From 0bce3800b7562663541e8318bc08e526d8187466 Mon Sep 17 00:00:00 2001 From: itiB Date: Sun, 19 Dec 2021 20:50:20 +0900 Subject: [PATCH] separate rules to submodule (#304) * rm: rules * Add: hayabusa-rules to submodule --- .gitmodules | 3 + rules | 1 + ...radeAttack_PowershellV2DowngradeAttack.yml | 29 --- ...earWindowsEventLogs_SecurityLogCleared.yml | 28 --- ...eralMovement_LogonFailure-UnknownError.yml | 28 --- ...ralMovement_LogonFailure-WrongPassword.yml | 25 -- ...ralMovement_LogonFailure-WrongUsername.yml | 25 -- ...ltiple_UnknownProcessUsedHighPrivilege.yml | 48 ---- ...nt-LocalAccount_ComputerAccountCreated.yml | 28 --- ...ccount-LocalAccount_UserAccountCreated.yml | 30 --- ...pulation_UserAddedToGlobalDomainAdmins.yml | 31 --- ...ulation_UserAddedToGlobalSecurityGroup.yml | 30 --- ...on_UserAddedToLocalAdministratorsGroup.yml | 29 --- ...tion_UserAddedToLocalDomainAdminsGroup.yml | 29 --- ...pulation_UserAddedToLocalSecurityGroup.yml | 32 --- ...OrForgeKerberosTickets_AS-REP-Roasting.yml | 29 --- ...alOrForgeKerberosTickets_Kerberoasting.yml | 29 --- ...ClearWindowsEventLogs_SystemLogCleared.yml | 27 -- ...Logging_EventLogServiceStartupDisabled.yml | 27 -- ...ndowsService_MaliciousServiceInstalled.yml | 32 --- .../59_BITS-Jobs_BitsJobCreation.yml | 30 --- ...PowerShell_PowershellExecutionPipeline.yml | 30 --- .../Logons/4624_LogonType-0-System.yml | 25 -- .../4624_LogonType-10-RemoteInteractive.yml | 25 -- .../4624_LogonType-11-CachedInteractive.yml | 25 -- ...4_LogonType-12-CachedRemoteInteractive.yml | 25 -- .../Logons/4624_LogonType-13-CachedUnlock.yml | 25 -- .../Logons/4624_LogonType-2-Interactive.yml | 25 -- .../Logons/4624_LogonType-3-Network.yml | 30 --- .../Logons/4624_LogonType-4-Batch.yml | 25 -- .../Logons/4624_LogonType-5-Service.yml | 30 --- .../Logons/4624_LogonType-7-Unlock.yml | 25 -- .../4624_LogonType-8-NetworkCleartext.yml | 25 -- .../4624_LogonType-9-NewInteractive.yml | 25 -- .../events/Security/Logons/4634_Logoff.yml | 27 -- .../Logons/4647_LogoffUserInitiated.yml | 24 -- .../Security/Logons/4672_AdminLogon.yml | 30 --- .../Logons/4768_KerberosTGT-Request.yml | 24 -- .../4769_KerberosServiceTicketRequest.yml | 24 -- .../Logons/4776_NTLM-LogonToLocalAccount.yml | 24 -- .../8001_WirelessAP-Connect.yml | 24 -- .../win_aadhealth_mon_agent_regkey_access.yml | 40 --- .../win_aadhealth_svc_agent_regkey_access.yml | 42 ---- .../win_account_backdoor_dcsync_rights.yml | 35 --- rules/sigma/builtin/win_account_discovery.yml | 44 ---- .../builtin/win_ad_object_writedac_access.yml | 32 --- ...win_ad_replication_non_machine_account.yml | 42 ---- .../sigma/builtin/win_ad_user_enumeration.yml | 35 --- ...e_template_configuration_vulnerability.yml | 35 --- ...mplate_configuration_vulnerability_eku.yml | 49 ---- rules/sigma/builtin/win_admin_rdp_login.yml | 37 --- .../sigma/builtin/win_admin_share_access.yml | 29 --- ...in_alert_active_directory_user_control.yml | 32 --- .../builtin/win_alert_ad_user_backdoors.yml | 53 ---- .../win_alert_enable_weak_encryption.yml | 91 ------- .../sigma/builtin/win_alert_lsass_access.yml | 31 --- .../builtin/win_alert_mimikatz_keywords.yml | 46 ---- rules/sigma/builtin/win_alert_ruler.yml | 41 --- ..._applocker_file_was_not_allowed_to_run.yml | 48 ---- .../builtin/win_apt_carbonpaper_turla.yml | 31 --- .../builtin/win_apt_chafer_mar18_security.yml | 42 ---- .../builtin/win_apt_chafer_mar18_system.yml | 39 --- rules/sigma/builtin/win_apt_gallium.yml | 39 --- rules/sigma/builtin/win_apt_slingshot.yml | 32 --- rules/sigma/builtin/win_apt_stonedrill.yml | 30 --- .../builtin/win_apt_turla_service_png.yml | 28 --- rules/sigma/builtin/win_apt_wocao.yml | 38 --- ...ary_shell_execution_via_settingcontent.yml | 35 --- .../builtin/win_asr_bypass_via_appvlp_re.yml | 30 --- rules/sigma/builtin/win_atsvc_task.yml | 36 --- rules/sigma/builtin/win_audit_cve.yml | 39 --- rules/sigma/builtin/win_av_relevant_match.yml | 44 ---- .../builtin/win_camera_microphone_access.yml | 32 --- .../win_cobaltstrike_service_installs.yml | 49 ---- .../win_dce_rpc_smb_spoolss_named_pipe.yml | 31 --- .../builtin/win_dcom_iertutil_dll_hijack.yml | 30 --- rules/sigma/builtin/win_dcsync.yml | 41 --- .../builtin/win_disable_event_logging.yml | 40 --- .../win_dpapi_domain_backupkey_extraction.yml | 31 --- ..._dpapi_domain_masterkey_backup_attempt.yml | 29 --- rules/sigma/builtin/win_etw_modification.yml | 37 --- rules/sigma/builtin/win_event_log_cleared.yml | 31 --- .../builtin/win_exchange_transportagent.yml | 28 --- ...win_exploit_cve_2021_1675_printspooler.yml | 46 ---- ...cve_2021_1675_printspooler_operational.yml | 32 --- ...it_cve_2021_1675_printspooler_security.yml | 35 --- rules/sigma/builtin/win_external_device.yml | 29 --- .../win_global_catalog_enumeration.yml | 34 --- .../sigma/builtin/win_gpo_scheduledtasks.yml | 38 --- rules/sigma/builtin/win_hack_smbexec.yml | 36 --- .../builtin/win_hidden_user_creation.yml | 28 --- ...n_hybridconnectionmgr_svc_installation.yml | 28 --- .../win_hybridconnectionmgr_svc_running.yml | 32 --- rules/sigma/builtin/win_impacket_psexec.yml | 32 --- .../sigma/builtin/win_impacket_secretdump.yml | 35 --- .../win_invoke_obfuscation_clip_services.yml | 28 --- ...oke_obfuscation_clip_services_security.yml | 31 --- ...ke_obfuscation_obfuscated_iex_services.yml | 38 --- ...ation_obfuscated_iex_services_security.yml | 43 ---- .../win_invoke_obfuscation_stdin_services.yml | 28 --- ...ke_obfuscation_stdin_services_security.yml | 31 --- .../win_invoke_obfuscation_var_services.yml | 28 --- ...voke_obfuscation_var_services_security.yml | 31 --- ...voke_obfuscation_via_compress_services.yml | 28 --- ...scation_via_compress_services_security.yml | 31 --- ...invoke_obfuscation_via_rundll_services.yml | 28 --- ...fuscation_via_rundll_services_security.yml | 31 --- ..._invoke_obfuscation_via_stdin_services.yml | 28 --- ...bfuscation_via_stdin_services_security.yml | 31 --- ...voke_obfuscation_via_use_clip_services.yml | 28 --- ...scation_via_use_clip_services_security.yml | 31 --- ...oke_obfuscation_via_use_mshta_services.yml | 28 --- ...cation_via_use_mshta_services_security.yml | 31 --- ..._obfuscation_via_use_rundll32_services.yml | 28 --- ...ion_via_use_rundll32_services_security.yml | 31 --- ...in_invoke_obfuscation_via_var_services.yml | 28 --- ..._obfuscation_via_var_services_security.yml | 31 --- rules/sigma/builtin/win_iso_mount.yml | 37 --- rules/sigma/builtin/win_lm_namedpipe.yml | 54 ---- .../win_lolbas_execution_of_nltest.yml | 35 --- .../win_lsass_access_non_system_account.yml | 70 ------ rules/sigma/builtin/win_mal_creddumper.yml | 43 ---- rules/sigma/builtin/win_mal_wceaux_dll.yml | 34 --- .../builtin/win_metasploit_authentication.yml | 40 --- ...tstrike_getsystem_service_installation.yml | 66 ----- .../builtin/win_mmc20_lateral_movement.yml | 34 --- rules/sigma/builtin/win_moriya_rootkit.yml | 28 --- .../sigma/builtin/win_net_ntlm_downgrade.yml | 41 --- .../sigma/builtin/win_net_use_admin_share.yml | 33 --- ..._renamed_user_account_with_dollar_sign.yml | 30 --- .../builtin/win_not_allowed_rdp_access.yml | 31 --- rules/sigma/builtin/win_ntfs_vuln_exploit.yml | 34 --- rules/sigma/builtin/win_overpass_the_hash.yml | 32 --- rules/sigma/builtin/win_pass_the_hash.yml | 43 ---- rules/sigma/builtin/win_pass_the_hash_2.yml | 45 ---- .../builtin/win_petitpotam_network_share.yml | 34 --- .../win_petitpotam_susp_tgt_request.yml | 44 ---- .../sigma/builtin/win_possible_dc_shadow.yml | 35 --- ...powershell_script_installed_as_service.yml | 28 --- .../builtin/win_privesc_cve_2020_1472.yml | 32 --- .../win_protected_storage_service_access.yml | 30 --- ...rkspwdump_clearing_hive_access_history.yml | 27 -- .../builtin/win_rare_schtasks_creations.yml | 32 --- .../builtin/win_rare_service_installs.yml | 27 -- .../builtin/win_rdp_bluekeep_poc_scanner.yml | 29 --- .../sigma/builtin/win_rdp_localhost_login.yml | 32 --- .../win_rdp_potential_cve_2019_0708.yml | 30 --- .../sigma/builtin/win_rdp_reverse_tunnel.yml | 45 ---- ...n_register_new_logon_process_by_rubeus.yml | 28 --- .../builtin/win_remote_powershell_session.yml | 32 --- ..._registry_management_using_reg_utility.yml | 33 --- .../win_root_certificate_installed.yml | 32 --- .../win_sam_registry_hive_handle_request.yml | 36 --- .../builtin/win_scheduled_task_deletion.yml | 32 --- .../win_scm_database_handle_failure.yml | 30 --- .../win_scm_database_privileged_operation.yml | 32 --- ...scrcons_remote_wmi_scripteventconsumer.yml | 32 --- ...security_cobaltstrike_service_installs.yml | 52 ---- .../builtin/win_security_mal_creddumper.yml | 46 ---- .../win_security_mal_service_installs.yml | 38 --- ...or_impacket_smb_psexec_service_install.yml | 49 ---- ...cobaltstrike_getsystem_service_install.yml | 69 ------ ...powershell_script_installed_as_service.yml | 31 --- .../win_security_tap_driver_installation.yml | 28 --- ...in_set_oabvirtualdirectory_externalurl.yml | 31 --- .../win_smb_file_creation_admin_shares.yml | 31 --- .../win_software_atera_rmm_agent_install.yml | 28 --- .../builtin/win_susp_add_domain_trust.yml | 21 -- .../builtin/win_susp_add_sid_history.yml | 36 --- .../sigma/builtin/win_susp_backup_delete.yml | 28 --- .../win_susp_codeintegrity_check_failure.yml | 25 -- rules/sigma/builtin/win_susp_dhcp_config.yml | 30 --- .../builtin/win_susp_dhcp_config_failed.yml | 34 --- rules/sigma/builtin/win_susp_dns_config.yml | 29 --- .../builtin/win_susp_dsrm_password_change.yml | 25 -- .../builtin/win_susp_eventlog_cleared.yml | 37 --- .../builtin/win_susp_failed_guest_logon.yml | 36 --- .../builtin/win_susp_failed_logon_reasons.yml | 41 --- .../builtin/win_susp_failed_logon_source.yml | 57 ----- ...usp_failed_logons_explicit_credentials.yml | 29 --- .../win_susp_failed_logons_single_process.yml | 35 --- .../win_susp_failed_logons_single_source.yml | 34 --- .../win_susp_failed_logons_single_source2.yml | 35 --- ...p_failed_logons_single_source_kerberos.yml | 35 --- ..._failed_logons_single_source_kerberos2.yml | 35 --- ..._failed_logons_single_source_kerberos3.yml | 35 --- ..._susp_failed_logons_single_source_ntlm.yml | 34 --- ...susp_failed_logons_single_source_ntlm2.yml | 34 --- ...usp_failed_remote_logons_single_source.yml | 34 --- .../builtin/win_susp_interactive_logons.yml | 38 --- .../win_susp_kerberos_manipulation.yml | 60 ----- .../builtin/win_susp_ldap_dataexchange.yml | 36 --- .../win_susp_local_anon_logon_created.yml | 32 --- .../win_susp_logon_explicit_credentials.yml | 36 --- rules/sigma/builtin/win_susp_lsass_dump.yml | 32 --- .../builtin/win_susp_lsass_dump_generic.yml | 85 ------- .../builtin/win_susp_mshta_execution.yml | 41 --- .../sigma/builtin/win_susp_msmpeng_crash.yml | 39 --- ...susp_multiple_files_renamed_or_deleted.yml | 35 --- .../builtin/win_susp_net_recon_activity.yml | 46 ---- rules/sigma/builtin/win_susp_ntlm_auth.yml | 30 --- rules/sigma/builtin/win_susp_ntlm_rdp.yml | 34 --- rules/sigma/builtin/win_susp_proceshacker.yml | 30 --- rules/sigma/builtin/win_susp_psexec.yml | 42 ---- .../win_susp_raccess_sensitive_fext.yml | 43 ---- rules/sigma/builtin/win_susp_rc4_kerberos.yml | 33 --- rules/sigma/builtin/win_susp_rottenpotato.yml | 35 --- rules/sigma/builtin/win_susp_sam_dump.yml | 28 --- rules/sigma/builtin/win_susp_sdelete.yml | 41 --- .../builtin/win_susp_time_modification.yml | 41 --- rules/sigma/builtin/win_susp_wmi_login.yml | 24 -- ...uspicious_outbound_kerberos_connection.yml | 34 --- .../builtin/win_svcctl_remote_service.yml | 34 --- .../builtin/win_syskey_registry_access.yml | 35 --- .../win_sysmon_channel_reference_deletion.yml | 40 --- .../win_system_susp_eventlog_cleared.yml | 37 --- .../builtin/win_tap_driver_installation.yml | 25 -- ...ith_credential_data_via_network_shares.yml | 37 --- .../sigma/builtin/win_usb_device_plugged.yml | 28 --- ...win_user_added_to_local_administrators.yml | 30 --- ...ileged_service_lsaregisterlogonprocess.yml | 32 --- rules/sigma/builtin/win_user_creation.yml | 31 --- .../sigma/builtin/win_user_driver_loaded.yml | 52 ---- .../builtin/win_volume_shadow_copy_mount.yml | 28 --- ..._vssaudit_secevent_source_registration.yml | 28 --- rules/sigma/builtin/win_vul_cve_2020_0688.yml | 32 --- rules/sigma/builtin/win_vul_cve_2020_1472.yml | 27 -- .../win_wmiprvse_wbemcomn_dll_hijack.yml | 30 --- .../sysmon_cactustorch.yml | 42 ---- .../sysmon_cobaltstrike_process_injection.yml | 32 --- .../sysmon_createremotethread_loadlibrary.yml | 30 --- .../sysmon_password_dumper_lsass.yml | 33 --- .../sysmon_powershell_code_injection.yml | 27 -- .../sysmon_susp_powershell_rundll32.yml | 32 --- .../sysmon_suspicious_remote_thread.yml | 89 ------- .../sysmon_ads_executable.yml | 35 --- .../sysmon_regedit_export_to_ads.yml | 29 --- .../dns_query/dns_net_mal_cobaltstrike.yml | 35 --- rules/sigma/dns_query/dns_net_susp_ipify.yml | 52 ---- ...s_query_hybridconnectionmgr_servicebus.yml | 29 --- rules/sigma/dns_query/dns_query_mega_nz.yml | 25 -- .../dns_query_possible_dns_rebinding.yml | 76 ------ .../dns_query_regsvr32_network_activity.yml | 41 --- .../driver_load_mal_creddumper.yml | 46 ---- ...tstrike_getsystem_service_installation.yml | 69 ------ ...powershell_script_installed_as_service.yml | 31 --- .../driver_load/driver_load_susp_temp_use.yml | 26 -- .../driver_load_vuln_dell_driver.yml | 35 --- .../driver_load/driver_load_windivert.yml | 31 --- ...mmand_execution_by_office_applications.yml | 37 --- .../file_delete/sysmon_delete_prefetch.yml | 32 --- ...mon_sysinternals_sdelete_file_deletion.yml | 31 --- .../win_cve_2021_1675_printspooler_del.yml | 34 --- .../file_event_advanced_ip_scanner.yml | 34 --- .../file_event_apt_unidentified_nov_18.yml | 30 --- ...cve_2021_31979_cve_2021_33771_exploits.yml | 41 --- .../file_event/file_event_hack_dumpert.yml | 32 --- .../file_event_hktl_createminidump.yml | 31 --- .../file_event/file_event_lsass_dump.yml | 38 --- .../file_event/file_event_mal_adwind.yml | 36 --- .../file_event_mal_vhd_download.yml | 41 --- ...ile_event_mimikatz_kirbi_file_creation.yml | 26 -- .../file_event/file_event_moriya_rootkit.yml | 31 --- .../file_event_pingback_backdoor.yml | 30 --- ...ript_creation_by_office_using_file_ext.yml | 47 ---- .../file_event/file_event_susp_task_write.yml | 31 --- .../file_event/file_event_tool_psexec.yml | 41 --- .../file_event_uac_bypass_winsat.yml | 31 --- .../file_event/file_event_uac_bypass_wmp.yml | 33 --- ...e_event_win_shell_write_susp_directory.yml | 50 ---- .../file_event_winrm_awl_bypass.yml | 36 --- ...ile_event_wmiprvse_wbemcomn_dll_hijack.yml | 31 --- .../sysmon_creation_system_file.yml | 68 ----- .../sysmon_cred_dump_tools_dropped_files.yml | 58 ----- .../sysmon_cve_2021_26858_msexchange.yml | 39 --- .../sysmon_detect_powerup_dllhijacking.yml | 33 --- .../sysmon_ghostpack_safetykatz.yml | 27 -- ...sysmon_lsass_memory_dump_file_creation.yml | 35 --- .../file_event/sysmon_office_persistence.yml | 41 --- .../file_event/sysmon_outlook_newform.yml | 30 --- .../file_event/sysmon_pcre_net_temp_file.yml | 27 -- .../sysmon_powershell_exploit_scripts.yml | 121 --------- .../sysmon_powershell_startup_shortcuts.yml | 38 --- .../file_event/sysmon_quarkspw_filedump.yml | 29 --- .../sysmon_redmimicry_winnti_filedrop.yml | 28 --- .../sysmon_startup_folder_file_write.yml | 27 -- .../sysmon_susp_adsi_cache_usage.yml | 40 --- .../sigma/file_event/sysmon_susp_clr_logs.yml | 45 ---- .../file_event/sysmon_susp_desktop_ini.yml | 34 --- .../sysmon_susp_pfx_file_creation.yml | 27 -- ...cexplorer_driver_created_in_tmp_folder.yml | 39 --- ...n_suspicious_powershell_profile_create.yml | 31 --- .../sysmon_tsclient_filewrite_startup.yml | 26 -- .../sysmon_uac_bypass_consent_comctl32.yml | 29 --- .../sysmon_uac_bypass_dotnet_profiler.yml | 29 --- .../file_event/sysmon_uac_bypass_ieinstal.yml | 32 --- .../sysmon_uac_bypass_msconfig_gui.yml | 28 --- .../sysmon_uac_bypass_ntfs_reparse_point.yml | 29 --- .../sysmon_webshell_creation_detect.yml | 60 ----- ...ersistence_script_event_consumer_write.yml | 27 -- .../win_cve_2021_1675_printspooler.yml | 37 --- .../win_file_winword_cve_2021_40444.yml | 39 --- .../win_hivenightmare_file_exports.yml | 40 --- .../win_outlook_c2_macro_creation.yml | 30 --- .../sigma/file_event/win_rclone_exec_file.yml | 28 --- .../win_susp_desktopimgdownldr_file.yml | 41 --- .../image_load_pingback_backdoor.yml | 30 --- .../image_load_silenttrinity_stage_use.yml | 29 --- ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 31 --- .../process_creation_tttracer_mod_load.yml | 34 --- .../sysmon_abusing_azure_browser_sso.yml | 38 --- ..._alternate_powershell_hosts_moduleload.yml | 31 --- .../image_load/sysmon_foggyweb_nobelium.yml | 25 -- .../sysmon_in_memory_powershell.yml | 52 ---- .../sigma/image_load/sysmon_pcre_net_load.yml | 27 -- ...cons_imageload_wmi_scripteventconsumer.yml | 36 --- .../image_load/sysmon_spoolsv_dll_load.yml | 34 --- .../sigma/image_load/sysmon_susp_fax_dll.yml | 38 --- .../image_load/sysmon_susp_image_load.yml | 33 --- ...n_susp_office_dotnet_assembly_dll_load.yml | 34 --- ...sysmon_susp_office_dotnet_clr_dll_load.yml | 34 --- ...sysmon_susp_office_dotnet_gac_dll_load.yml | 34 --- .../sysmon_susp_office_dsparse_dll_load.yml | 34 --- .../sysmon_susp_office_kerberos_dll_load.yml | 34 --- .../sysmon_susp_python_image_load.yml | 30 --- ...sysmon_susp_script_dotnet_clr_dll_load.yml | 36 --- .../sysmon_susp_system_drawing_load.yml | 32 --- .../sysmon_susp_winword_vbadll_load.yml | 36 --- .../sysmon_susp_winword_wmidll_load.yml | 38 --- ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 73 ------ ...sysmon_svchost_dll_search_order_hijack.yml | 43 ---- .../image_load/sysmon_tttracer_mod_load.yml | 34 --- .../image_load/sysmon_uac_bypass_via_dism.yml | 33 --- .../sysmon_uipromptforcreds_dlls.yml | 40 --- ...ysmon_unsigned_image_loaded_into_lsass.yml | 29 --- .../image_load/sysmon_wmi_module_load.yml | 64 ----- ...persistence_commandline_event_consumer.yml | 29 --- .../sysmon_wmic_remote_xsl_scripting_dlls.yml | 33 --- .../sysmon_wsman_provider_image_load.yml | 49 ---- .../image_load/win_susp_svchost_clfsw32.yml | 29 --- .../image_load/win_suspicious_vss_ps_load.yml | 43 ---- rules/sigma/malware/av_exploiting.yml | 42 ---- rules/sigma/malware/av_hacktool.yml | 33 --- rules/sigma/malware/av_password_dumper.yml | 42 ---- .../av_printernightmare_cve_2021_34527.yml | 30 --- rules/sigma/malware/av_relevant_files.yml | 82 ------ rules/sigma/malware/av_webshell.yml | 80 ------ .../file_event_mal_octopus_scanner.yml | 27 -- .../process_creation_mal_blue_mockingbird.yml | 39 --- ...ocess_creation_mal_darkside_ransomware.yml | 36 --- ...ess_creation_mal_lockergoga_ransomware.yml | 27 -- .../malware/process_creation_mal_ryuk.yml | 34 --- .../malware/registry_event_mal_azorult.yml | 40 --- .../registry_event_mal_blue_mockingbird.yml | 34 --- .../malware/registry_event_mal_flowcloud.yml | 36 --- .../malware/registry_event_mal_netwire.yml | 38 --- .../malware/registry_event_mal_ursnif.yml | 38 --- .../silenttrinity_stager_msbuild_activity.yml | 31 --- .../sysmon_dllhost_net_connections.yml | 53 ---- ...smon_excel_outbound_network_connection.yml | 61 ----- .../sysmon_malware_backconnect_ports.yml | 111 --------- .../sysmon_notepad_network_connection.yml | 31 --- .../sysmon_powershell_network_connection.yml | 63 ----- .../sysmon_rdp_reverse_tunnel.yml | 42 ---- .../sysmon_regsvr32_network_activity.yml | 38 --- ...smon_remote_powershell_session_network.yml | 35 --- .../sysmon_rundll32_net_connections.yml | 52 ---- ..._susp_prog_location_network_connection.yml | 43 ---- .../network_connection/sysmon_susp_rdp.yml | 54 ---- ...uspicious_outbound_kerberos_connection.yml | 39 --- .../sysmon_win_binary_github_com.yml | 38 --- .../sysmon_win_binary_susp_com.yml | 33 --- .../sysmon_wuauclt_network_connection.yml | 28 --- .../win_net_crypto_mining.yml | 47 ---- .../sigma/other/win_defender_amsi_trigger.yml | 26 -- rules/sigma/other/win_defender_bypass.yml | 35 --- rules/sigma/other/win_defender_disabled.yml | 32 --- rules/sigma/other/win_defender_exclusions.yml | 27 -- .../other/win_defender_history_delete.yml | 31 --- .../other/win_defender_psexec_wmi_asr.yml | 35 --- ...win_defender_tamper_protection_trigger.yml | 29 --- rules/sigma/other/win_defender_threat.yml | 29 --- .../other/win_exchange_cve_2021_42321.yml | 21 -- .../win_exchange_proxylogon_oabvirtualdir.yml | 31 --- ...ange_proxyshell_certificate_generation.yml | 35 --- ...win_exchange_proxyshell_mailbox_export.yml | 39 --- ...hange_proxyshell_remove_mailbox_export.yml | 28 --- .../win_exchange_transportagent_failed.yml | 28 --- .../other/win_lateral_movement_condrv.yml | 36 --- rules/sigma/other/win_ldap_recon.yml | 82 ------ rules/sigma/other/win_pcap_drivers.yml | 43 ---- ...gon_exploitation_using_wellknown_tools.yml | 30 --- .../sigma/other/win_rare_schtask_creation.yml | 25 -- .../other/win_security_wmi_persistence.yml | 35 --- .../other/win_system_defender_disabled.yml | 33 --- rules/sigma/other/win_tool_psexec.yml | 42 ---- rules/sigma/other/win_wmi_persistence.yml | 36 --- .../pipe_created/pipe_created_tool_psexec.yml | 49 ---- ...sysmon_alternate_powershell_hosts_pipe.yml | 39 --- .../sysmon_apt_turla_namedpipes.yml | 40 --- .../sysmon_cred_dump_tools_named_pipes.yml | 42 ---- .../sysmon_efspotato_namedpipe.yml | 37 --- .../pipe_created/sysmon_mal_cobaltstrike.yml | 49 ---- .../sysmon_mal_cobaltstrike_re.yml | 79 ------ .../pipe_created/sysmon_mal_namedpipes.yml | 71 ------ .../sysmon_powershell_execution_pipe.yml | 27 -- .../sysmon_psexec_pipes_artifacts.yml | 37 --- .../sysmon_susp_adfs_namedpipe_connection.yml | 42 ---- ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 77 ------ .../sysmon_susp_wmi_consumer_namedpipe.yml | 33 --- ...ell_classic_alternate_powershell_hosts.yml | 34 --- .../powershell_classic_powercat.yml | 33 --- ...hell_classic_remote_powershell_session.yml | 34 --- ...susp_athremotefxvgpudisablementcommand.yml | 41 --- .../powershell_classic_susp_zip_compress.yml | 35 --- ...powershell_classic_suspicious_download.yml | 31 --- ...powershell_delete_volume_shadow_copies.yml | 36 --- .../powershell_downgrade_attack.yml | 31 --- .../powershell_exe_calling_ps.yml | 34 --- .../powershell_renamed_powershell.yml | 30 --- ...owershell_tamper_with_windows_defender.yml | 32 --- ...shell_wsman_com_provider_no_powershell.yml | 32 --- .../powershell_xor_commandline.yml | 30 --- .../powershell_alternate_powershell_hosts.yml | 31 --- .../powershell_bad_opsec_artifacts.yml | 41 --- .../powershell_clear_powershell_history.yml | 40 --- .../powershell_decompress_commands.yml | 30 --- .../powershell_get_clipboard.yml | 30 --- .../powershell_invoke_obfuscation_clip.yml | 30 --- ...hell_invoke_obfuscation_obfuscated_iex.yml | 43 ---- .../powershell_invoke_obfuscation_stdin.yml | 30 --- .../powershell_invoke_obfuscation_var.yml | 30 --- ...rshell_invoke_obfuscation_via_compress.yml | 30 --- ...wershell_invoke_obfuscation_via_rundll.yml | 30 --- ...owershell_invoke_obfuscation_via_stdin.yml | 30 --- ...rshell_invoke_obfuscation_via_use_clip.yml | 30 --- ...shell_invoke_obfuscation_via_use_mhsta.yml | 30 --- ...ll_invoke_obfuscation_via_use_rundll32.yml | 30 --- .../powershell_invoke_obfuscation_via_var.yml | 30 --- .../powershell_module/powershell_powercat.yml | 30 --- .../powershell_remote_powershell_session.yml | 31 --- ...susp_athremotefxvgpudisablementcommand.yml | 38 --- .../powershell_susp_zip_compress.yml | 35 --- ...ell_suspicious_download_in_contextinfo.yml | 30 --- ...ious_invocation_generic_in_contextinfo.yml | 38 --- ...ous_invocation_specific_in_contextinfo.yml | 95 ------- ...ppvpublishingserver_exe_in_contextinfo.yml | 30 --- .../powershell_accessing_win_api.yml | 73 ------ .../powershell_adrecon_execution.yml | 30 --- .../powershell_automated_collection.yml | 41 --- .../powershell_azurehound_commands.yml | 32 --- .../powershell_cl_invocation_lolscript.yml | 28 --- ...wershell_cl_invocation_lolscript_count.yml | 28 --- ...powershell_cl_mutexverifiers_lolscript.yml | 29 --- ...hell_cl_mutexverifiers_lolscript_count.yml | 29 --- .../powershell_create_local_user.yml | 29 --- .../powershell_data_compressed.yml | 32 --- .../powershell_detect_vm_env.yml | 33 --- .../powershell_dnscat_execution.yml | 26 -- .../powershell_icmp_exfiltration.yml | 31 --- .../powershell_invoke_nightmare.yml | 25 -- ...ke_obfuscation_clip_in_scriptblocktext.yml | 27 -- ...tion_obfuscated_iex_in_scriptblocktext.yml | 40 --- ...e_obfuscation_stdin_in_scriptblocktext.yml | 27 -- ...oke_obfuscation_var_in_scriptblocktext.yml | 27 -- ...cation_via_compress_in_scriptblocktext.yml | 27 -- ...uscation_via_rundll_in_scriptblocktext.yml | 27 -- ...fuscation_via_stdin_in_scriptblocktext.yml | 27 -- ...cation_via_use_clip_in_scriptblocktext.yml | 27 -- ...ation_via_use_mhsta_in_scriptblocktext.yml | 27 -- ...on_via_use_rundll32_in_scriptblocktext.yml | 27 -- ...obfuscation_via_var_in_scriptblocktext.yml | 27 -- .../powershell_keylogging.yml | 31 --- .../powershell_malicious_commandlets.yml | 124 ---------- .../powershell_malicious_keywords.yml | 47 ---- ...ll_memorydump_getstoragediagnosticinfo.yml | 27 -- ...wershell_nishang_malicious_commandlets.yml | 97 -------- .../powershell_ntfs_ads_access.yml | 36 --- ...rshell_powerview_malicious_commandlets.yml | 150 ----------- .../powershell_prompt_credentials.yml | 28 --- .../powershell_script/powershell_psattack.yml | 26 -- ...ershell_set_policies_to_unsecure_level.yml | 30 --- .../powershell_shellcode_b64.yml | 33 --- ...shell_shellintel_malicious_commandlets.yml | 29 --- .../powershell_software_discovery.yml | 34 --- ...ll_store_file_in_alternate_data_stream.yml | 31 --- ...l_susp_zip_compress_in_scriptblocktext.yml | 32 --- ...suspicious_download_in_scriptblocktext.yml | 30 --- ...shell_suspicious_export_pfxcertificate.yml | 29 --- ...powershell_suspicious_getprocess_lsass.yml | 27 -- ..._invocation_generic_in_scriptblocktext.yml | 38 --- ..._invocation_specific_in_scripblocktext.yml | 95 ------- .../powershell_suspicious_keywords.yml | 40 --- .../powershell_suspicious_mail_acces.yml | 31 --- ...hell_suspicious_mounted_share_deletion.yml | 29 --- .../powershell_suspicious_recon.yml | 31 --- .../powershell_suspicious_win32_pnpentity.yml | 26 -- .../powershell_suspicious_windowstyle.yml | 29 --- ...ublishingserver_exe_in_scriptblocktext.yml | 30 --- .../powershell_timestomp.yml | 35 --- .../powershell_trigger_profiles.yml | 34 --- .../powershell_web_request.yml | 37 --- ...hell_windows_firewall_profile_disabled.yml | 34 --- .../powershell_winlogon_helper_dll.yml | 36 --- .../powershell_wmi_persistence.yml | 36 --- .../powershell_wmimplant.yml | 45 ---- .../sysmon_cmstp_execution_by_access.yml | 38 --- ...mon_cobaltstrike_bof_injection_pattern.yml | 33 --- .../sysmon_cred_dump_lsass_access.yml | 79 ------ .../sysmon_direct_syscall_ntopenprocess.yml | 26 -- .../sysmon_in_memory_assembly_execution.yml | 80 ------ .../process_access/sysmon_invoke_phantom.yml | 33 --- .../sysmon_lazagne_cred_dump_lsass_access.yml | 37 --- ...sysmon_littlecorporal_generated_maldoc.yml | 30 --- ...ndocumented_autoelevated_com_interface.yml | 33 --- .../sysmon_lsass_dump_comsvcs_dll.yml | 32 --- .../process_access/sysmon_lsass_memdump.yml | 35 --- .../sysmon_malware_verclsid_shellcode.yml | 41 --- .../sysmon_mimikatz_trough_winrm.yml | 37 --- ...sysmon_pypykatz_cred_dump_lsass_access.yml | 38 --- .../sysmon_svchost_cred_dump.yml | 29 --- .../sysmon_uac_bypass_wow64_logger.yml | 31 --- .../win_susp_shell_spawn_from_winrm.yml | 36 --- ...sing_windows_telemetry_for_persistence.yml | 38 --- .../process_creation_advanced_ip_scanner.yml | 31 --- ...rocess_creation_alternate_data_streams.yml | 52 ---- .../process_creation_apt_gallium.yml | 38 --- .../process_creation_apt_gallium_sha1.yml | 49 ---- .../process_creation_apt_pandemic.yml | 37 --- .../process_creation_apt_slingshot.yml | 36 --- ...s_creation_apt_turla_commands_critical.yml | 36 --- .../process_creation_apt_wocao.yml | 49 ---- .../process_creation_automated_collection.yml | 46 ---- .../process_creation_c3_load_by_rundll32.yml | 29 --- .../process_creation_certoc_execution.yml | 33 --- .../process_creation_clip.yml | 27 -- ...creation_cobaltstrike_load_by_rundll32.yml | 32 --- .../process_creation_conti_cmd_ransomware.yml | 38 --- .../process_creation_coti_sqlcmd.yml | 36 --- ...process_creation_discover_private_keys.yml | 45 ---- ...cess_creation_dns_serverlevelplugindll.yml | 44 ---- .../process_creation_dotnet.yml | 38 --- .../process_creation_hack_dumpert.yml | 29 --- .../process_creation_infdefaultinstall.yml | 34 --- ...data_exfiltration_by_using_datasvcutil.yml | 43 ---- ...reation_lolbins_by_office_applications.yml | 40 --- ...suspicious_driver_installed_by_pnputil.yml | 46 ---- ...n_lolbins_with_wmiprvse_parent_process.yml | 37 --- .../process_creation_msdeploy.yml | 40 --- ..._applications_spawning_wmi_commandline.yml | 43 ---- ..._from_proxy_executing_regsvr32_payload.yml | 59 ----- ...from_proxy_executing_regsvr32_payload2.yml | 55 ---- ...eation_office_spawning_wmi_commandline.yml | 38 --- .../process_creation_pingback_backdoor.yml | 37 --- ...eation_protocolhandler_suspicious_file.yml | 35 --- ...ss_creation_root_certificate_installed.yml | 40 --- .../process_creation_sdelete.yml | 36 --- .../process_creation_software_discovery.yml | 41 --- ...ocess_creation_stickykey_like_backdoor.yml | 45 ---- .../process_creation_stordiag_execution.yml | 36 --- .../process_creation_susp_7z.yml | 38 --- ...susp_athremotefxvgpudisablementcommand.yml | 42 ---- .../process_creation_susp_del.yml | 36 --- .../process_creation_susp_recon.yml | 32 --- .../process_creation_susp_web_request_cmd.yml | 35 --- .../process_creation_susp_winzip.yml | 35 --- .../process_creation_susp_zip_compress.yml | 36 --- ...ingserver_execute_arbitrary_powershell.yml | 37 --- ...ublishingserver_vbs_execute_powershell.yml | 35 --- ...ss_creation_sysinternals_eula_accepted.yml | 31 --- ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 38 --- .../process_creation_tool_psexec.yml | 43 ---- ...s_creation_win_exchange_transportagent.yml | 29 --- .../process_mailboxexport_share.yml | 37 --- .../process_susp_esentutl_params.yml | 37 --- .../sysmon_abusing_debug_privilege.yml | 51 ---- ..._accesschk_usage_after_priv_escalation.yml | 36 --- ...levated_msi_spawned_cmd_and_powershell.yml | 38 --- ...ays_install_elevated_windows_installer.yml | 47 ---- .../sysmon_apt_muddywater_dnstunnel.yml | 34 --- .../process_creation/sysmon_apt_sourgrum.yml | 49 ---- ...sian_confluence_cve_2021_26084_exploit.yml | 39 --- .../sysmon_cmstp_execution_by_creation.yml | 35 --- .../sysmon_creation_mavinject_dll.yml | 38 --- .../sysmon_cve_2021_26857_msexchange.yml | 32 --- .../sysmon_expand_cabinet_files.yml | 43 ---- .../process_creation/sysmon_hack_wce.yml | 39 --- .../sysmon_high_integrity_sdclt.yml | 30 --- ...on_scripts_userinitmprlogonscript_proc.yml | 39 --- .../sysmon_long_powershell_commandline.yml | 34 --- .../sysmon_netcat_execution.yml | 34 --- .../sysmon_proxy_execution_wuauclt.yml | 40 --- ...move_windows_defender_definition_files.yml | 36 --- .../sysmon_sdclt_child_process.yml | 27 -- .../sysmon_susp_plink_remote_forward.yml | 30 --- .../sysmon_susp_service_modification.yml | 38 --- .../sysmon_susp_webdav_client_execution.yml | 30 --- .../sysmon_uninstall_crowdstrike_falcon.yml | 35 --- .../sysmon_vmtoolsd_susp_child_process.yml | 46 ---- .../wim_pc_apt_chafer_mar18.yml | 59 ----- .../win_ad_find_discovery.yml | 48 ---- .../win_anydesk_silent_install.yml | 34 --- .../win_apt_apt29_thinktanks.yml | 37 --- .../process_creation/win_apt_babyshark.yml | 38 --- .../win_apt_bear_activity_gtr19.yml | 52 ---- .../process_creation/win_apt_bluemashroom.yml | 31 --- .../process_creation/win_apt_cloudhopper.yml | 34 --- .../process_creation/win_apt_dragonfly.yml | 30 --- .../sigma/process_creation/win_apt_elise.yml | 34 --- .../win_apt_emissarypanda_sep19.yml | 31 --- .../process_creation/win_apt_empiremonkey.yml | 31 --- .../win_apt_equationgroup_dll_u_load.yml | 34 --- .../win_apt_evilnum_jul20.yml | 38 --- .../win_apt_greenbug_may20.yml | 63 ----- .../process_creation/win_apt_hafnium.yml | 94 ------- .../win_apt_hurricane_panda.yml | 33 --- .../win_apt_judgement_panda_gtr19.yml | 44 ---- .../win_apt_ke3chang_regadd.yml | 32 --- .../win_apt_lazarus_activity_apr21.yml | 43 ---- .../win_apt_lazarus_activity_dec20.yml | 46 ---- .../win_apt_lazarus_loader.yml | 48 ---- .../win_apt_lazarus_session_highjack.yml | 33 --- .../process_creation/win_apt_mustangpanda.yml | 45 ---- .../process_creation/win_apt_revil_kaseya.yml | 49 ---- .../sigma/process_creation/win_apt_sofacy.yml | 40 --- .../process_creation/win_apt_ta17_293a_ps.yml | 30 --- .../win_apt_ta505_dropper.yml | 29 --- .../process_creation/win_apt_taidoor.yml | 37 --- .../win_apt_tropictrooper.yml | 26 -- .../win_apt_turla_comrat_may20.yml | 38 --- .../process_creation/win_apt_unc2452_cmds.yml | 61 ----- .../process_creation/win_apt_unc2452_ps.yml | 36 --- .../win_apt_unidentified_nov_18.yml | 29 --- .../win_apt_winnti_mal_hk_jan20.yml | 47 ---- .../win_apt_winnti_pipemon.yml | 36 --- .../process_creation/win_apt_zxshell.yml | 40 --- .../win_attrib_hiding_files.yml | 44 ---- .../win_bad_opsec_sacrificial_processes.yml | 64 ----- .../process_creation/win_bootconf_mod.yml | 43 ---- .../win_bypass_squiblytwo.yml | 48 ---- .../win_change_default_file_association.yml | 44 ---- .../win_cl_invocation_lolscript.yml | 29 --- .../win_cl_mutexverifiers_lolscript.yml | 30 --- .../win_class_exec_xwizard.yml | 28 --- .../process_creation/win_cmdkey_recon.yml | 34 --- .../win_cmstp_com_object_access.yml | 52 ---- .../win_cobaltstrike_process_patterns.yml | 51 ---- .../win_commandline_path_traversal.yml | 33 --- ...win_commandline_path_traversal_evasion.yml | 34 --- .../win_control_panel_item.yml | 43 ---- ...g_sensitive_files_with_credential_data.yml | 51 ---- ..._credential_access_via_password_filter.yml | 33 --- .../process_creation/win_crime_fireball.yml | 34 --- .../win_crime_maze_ransomware.yml | 52 ---- .../win_crime_snatch_ransomware.yml | 32 --- .../win_crypto_mining_monero.yml | 41 --- .../win_data_compressed_with_rar.yml | 41 --- .../win_detecting_fake_instances_of_hxtsr.yml | 31 --- .../win_dll_sideload_xwizard.yml | 29 --- .../win_dns_exfiltration_tools_execution.yml | 32 --- .../win_dnscat2_powershell_implementation.yml | 41 --- .../win_encoded_frombase64string.yml | 33 --- .../process_creation/win_encoded_iex.yml | 40 --- .../win_etw_modification_cmdline.yml | 34 --- .../win_etw_trace_evasion.yml | 72 ------ ...ltration_and_tunneling_tools_execution.yml | 32 --- .../win_exploit_cve_2015_1641.yml | 30 --- .../win_exploit_cve_2017_0261.yml | 35 --- .../win_exploit_cve_2017_11882.yml | 35 --- .../win_exploit_cve_2017_8759.yml | 35 --- .../win_exploit_cve_2019_1378.yml | 47 ---- .../win_exploit_cve_2019_1388.yml | 39 --- .../win_exploit_cve_2020_10189.yml | 39 --- .../win_exploit_cve_2020_1048.yml | 40 --- .../win_exploit_cve_2020_1350.yml | 34 --- .../win_exploit_systemnightmare.yml | 28 --- .../win_file_permission_modifications.yml | 40 --- .../win_grabbing_sensitive_hives_via_reg.yml | 56 ----- .../process_creation/win_hack_adcspwn.yml | 29 --- .../process_creation/win_hack_bloodhound.yml | 54 ---- .../process_creation/win_hack_koadic.yml | 41 --- .../process_creation/win_hack_rubeus.yml | 42 ---- .../win_hack_secutyxploded.yml | 33 --- rules/sigma/process_creation/win_hh_chm.yml | 35 --- .../win_hiding_malware_in_fonts_folder.yml | 35 --- .../win_hktl_createminidump.yml | 30 --- .../win_hktl_uacme_uac_bypass.yml | 31 --- .../process_creation/win_html_help_spawn.yml | 48 ---- .../process_creation/win_hwp_exploits.yml | 39 --- .../win_impacket_compiled_tools.yml | 63 ----- .../win_impacket_lateralization.yml | 59 ----- .../process_creation/win_indirect_cmd.yml | 37 --- ...n_indirect_cmd_compatibility_assistant.yml | 35 --- .../win_install_reg_debugger_backdoor.yml | 37 --- .../process_creation/win_interactive_at.yml | 35 --- .../win_invoke_obfuscation_clip.yml | 27 -- ...obfuscation_obfuscated_iex_commandline.yml | 41 --- .../win_invoke_obfuscation_stdin.yml | 27 -- .../win_invoke_obfuscation_var.yml | 27 -- .../win_invoke_obfuscation_via_compress.yml | 27 -- .../win_invoke_obfuscation_via_rundll.yml | 27 -- .../win_invoke_obfuscation_via_stdin.yml | 27 -- .../win_invoke_obfuscation_via_use_clip.yml | 27 -- .../win_invoke_obfuscation_via_use_mhsta.yml | 27 -- ...in_invoke_obfuscation_via_use_rundll32.yml | 27 -- .../win_invoke_obfuscation_via_var.yml | 27 -- .../sigma/process_creation/win_lethalhta.yml | 30 --- ...n_local_system_owner_account_discovery.yml | 81 ------ .../win_lolbas_execution_of_wuauclt.yml | 35 --- .../win_lolbin_execution_via_winget.yml | 35 --- .../sigma/process_creation/win_lsass_dump.yml | 46 ---- .../sigma/process_creation/win_mal_adwind.yml | 38 --- .../process_creation/win_malware_conti.yml | 32 --- .../win_malware_conti_7zip.yml | 28 --- .../win_malware_conti_shadowcopy.yml | 32 --- .../process_creation/win_malware_dridex.yml | 49 ---- .../process_creation/win_malware_dtrack.yml | 30 --- .../process_creation/win_malware_emotet.yml | 44 ---- .../process_creation/win_malware_formbook.yml | 64 ----- .../process_creation/win_malware_notpetya.yml | 49 ---- .../process_creation/win_malware_qbot.yml | 43 ---- .../process_creation/win_malware_ryuk.yml | 32 --- .../win_malware_script_dropper.yml | 47 ---- .../win_malware_trickbot_recon_activity.yml | 36 --- .../win_malware_trickbot_wermgr.yml | 34 --- .../process_creation/win_malware_wannacry.yml | 85 ------- .../win_manage_bde_lolbas.yml | 33 --- .../win_mavinject_proc_inj.yml | 29 --- ...r_cobaltstrike_getsystem_service_start.yml | 70 ------ .../win_mimikatz_command_line.yml | 47 ---- .../process_creation/win_mmc_spawn_shell.yml | 42 ---- ..._modif_of_services_for_via_commandline.yml | 35 --- ...in_monitoring_for_persistence_via_bits.yml | 37 --- .../sigma/process_creation/win_mouse_lock.yml | 37 --- .../process_creation/win_mshta_javascript.yml | 34 --- .../win_mshta_spawn_shell.yml | 47 ---- .../win_multiple_suspicious_cli.yml | 66 ----- rules/sigma/process_creation/win_net_enum.yml | 38 --- .../process_creation/win_net_user_add.yml | 39 --- .../win_netsh_allow_port_rdp.yml | 41 --- .../process_creation/win_netsh_fw_add.yml | 32 --- .../win_netsh_fw_add_susp_image.yml | 72 ------ .../win_netsh_packet_capture.yml | 32 --- .../process_creation/win_netsh_port_fwd.yml | 46 ---- .../win_netsh_port_fwd_3389.yml | 38 --- .../win_netsh_wifi_credential_harvesting.yml | 39 --- .../process_creation/win_network_sniffing.yml | 42 ---- .../win_new_service_creation.yml | 37 --- .../process_creation/win_nltest_recon.yml | 47 ---- .../win_non_interactive_powershell.yml | 32 --- .../win_non_priv_reg_or_ps.yml | 51 ---- .../process_creation/win_office_shell.yml | 62 ----- ..._office_spawn_exe_from_users_directory.yml | 46 ---- .../win_pc_set_policies_to_unsecure_level.yml | 33 --- .../win_pc_susp_cmdl32_lolbas.yml | 34 --- .../win_pc_susp_reg_bitlocker.yml | 44 ---- .../win_pc_susp_schtasks_user_temp.yml | 29 --- .../process_creation/win_pc_susp_zipexec.yml | 40 --- .../win_plugx_susp_exe_locations.yml | 108 -------- .../win_possible_applocker_bypass.yml | 46 ---- ...ation_via_service_registry_permissions.yml | 41 --- .../win_powershell_amsi_bypass.yml | 32 --- .../win_powershell_audio_capture.yml | 27 -- .../win_powershell_b64_shellcode.yml | 30 --- .../win_powershell_bitsjob.yml | 34 --- ...in_powershell_cmdline_reversed_strings.yml | 56 ----- ..._powershell_cmdline_special_characters.yml | 38 --- ...wershell_cmdline_specific_comb_methods.yml | 60 ----- .../win_powershell_defender_exclusion.yml | 41 --- .../win_powershell_disable_windef_av.yml | 50 ---- .../win_powershell_dll_execution.yml | 35 --- .../win_powershell_downgrade_attack.yml | 40 --- .../win_powershell_download.yml | 39 --- .../win_powershell_frombase64string.yml | 28 --- ...in_powershell_reverse_shell_connection.yml | 34 --- ...ershell_suspicious_parameter_variation.yml | 