ProcessName: C:\Program Files*
condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
and not (SELECTION_6)) and not (SELECTION_7))
falsepositives:
- Unknown
fields:
- ComputerName
- ObjectName
- SubjectUserName
- ProcessName
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
level: critical
logsource:
product: windows
service: security
modified: 2021/03/17
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
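Review bot: the `not SELECTION_7` exclusion (`ProcessName: C:\Program Files*`) whitelists every process installed under Program Files, a location any administrator-level tool can occupy, and opening LSASS requires that privilege anyway; narrowing it to the specific products that legitimately open lsass.exe keeps the `critical` level honest. The AccessMask list mixes quoted (`'1438'`) and unquoted (`143a`, `1f0fff`) scalars; quoting them all avoids type surprises in typed backends. A `logsource.definition` is also missing: 4656/4663 on a Process object need Object Access > Audit Kernel Object plus a SACL on lsass.exe.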


@@ -0,0 +1,41 @@
title: Credential Dumping Tools Service Execution
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
description: Detects well-known credential dumping tools execution via service execution
events
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath:
- '*fgexec*'
- '*dumpsvc*'
- '*cachedump*'
- '*mimidrv*'
- '*gsecdump*'
- '*servpw*'
- '*pwdump*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
level: high
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.execution
- attack.t1003
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1035
- attack.t1569.002
- attack.s0005
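Review bot: no `status` field is set, while most rules in this commit declare one; add `status: stable` or `experimental` as appropriate. `attack.t1035` is deprecated in ATT&CK in favour of `attack.t1569.002`, which is already listed, so the old tag can be dropped unless it is kept deliberately for backwards compatibility, in which case a comment would help.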


@@ -0,0 +1,33 @@
title: WCE wceaux.dll Access
author: Thomas Patzke
date: 2017/06/14
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution
on source host
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4658
SELECTION_3:
EventID: 4660
SELECTION_4:
EventID: 4663
SELECTION_5:
ObjectName: '*\wceaux.dll'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
falsepositives:
- Penetration testing
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
level: critical
logsource:
product: windows
service: security
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
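Review bot: SELECTION_5 cannot match the 4658 (handle closed) and 4660 (object deleted) events listed in SELECTION_2 and SELECTION_3, because those events carry only a HandleId and no ObjectName, so in practice the condition reduces to 4656/4663 with `ObjectName: '*\wceaux.dll'`. Either drop the two event IDs or correlate them on HandleId. File-object 4656/4663 events are also only emitted when Audit File System is enabled and a SACL is set on the path, which belongs in `logsource.definition`.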


@@ -0,0 +1,38 @@
title: Metasploit SMB Authentication
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/06
description: Alerts on Metasploit host's authentications on the domain.
detection:
SELECTION_1:
EventID: 4625
SELECTION_2:
EventID: 4624
SELECTION_3:
LogonType: 3
SELECTION_4:
AuthenticationPackageName: NTLM
SELECTION_5:
WorkstationName|re: ^[A-Za-z0-9]{16}$
SELECTION_6:
ProcessName|re: ^$
SELECTION_7:
EventID: 4776
SELECTION_8:
Workstation|re: ^[A-Za-z0-9]{16}$
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7 and SELECTION_8))
falsepositives:
- Linux hostnames composed of 16 characters.
id: 72124974-a68b-4366-b990-d30e0b2a190d
level: high
logsource:
product: windows
service: security
modified: 2021/07/07
references:
- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
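Review bot: SELECTION_6 (`ProcessName|re: ^$`) is ANDed with EventID 4776, but 4776 carries no ProcessName field, so whether that branch ever fires depends on how the backend evaluates a regex against an absent field; drop it or document the intent. `attack.t1077` is deprecated in favour of `attack.t1021.002`, which is already listed. The 16-character Linux hostname entry under `falsepositives` is the right caveat for the `^[A-Za-z0-9]{16}$` check.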


@@ -0,0 +1,64 @@
title: Meterpreter or Cobalt Strike Getsystem Service Installation
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
a specific service installation
detection:
SELECTION_1:
EventID: 7045
SELECTION_10:
ImagePath: '*cmd.exe*'
SELECTION_11:
ImagePath: '*/c*'
SELECTION_12:
ImagePath: '*echo*'
SELECTION_13:
ImagePath: '*\pipe\\*'
SELECTION_14:
ImagePath: '*rundll32*'
SELECTION_15:
ImagePath: '*.dll,a*'
SELECTION_16:
ImagePath: '*/p:*'
SELECTION_2:
ImagePath: '*cmd*'
SELECTION_3:
ImagePath: '*/c*'
SELECTION_4:
ImagePath: '*echo*'
SELECTION_5:
ImagePath: '*\pipe\\*'
SELECTION_6:
ImagePath: '*%COMSPEC%*'
SELECTION_7:
ImagePath: '*/c*'
SELECTION_8:
ImagePath: '*echo*'
SELECTION_9:
ImagePath: '*\pipe\\*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
and SELECTION_16)))
falsepositives:
- Highly unlikely
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ImagePath
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
level: critical
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
- attack.privilege_escalation
- attack.t1134
- attack.t1134.001
- attack.t1134.002
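Review bot: the third branch of the condition (SELECTION_10..13: `*cmd.exe*`, `*/c*`, `*echo*`, `*\pipe\\*`) is fully subsumed by the first (SELECTION_2..5: `*cmd*`, `*/c*`, `*echo*`, `*\pipe\\*`), since `*cmd*` matches everything `*cmd.exe*` does; the conversion has also produced three copies each of `*/c*`, `*echo*` and `*\pipe\\*` under different names. One named selection per distinct value would make the condition readable. The rundll32 branch (`*.dll,a*` with `*/p:*`) is the genuinely different one and is worth a sentence in the description.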


@@ -0,0 +1,32 @@
title: MMC20 Lateral Movement
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020/03/04
description: Detects MMC20.Application Lateral Movement; specifically looks for the
spawning of the parent MMC.exe with a command line of "-Embedding" as a child of
svchost.exe
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\svchost.exe'
SELECTION_3:
Image: '*\mmc.exe'
SELECTION_4:
CommandLine: '*-Embedding*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
level: high
logsource:
category: process_creation
product: windows
modified: 2020/08/23
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
tags:
- attack.execution
- attack.t1175
- attack.t1021.003
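Review bot: `logsource.category: process_creation` is the generic category, but SELECTION_1 hardcodes `EventID: 1` (Sysmon), so the rule will not fire on backends that map process_creation to Security 4688; the category already selects the event, and SELECTION_1 should be removed from the condition. `attack.t1175` is deprecated; `attack.t1021.003`, already present, is its replacement.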


@@ -0,0 +1,27 @@
title: Moriya Rootkit
author: Bhabesh Raj
date: 2021/05/06
description: Detects the use of Moriya rootkit as described in the securelist's Operation
TunnelSnake report
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: ZzNetSvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- None
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
level: critical
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
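Review bot: the only indicator is `ServiceName: ZzNetSvc`, so a renamed service evades the rule entirely; if the referenced Securelist report gives the driver path or file name, adding it as a second selection would make the `critical` rating more robust. `falsepositives: None` is acceptable for a pure indicator rule, but the description should say that the rule is indicator-based rather than behavioural.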


@@ -0,0 +1,39 @@
title: NetNTLM Downgrade Attack
author: Florian Roth, wagga
date: 2018/03/20
description: Detects NetNTLM downgrade attack
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
ObjectName: '*\REGISTRY\MACHINE\SYSTEM*'
SELECTION_3:
ObjectName: '*ControlSet*'
SELECTION_4:
ObjectName: '*\Control\Lsa*'
SELECTION_5:
ObjectValueName:
- LmCompatibilityLevel
- NtlmMinClientSec
- RestrictSendingNTLMTraffic
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
level: critical
logsource:
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
product: windows
service: security
modified: 2021/06/27
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
related:
- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
type: derived
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
- attack.t1112
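Review bot: `logsource.definition` only says "Audit Registry (Success)", but 4657 is emitted solely for keys that carry a SACL for Set Value, so without a SACL on `\Control\Lsa` the rule is silent; the definition should say so. 4657 also carries OldValue/NewValue, so the rule could distinguish an actual downgrade (LmCompatibilityLevel decreasing, for example) from a hardening change, which would cut the FPs currently marked Unknown. `attack.t1089` is deprecated in favour of `attack.t1562.001`, already listed.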


@@ -0,0 +1,32 @@
title: Mounted Windows Admin Shares with net.exe
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st,
wagga
date: 2020/10/05
description: Detects when an admin share is mounted using net.exe
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\net.exe'
- '*\net1.exe'
SELECTION_3:
CommandLine: '* use *'
SELECTION_4:
CommandLine: '*\\\*\\*$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Administrators
id: 3abd6094-7027-475f-9630-8ab9be7b9725
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/06/27
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
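Review bot: same process_creation/`EventID: 1` coupling as in the MMC20 rule: drop SELECTION_1 and let the category select the event. The escape sequence in SELECTION_4, `'*\\\*\\*$*'`, is hard to read under Sigma's escaping rules (`\\\*` is a backslash followed by a literal asterisk, `\\*` a backslash followed by a wildcard); confirm that the converter renders the intended `\\<host>\<share>$` form and consider a comment spelling it out.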


@@ -0,0 +1,29 @@
title: New or Renamed User Account with '$' in Attribute 'SamAccountName'.
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
description: Detects possible bypass EDR and SIEM via abnormal user account name.
detection:
SELECTION_1:
EventID: 4720
SELECTION_2:
EventID: 4781
SELECTION_3:
SamAccountName: '*$*'
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
falsepositives:
- Unknown
fields:
- EventID
- SamAccountName
- SubjectUserName
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
level: high
logsource:
product: windows
service: security
modified: 2021/07/07
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
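Review bot: SELECTION_3 (`SamAccountName`) only exists on 4720; the 4781 rename event carries OldTargetUserName/NewTargetUserName instead, so the `SELECTION_2 and SELECTION_3` branch never matches and renamed accounts are not actually covered. Add a separate selection on `NewTargetUserName: '*$*'` for 4781. Minor: the title ends with a period, unlike the other rules, and there is no `references` entry.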


@@ -0,0 +1,30 @@
title: Denied Access To Remote Desktop
author: Pushkarev Dmitry
date: 2020/06/27
description: This event is generated when an authenticated user who is not allowed
to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows
servers in the network.
detection:
SELECTION_1:
EventID: 4825
condition: SELECTION_1
falsepositives:
- Valid user was not added to RDP group
fields:
- EventCode
- AccountName
- ClientAddress
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
level: medium
logsource:
product: windows
service: security
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
status: experimental
tags:
- attack.lateral_movement
- attack.t1076
- attack.t1021.001
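Review bot: `fields` lists `EventCode`, a Splunk-style name, while the detection uses `EventID`; use one naming scheme so the `fields` hint resolves in the same backend as the detection (AccountName and ClientAddress are the native 4825 names and are fine). `attack.t1076` is deprecated in favour of `attack.t1021.001`, already present.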


@@ -0,0 +1,29 @@
title: NTFS Vulnerability Exploitation
author: Florian Roth
date: 2021/01/11
description: This the exploitation of a NTFS vulnerability as reported without many
details via Twitter
detection:
SELECTION_1:
EventID: 55
SELECTION_2:
Origin: File System Driver
SELECTION_3:
Description: '*contains a corrupted file record*'
SELECTION_4:
Description: '*The name of the file is "\"*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
level: critical
logsource:
product: windows
service: system
references:
- https://twitter.com/jonasLyk/status/1347900440000811010
- https://twitter.com/wdormann/status/1347958161609809921
tags:
- attack.impact
- attack.t1499.001
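Review bot: the description is missing its verb ("This the exploitation of a NTFS vulnerability"); "Detects the exploitation ..." matches the other rules. EventID 55 in the System log is not unique to NTFS, so a provider constraint (Provider_Name) next to `Origin: File System Driver` would be safer. The references are two tweets, so `status: experimental` should be set as on the other rules in this commit.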


@@ -0,0 +1,31 @@
title: Successful Overpass the Hash Attempt
author: Roberto Rodriguez (source), Dominik Schaudel (rule)
date: 2018/02/12
description: Detects successful logon with logon type 9 (NewCredentials) which matches
the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
LogonType: 9
SELECTION_3:
LogonProcessName: seclogo
SELECTION_4:
AuthenticationPackageName: Negotiate
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Runas command-line tool using /netonly parameter
id: 192a0330-c20b-4356-90b6-7b7049ae0b87
level: high
logsource:
product: windows
service: security
references:
- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1075
- attack.s0002
- attack.t1550.002
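Review bot: the listed FP (`runas /netonly`) produces exactly the same 4624 signature (LogonType 9, seclogo, Negotiate), so triage depends on context; a `fields` list with SubjectUserName, TargetUserName and ProcessName, all of which 4624 carries, would let analysts separate the two without opening the raw event. `attack.t1075` is deprecated in favour of `attack.t1550.002`, already present.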


@@ -0,0 +1,42 @@
title: Pass the Hash Activity
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
date: 2017/03/08
description: Detects the attack technique pass the hash which is used to move laterally
inside the network
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
EventID: 4625
SELECTION_3:
LogonType: '3'
SELECTION_4:
LogonProcessName: NtLmSsp
SELECTION_5:
WorkstationName: '%Workstations%'
SELECTION_6:
ComputerName: '%Workstations%'
SELECTION_7:
AccountName: ANONYMOUS LOGON
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6) and not (SELECTION_7))
falsepositives:
- Administrator activity
- Penetration tests
id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
level: medium
logsource:
definition: The successful use of PtH for lateral movement between workstations
would trigger event ID 4624, a failed logon attempt would trigger an event ID
4625
product: windows
service: security
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
status: experimental
tags:
- attack.lateral_movement
- attack.t1075
- car.2016-04-004
- attack.t1550.002
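Review bot: SELECTION_5 and SELECTION_6 use the placeholder `%Workstations%`, which has to be replaced with the environment's workstation naming pattern before the rule can match anything, yet neither the description nor `logsource.definition` says so; add that instruction. `LogonType: '3'` is a quoted string here while the Metasploit rule above uses the integer `LogonType: 3`; pick one, since typed backends may not compare them equally. `attack.t1075` is deprecated in favour of the listed `attack.t1550.002`.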


@@ -0,0 +1,44 @@
title: Pass the Hash Activity 2
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019/06/14
description: Detects the attack technique pass the hash which is used to move laterally
inside the network
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
SubjectUserSid: S-1-0-0
SELECTION_3:
LogonType: '3'
SELECTION_4:
LogonProcessName: NtLmSsp
SELECTION_5:
KeyLength: '0'
SELECTION_6:
LogonType: '9'
SELECTION_7:
LogonProcessName: seclogo
SELECTION_8:
AccountName: ANONYMOUS LOGON
condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7))) and not (SELECTION_8))
falsepositives:
- Administrator activity
- Penetration tests
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
level: medium
logsource:
definition: The successful use of PtH for lateral movement between workstations
would trigger event ID 4624
product: windows
service: security
references:
- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
status: stable
tags:
- attack.lateral_movement
- attack.t1075
- attack.t1550.002
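Review bot: the `SELECTION_6 and SELECTION_7` branch (LogonType 9 with seclogo) duplicates the standalone "Successful Overpass the Hash Attempt" rule (192a0330-c20b-4356-90b6-7b7049ae0b87) in this commit, so one event raises two alerts; either drop that branch or add a `related` entry so the overlap is explicit. `attack.t1075` is deprecated in favour of the listed `attack.t1550.002`.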


@@ -0,0 +1,32 @@
title: Possible PetitPotam Coerce Authentication Attempt
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
description: Detect PetitPotam coerced authentication activity.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\\*
SELECTION_3:
ShareName: '*\IPC$'
SELECTION_4:
RelativeTargetName: lsarpc
SELECTION_5:
SubjectUserName: ANONYMOUS LOGON
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown. Feedback welcomed.
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Detailed File Share"
must be configured for Success/Failure
product: windows
service: security
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
tags:
- attack.credential_access
- attack.t1187
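Review bot: SELECTION_2 (`\\\*`) and SELECTION_3 (`*\IPC$`) are two partial patterns on the same ShareName field; the named-pipe rule earlier in this commit expresses the same thing as a single `ShareName: \\*\IPC$`, which is easier to read and avoids the `\\\*` escape ambiguity. `SubjectUserName: ANONYMOUS LOGON` also covers only the unauthenticated variant; a sentence in the description that authenticated coercion is out of scope would set expectations. The definition wording ("Object Access > Detailed File Share") should match the "Audit Detailed File Share" used in the named-pipe rule.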


@@ -0,0 +1,42 @@
title: PetitPotam Suspicious Kerberos TGT Request
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
certificate by abusing Active Directory Certificate Services in combination with
PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
like Rubeus. This request will generate a 4768 event with some unusual fields depending
on the environment. This analytic will require tuning, we recommend filtering Account_Name
to the Domain Controller computer accounts.
detection:
SELECTION_1:
EventID: 4768
SELECTION_2:
TargetUserName: '*$'
SELECTION_3:
CertThumbprint: '*'
SELECTION_4:
IpAddress: ::1
SELECTION_5:
CertThumbprint: ''
condition: (((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
and not (SELECTION_5))
falsepositives:
- False positives are possible if the environment is using certificates for authentication.
We recommend filtering Account_Name to the Domain Controller computer accounts.
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
level: high
logsource:
definition: The advanced audit policy setting "Account Logon > Kerberos Authentication
Service" must be configured for Success/Failure
product: windows
service: security
modified: 2021/09/07
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
tags:
- attack.credential_access
- attack.t1187
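Review bot: SELECTION_3 (`CertThumbprint: '*'`) and `not SELECTION_5` (`CertThumbprint: ''`) both express "thumbprint present and non-empty", so one of them is redundant. The description tells the operator to filter `Account_Name`, a Splunk field name, while the rule uses `TargetUserName`; and "attacer" should be "attacker". The advice to exclude domain controller accounts would be more useful as a concrete `not` selection than as prose.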


@@ -0,0 +1,34 @@
title: Possible DC Shadow
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019/10/25
description: Detects DCShadow via create new SPN
detection:
SELECTION_1:
EventID: 4742
SELECTION_2:
ServicePrincipalNames: '*GC/*'
SELECTION_3:
EventID: 5136
SELECTION_4:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_5:
AttributeValue: GC/*
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
falsepositives:
- Exclude known DCs
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
level: high
logsource:
product: windows
service: security
modified: 2021/07/06
references:
- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
status: experimental
tags:
- attack.credential_access
- attack.t1207
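Review bot: the two branches need different audit settings that are not documented: 4742 requires Account Management > Audit Computer Account Management, and 5136 requires DS Access > Audit Directory Service Changes plus a SACL on the objects; add a `logsource.definition` as other rules here do. `falsepositives: Exclude known DCs` is a tuning step rather than a false-positive source; naming the benign case (promoting a new global catalog registers GC/ SPNs) would be more helpful.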


@@ -0,0 +1,27 @@
title: PowerShell Scripts Installed as Services
author: oscd.community, Natalia Shornikova
date: 2020/10/06
description: Detects powershell script installed as a Service
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath:
- '*powershell*'
- '*pwsh*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
level: high
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1569.002
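Review bot: `*powershell*` and `*pwsh*` are substring matches on the whole ImagePath, so any service binary located in a directory whose name contains those strings matches too; matching on the executable name (`*\powershell.exe*`, `*\pwsh.exe*`) keeps the same coverage with fewer accidental hits, and `falsepositives` could then name the legitimate case of management agents that wrap a PowerShell script in a service.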


@@ -0,0 +1,31 @@
title: Possible Zerologon (CVE-2020-1472) Exploitation
author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
date: 2020/10/15
description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
detection:
SELECTION_1:
EventID: 4742
SELECTION_2:
SubjectUserName: ANONYMOUS LOGON
SELECTION_3:
TargetUserName: '%DC-MACHINE-NAME%'
SELECTION_4:
PasswordLastSet: '-'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
falsepositives:
- automatic DC computer account password change
- legitimate DC computer account password change
id: dd7876d8-0f09-11eb-adc1-0242ac120002
level: high
logsource:
product: windows
service: security
modified: 2021/07/07
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
status: experimental
tags:
- attack.t1068
- attack.privilege_escalation
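Review bot: SELECTION_3 uses the placeholder `%DC-MACHINE-NAME%`, which must be filled in per environment before the rule can fire; neither the description nor the logsource says so. The author field has "ocsd.community" where every other rule spells it "oscd.community". The `not SELECTION_4` exclusion on `PasswordLastSet: '-'` is the key filter (an actual password change populates that field) and deserves a sentence in the description.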


@@ -0,0 +1,29 @@
title: Protected Storage Service Access
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects access to a protected_storage service over the network. Potential
abuse of DPAPI to extract domain backup keys from Domain Controllers
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: '*IPC*'
SELECTION_3:
RelativeTargetName: protected_storage
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 45545954-4016-43c6-855e-eae8f1c369dc
level: critical
logsource:
product: windows
service: security
modified: 2020/08/23
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1021
- attack.t1021.002
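Review bot: the tags (`attack.lateral_movement`, `attack.t1021`, `attack.t1021.002`) do not match the description, which is about DPAPI domain backup key extraction, a credential-access activity; add `attack.credential_access` alongside. `ShareName: '*IPC*'` is a loose substring where `\\*\IPC$` is used elsewhere in this commit; tightening it avoids matching other share names that happen to contain "IPC".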


@@ -0,0 +1,26 @@
title: QuarksPwDump Clearing Access History
author: Florian Roth
date: 2017/05/15
description: Detects QuarksPwDump clearing access history in hive
detection:
SELECTION_1:
EventID: 16
SELECTION_2:
HiveName: '*\AppData\Local\Temp\SAM*'
SELECTION_3:
HiveName: '*.dmp'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
level: critical
logsource:
product: windows
service: system
modified: 2019/11/13
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
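Review bot: EventID 16 in the System log is not specific to the Kernel-General "access history in hive was cleared" event, so a provider constraint should accompany it; the HiveName filters limit the damage, but `*.dmp` under `\AppData\Local\Temp\SAM*` is a narrow, easily changed path. The rule has no `references` entry to back the QuarksPwDump attribution, unlike the other tool-specific rules in this commit.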


@@ -0,0 +1,31 @@
title: Rare Schtasks Creations
author: Florian Roth
date: 2017/03/23
description: Detects rare scheduled tasks creations that only appear a few times per
time frame and could reveal password dumpers, backdoor installs or other types of
malicious code
detection:
SELECTION_1:
EventID: 4698
condition: SELECTION_1 | count() by TaskName < 5
falsepositives:
- Software installation
- Software updates
id: b0d77106-7bb0-41fe-bd94-d1752164d066
level: low
logsource:
definition: The Advanced Audit Policy setting Object Access > Audit Other Object
Access Events has to be configured to allow this detection (not in the baseline
recommendations by Microsoft). We also recommend extracting the Command field
from the embedded XML in the event data.
product: windows
service: security
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
- car.2013-08-001
- attack.t1053.005
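Review bot: the aggregation `| count() by TaskName < 5` has no accompanying `timeframe` key, so the "per time frame" in the description is not part of the rule and the count runs over whatever window the backend defaults to; add `timeframe:` beside `condition` or state the intended window. Aggregation conditions are also not supported by every backend, which the description should mention given `status: experimental`. `attack.t1053` next to `attack.t1053.005` is redundant.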

Some files were not shown because too many files have changed in this diff