70 ------ .../win_powershell_xor_commandline.yml | 35 --- .../win_powersploit_empire_schtasks.yml | 57 ----- .../win_proc_wrong_parent.yml | 55 ---- rules/sigma/process_creation/win_procdump.yml | 32 --- ...in_process_creation_bitsadmin_download.yml | 51 ---- .../win_process_dump_rdrleakdiag.yml | 27 -- .../win_process_dump_rundll32_comsvcs.yml | 34 --- .../process_creation/win_psexesvc_start.yml | 26 -- .../win_purplesharp_indicators.yml | 31 --- .../process_creation/win_query_registry.yml | 51 ---- .../win_rasautou_dll_execution.yml | 38 --- .../win_rdp_hijack_shadowing.yml | 29 --- .../win_redmimicry_winnti_proc.yml | 37 --- .../process_creation/win_reg_add_run_key.yml | 31 --- .../win_regedit_export_critical_keys.yml | 40 --- .../win_regedit_export_keys.yml | 43 ---- .../win_regedit_import_keys.yml | 41 --- .../win_regedit_import_keys_ads.yml | 41 --- rules/sigma/process_creation/win_regini.yml | 34 --- .../sigma/process_creation/win_regini_ads.yml | 34 --- .../win_remote_powershell_session_process.yml | 36 --- .../win_remote_time_discovery.yml | 42 ---- .../process_creation/win_renamed_binary.yml | 74 ------ .../win_renamed_binary_highly_relevant.yml | 59 ----- .../process_creation/win_renamed_jusched.yml | 36 --- .../process_creation/win_renamed_megasync.yml | 37 --- .../process_creation/win_renamed_paexec.yml | 43 ---- .../win_renamed_powershell.yml | 38 --- .../process_creation/win_renamed_procdump.yml | 44 ---- .../process_creation/win_renamed_psexec.yml | 36 --- .../process_creation/win_renamed_whoami.yml | 30 --- .../win_run_powershell_script_from_ads.yml | 32 --- ...un_powershell_script_from_input_stream.yml | 29 --- .../process_creation/win_run_virtualbox.yml | 44 ---- .../win_rundll32_without_parameters.yml | 35 --- .../win_script_event_consumer_spawn.yml | 43 ---- .../win_sdbinst_shim_persistence.yml | 34 --- .../win_service_execution.yml | 31 --- .../process_creation/win_service_stop.yml | 33 --- .../win_shadow_copies_access_symlink.yml | 30 --- .../win_shadow_copies_creation.yml | 36 --- .../win_shadow_copies_deletion.yml | 67 ----- .../win_shell_spawn_mshta.yml | 38 --- .../win_shell_spawn_susp_program.yml | 49 ---- .../win_silenttrinity_stage_use.yml | 26 -- .../win_soundrec_audio_capture.yml | 29 --- rules/sigma/process_creation/win_spn_enum.yml | 32 --- ...uthenticated_privileged_console_access.yml | 34 --- .../win_sus_auditpol_usage.yml | 35 --- .../process_creation/win_susp_adfind.yml | 38 --- .../process_creation/win_susp_atbroker.yml | 58 ----- .../process_creation/win_susp_bcdedit.yml | 35 --- .../process_creation/win_susp_bginfo.yml | 34 --- .../win_susp_bitstransfer.yml | 38 --- .../sigma/process_creation/win_susp_calc.yml | 33 --- rules/sigma/process_creation/win_susp_cdb.yml | 32 --- .../win_susp_certutil_command.yml | 61 ----- .../win_susp_certutil_encode.yml | 32 --- .../win_susp_child_process_as_system_.yml | 47 ---- .../process_creation/win_susp_cli_escape.yml | 33 --- .../win_susp_cmd_http_appdata.yml | 41 --- .../win_susp_cmd_shadowcopy_access.yml | 26 -- .../win_susp_codepage_switch.yml | 34 --- .../win_susp_commands_recon_activity.yml | 52 ---- .../win_susp_compression_params.yml | 43 ---- .../win_susp_comsvcs_procdump.yml | 42 ---- .../process_creation/win_susp_conhost.yml | 31 --- .../win_susp_control_cve_2021_40444.yml | 35 --- .../win_susp_control_dll_load.yml | 35 --- .../win_susp_copy_lateral_movement.yml | 55 ---- .../win_susp_copy_system32.yml | 37 --- .../process_creation/win_susp_covenant.yml | 43 ---- .../win_susp_crackmapexec_execution.yml | 41 --- ...sp_crackmapexec_powershell_obfuscation.yml | 43 ---- rules/sigma/process_creation/win_susp_csc.yml | 37 --- .../process_creation/win_susp_csc_folder.yml | 46 ---- rules/sigma/process_creation/win_susp_csi.yml | 48 ---- .../win_susp_curl_download.yml | 35 --- .../win_susp_curl_fileupload.yml | 32 --- .../win_susp_curl_start_combo.yml | 34 --- .../win_susp_dctask64_proc_inject.yml | 37 --- .../win_susp_desktopimgdownldr.yml | 44 ---- .../win_susp_devtoolslauncher.yml | 30 --- ...susp_direct_asep_reg_keys_modification.yml | 47 ---- .../win_susp_disable_eventlog.yml | 38 --- .../win_susp_disable_ie_features.yml | 38 --- .../win_susp_disable_raccine.yml | 42 ---- .../process_creation/win_susp_diskshadow.yml | 34 --- .../process_creation/win_susp_ditsnap.yml | 31 --- rules/sigma/process_creation/win_susp_dnx.yml | 29 --- .../win_susp_double_extension.yml | 40 --- .../sigma/process_creation/win_susp_dxcap.yml | 32 --- .../win_susp_emotet_rundll32_execution.yml | 42 ---- .../win_susp_eventlog_clear.yml | 51 ---- .../win_susp_execution_path.yml | 52 ---- .../win_susp_execution_path_webserver.yml | 40 --- .../process_creation/win_susp_explorer.yml | 32 --- .../win_susp_explorer_break_proctree.yml | 31 --- .../win_susp_file_characteristics.yml | 42 ---- ...p_file_download_via_gfxdownloadwrapper.yml | 32 --- .../process_creation/win_susp_findstr.yml | 38 --- .../process_creation/win_susp_findstr_lnk.yml | 35 --- .../win_susp_finger_usage.yml | 28 --- .../win_susp_firewall_disable.yml | 30 --- .../win_susp_fsutil_usage.yml | 37 --- rules/sigma/process_creation/win_susp_ftp.yml | 46 ---- rules/sigma/process_creation/win_susp_gup.yml | 34 --- .../win_susp_iss_module_install.yml | 34 --- .../win_susp_mounted_share_deletion.yml | 33 --- .../win_susp_mpcmdrun_download.yml | 36 --- .../win_susp_mshta_pattern.yml | 49 ---- .../process_creation/win_susp_msiexec_cwd.yml | 31 --- .../win_susp_msiexec_web_install.yml | 31 --- .../process_creation/win_susp_msoffice.yml | 33 --- .../win_susp_net_execution.yml | 58 ----- .../win_susp_netsh_dll_persistence.yml | 37 --- .../process_creation/win_susp_ngrok_pua.yml | 55 ---- .../process_creation/win_susp_ntdsutil.yml | 28 --- .../process_creation/win_susp_odbcconf.yml | 37 --- .../process_creation/win_susp_openwith.yml | 30 --- .../process_creation/win_susp_outlook.yml | 37 --- .../win_susp_outlook_temp.yml | 28 --- .../process_creation/win_susp_pcwutl.yml | 33 --- .../process_creation/win_susp_pester.yml | 45 ---- .../process_creation/win_susp_ping_hex_ip.yml | 32 --- .../win_susp_powershell_empire_launch.yml | 36 --- .../win_susp_powershell_empire_uac_bypass.yml | 34 --- .../win_susp_powershell_enc_cmd.yml | 61 ----- .../win_susp_powershell_encoded_param.yml | 28 --- .../win_susp_powershell_getprocess_lsass.yml | 27 -- .../win_susp_powershell_hidden_b64_cmd.yml | 79 ------ .../win_susp_powershell_parent_combo.yml | 38 --- .../win_susp_powershell_parent_process.yml | 67 ----- .../win_susp_powershell_sam_access.yml | 35 --- .../sigma/process_creation/win_susp_print.yml | 40 --- .../process_creation/win_susp_procdump.yml | 33 --- .../win_susp_procdump_lsass.yml | 40 --- .../process_creation/win_susp_ps_appdata.yml | 37 --- .../win_susp_ps_downloadfile.yml | 34 --- .../process_creation/win_susp_psexec_eula.yml | 30 --- .../win_susp_psexex_paexec_flags.yml | 49 ---- .../win_susp_psr_capture_screenshots.yml | 31 --- .../process_creation/win_susp_rar_flags.yml | 38 --- .../win_susp_rasdial_activity.yml | 29 --- .../win_susp_razorinstaller_explorer.yml | 34 --- .../win_susp_rclone_execution.yml | 73 ------ .../win_susp_recon_activity.yml | 41 --- .../win_susp_reg_disable_sec_services.yml | 47 ---- .../win_susp_regedit_trustedinstaller.yml | 29 --- .../win_susp_register_cimprovider.yml | 34 --- .../win_susp_registration_via_cscript.yml | 36 --- .../win_susp_regsvr32_anomalies.yml | 75 ------ .../win_susp_regsvr32_flags_anomaly.yml | 34 --- .../win_susp_regsvr32_no_dll.yml | 44 ---- .../win_susp_renamed_dctask64.yml | 38 --- .../win_susp_renamed_debugview.yml | 31 --- .../win_susp_renamed_paexec.yml | 37 --- .../process_creation/win_susp_rpcping.yml | 51 ---- .../win_susp_run_locations.yml | 40 --- .../win_susp_rundll32_activity.yml | 107 -------- .../win_susp_rundll32_by_ordinal.yml | 39 --- .../win_susp_rundll32_inline_vbs.yml | 32 --- .../win_susp_rundll32_no_params.yml | 35 --- ...p_rundll32_setupapi_installhinfsection.yml | 45 ---- .../win_susp_rundll32_sys.yml | 30 --- .../win_susp_runonce_execution.yml | 34 --- .../win_susp_runscripthelper.yml | 31 --- .../win_susp_schtask_creation.yml | 39 --- .../win_susp_schtask_creation_temp_folder.yml | 37 --- .../win_susp_screenconnect_access.yml | 35 --- .../win_susp_screensaver_reg.yml | 56 ----- .../win_susp_script_exec_from_temp.yml | 45 ---- .../win_susp_script_execution.yml | 38 --- .../win_susp_service_dacl_modification.yml | 39 --- .../process_creation/win_susp_service_dir.yml | 40 --- .../win_susp_service_path_modification.yml | 39 --- ...susp_servu_exploitation_cve_2021_35211.yml | 33 --- .../win_susp_servu_process_pattern.yml | 44 ---- .../win_susp_shell_spawn_from_mssql.yml | 34 --- .../win_susp_shimcache_flush.yml | 42 ---- .../process_creation/win_susp_splwow64.yml | 27 -- .../win_susp_spoolsv_child_processes.yml | 91 ------- .../win_susp_sqldumper_activity.yml | 32 --- .../win_susp_squirrel_lolbin.yml | 66 ----- .../process_creation/win_susp_svchost.yml | 37 --- .../win_susp_svchost_no_cli.yml | 43 ---- .../win_susp_sysprep_appdata.yml | 33 --- .../win_susp_sysvol_access.yml | 30 --- .../win_susp_taskmgr_localsystem.yml | 28 --- .../win_susp_taskmgr_parent.yml | 32 --- .../win_susp_tracker_execution.yml | 35 --- .../win_susp_tscon_localsystem.yml | 31 --- .../win_susp_tscon_rdp_redirect.yml | 30 --- .../win_susp_uac_bypass_trustedpath.yml | 27 -- .../win_susp_use_of_csharp_console.yml | 30 --- .../win_susp_use_of_sqlps_bin.yml | 40 --- .../win_susp_use_of_sqltoolsps_bin.yml | 39 --- .../win_susp_use_of_te_bin.yml | 33 --- .../win_susp_use_of_vsjitdebugger_bin.yml | 38 --- .../win_susp_userinit_child.yml | 33 --- .../process_creation/win_susp_vboxdrvinst.yml | 39 --- .../win_susp_vbscript_unc2452.yml | 37 --- .../win_susp_volsnap_disable.yml | 31 --- .../process_creation/win_susp_whoami.yml | 30 --- .../win_susp_whoami_anomaly.yml | 49 ---- .../win_susp_winrar_execution.yml | 34 --- .../win_susp_winrm_awl_bypass.yml | 37 --- .../win_susp_winrm_execution.yml | 33 --- .../win_susp_wmi_execution.yml | 50 ---- .../win_susp_wmic_eventconsumer_create.yml | 32 --- .../win_susp_wmic_proc_create_rundll32.yml | 30 --- ...n_susp_wmic_security_product_uninstall.yml | 52 ---- .../process_creation/win_susp_workfolders.yml | 30 --- .../process_creation/win_susp_wsl_lolbin.yml | 33 --- .../process_creation/win_susp_wuauclt.yml | 40 --- .../win_sysmon_driver_unload.yml | 35 --- .../win_system_exe_anomaly.yml | 66 ----- .../win_tap_installer_execution.yml | 24 -- .../win_task_folder_evasion.yml | 45 ---- .../win_termserv_proc_spawn.yml | 34 --- .../win_tools_relay_attacks.yml | 52 ---- .../process_creation/win_trust_discovery.yml | 52 ---- .../win_uac_bypass_changepk_slui.yml | 34 --- .../win_uac_bypass_cleanmgr.yml | 33 --- .../win_uac_bypass_computerdefaults.yml | 34 --- .../win_uac_bypass_consent_comctl32.yml | 33 --- .../win_uac_bypass_dismhost.yml | 35 --- .../win_uac_bypass_ieinstal.yml | 34 --- .../win_uac_bypass_msconfig_gui.yml | 32 --- .../win_uac_bypass_ntfs_reparse_point.yml | 45 ---- .../win_uac_bypass_pkgmgr_dism.yml | 33 --- .../win_uac_bypass_winsat.yml | 33 --- .../process_creation/win_uac_bypass_wmp.yml | 36 --- .../win_uac_bypass_wsreset.yml | 32 --- .../sigma/process_creation/win_uac_cmstp.yml | 40 --- .../process_creation/win_uac_fodhelper.yml | 33 --- .../process_creation/win_uac_wsreset.yml | 30 --- ..._change_sevice_image_path_by_non_admin.yml | 41 --- .../win_using_settingsynchost_as_lolbin.yml | 39 --- .../win_verclsid_runs_com.yml | 33 --- .../win_visual_basic_compiler.yml | 28 --- .../win_vul_java_remote_debugging.yml | 32 --- .../win_webshell_detection.yml | 86 ------- .../win_webshell_recon_detection.yml | 50 ---- .../process_creation/win_webshell_spawn.yml | 43 ---- .../process_creation/win_whoami_as_system.yml | 32 --- .../process_creation/win_whoami_priv.yml | 30 --- .../win_win10_sched_task_0day.yml | 37 --- .../process_creation/win_winword_dll_load.yml | 29 --- ..._wmi_backdoor_exchange_transport_agent.yml | 27 -- ..._wmi_persistence_script_event_consumer.yml | 30 --- .../win_wmi_spwns_powershell.yml | 40 --- .../win_wmiprvse_spawning_process.yml | 41 --- .../win_workflow_compiler.yml | 37 --- ...win_write_protect_for_storage_disabled.yml | 27 -- .../win_wsreset_uac_bypass.yml | 34 --- .../win_xsl_script_processing.yml | 35 --- ...w_disk_access_using_illegitimate_tools.yml | 53 ---- ...sing_windows_telemetry_for_persistence.yml | 56 ----- .../registry_event_apt_chafer_mar18.yml | 46 ---- .../registry_event_apt_pandemic.yml | 38 --- ...cve_2021_31979_cve_2021_33771_exploits.yml | 39 --- .../registry_event_defender_disabled.yml | 48 ---- .../registry_event_defender_exclusions.yml | 36 --- ..._defender_realtime_protection_disabled.yml | 48 ---- ...egistry_event_dns_serverlevelplugindll.yml | 41 --- .../registry_event_mal_adwind.yml | 36 --- .../registry_event_mstsc_history_cleared.yml | 39 --- .../registry_event_net_ntlm_downgrade.yml | 42 ---- ...registry_event_stickykey_like_backdoor.yml | 42 ---- ...istry_event_sysinternals_eula_accepted.yml | 32 --- .../registry_event_uac_bypass_eventvwr.yml | 36 --- .../registry_event_uac_bypass_winsat.yml | 38 --- .../registry_event_uac_bypass_wmp.yml | 34 --- .../registry_event/sysmon_apt_leviathan.yml | 29 --- .../sysmon_apt_oceanlotus_registry.yml | 54 ---- .../sysmon_asep_reg_keys_modification.yml | 234 ------------------ .../sysmon_bypass_via_wsreset.yml | 38 --- .../sysmon_cmstp_execution_by_registry.yml | 39 --- .../sysmon_cobaltstrike_service_installs.yml | 51 ---- .../registry_event/sysmon_comhijack_sdclt.yml | 32 --- .../registry_event/sysmon_cve_2020_1048.yml | 40 --- .../registry_event/sysmon_dhcp_calloutdll.yml | 37 --- ...ble_microsoft_office_security_features.yml | 43 ---- ...y_events_logging_adding_reg_key_minint.yml | 43 ---- ...ysmon_disable_wdigest_credential_guard.yml | 32 --- ...twork_protection_on_microsoft_defender.yml | 35 --- ...d_pua_protection_on_microsoft_defender.yml | 34 --- ...amper_protection_on_microsoft_defender.yml | 34 --- .../sysmon_dns_over_https_enabled.yml | 48 ---- ...on_enabling_cor_profiler_env_variables.yml | 34 --- .../registry_event/sysmon_etw_disabled.yml | 39 --- .../registry_event/sysmon_hack_wce_reg.yml | 32 --- ...n_hybridconnectionmgr_svc_installation.yml | 32 --- ...gon_scripts_userinitmprlogonscript_reg.yml | 33 --- .../sysmon_modify_screensaver_binary_path.yml | 37 --- .../sysmon_narrator_feedback_persistance.yml | 36 --- .../sysmon_new_application_appcompat.yml | 34 --- ..._dll_added_to_appcertdlls_registry_key.yml | 42 ---- ...dll_added_to_appinit_dlls_registry_key.yml | 47 ---- .../sysmon_office_test_regadd.yml | 33 --- .../sysmon_office_vsto_persistence.yml | 42 ---- .../sysmon_powershell_as_service.yml | 37 --- .../sysmon_rdp_registry_modification.yml | 40 --- .../sysmon_rdp_settings_hijack.yml | 33 --- .../sysmon_redmimicry_winnti_reg.yml | 29 --- .../sysmon_reg_office_security.yml | 34 --- .../sysmon_reg_silentprocessexit.yml | 33 --- .../sysmon_reg_silentprocessexit_lsass.yml | 31 --- .../sysmon_reg_vbs_payload_stored.yml | 45 ---- .../sysmon_registry_add_local_hidden_user.yml | 35 --- ...ysmon_registry_persistence_key_linking.yml | 38 --- ...smon_registry_persistence_search_order.yml | 69 ------ .../sysmon_registry_susp_printer_driver.yml | 37 --- ...mon_registry_trust_record_modification.yml | 33 --- .../sysmon_removal_amsi_registry_key.yml | 36 --- ...mon_removal_com_hijacking_registry_key.yml | 36 --- .../registry_event/sysmon_runkey_winekey.yml | 36 --- .../sysmon_runonce_persistence.yml | 33 --- .../sysmon_ssp_added_lsa_config.yml | 40 --- .../sysmon_susp_atbroker_change.yml | 36 --- .../sysmon_susp_download_run_key.yml | 37 --- .../sysmon_susp_lsass_dll_load.yml | 36 --- .../sysmon_susp_mic_cam_access.yml | 48 ---- .../sysmon_susp_reg_persist_explorer_run.yml | 47 ---- .../sysmon_susp_run_key_img_folder.yml | 51 ---- .../sysmon_susp_service_installed.yml | 46 ---- ...sysmon_suspicious_keyboard_layout_load.yml | 43 ---- ...mon_sysinternals_sdelete_registry_keys.yml | 32 --- .../registry_event/sysmon_taskcache_entry.yml | 34 --- .../sysmon_uac_bypass_sdclt.yml | 40 --- ...sysmon_volume_shadow_copy_service_keys.yml | 35 --- .../sysmon_wab_dllpath_reg_change.yml | 36 --- ...smon_wdigest_enable_uselogoncredential.yml | 32 --- .../sysmon_win_reg_persistence.yml | 48 ---- ...sysmon_win_reg_persistence_recycle_bin.yml | 35 --- .../sysmon_win_reg_telemetry_persistence.yml | 40 --- .../win_outlook_c2_registry_key.yml | 37 --- .../win_outlook_registry_todaypage.yml | 41 --- .../win_outlook_registry_webview.yml | 42 ---- .../win_portproxy_registry_key.yml | 36 --- .../win_registry_file_association_exefile.yml | 34 --- ...win_registry_mimikatz_printernightmare.yml | 59 ----- ..._registry_shell_open_keys_manipulation.yml | 55 ---- ...napi_in_powershell_credentials_dumping.yml | 30 --- .../sysmon_config_modification_error.yml | 29 --- .../sysmon_config_modification_status.yml | 31 --- .../sysmon_dcom_iertutil_dll_hijack.yml | 38 --- .../sysmon_wmi_event_subscription.yml | 26 -- .../sysmon_wmi_susp_encoded_scripts.yml | 43 ---- .../wmi_event/sysmon_wmi_susp_scripting.yml | 60 ----- 1127 files changed, 4 insertions(+), 42988 deletions(-) create mode 100644 .gitmodules create mode 160000 rules delete mode 100644 rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml delete mode 100644 rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml delete mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml delete mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml delete mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml delete mode 100644 rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml delete mode 100644 rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml delete mode 100644 rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml delete mode 100644 rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml delete mode 100644 rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml delete mode 100644 rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml delete mode 100644 rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml delete mode 100644 rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml delete mode 100644 rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml delete mode 100644 rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml delete mode 100644 rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4634_Logoff.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml delete mode 100644 rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml delete mode 100644 rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml delete mode 100644 rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml delete mode 100644 rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml delete mode 100644 rules/sigma/builtin/win_account_discovery.yml delete mode 100644 rules/sigma/builtin/win_ad_object_writedac_access.yml delete mode 100644 rules/sigma/builtin/win_ad_replication_non_machine_account.yml delete mode 100644 rules/sigma/builtin/win_ad_user_enumeration.yml delete mode 100644 rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml delete mode 100644 rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml delete mode 100644 rules/sigma/builtin/win_admin_rdp_login.yml delete mode 100644 rules/sigma/builtin/win_admin_share_access.yml delete mode 100644 rules/sigma/builtin/win_alert_active_directory_user_control.yml delete mode 100644 rules/sigma/builtin/win_alert_ad_user_backdoors.yml delete mode 100644 rules/sigma/builtin/win_alert_enable_weak_encryption.yml delete mode 100644 rules/sigma/builtin/win_alert_lsass_access.yml delete mode 100644 rules/sigma/builtin/win_alert_mimikatz_keywords.yml delete mode 100644 rules/sigma/builtin/win_alert_ruler.yml delete mode 100644 rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml delete mode 100644 rules/sigma/builtin/win_apt_carbonpaper_turla.yml delete mode 100644 rules/sigma/builtin/win_apt_chafer_mar18_security.yml delete mode 100644 rules/sigma/builtin/win_apt_chafer_mar18_system.yml delete mode 100644 rules/sigma/builtin/win_apt_gallium.yml delete mode 100644 rules/sigma/builtin/win_apt_slingshot.yml delete mode 100644 rules/sigma/builtin/win_apt_stonedrill.yml delete mode 100644 rules/sigma/builtin/win_apt_turla_service_png.yml delete mode 100644 rules/sigma/builtin/win_apt_wocao.yml delete mode 100644 rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml delete mode 100644 rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml delete mode 100644 rules/sigma/builtin/win_atsvc_task.yml delete mode 100644 rules/sigma/builtin/win_audit_cve.yml delete mode 100644 rules/sigma/builtin/win_av_relevant_match.yml delete mode 100644 rules/sigma/builtin/win_camera_microphone_access.yml delete mode 100644 rules/sigma/builtin/win_cobaltstrike_service_installs.yml delete mode 100644 rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml delete mode 100644 rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml delete mode 100644 rules/sigma/builtin/win_dcsync.yml delete mode 100644 rules/sigma/builtin/win_disable_event_logging.yml delete mode 100644 rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml delete mode 100644 rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml delete mode 100644 rules/sigma/builtin/win_etw_modification.yml delete mode 100644 rules/sigma/builtin/win_event_log_cleared.yml delete mode 100644 rules/sigma/builtin/win_exchange_transportagent.yml delete mode 100644 rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml delete mode 100644 rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml delete mode 100644 rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml delete mode 100644 rules/sigma/builtin/win_external_device.yml delete mode 100644 rules/sigma/builtin/win_global_catalog_enumeration.yml delete mode 100644 rules/sigma/builtin/win_gpo_scheduledtasks.yml delete mode 100644 rules/sigma/builtin/win_hack_smbexec.yml delete mode 100644 rules/sigma/builtin/win_hidden_user_creation.yml delete mode 100644 rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml delete mode 100644 rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml delete mode 100644 rules/sigma/builtin/win_impacket_psexec.yml delete mode 100644 rules/sigma/builtin/win_impacket_secretdump.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_var_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml delete mode 100644 rules/sigma/builtin/win_iso_mount.yml delete mode 100644 rules/sigma/builtin/win_lm_namedpipe.yml delete mode 100644 rules/sigma/builtin/win_lolbas_execution_of_nltest.yml delete mode 100644 rules/sigma/builtin/win_lsass_access_non_system_account.yml delete mode 100644 rules/sigma/builtin/win_mal_creddumper.yml delete mode 100644 rules/sigma/builtin/win_mal_wceaux_dll.yml delete mode 100644 rules/sigma/builtin/win_metasploit_authentication.yml delete mode 100644 rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml delete mode 100644 rules/sigma/builtin/win_mmc20_lateral_movement.yml delete mode 100644 rules/sigma/builtin/win_moriya_rootkit.yml delete mode 100644 rules/sigma/builtin/win_net_ntlm_downgrade.yml delete mode 100644 rules/sigma/builtin/win_net_use_admin_share.yml delete mode 100644 rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml delete mode 100644 rules/sigma/builtin/win_not_allowed_rdp_access.yml delete mode 100644 rules/sigma/builtin/win_ntfs_vuln_exploit.yml delete mode 100644 rules/sigma/builtin/win_overpass_the_hash.yml delete mode 100644 rules/sigma/builtin/win_pass_the_hash.yml delete mode 100644 rules/sigma/builtin/win_pass_the_hash_2.yml delete mode 100644 rules/sigma/builtin/win_petitpotam_network_share.yml delete mode 100644 rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml delete mode 100644 rules/sigma/builtin/win_possible_dc_shadow.yml delete mode 100644 rules/sigma/builtin/win_powershell_script_installed_as_service.yml delete mode 100644 rules/sigma/builtin/win_privesc_cve_2020_1472.yml delete mode 100644 rules/sigma/builtin/win_protected_storage_service_access.yml delete mode 100644 rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml delete mode 100644 rules/sigma/builtin/win_rare_schtasks_creations.yml delete mode 100644 rules/sigma/builtin/win_rare_service_installs.yml delete mode 100644 rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml delete mode 100644 rules/sigma/builtin/win_rdp_localhost_login.yml delete mode 100644 rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml delete mode 100644 rules/sigma/builtin/win_rdp_reverse_tunnel.yml delete mode 100644 rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml delete mode 100644 rules/sigma/builtin/win_remote_powershell_session.yml delete mode 100644 rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml delete mode 100644 rules/sigma/builtin/win_root_certificate_installed.yml delete mode 100644 rules/sigma/builtin/win_sam_registry_hive_handle_request.yml delete mode 100644 rules/sigma/builtin/win_scheduled_task_deletion.yml delete mode 100644 rules/sigma/builtin/win_scm_database_handle_failure.yml delete mode 100644 rules/sigma/builtin/win_scm_database_privileged_operation.yml delete mode 100644 rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml delete mode 100644 rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml delete mode 100644 rules/sigma/builtin/win_security_mal_creddumper.yml delete mode 100644 rules/sigma/builtin/win_security_mal_service_installs.yml delete mode 100644 rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml delete mode 100644 rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml delete mode 100644 rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml delete mode 100644 rules/sigma/builtin/win_security_tap_driver_installation.yml delete mode 100644 rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml delete mode 100644 rules/sigma/builtin/win_smb_file_creation_admin_shares.yml delete mode 100644 rules/sigma/builtin/win_software_atera_rmm_agent_install.yml delete mode 100644 rules/sigma/builtin/win_susp_add_domain_trust.yml delete mode 100644 rules/sigma/builtin/win_susp_add_sid_history.yml delete mode 100644 rules/sigma/builtin/win_susp_backup_delete.yml delete mode 100644 rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml delete mode 100644 rules/sigma/builtin/win_susp_dhcp_config.yml delete mode 100644 rules/sigma/builtin/win_susp_dhcp_config_failed.yml delete mode 100644 rules/sigma/builtin/win_susp_dns_config.yml delete mode 100644 rules/sigma/builtin/win_susp_dsrm_password_change.yml delete mode 100644 rules/sigma/builtin/win_susp_eventlog_cleared.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_guest_logon.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logon_reasons.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logon_source.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_process.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source2.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml delete mode 100644 rules/sigma/builtin/win_susp_interactive_logons.yml delete mode 100644 rules/sigma/builtin/win_susp_kerberos_manipulation.yml delete mode 100644 rules/sigma/builtin/win_susp_ldap_dataexchange.yml delete mode 100644 rules/sigma/builtin/win_susp_local_anon_logon_created.yml delete mode 100644 rules/sigma/builtin/win_susp_logon_explicit_credentials.yml delete mode 100644 rules/sigma/builtin/win_susp_lsass_dump.yml delete mode 100644 rules/sigma/builtin/win_susp_lsass_dump_generic.yml delete mode 100644 rules/sigma/builtin/win_susp_mshta_execution.yml delete mode 100644 rules/sigma/builtin/win_susp_msmpeng_crash.yml delete mode 100644 rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml delete mode 100644 rules/sigma/builtin/win_susp_net_recon_activity.yml delete mode 100644 rules/sigma/builtin/win_susp_ntlm_auth.yml delete mode 100644 rules/sigma/builtin/win_susp_ntlm_rdp.yml delete mode 100644 rules/sigma/builtin/win_susp_proceshacker.yml delete mode 100644 rules/sigma/builtin/win_susp_psexec.yml delete mode 100644 rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml delete mode 100644 rules/sigma/builtin/win_susp_rc4_kerberos.yml delete mode 100644 rules/sigma/builtin/win_susp_rottenpotato.yml delete mode 100644 rules/sigma/builtin/win_susp_sam_dump.yml delete mode 100644 rules/sigma/builtin/win_susp_sdelete.yml delete mode 100644 rules/sigma/builtin/win_susp_time_modification.yml delete mode 100644 rules/sigma/builtin/win_susp_wmi_login.yml delete mode 100644 rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml delete mode 100644 rules/sigma/builtin/win_svcctl_remote_service.yml delete mode 100644 rules/sigma/builtin/win_syskey_registry_access.yml delete mode 100644 rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml delete mode 100644 rules/sigma/builtin/win_system_susp_eventlog_cleared.yml delete mode 100644 rules/sigma/builtin/win_tap_driver_installation.yml delete mode 100644 rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml delete mode 100644 rules/sigma/builtin/win_usb_device_plugged.yml delete mode 100644 rules/sigma/builtin/win_user_added_to_local_administrators.yml delete mode 100644 rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml delete mode 100644 rules/sigma/builtin/win_user_creation.yml delete mode 100644 rules/sigma/builtin/win_user_driver_loaded.yml delete mode 100644 rules/sigma/builtin/win_volume_shadow_copy_mount.yml delete mode 100644 rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml delete mode 100644 rules/sigma/builtin/win_vul_cve_2020_0688.yml delete mode 100644 rules/sigma/builtin/win_vul_cve_2020_1472.yml delete mode 100644 rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_cactustorch.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml delete mode 100644 rules/sigma/create_stream_hash/sysmon_ads_executable.yml delete mode 100644 rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml delete mode 100644 rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml delete mode 100644 rules/sigma/dns_query/dns_net_susp_ipify.yml delete mode 100644 rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml delete mode 100644 rules/sigma/dns_query/dns_query_mega_nz.yml delete mode 100644 rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml delete mode 100644 rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml delete mode 100644 rules/sigma/driver_load/driver_load_mal_creddumper.yml delete mode 100644 rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml delete mode 100644 rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml delete mode 100644 rules/sigma/driver_load/driver_load_susp_temp_use.yml delete mode 100644 rules/sigma/driver_load/driver_load_vuln_dell_driver.yml delete mode 100644 rules/sigma/driver_load/driver_load_windivert.yml delete mode 100644 rules/sigma/edr/edr_command_execution_by_office_applications.yml delete mode 100644 rules/sigma/file_delete/sysmon_delete_prefetch.yml delete mode 100644 rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml delete mode 100644 rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml delete mode 100644 rules/sigma/file_event/file_event_advanced_ip_scanner.yml delete mode 100644 rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml delete mode 100644 rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml delete mode 100644 rules/sigma/file_event/file_event_hack_dumpert.yml delete mode 100644 rules/sigma/file_event/file_event_hktl_createminidump.yml delete mode 100644 rules/sigma/file_event/file_event_lsass_dump.yml delete mode 100644 rules/sigma/file_event/file_event_mal_adwind.yml delete mode 100644 rules/sigma/file_event/file_event_mal_vhd_download.yml delete mode 100644 rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml delete mode 100644 rules/sigma/file_event/file_event_moriya_rootkit.yml delete mode 100644 rules/sigma/file_event/file_event_pingback_backdoor.yml delete mode 100644 rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml delete mode 100644 rules/sigma/file_event/file_event_susp_task_write.yml delete mode 100644 rules/sigma/file_event/file_event_tool_psexec.yml delete mode 100644 rules/sigma/file_event/file_event_uac_bypass_winsat.yml delete mode 100644 rules/sigma/file_event/file_event_uac_bypass_wmp.yml delete mode 100644 rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml delete mode 100644 rules/sigma/file_event/file_event_winrm_awl_bypass.yml delete mode 100644 rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml delete mode 100644 rules/sigma/file_event/sysmon_creation_system_file.yml delete mode 100644 rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml delete mode 100644 rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml delete mode 100644 rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml delete mode 100644 rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml delete mode 100644 rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml delete mode 100644 rules/sigma/file_event/sysmon_office_persistence.yml delete mode 100644 rules/sigma/file_event/sysmon_outlook_newform.yml delete mode 100644 rules/sigma/file_event/sysmon_pcre_net_temp_file.yml delete mode 100644 rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml delete mode 100644 rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml delete mode 100644 rules/sigma/file_event/sysmon_quarkspw_filedump.yml delete mode 100644 rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml delete mode 100644 rules/sigma/file_event/sysmon_startup_folder_file_write.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_clr_logs.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_desktop_ini.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml delete mode 100644 rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml delete mode 100644 rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml delete mode 100644 rules/sigma/file_event/sysmon_webshell_creation_detect.yml delete mode 100644 rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml delete mode 100644 rules/sigma/file_event/win_cve_2021_1675_printspooler.yml delete mode 100644 rules/sigma/file_event/win_file_winword_cve_2021_40444.yml delete mode 100644 rules/sigma/file_event/win_hivenightmare_file_exports.yml delete mode 100644 rules/sigma/file_event/win_outlook_c2_macro_creation.yml delete mode 100644 rules/sigma/file_event/win_rclone_exec_file.yml delete mode 100644 rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml delete mode 100644 rules/sigma/image_load/image_load_pingback_backdoor.yml delete mode 100644 rules/sigma/image_load/image_load_silenttrinity_stage_use.yml delete mode 100644 rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml delete mode 100644 rules/sigma/image_load/process_creation_tttracer_mod_load.yml delete mode 100644 rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml delete mode 100644 rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml delete mode 100644 rules/sigma/image_load/sysmon_foggyweb_nobelium.yml delete mode 100644 rules/sigma/image_load/sysmon_in_memory_powershell.yml delete mode 100644 rules/sigma/image_load/sysmon_pcre_net_load.yml delete mode 100644 rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml delete mode 100644 rules/sigma/image_load/sysmon_spoolsv_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_fax_dll.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_image_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_python_image_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_system_drawing_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml delete mode 100644 rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml delete mode 100644 rules/sigma/image_load/sysmon_tttracer_mod_load.yml delete mode 100644 rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml delete mode 100644 rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml delete mode 100644 rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml delete mode 100644 rules/sigma/image_load/sysmon_wmi_module_load.yml delete mode 100644 rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml delete mode 100644 rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml delete mode 100644 rules/sigma/image_load/sysmon_wsman_provider_image_load.yml delete mode 100644 rules/sigma/image_load/win_susp_svchost_clfsw32.yml delete mode 100644 rules/sigma/image_load/win_suspicious_vss_ps_load.yml delete mode 100644 rules/sigma/malware/av_exploiting.yml delete mode 100644 rules/sigma/malware/av_hacktool.yml delete mode 100644 rules/sigma/malware/av_password_dumper.yml delete mode 100644 rules/sigma/malware/av_printernightmare_cve_2021_34527.yml delete mode 100644 rules/sigma/malware/av_relevant_files.yml delete mode 100644 rules/sigma/malware/av_webshell.yml delete mode 100644 rules/sigma/malware/file_event_mal_octopus_scanner.yml delete mode 100644 rules/sigma/malware/process_creation_mal_blue_mockingbird.yml delete mode 100644 rules/sigma/malware/process_creation_mal_darkside_ransomware.yml delete mode 100644 rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml delete mode 100644 rules/sigma/malware/process_creation_mal_ryuk.yml delete mode 100644 rules/sigma/malware/registry_event_mal_azorult.yml delete mode 100644 rules/sigma/malware/registry_event_mal_blue_mockingbird.yml delete mode 100644 rules/sigma/malware/registry_event_mal_flowcloud.yml delete mode 100644 rules/sigma/malware/registry_event_mal_netwire.yml delete mode 100644 rules/sigma/malware/registry_event_mal_ursnif.yml delete mode 100644 rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml delete mode 100644 rules/sigma/network_connection/sysmon_dllhost_net_connections.yml delete mode 100644 rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml delete mode 100644 rules/sigma/network_connection/sysmon_notepad_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_powershell_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml delete mode 100644 rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml delete mode 100644 rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml delete mode 100644 rules/sigma/network_connection/sysmon_rundll32_net_connections.yml delete mode 100644 rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_susp_rdp.yml delete mode 100644 rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_win_binary_github_com.yml delete mode 100644 rules/sigma/network_connection/sysmon_win_binary_susp_com.yml delete mode 100644 rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml delete mode 100644 rules/sigma/network_connection/win_net_crypto_mining.yml delete mode 100644 rules/sigma/other/win_defender_amsi_trigger.yml delete mode 100644 rules/sigma/other/win_defender_bypass.yml delete mode 100644 rules/sigma/other/win_defender_disabled.yml delete mode 100644 rules/sigma/other/win_defender_exclusions.yml delete mode 100644 rules/sigma/other/win_defender_history_delete.yml delete mode 100644 rules/sigma/other/win_defender_psexec_wmi_asr.yml delete mode 100644 rules/sigma/other/win_defender_tamper_protection_trigger.yml delete mode 100644 rules/sigma/other/win_defender_threat.yml delete mode 100644 rules/sigma/other/win_exchange_cve_2021_42321.yml delete mode 100644 rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml delete mode 100644 rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml delete mode 100644 rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml delete mode 100644 rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml delete mode 100644 rules/sigma/other/win_exchange_transportagent_failed.yml delete mode 100644 rules/sigma/other/win_lateral_movement_condrv.yml delete mode 100644 rules/sigma/other/win_ldap_recon.yml delete mode 100644 rules/sigma/other/win_pcap_drivers.yml delete mode 100644 rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml delete mode 100644 rules/sigma/other/win_rare_schtask_creation.yml delete mode 100644 rules/sigma/other/win_security_wmi_persistence.yml delete mode 100644 rules/sigma/other/win_system_defender_disabled.yml delete mode 100644 rules/sigma/other/win_tool_psexec.yml delete mode 100644 rules/sigma/other/win_wmi_persistence.yml delete mode 100644 rules/sigma/pipe_created/pipe_created_tool_psexec.yml delete mode 100644 rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml delete mode 100644 rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml delete mode 100644 rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml delete mode 100644 rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml delete mode 100644 rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml delete mode 100644 rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml delete mode 100644 rules/sigma/pipe_created/sysmon_mal_namedpipes.yml delete mode 100644 rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml delete mode 100644 rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml delete mode 100644 rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml delete mode 100644 rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml delete mode 100644 rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_powercat.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_automated_collection.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_create_local_user.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_data_compressed.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_keylogging.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_psattack.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_software_discovery.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_timestomp.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_web_request.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_wmimplant.yml delete mode 100644 rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml delete mode 100644 rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml delete mode 100644 rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml delete mode 100644 rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml delete mode 100644 rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml delete mode 100644 rules/sigma/process_access/sysmon_invoke_phantom.yml delete mode 100644 rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml delete mode 100644 rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml delete mode 100644 rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml delete mode 100644 rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml delete mode 100644 rules/sigma/process_access/sysmon_lsass_memdump.yml delete mode 100644 rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml delete mode 100644 rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml delete mode 100644 rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml delete mode 100644 rules/sigma/process_access/sysmon_svchost_cred_dump.yml delete mode 100644 rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml delete mode 100644 rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml delete mode 100644 rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml delete mode 100644 rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml delete mode 100644 rules/sigma/process_creation/process_creation_alternate_data_streams.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_gallium.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_pandemic.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_slingshot.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_wocao.yml delete mode 100644 rules/sigma/process_creation/process_creation_automated_collection.yml delete mode 100644 rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml delete mode 100644 rules/sigma/process_creation/process_creation_certoc_execution.yml delete mode 100644 rules/sigma/process_creation/process_creation_clip.yml delete mode 100644 rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml delete mode 100644 rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml delete mode 100644 rules/sigma/process_creation/process_creation_coti_sqlcmd.yml delete mode 100644 rules/sigma/process_creation/process_creation_discover_private_keys.yml delete mode 100644 rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml delete mode 100644 rules/sigma/process_creation/process_creation_dotnet.yml delete mode 100644 rules/sigma/process_creation/process_creation_hack_dumpert.yml delete mode 100644 rules/sigma/process_creation/process_creation_infdefaultinstall.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml delete mode 100644 rules/sigma/process_creation/process_creation_msdeploy.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml delete mode 100644 rules/sigma/process_creation/process_creation_pingback_backdoor.yml delete mode 100644 rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml delete mode 100644 rules/sigma/process_creation/process_creation_root_certificate_installed.yml delete mode 100644 rules/sigma/process_creation/process_creation_sdelete.yml delete mode 100644 rules/sigma/process_creation/process_creation_software_discovery.yml delete mode 100644 rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml delete mode 100644 rules/sigma/process_creation/process_creation_stordiag_execution.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_7z.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_del.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_recon.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_winzip.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_zip_compress.yml delete mode 100644 rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml delete mode 100644 rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml delete mode 100644 rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml delete mode 100644 rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml delete mode 100644 rules/sigma/process_creation/process_creation_tool_psexec.yml delete mode 100644 rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml delete mode 100644 rules/sigma/process_creation/process_mailboxexport_share.yml delete mode 100644 rules/sigma/process_creation/process_susp_esentutl_params.yml delete mode 100644 rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml delete mode 100644 rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml delete mode 100644 rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml delete mode 100644 rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml delete mode 100644 rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml delete mode 100644 rules/sigma/process_creation/sysmon_apt_sourgrum.yml delete mode 100644 rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml delete mode 100644 rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml delete mode 100644 rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml delete mode 100644 rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml delete mode 100644 rules/sigma/process_creation/sysmon_expand_cabinet_files.yml delete mode 100644 rules/sigma/process_creation/sysmon_hack_wce.yml delete mode 100644 rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml delete mode 100644 rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml delete mode 100644 rules/sigma/process_creation/sysmon_long_powershell_commandline.yml delete mode 100644 rules/sigma/process_creation/sysmon_netcat_execution.yml delete mode 100644 rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml delete mode 100644 rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml delete mode 100644 rules/sigma/process_creation/sysmon_sdclt_child_process.yml delete mode 100644 rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml delete mode 100644 rules/sigma/process_creation/sysmon_susp_service_modification.yml delete mode 100644 rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml delete mode 100644 rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml delete mode 100644 rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml delete mode 100644 rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml delete mode 100644 rules/sigma/process_creation/win_ad_find_discovery.yml delete mode 100644 rules/sigma/process_creation/win_anydesk_silent_install.yml delete mode 100644 rules/sigma/process_creation/win_apt_apt29_thinktanks.yml delete mode 100644 rules/sigma/process_creation/win_apt_babyshark.yml delete mode 100644 rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml delete mode 100644 rules/sigma/process_creation/win_apt_bluemashroom.yml delete mode 100644 rules/sigma/process_creation/win_apt_cloudhopper.yml delete mode 100644 rules/sigma/process_creation/win_apt_dragonfly.yml delete mode 100644 rules/sigma/process_creation/win_apt_elise.yml delete mode 100644 rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml delete mode 100644 rules/sigma/process_creation/win_apt_empiremonkey.yml delete mode 100644 rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml delete mode 100644 rules/sigma/process_creation/win_apt_evilnum_jul20.yml delete mode 100644 rules/sigma/process_creation/win_apt_greenbug_may20.yml delete mode 100644 rules/sigma/process_creation/win_apt_hafnium.yml delete mode 100644 rules/sigma/process_creation/win_apt_hurricane_panda.yml delete mode 100644 rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml delete mode 100644 rules/sigma/process_creation/win_apt_ke3chang_regadd.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_loader.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml delete mode 100644 rules/sigma/process_creation/win_apt_mustangpanda.yml delete mode 100644 rules/sigma/process_creation/win_apt_revil_kaseya.yml delete mode 100644 rules/sigma/process_creation/win_apt_sofacy.yml delete mode 100644 rules/sigma/process_creation/win_apt_ta17_293a_ps.yml delete mode 100644 rules/sigma/process_creation/win_apt_ta505_dropper.yml delete mode 100644 rules/sigma/process_creation/win_apt_taidoor.yml delete mode 100644 rules/sigma/process_creation/win_apt_tropictrooper.yml delete mode 100644 rules/sigma/process_creation/win_apt_turla_comrat_may20.yml delete mode 100644 rules/sigma/process_creation/win_apt_unc2452_cmds.yml delete mode 100644 rules/sigma/process_creation/win_apt_unc2452_ps.yml delete mode 100644 rules/sigma/process_creation/win_apt_unidentified_nov_18.yml delete mode 100644 rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml delete mode 100644 rules/sigma/process_creation/win_apt_winnti_pipemon.yml delete mode 100644 rules/sigma/process_creation/win_apt_zxshell.yml delete mode 100644 rules/sigma/process_creation/win_attrib_hiding_files.yml delete mode 100644 rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml delete mode 100644 rules/sigma/process_creation/win_bootconf_mod.yml delete mode 100644 rules/sigma/process_creation/win_bypass_squiblytwo.yml delete mode 100644 rules/sigma/process_creation/win_change_default_file_association.yml delete mode 100644 rules/sigma/process_creation/win_cl_invocation_lolscript.yml delete mode 100644 rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml delete mode 100644 rules/sigma/process_creation/win_class_exec_xwizard.yml delete mode 100644 rules/sigma/process_creation/win_cmdkey_recon.yml delete mode 100644 rules/sigma/process_creation/win_cmstp_com_object_access.yml delete mode 100644 rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml delete mode 100644 rules/sigma/process_creation/win_commandline_path_traversal.yml delete mode 100644 rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml delete mode 100644 rules/sigma/process_creation/win_control_panel_item.yml delete mode 100644 rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml delete mode 100644 rules/sigma/process_creation/win_credential_access_via_password_filter.yml delete mode 100644 rules/sigma/process_creation/win_crime_fireball.yml delete mode 100644 rules/sigma/process_creation/win_crime_maze_ransomware.yml delete mode 100644 rules/sigma/process_creation/win_crime_snatch_ransomware.yml delete mode 100644 rules/sigma/process_creation/win_crypto_mining_monero.yml delete mode 100644 rules/sigma/process_creation/win_data_compressed_with_rar.yml delete mode 100644 rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml delete mode 100644 rules/sigma/process_creation/win_dll_sideload_xwizard.yml delete mode 100644 rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml delete mode 100644 rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml delete mode 100644 rules/sigma/process_creation/win_encoded_frombase64string.yml delete mode 100644 rules/sigma/process_creation/win_encoded_iex.yml delete mode 100644 rules/sigma/process_creation/win_etw_modification_cmdline.yml delete mode 100644 rules/sigma/process_creation/win_etw_trace_evasion.yml delete mode 100644 rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2015_1641.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2017_0261.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2017_11882.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2017_8759.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2019_1378.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2019_1388.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2020_10189.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2020_1048.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2020_1350.yml delete mode 100644 rules/sigma/process_creation/win_exploit_systemnightmare.yml delete mode 100644 rules/sigma/process_creation/win_file_permission_modifications.yml delete mode 100644 rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml delete mode 100644 rules/sigma/process_creation/win_hack_adcspwn.yml delete mode 100644 rules/sigma/process_creation/win_hack_bloodhound.yml delete mode 100644 rules/sigma/process_creation/win_hack_koadic.yml delete mode 100644 rules/sigma/process_creation/win_hack_rubeus.yml delete mode 100644 rules/sigma/process_creation/win_hack_secutyxploded.yml delete mode 100644 rules/sigma/process_creation/win_hh_chm.yml delete mode 100644 rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml delete mode 100644 rules/sigma/process_creation/win_hktl_createminidump.yml delete mode 100644 rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml delete mode 100644 rules/sigma/process_creation/win_html_help_spawn.yml delete mode 100644 rules/sigma/process_creation/win_hwp_exploits.yml delete mode 100644 rules/sigma/process_creation/win_impacket_compiled_tools.yml delete mode 100644 rules/sigma/process_creation/win_impacket_lateralization.yml delete mode 100644 rules/sigma/process_creation/win_indirect_cmd.yml delete mode 100644 rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml delete mode 100644 rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml delete mode 100644 rules/sigma/process_creation/win_interactive_at.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_clip.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_var.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml delete mode 100644 rules/sigma/process_creation/win_lethalhta.yml delete mode 100644 rules/sigma/process_creation/win_local_system_owner_account_discovery.yml delete mode 100644 rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml delete mode 100644 rules/sigma/process_creation/win_lolbin_execution_via_winget.yml delete mode 100644 rules/sigma/process_creation/win_lsass_dump.yml delete mode 100644 rules/sigma/process_creation/win_mal_adwind.yml delete mode 100644 rules/sigma/process_creation/win_malware_conti.yml delete mode 100644 rules/sigma/process_creation/win_malware_conti_7zip.yml delete mode 100644 rules/sigma/process_creation/win_malware_conti_shadowcopy.yml delete mode 100644 rules/sigma/process_creation/win_malware_dridex.yml delete mode 100644 rules/sigma/process_creation/win_malware_dtrack.yml delete mode 100644 rules/sigma/process_creation/win_malware_emotet.yml delete mode 100644 rules/sigma/process_creation/win_malware_formbook.yml delete mode 100644 rules/sigma/process_creation/win_malware_notpetya.yml delete mode 100644 rules/sigma/process_creation/win_malware_qbot.yml delete mode 100644 rules/sigma/process_creation/win_malware_ryuk.yml delete mode 100644 rules/sigma/process_creation/win_malware_script_dropper.yml delete mode 100644 rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml delete mode 100644 rules/sigma/process_creation/win_malware_trickbot_wermgr.yml delete mode 100644 rules/sigma/process_creation/win_malware_wannacry.yml delete mode 100644 rules/sigma/process_creation/win_manage_bde_lolbas.yml delete mode 100644 rules/sigma/process_creation/win_mavinject_proc_inj.yml delete mode 100644 rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml delete mode 100644 rules/sigma/process_creation/win_mimikatz_command_line.yml delete mode 100644 rules/sigma/process_creation/win_mmc_spawn_shell.yml delete mode 100644 rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml delete mode 100644 rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml delete mode 100644 rules/sigma/process_creation/win_mouse_lock.yml delete mode 100644 rules/sigma/process_creation/win_mshta_javascript.yml delete mode 100644 rules/sigma/process_creation/win_mshta_spawn_shell.yml delete mode 100644 rules/sigma/process_creation/win_multiple_suspicious_cli.yml delete mode 100644 rules/sigma/process_creation/win_net_enum.yml delete mode 100644 rules/sigma/process_creation/win_net_user_add.yml delete mode 100644 rules/sigma/process_creation/win_netsh_allow_port_rdp.yml delete mode 100644 rules/sigma/process_creation/win_netsh_fw_add.yml delete mode 100644 rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml delete mode 100644 rules/sigma/process_creation/win_netsh_packet_capture.yml delete mode 100644 rules/sigma/process_creation/win_netsh_port_fwd.yml delete mode 100644 rules/sigma/process_creation/win_netsh_port_fwd_3389.yml delete mode 100644 rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml delete mode 100644 rules/sigma/process_creation/win_network_sniffing.yml delete mode 100644 rules/sigma/process_creation/win_new_service_creation.yml delete mode 100644 rules/sigma/process_creation/win_nltest_recon.yml delete mode 100644 rules/sigma/process_creation/win_non_interactive_powershell.yml delete mode 100644 rules/sigma/process_creation/win_non_priv_reg_or_ps.yml delete mode 100644 rules/sigma/process_creation/win_office_shell.yml delete mode 100644 rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml delete mode 100644 rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_zipexec.yml delete mode 100644 rules/sigma/process_creation/win_plugx_susp_exe_locations.yml delete mode 100644 rules/sigma/process_creation/win_possible_applocker_bypass.yml delete mode 100644 rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml delete mode 100644 rules/sigma/process_creation/win_powershell_amsi_bypass.yml delete mode 100644 rules/sigma/process_creation/win_powershell_audio_capture.yml delete mode 100644 rules/sigma/process_creation/win_powershell_b64_shellcode.yml delete mode 100644 rules/sigma/process_creation/win_powershell_bitsjob.yml delete mode 100644 rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml delete mode 100644 rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml delete mode 100644 rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml delete mode 100644 rules/sigma/process_creation/win_powershell_defender_exclusion.yml delete mode 100644 rules/sigma/process_creation/win_powershell_disable_windef_av.yml delete mode 100644 rules/sigma/process_creation/win_powershell_dll_execution.yml delete mode 100644 rules/sigma/process_creation/win_powershell_downgrade_attack.yml delete mode 100644 rules/sigma/process_creation/win_powershell_download.yml delete mode 100644 rules/sigma/process_creation/win_powershell_frombase64string.yml delete mode 100644 rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml delete mode 100644 rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml delete mode 100644 rules/sigma/process_creation/win_powershell_xor_commandline.yml delete mode 100644 rules/sigma/process_creation/win_powersploit_empire_schtasks.yml delete mode 100644 rules/sigma/process_creation/win_proc_wrong_parent.yml delete mode 100644 rules/sigma/process_creation/win_procdump.yml delete mode 100644 rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml delete mode 100644 rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml delete mode 100644 rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml delete mode 100644 rules/sigma/process_creation/win_psexesvc_start.yml delete mode 100644 rules/sigma/process_creation/win_purplesharp_indicators.yml delete mode 100644 rules/sigma/process_creation/win_query_registry.yml delete mode 100644 rules/sigma/process_creation/win_rasautou_dll_execution.yml delete mode 100644 rules/sigma/process_creation/win_rdp_hijack_shadowing.yml delete mode 100644 rules/sigma/process_creation/win_redmimicry_winnti_proc.yml delete mode 100644 rules/sigma/process_creation/win_reg_add_run_key.yml delete mode 100644 rules/sigma/process_creation/win_regedit_export_critical_keys.yml delete mode 100644 rules/sigma/process_creation/win_regedit_export_keys.yml delete mode 100644 rules/sigma/process_creation/win_regedit_import_keys.yml delete mode 100644 rules/sigma/process_creation/win_regedit_import_keys_ads.yml delete mode 100644 rules/sigma/process_creation/win_regini.yml delete mode 100644 rules/sigma/process_creation/win_regini_ads.yml delete mode 100644 rules/sigma/process_creation/win_remote_powershell_session_process.yml delete mode 100644 rules/sigma/process_creation/win_remote_time_discovery.yml delete mode 100644 rules/sigma/process_creation/win_renamed_binary.yml delete mode 100644 rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml delete mode 100644 rules/sigma/process_creation/win_renamed_jusched.yml delete mode 100644 rules/sigma/process_creation/win_renamed_megasync.yml delete mode 100644 rules/sigma/process_creation/win_renamed_paexec.yml delete mode 100644 rules/sigma/process_creation/win_renamed_powershell.yml delete mode 100644 rules/sigma/process_creation/win_renamed_procdump.yml delete mode 100644 rules/sigma/process_creation/win_renamed_psexec.yml delete mode 100644 rules/sigma/process_creation/win_renamed_whoami.yml delete mode 100644 rules/sigma/process_creation/win_run_powershell_script_from_ads.yml delete mode 100644 rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml delete mode 100644 rules/sigma/process_creation/win_run_virtualbox.yml delete mode 100644 rules/sigma/process_creation/win_rundll32_without_parameters.yml delete mode 100644 rules/sigma/process_creation/win_script_event_consumer_spawn.yml delete mode 100644 rules/sigma/process_creation/win_sdbinst_shim_persistence.yml delete mode 100644 rules/sigma/process_creation/win_service_execution.yml delete mode 100644 rules/sigma/process_creation/win_service_stop.yml delete mode 100644 rules/sigma/process_creation/win_shadow_copies_access_symlink.yml delete mode 100644 rules/sigma/process_creation/win_shadow_copies_creation.yml delete mode 100644 rules/sigma/process_creation/win_shadow_copies_deletion.yml delete mode 100644 rules/sigma/process_creation/win_shell_spawn_mshta.yml delete mode 100644 rules/sigma/process_creation/win_shell_spawn_susp_program.yml delete mode 100644 rules/sigma/process_creation/win_silenttrinity_stage_use.yml delete mode 100644 rules/sigma/process_creation/win_soundrec_audio_capture.yml delete mode 100644 rules/sigma/process_creation/win_spn_enum.yml delete mode 100644 rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml delete mode 100644 rules/sigma/process_creation/win_sus_auditpol_usage.yml delete mode 100644 rules/sigma/process_creation/win_susp_adfind.yml delete mode 100644 rules/sigma/process_creation/win_susp_atbroker.yml delete mode 100644 rules/sigma/process_creation/win_susp_bcdedit.yml delete mode 100644 rules/sigma/process_creation/win_susp_bginfo.yml delete mode 100644 rules/sigma/process_creation/win_susp_bitstransfer.yml delete mode 100644 rules/sigma/process_creation/win_susp_calc.yml delete mode 100644 rules/sigma/process_creation/win_susp_cdb.yml delete mode 100644 rules/sigma/process_creation/win_susp_certutil_command.yml delete mode 100644 rules/sigma/process_creation/win_susp_certutil_encode.yml delete mode 100644 rules/sigma/process_creation/win_susp_child_process_as_system_.yml delete mode 100644 rules/sigma/process_creation/win_susp_cli_escape.yml delete mode 100644 rules/sigma/process_creation/win_susp_cmd_http_appdata.yml delete mode 100644 rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_codepage_switch.yml delete mode 100644 rules/sigma/process_creation/win_susp_commands_recon_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_compression_params.yml delete mode 100644 rules/sigma/process_creation/win_susp_comsvcs_procdump.yml delete mode 100644 rules/sigma/process_creation/win_susp_conhost.yml delete mode 100644 rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml delete mode 100644 rules/sigma/process_creation/win_susp_control_dll_load.yml delete mode 100644 rules/sigma/process_creation/win_susp_copy_lateral_movement.yml delete mode 100644 rules/sigma/process_creation/win_susp_copy_system32.yml delete mode 100644 rules/sigma/process_creation/win_susp_covenant.yml delete mode 100644 rules/sigma/process_creation/win_susp_crackmapexec_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml delete mode 100644 rules/sigma/process_creation/win_susp_csc.yml delete mode 100644 rules/sigma/process_creation/win_susp_csc_folder.yml delete mode 100644 rules/sigma/process_creation/win_susp_csi.yml delete mode 100644 rules/sigma/process_creation/win_susp_curl_download.yml delete mode 100644 rules/sigma/process_creation/win_susp_curl_fileupload.yml delete mode 100644 rules/sigma/process_creation/win_susp_curl_start_combo.yml delete mode 100644 rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml delete mode 100644 rules/sigma/process_creation/win_susp_desktopimgdownldr.yml delete mode 100644 rules/sigma/process_creation/win_susp_devtoolslauncher.yml delete mode 100644 rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml delete mode 100644 rules/sigma/process_creation/win_susp_disable_eventlog.yml delete mode 100644 rules/sigma/process_creation/win_susp_disable_ie_features.yml delete mode 100644 rules/sigma/process_creation/win_susp_disable_raccine.yml delete mode 100644 rules/sigma/process_creation/win_susp_diskshadow.yml delete mode 100644 rules/sigma/process_creation/win_susp_ditsnap.yml delete mode 100644 rules/sigma/process_creation/win_susp_dnx.yml delete mode 100644 rules/sigma/process_creation/win_susp_double_extension.yml delete mode 100644 rules/sigma/process_creation/win_susp_dxcap.yml delete mode 100644 rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_eventlog_clear.yml delete mode 100644 rules/sigma/process_creation/win_susp_execution_path.yml delete mode 100644 rules/sigma/process_creation/win_susp_execution_path_webserver.yml delete mode 100644 rules/sigma/process_creation/win_susp_explorer.yml delete mode 100644 rules/sigma/process_creation/win_susp_explorer_break_proctree.yml delete mode 100644 rules/sigma/process_creation/win_susp_file_characteristics.yml delete mode 100644 rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml delete mode 100644 rules/sigma/process_creation/win_susp_findstr.yml delete mode 100644 rules/sigma/process_creation/win_susp_findstr_lnk.yml delete mode 100644 rules/sigma/process_creation/win_susp_finger_usage.yml delete mode 100644 rules/sigma/process_creation/win_susp_firewall_disable.yml delete mode 100644 rules/sigma/process_creation/win_susp_fsutil_usage.yml delete mode 100644 rules/sigma/process_creation/win_susp_ftp.yml delete mode 100644 rules/sigma/process_creation/win_susp_gup.yml delete mode 100644 rules/sigma/process_creation/win_susp_iss_module_install.yml delete mode 100644 rules/sigma/process_creation/win_susp_mounted_share_deletion.yml delete mode 100644 rules/sigma/process_creation/win_susp_mpcmdrun_download.yml delete mode 100644 rules/sigma/process_creation/win_susp_mshta_pattern.yml delete mode 100644 rules/sigma/process_creation/win_susp_msiexec_cwd.yml delete mode 100644 rules/sigma/process_creation/win_susp_msiexec_web_install.yml delete mode 100644 rules/sigma/process_creation/win_susp_msoffice.yml delete mode 100644 rules/sigma/process_creation/win_susp_net_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml delete mode 100644 rules/sigma/process_creation/win_susp_ngrok_pua.yml delete mode 100644 rules/sigma/process_creation/win_susp_ntdsutil.yml delete mode 100644 rules/sigma/process_creation/win_susp_odbcconf.yml delete mode 100644 rules/sigma/process_creation/win_susp_openwith.yml delete mode 100644 rules/sigma/process_creation/win_susp_outlook.yml delete mode 100644 rules/sigma/process_creation/win_susp_outlook_temp.yml delete mode 100644 rules/sigma/process_creation/win_susp_pcwutl.yml delete mode 100644 rules/sigma/process_creation/win_susp_pester.yml delete mode 100644 rules/sigma/process_creation/win_susp_ping_hex_ip.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_empire_launch.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_encoded_param.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_parent_combo.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_parent_process.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_sam_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_print.yml delete mode 100644 rules/sigma/process_creation/win_susp_procdump.yml delete mode 100644 rules/sigma/process_creation/win_susp_procdump_lsass.yml delete mode 100644 rules/sigma/process_creation/win_susp_ps_appdata.yml delete mode 100644 rules/sigma/process_creation/win_susp_ps_downloadfile.yml delete mode 100644 rules/sigma/process_creation/win_susp_psexec_eula.yml delete mode 100644 rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml delete mode 100644 rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml delete mode 100644 rules/sigma/process_creation/win_susp_rar_flags.yml delete mode 100644 rules/sigma/process_creation/win_susp_rasdial_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml delete mode 100644 rules/sigma/process_creation/win_susp_rclone_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_recon_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml delete mode 100644 rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml delete mode 100644 rules/sigma/process_creation/win_susp_register_cimprovider.yml delete mode 100644 rules/sigma/process_creation/win_susp_registration_via_cscript.yml delete mode 100644 rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml delete mode 100644 rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml delete mode 100644 rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml delete mode 100644 rules/sigma/process_creation/win_susp_renamed_dctask64.yml delete mode 100644 rules/sigma/process_creation/win_susp_renamed_debugview.yml delete mode 100644 rules/sigma/process_creation/win_susp_renamed_paexec.yml delete mode 100644 rules/sigma/process_creation/win_susp_rpcping.yml delete mode 100644 rules/sigma/process_creation/win_susp_run_locations.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_no_params.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_sys.yml delete mode 100644 rules/sigma/process_creation/win_susp_runonce_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_runscripthelper.yml delete mode 100644 rules/sigma/process_creation/win_susp_schtask_creation.yml delete mode 100644 rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml delete mode 100644 rules/sigma/process_creation/win_susp_screenconnect_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_screensaver_reg.yml delete mode 100644 rules/sigma/process_creation/win_susp_script_exec_from_temp.yml delete mode 100644 rules/sigma/process_creation/win_susp_script_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_service_dacl_modification.yml delete mode 100644 rules/sigma/process_creation/win_susp_service_dir.yml delete mode 100644 rules/sigma/process_creation/win_susp_service_path_modification.yml delete mode 100644 rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml delete mode 100644 rules/sigma/process_creation/win_susp_servu_process_pattern.yml delete mode 100644 rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml delete mode 100644 rules/sigma/process_creation/win_susp_shimcache_flush.yml delete mode 100644 rules/sigma/process_creation/win_susp_splwow64.yml delete mode 100644 rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml delete mode 100644 rules/sigma/process_creation/win_susp_sqldumper_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_squirrel_lolbin.yml delete mode 100644 rules/sigma/process_creation/win_susp_svchost.yml delete mode 100644 rules/sigma/process_creation/win_susp_svchost_no_cli.yml delete mode 100644 rules/sigma/process_creation/win_susp_sysprep_appdata.yml delete mode 100644 rules/sigma/process_creation/win_susp_sysvol_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml delete mode 100644 rules/sigma/process_creation/win_susp_taskmgr_parent.yml delete mode 100644 rules/sigma/process_creation/win_susp_tracker_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_tscon_localsystem.yml delete mode 100644 rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml delete mode 100644 rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_csharp_console.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_te_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_userinit_child.yml delete mode 100644 rules/sigma/process_creation/win_susp_vboxdrvinst.yml delete mode 100644 rules/sigma/process_creation/win_susp_vbscript_unc2452.yml delete mode 100644 rules/sigma/process_creation/win_susp_volsnap_disable.yml delete mode 100644 rules/sigma/process_creation/win_susp_whoami.yml delete mode 100644 rules/sigma/process_creation/win_susp_whoami_anomaly.yml delete mode 100644 rules/sigma/process_creation/win_susp_winrar_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml delete mode 100644 rules/sigma/process_creation/win_susp_winrm_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmi_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml delete mode 100644 rules/sigma/process_creation/win_susp_workfolders.yml delete mode 100644 rules/sigma/process_creation/win_susp_wsl_lolbin.yml delete mode 100644 rules/sigma/process_creation/win_susp_wuauclt.yml delete mode 100644 rules/sigma/process_creation/win_sysmon_driver_unload.yml delete mode 100644 rules/sigma/process_creation/win_system_exe_anomaly.yml delete mode 100644 rules/sigma/process_creation/win_tap_installer_execution.yml delete mode 100644 rules/sigma/process_creation/win_task_folder_evasion.yml delete mode 100644 rules/sigma/process_creation/win_termserv_proc_spawn.yml delete mode 100644 rules/sigma/process_creation/win_tools_relay_attacks.yml delete mode 100644 rules/sigma/process_creation/win_trust_discovery.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_dismhost.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_ieinstal.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_winsat.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_wmp.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_wsreset.yml delete mode 100644 rules/sigma/process_creation/win_uac_cmstp.yml delete mode 100644 rules/sigma/process_creation/win_uac_fodhelper.yml delete mode 100644 rules/sigma/process_creation/win_uac_wsreset.yml delete mode 100644 rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml delete mode 100644 rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml delete mode 100644 rules/sigma/process_creation/win_verclsid_runs_com.yml delete mode 100644 rules/sigma/process_creation/win_visual_basic_compiler.yml delete mode 100644 rules/sigma/process_creation/win_vul_java_remote_debugging.yml delete mode 100644 rules/sigma/process_creation/win_webshell_detection.yml delete mode 100644 rules/sigma/process_creation/win_webshell_recon_detection.yml delete mode 100644 rules/sigma/process_creation/win_webshell_spawn.yml delete mode 100644 rules/sigma/process_creation/win_whoami_as_system.yml delete mode 100644 rules/sigma/process_creation/win_whoami_priv.yml delete mode 100644 rules/sigma/process_creation/win_win10_sched_task_0day.yml delete mode 100644 rules/sigma/process_creation/win_winword_dll_load.yml delete mode 100644 rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml delete mode 100644 rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml delete mode 100644 rules/sigma/process_creation/win_wmi_spwns_powershell.yml delete mode 100644 rules/sigma/process_creation/win_wmiprvse_spawning_process.yml delete mode 100644 rules/sigma/process_creation/win_workflow_compiler.yml delete mode 100644 rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml delete mode 100644 rules/sigma/process_creation/win_wsreset_uac_bypass.yml delete mode 100644 rules/sigma/process_creation/win_xsl_script_processing.yml delete mode 100644 rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml delete mode 100644 rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml delete mode 100644 rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml delete mode 100644 rules/sigma/registry_event/registry_event_apt_pandemic.yml delete mode 100644 rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml delete mode 100644 rules/sigma/registry_event/registry_event_defender_disabled.yml delete mode 100644 rules/sigma/registry_event/registry_event_defender_exclusions.yml delete mode 100644 rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml delete mode 100644 rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml delete mode 100644 rules/sigma/registry_event/registry_event_mal_adwind.yml delete mode 100644 rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml delete mode 100644 rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml delete mode 100644 rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml delete mode 100644 rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml delete mode 100644 rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml delete mode 100644 rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml delete mode 100644 rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml delete mode 100644 rules/sigma/registry_event/sysmon_apt_leviathan.yml delete mode 100644 rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml delete mode 100644 rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml delete mode 100644 rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml delete mode 100644 rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml delete mode 100644 rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml delete mode 100644 rules/sigma/registry_event/sysmon_comhijack_sdclt.yml delete mode 100644 rules/sigma/registry_event/sysmon_cve_2020_1048.yml delete mode 100644 rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml delete mode 100644 rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml delete mode 100644 rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml delete mode 100644 rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml delete mode 100644 rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml delete mode 100644 rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml delete mode 100644 rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml delete mode 100644 rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml delete mode 100644 rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml delete mode 100644 rules/sigma/registry_event/sysmon_etw_disabled.yml delete mode 100644 rules/sigma/registry_event/sysmon_hack_wce_reg.yml delete mode 100644 rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml delete mode 100644 rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml delete mode 100644 rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml delete mode 100644 rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml delete mode 100644 rules/sigma/registry_event/sysmon_new_application_appcompat.yml delete mode 100644 rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_office_test_regadd.yml delete mode 100644 rules/sigma/registry_event/sysmon_office_vsto_persistence.yml delete mode 100644 rules/sigma/registry_event/sysmon_powershell_as_service.yml delete mode 100644 rules/sigma/registry_event/sysmon_rdp_registry_modification.yml delete mode 100644 rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml delete mode 100644 rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_office_security.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml delete mode 100644 rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_runkey_winekey.yml delete mode 100644 rules/sigma/registry_event/sysmon_runonce_persistence.yml delete mode 100644 rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_atbroker_change.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_download_run_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_service_installed.yml delete mode 100644 rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml delete mode 100644 rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml delete mode 100644 rules/sigma/registry_event/sysmon_taskcache_entry.yml delete mode 100644 rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml delete mode 100644 rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml delete mode 100644 rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml delete mode 100644 rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml delete mode 100644 rules/sigma/registry_event/sysmon_win_reg_persistence.yml delete mode 100644 rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml delete mode 100644 rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml delete mode 100644 rules/sigma/registry_event/win_outlook_c2_registry_key.yml delete mode 100644 rules/sigma/registry_event/win_outlook_registry_todaypage.yml delete mode 100644 rules/sigma/registry_event/win_outlook_registry_webview.yml delete mode 100644 rules/sigma/registry_event/win_portproxy_registry_key.yml delete mode 100644 rules/sigma/registry_event/win_registry_file_association_exefile.yml delete mode 100644 rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml delete mode 100644 rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml delete mode 100644 rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml delete mode 100644 rules/sigma/sysmon/sysmon_config_modification_error.yml delete mode 100644 rules/sigma/sysmon/sysmon_config_modification_status.yml delete mode 100644 rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml delete mode 100644 rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml delete mode 100644 rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml delete mode 100644 rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..b43020e1 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "rules"] + path = rules + url = git@github.com:Yamato-Security/hayabusa-rules.git diff --git a/rules b/rules new file mode 160000 index 00000000..631db512 --- /dev/null +++ b/rules @@ -0,0 +1 @@ +Subproject commit 631db51204d801fa75bfef48c31c389929fbb9be diff --git a/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml b/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml deleted file mode 100644 index ec1f5fd6..00000000 --- a/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Yusuke Matsui, Yamato Security -date: 2020/11/08 -modified: 2021/11/22 - -title: Powershell 2.0 Downgrade Attack -title_jp: Powershell 2.0へのダウングレード攻撃 -output: 'Powershell 2.0 downgrade attack detected!' -output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!' -description: An attacker may have started Powershell 2.0 to evade detection. -description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。 - -id: bc082394-73e6-4d00-a9af-e7b524ef5085 -level: medium -status: test -detection: - selection: - Channel: Microsoft-Windows-PowerShell/Operational - EventID: 400 - EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*' -falsepositives: - - legacy application -tags: - - attack.defense_evasion - - attack.t1562.010 - - lolbas -references: - - https://attack.mitre.org/techniques/T1562/010/ - - https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/ -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml b/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml deleted file mode 100644 index d206de9a..00000000 --- a/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml +++ /dev/null @@ -1,28 +0,0 @@ -author: Eric Conrad, Yamato Security -date: 2020/11/08 -modified: 2021/11/25 - -title: Security log was cleared -title_jp: セキュリティログがクリアされた -output: "User: %LogFileClearedSubjectUserName%" -output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" -description: Somebody has cleared the Security event log. -description_jp: 誰かがセキュリティログをクリアした。 - -id: c2f690ac-53f8-4745-8cfe-7127dda28c74 -level: high -status: stable -detection: - selection: - Channel: Security - EventID: 1102 - condition: selection -falsepositives: - - system administrator -tags: - - attack.defense_evasion - - attack.t1070.001 -references: - - https://attack.mitre.org/techniques/T1070/001/ -sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml deleted file mode 100644 index 171c3387..00000000 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml +++ /dev/null @@ -1,28 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Failure - Unknown Reason -title_jp: ログオンに失敗 - 不明な理由 -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' -description: Prints logon information. -description_jp: Prints logon information. - -id: a85096da-be85-48d7-8ad5-2f957cd74daa -level: low -status: stable -detection: - selection: - Channel: Security - EventID: 4625 - filter: - - SubStatus: "0xc0000064" - - SubStatus: "0xc000006a" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml deleted file mode 100644 index a48aedf8..00000000 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Failure - Wrong Password -title_jp: ログオンに失敗 - パスワードが間違っている -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' -description: Prints logon information. -description_jp: Prints logon information. - -id: e87bd730-df45-4ae9-85de-6c75369c5d29 -level: low -status: stable -detection: - selection: - Channel: Security - EventID: 4625 - SubStatus: "0xc000006a" -falsepositives: - - normal system usage -tags: -references: -sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml deleted file mode 100644 index d31e06c0..00000000 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Failure - Username does not exist -title_jp: ログオンに失敗 - ユーザ名は存在しない -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 8afa97ce-a217-4f7c-aced-3e320a57756d -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4625 - SubStatus: "0xc0000064" -falsepositives: - - normal system usage -tags: -references: -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml b/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml deleted file mode 100644 index 01c79f75..00000000 --- a/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml +++ /dev/null @@ -1,48 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Unknown process used a high privilege -title_jp: 不明なプロセスが高い権限を使った -output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%' -output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%' -description: | - Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. - For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) - Disk wipers like bcwipe will also generate this. - More legitimate filepaths may have to be added to the filter. - This is marked as a medium alert as there is a high possibility for false positives. -description_jp: - -id: 5b6e58ee-c231-4a54-9eee-af2577802e08 -level: medium -status: stable -detection: - selection: - Channel: Security - EventID: 4673 - filter: - - ProcessName: C:\Windows\System32\net.exe - - ProcessName: C:\Windows\System32\lsass.exe - - ProcessName: C:\Windows\System32\audiodg.exe - - ProcessName: C:\Windows\System32\svchost.exe - - ProcessName: C:\Windows\System32\mmc.exe - - ProcessName: C:\Windows\System32\net.exe - - ProcessName: C:\Windows\explorer.exe - - ProcessName: C:\Windows\System32\SettingSyncHost.exe - - ProcessName: C:\Windows\System32\sdiagnhost.exe - - ProcessName|startswith: C:\Program Files - - SubjectUserName: LOCAL SERVICE - condition: selection and not filter -falsepositives: - - normal system usage -tags: - - attack.credential_access - - attack.t1003.001 - - attack.t1561 - - attack.impact -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673 - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 -sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml deleted file mode 100644 index ff4d1519..00000000 --- a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml +++ /dev/null @@ -1,28 +0,0 @@ -author: Eric Conrad, Yamato Security -creation_date: 2020/11/08 -uodated_date: 2021/11/26 - -title: Hidden user account created! (Possible Backdoor) -title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり) -output: 'User: %TargetUserName% : SID:%TargetSid%' -output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%' -description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden. -description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden. - -id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a -level: high -status: stable -detection: - selection: - Channel: Security - EventID: 4720 - TargetUserName|endswith: "$" -falsepositives: - - domain controller -tags: - - attack.persistence - - attack.11136.001 -references: - - https://attack.mitre.org/techniques/T1136/001/ -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml deleted file mode 100644 index 1bafa9d0..00000000 --- a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Eric Conrad, Yamato Security -creation_date: 2020/11/08 -uodated_date: 2021/11/26 - -title: Local user account created -title_jp: ローカルユーザアカウントが作成された -output: 'User: %TargetUserName% : SID:%TargetSid%' -output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%' -description: A local user account was created. -description_jp: ローカルユーザアカウントが作成された. - -id: 13edce80-2b02-4469-8de4-a3e37271dcdb -level: medium -status: stable -detection: - selection: - Channel: Security - EventID: 4720 - filter: - TargetUserName|endswith: "$" - condition: selection and not filter -falsepositives: - - system administrator -tags: - - attack.persistence - - attack.11136.001 -references: - - https://attack.mitre.org/techniques/T1136/001/ -sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml deleted file mode 100644 index 6302e534..00000000 --- a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml +++ /dev/null @@ -1,31 +0,0 @@ -author: Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/26 - -title: User added to the global Domain Admins group -title_jp: ユーザがグローバルドメイン管理者グループに追加された -output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%' -output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%' -description: A user was added to the Domain Admins group. -description_jp: ユーザがドメイン管理者グループに追加された。 - -id: 4bb89c86-a138-42a0-baaf-fc2f777a4506 -level: high -status: stable -detection: - selection: - Channel: Security - EventID: 4728 - TargetUserName: Domain Admins - filter: - SubjectUserName|endswith: $ - condition: selection and not filter -falsepositives: - - system administrator -tags: - - attack.persistence - - attack.t1098 -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml deleted file mode 100644 index 5cc4fcbc..00000000 --- a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Eric Conrad, Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/22 - -title: User added to global security group -title_jp: ユーザがグローバルセキュリティグループに追加された -output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%' -output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%' -description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action. -description_jp: ユーザがグローバルのセキュリティグループに追加された。 - -id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b -level: medium -status: stable -detection: - selection: - Channel: Security - EventID: 4728 - filter: - SubjectUserName|endswith: $ - condition: selection and not filter -falsepositives: - - system administrator -tags: - - attack.persistence - - attack.t1098 -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml deleted file mode 100644 index ab188cfa..00000000 --- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Eric Conrad, Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/26 - -title: User added to local Administrators group -title_jp: ユーザがローカル管理者グループに追加された -output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' -description: A user was added to the local Administrators group. -description_jp: ユーザがローカル管理者グループに追加された。 - -id: 611e2e76-a28f-4255-812c-eb8836b2f5bb -level: high -status: stable -detection: - selection: - Channel: Security - EventID: 4732 - TargetUserName: Administrators - condition: selection -falsepositives: - - system administrator -tags: - - attack.persistence - - attack.t1098 -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml deleted file mode 100644 index 2112fa3c..00000000 --- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/26 - -title: User added to local Domain Admins group -title_jp: ユーザがローカルドメイン管理者グループに追加された -output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' -description: A user was added to the local Domain Admins group. -description_jp: ユーザがドメイン管理者グループに追加された。 - -id: bc58e432-959f-464d-812e-d60ce5d46fa1 -level: high -status: stable -detection: - selection: - Channel: Security - EventID: 4728 - TargetUserName: Domain Admins - condition: selection -falsepositives: - - system administrator -tags: - - attack.persistence - - attack.t1098 -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml deleted file mode 100644 index b925c4b8..00000000 --- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml +++ /dev/null @@ -1,32 +0,0 @@ -author: Eric Conrad, Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/26 - -title: User added to local security group -title_jp: ユーザがローカルセキュリティグループに追加された -output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' -description: A user was added to a security-enabled local group. -description_jp: ユーザがローカルセキュリティグループに追加された。 - -id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0 -level: low -status: stable -detection: - selection: - Channel: Security - EventID: 4728 - filter: - - TargetUserName: Administrators - - TargetUserName: None - - TargetUserName: Domain Admins - condition: selection and not filter -falsepositives: - - system administrator -tags: - - attack.persistence - - attack.t1098 -references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml deleted file mode 100644 index c263438e..00000000 --- a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Yusuke Matsui, Yamato Security -creation_date: 2020/11/08 -updated_date: 2021/11/26 - -title: Possible AS-REP Roasting -title_jp: AS-REPロースティングの可能性 -output: 'Possible AS-REP Roasting' -output_jp: 'AS-REPロースティングのリスクがある' -description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. -description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. - -id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a -level: medium -status: test -detection: - selection: - Channel: Security - EventID: 4768 - TicketEncryptionType: '0x17' #RC4-HMAC - PreAuthType: 0 #Logon without pre-authentication - condition: selection -falsepositives: - - legacy application -tags: - - attack.credential_access - - attack.t1558.004 -references: - - https://attack.mitre.org/techniques/T1558/004/ -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml deleted file mode 100644 index 3ea40566..00000000 --- a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Yusuke Matsui, Yamato Security -creation_date: 2020/11/08 -updated_date: 2021/11/22 - -title: Kerberoasting -title_jp: Kerberoast攻撃 -output: 'Possible Kerberoasting Risk Activity.' -output_jp: 'Kerberoast攻撃のリスクがある' -description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. -description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. - -id: f19849e7-b5ba-404b-a731-9b624d7f6d19 -level: medium -status: test -detection: - selection: - Channel: Security - EventID: 4768 - TicketEncryptionType: '0x17' #RC4-HMAC - PreAuthType: 2 #Standard password authentication - condition: selection -falsepositives: - - legacy application -tags: - - attack.credential_access - - attack.t1558.003 -references: - - https://attack.mitre.org/techniques/T1558/003/ -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml deleted file mode 100644 index d76fd058..00000000 --- a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml +++ /dev/null @@ -1,27 +0,0 @@ -author: Eric Conrad, Yamato Security -date: 2020/11/08 -modified: 2021/11/25 - -title: System log file was cleared -title_jp: システムログがクリアされた -output: "User: %LogFileClearedSubjectUserName%" -output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" -description: Somebody has cleared the System event log. -description_jp: 誰かがシステムログをクリアした。 - -id: f481a1f3-969e-4187-b3a5-b47c272bfebd -level: high -status: stable -detection: - selection: - Channel: System - EventID: 104 - condition: selection -falsepositives: - - system administrator -tags: - - attack.defense_evasion - - attack.t1070.001 -references: - - https://attack.mitre.org/techniques/T1070/001/ -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml b/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml deleted file mode 100644 index 03ee4e3e..00000000 --- a/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml +++ /dev/null @@ -1,27 +0,0 @@ -author: Eric Conrad, Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/22 - -title: Event log service startup type changed to disabled -title_jp: イベントログサービスのスタートアップの種類が無効に変更された -output: 'Old setting: %param2% : New setting: %param3%' -output: '設定前: %param2% : 設定後: %param3%' - -id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5 -level: medium -status: test -detection: - selection: - Channel: System - EventID: 7040 - param1: 'Windows Event Log' - param3: "disabled" - condition: selection -falsepositives: - - system administrator -tags: - - attack.defense_evasion - - attack.t1562.002 -references: - - https://attack.mitre.org/techniques/T1562/002/ -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml deleted file mode 100644 index 4dbbdbd5..00000000 --- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml +++ /dev/null @@ -1,32 +0,0 @@ -author: Eric Conrad, Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/23 - -title: Malicious service installed -title_jp: 悪意のあるサービスがインストールされた -output: 'Service: %ServiceName% : Image path: %ImagePath' -output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath' -description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt -description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt - -id: dbbfd9f3-9508-478b-887e-03ddb9236909 -level: high -status: test -detection: - selection: - Channel: System - EventID: 7045 - ServiceName: - regexes: ./config/regex/detectlist_suspicous_services.txt - ImagePath: - min_length: 1000 - allowlist: ./config/regex/allowlist_legitimate_services.txt - condition: selection -falsepositives: - - normal system usage -tags: - - attack.persistence - - attack.t1543.003 -references: - - https://attack.mitre.org/techniques/T1543/003/ -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml deleted file mode 100644 index 247f8113..00000000 --- a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Yamato Security -date: 2020/11/08 -modified: 2021/11/22 - -title: Bits Job Creation -title_jp: Bits Jobの作成 -output: 'Job Title: %JobTitle% : URL: %Url%' -output_jp: 'Job名: %JobTitle% : URL: %Url%' -description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. -description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. - -id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004 -level: informational -status: stable -detection: - selection: - Channel: Microsoft-Windows-Bits-Client/Operational - EventID: 59 - condition: selection -falsepositives: - - normal system usage -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1197 - - lolbas -references: - - https://attack.mitre.org/techniques/T1197/ - - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml deleted file mode 100644 index 3ff9d7e4..00000000 --- a/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Eric Conrad, Yamato Security -date: 2020/11/08 -modified: 2021/11/22 - -title: PowerShell Execution Pipeline -title_jp: PowerShellパイプライン実行 -output: 'Command: %CommandLine%' -output_jp: 'コマンド: %CommandLine%' -description: Displays powershell execution -description_jp: Powershellの実行を出力する。 - -id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031 -level: informational -status: stable -detection: - selection: - Channel: Microsoft-Windows-PowerShell/Operational - EventID: 4103 - ContextInfo: - - Host Application - - ホスト アプリケーション - condition: selection -falsepositives: - - normal system usage -tags: - - attack.defense_evasion - - attack.t1059.001 - - lolbas -references: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml deleted file mode 100644 index fac3f62b..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 0 - System -title_jp: ログオンタイプ 0 - System -output: 'Bootup' -output_jp: 'システム起動' -description: Prints logon information -description_jp: Prints logon information - -id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 0 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml deleted file mode 100644 index 334c86e1..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 10 - RDP (Remote Interactive) -title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ) -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information. -description_jp: Prints logon information. - -id: a4e05f05-ff88-48b9-8524-a88c1c32fe19 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 10 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml deleted file mode 100644 index 23b6a503..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 11 - CachedInteractive -title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information. -description_jp: Prints logon information. - -id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 11 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml deleted file mode 100644 index 0b4aa4a8..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 12 - CachedRemoteInteractive -title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information. -description_jp: Prints logon information. - -id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 12 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml deleted file mode 100644 index 06d7a123..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 13 - CachedUnlock -title_jp: ログオンタイプ 13 - キャッシュされたアンロック -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information. -description_jp: Prints logon information. - -id: e50e3952-06d9-44a8-ab07-7a41c9801d78 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 13 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml deleted file mode 100644 index f555d9e9..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 2 - Interactive -title_jp: ログオンタイプ 2 - インタラクティブ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information -description_jp: Prints logon information - -id: 7beb4832-f357-47a4-afd8-803d69a5c85c -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 2 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml deleted file mode 100644 index 6612ee6f..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 3 - Network -title_jp: ログオンタイプ 3 - ネットワーク -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' -description: Prints logon information -description_jp: Prints logon information - -id: c7b22878-e5d8-4c30-b245-e51fd354359e -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 3 - filter: - - IpAddress: "-" - - IpAddress: "127.0.0.1" - - IpAddress: "::1" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml deleted file mode 100644 index e5cc2622..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 4 - Batch -title_jp: ログオンタイプ 4 - バッチ -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' -description: Prints logon information -description_jp: Prints logon information - -id: 8ad8b25f-6052-4cfd-9a50-717cb514af13 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 4 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml deleted file mode 100644 index e0120d5d..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 5 - Service -title_jp: ログオンタイプ 5 - サービス -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' -description: Prints logon information -description_jp: Prints logon information - -id: 408e1304-51d7-4d3e-ab31-afd07192400b -level: low -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 5 - filter: - - TargetUserName: "SYSTEM" - - TargetUserName: "NETWORK SERVICE" - - TargetUserName: "LOCAL SERVICE" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml deleted file mode 100644 index df6a2716..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 7 - Unlock -title_jp: ログオンタイプ 7 - アンロック -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' -description: Prints logon information -description_jp: Prints logon information - -id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 7 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml deleted file mode 100644 index 2070d324..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 8 - NetworkCleartext -title_jp: ログオンタイプ 8 - ネットワーク平文 -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' -description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication. -description_jp: Prints logon information - -id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 8 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml deleted file mode 100644 index 5148ef63..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 9 - NewCredentials -title_jp: ログオンタイプ 9 - 新しい資格情報 -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information. -description_jp: Prints logon information. - -id: d80facaa-ca97-47bb-aed2-66362416eb49 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 9 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4634_Logoff.yml b/rules/hayabusa/events/Security/Logons/4634_Logoff.yml deleted file mode 100644 index e7fafe50..00000000 --- a/rules/hayabusa/events/Security/Logons/4634_Logoff.yml +++ /dev/null @@ -1,27 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logoff -title_jp: ログオフ -output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4634 - filter: - TargetUserName|endswith: "$" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml deleted file mode 100644 index 34b7a268..00000000 --- a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logoff - User Initiated -title_jp: ログオフ - ユーザが行った -output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 6bad16f1-02c4-4075-b414-3cd16944bc65 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4647 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml deleted file mode 100644 index c3c9346f..00000000 --- a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Admin Logon -title_jp: 管理者ログオン -output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%' -output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%' -description: Prints logon information. -description_jp: Prints logon information. - -id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4672 - filter: - - SubjectUserName: "SYSTEM" - - SubjectUserName: "LOCAL SERVICE" - - SubjectUserName: "NETWORK SERVICE" - - SubjectUserName|endswith: "$" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml deleted file mode 100644 index 20a61d27..00000000 --- a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Kerberos TGT was requested -title_jp: Kerberos TGTが要求された -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%' -output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%' -description: Prints logon information. -description_jp: Prints logon information. - -id: d9f336ea-bb16-4a35-8a9c-183216b8d59c -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4768 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml b/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml deleted file mode 100644 index 87e7a13c..00000000 --- a/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Kerberos Service Ticket Requested -title_jp: Kerberosサービスチケットが要求された -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%' -description: Prints logon information. -description_jp: Prints logon information. - -id: da6257f3-cf49-464a-96fc-c84a7ce20636 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4769 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml deleted file mode 100644 index 2ca207a7..00000000 --- a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: NTLM Logon to Local Account -title_jp: ローカルアカウントへのNTLMログオン -output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 4fbe94b0-577a-4f77-9b13-250e27d440fa -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4776 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml b/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml deleted file mode 100644 index 4e0d4f88..00000000 --- a/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Connection to wireless access point -title_jp: ローカルアカウントへのNTLMログオン -output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%' -output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%' -description: Prints connection info to wireless access points. -description_jp: Prints connection info to wireless access points. - -id: 90dd0797-f481-453d-a97e-dd78436893f9 -level: informational -status: stable -detection: - selection: - Channel: Microsoft-Windows-WLAN-AutoConfig - EventID: 8001 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml deleted file mode 100644 index f95c5efa..00000000 --- a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Azure AD Health Monitoring Agent Registry Keys Access -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC -date: 2021/08/26 -description: | - This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. - This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - ObjectType: Key - SELECTION_4: - ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent - SELECTION_5: - ProcessName: - - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*' - - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*' - - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*' - - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*' - - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*' - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Unknown -id: ff151c33-45fa-475d-af4f-c2f93571f4fe -level: medium -logsource: - product: windows - service: security -references: -- https://o365blog.com/post/hybridhealthagent/ -- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml -status: experimental -tags: -- attack.discovery -- attack.t1012 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml deleted file mode 100644 index 21db7456..00000000 --- a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Azure AD Health Service Agents Registry Keys Access -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC -date: 2021/08/26 -description: | - This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). - Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). - This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. - Make sure you set the SACL to propagate to its sub-keys. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - ObjectType: Key - SELECTION_4: - ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent - SELECTION_5: - ProcessName: - - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*' - - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*' - - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*' - - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*' - - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*' - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Unknown -id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8 -level: medium -logsource: - product: windows - service: security -references: -- https://o365blog.com/post/hybridhealthagent/ -- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml -status: experimental -tags: -- attack.discovery -- attack.t1012 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml deleted file mode 100644 index 68bea3d8..00000000 --- a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Powerview Add-DomainObjectAcl DCSync AD Extend Right -author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community -date: 2019/04/03 -description: backdooring domain object to grant the rights associated with DCSync - to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync - Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer -detection: - SELECTION_1: - EventID: 5136 - SELECTION_2: - AttributeLDAPDisplayName: ntSecurityDescriptor - SELECTION_3: - AttributeValue: - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' - - '*89e95b76-444d-4c62-991a-0facbeda640c*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- New Domain Controller computer account, check user SIDs within the value attribute - of event 5136 and verify if it's a regular user or DC computer account. -id: 2c99737c-585d-4431-b61a-c911d86ff32f -level: critical -logsource: - product: windows - service: security -modified: 2021/07/09 -references: -- https://twitter.com/menasec1/status/1111556090137903104 -- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf -status: experimental -tags: -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_discovery.yml b/rules/sigma/builtin/win_account_discovery.yml deleted file mode 100644 index 05caa275..00000000 --- a/rules/sigma/builtin/win_account_discovery.yml +++ /dev/null @@ -1,44 +0,0 @@ - -title: AD Privileged Users or Groups Reconnaissance -author: Samir Bousseaden -date: 2019/04/03 -description: Detect priv users or groups recon based on 4661 eventid and known privileged - users or groups SIDs -detection: - SELECTION_1: - EventID: 4661 - SELECTION_2: - ObjectType: - - SAM_USER - - SAM_GROUP - SELECTION_3: - ObjectName: - - '*-512' - - '*-502' - - '*-500' - - '*-505' - - '*-519' - - '*-520' - - '*-544' - - '*-551' - - '*-555' - SELECTION_4: - ObjectName: '*admin*' - condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4)) -falsepositives: -- if source account name is not an admin then its super suspicious -id: 35ba1d85-724d-42a3-889f-2e2362bcaf23 -level: high -logsource: - definition: 'Requirements: enable Object Access SAM on your Domain Controllers' - product: windows - service: security -modified: 2021/09/08 -references: -- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_object_writedac_access.yml b/rules/sigma/builtin/win_ad_object_writedac_access.yml deleted file mode 100644 index 15733227..00000000 --- a/rules/sigma/builtin/win_ad_object_writedac_access.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: AD Object WriteDAC Access -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/09/12 -description: Detects WRITE_DAC access to a domain object -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - ObjectServer: DS - SELECTION_3: - AccessMask: '0x40000' - SELECTION_4: - ObjectType: - - 19195a5b-6da0-11d0-afd3-00c04fd930c9 - - domainDNS - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 028c7842-4243-41cd-be6f-12f3cf1a26c7 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html -status: experimental -tags: -- attack.defense_evasion -- attack.t1222 -- attack.t1222.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml deleted file mode 100644 index 5bd9e091..00000000 --- a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Active Directory Replication from Non Machine Account -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/07/26 -description: Detects potential abuse of Active Directory Replication Service (ADRS) - from a non machine account to request credentials. -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - AccessMask: '0x100' - SELECTION_3: - Properties: - - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - - '*89e95b76-444d-4c62-991a-0facbeda640c*' - SELECTION_4: - SubjectUserName: '*$' - SELECTION_5: - SubjectUserName: MSOL_* - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4 - or SELECTION_5)) -falsepositives: -- Unknown -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -id: 17d619c1-e020-4347-957e-1d1207455c93 -level: critical -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_user_enumeration.yml b/rules/sigma/builtin/win_ad_user_enumeration.yml deleted file mode 100644 index d0b4ef44..00000000 --- a/rules/sigma/builtin/win_ad_user_enumeration.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: AD User Enumeration -author: Maxime Thiebaut (@0xThiebaut) -date: 2020/03/30 -description: Detects access to a domain user from a non-machine account -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*' - SELECTION_3: - SubjectUserName: '*$' - SELECTION_4: - SubjectUserName: MSOL_* - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4)) -falsepositives: -- Administrators configuring new users. -id: ab6bffca-beff-4baa-af11-6733f296d57a -level: medium -logsource: - definition: Requires the "Read all properties" permission on the user object to - be audited for the "Everyone" principal - product: windows - service: security -modified: 2021/08/09 -references: -- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf -- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html -- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml deleted file mode 100644 index 8dca1652..00000000 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: ADCS Certificate Template Configuration Vulnerability -author: Orlinum , BlueDefenZer -date: 2021/11/17 -description: Detects certificate creation with template allowing risk permission subject -detection: - SELECTION_1: - EventID: 4898 - SELECTION_2: - TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - SELECTION_3: - EventID: 4899 - SELECTION_4: - NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) -falsepositives: -- Administrator activity -- Penetration tests -- Proxy SSL certificate with subject modification -- Smart card enrollement -id: 5ee3a654-372f-11ec-8d3d-0242ac130003 -level: low -logsource: - definition: Certificate services loaded a template would trigger event ID 4898 and - certificate Services template was updated would trigger event ID 4899. A risk - permission seems to be comming if template contain specific flag. - product: windows - service: security -references: -- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf -status: experimental -tags: -- attack.privilege_escalation -- attack.credential_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml deleted file mode 100644 index 13145824..00000000 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml +++ /dev/null @@ -1,49 +0,0 @@ - -title: ADCS Certificate Template Configuration Vulnerability with Risky EKU -author: Orlinum , BlueDefenZer -date: 2021/11/17 -description: Detects certificate creation with template allowing risk permission subject - and risky EKU -detection: - SELECTION_1: - EventID: 4898 - SELECTION_2: - TemplateContent: - - '*1.3.6.1.5.5.7.3.2*' - - '*1.3.6.1.5.2.3.4*' - - '*1.3.6.1.4.1.311.20.2.2*' - - '*2.5.29.37.0*' - SELECTION_3: - TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - SELECTION_4: - EventID: 4899 - SELECTION_5: - NewTemplateContent: - - '*1.3.6.1.5.5.7.3.2*' - - '*1.3.6.1.5.2.3.4*' - - '*1.3.6.1.4.1.311.20.2.2*' - - '*2.5.29.37.0*' - SELECTION_6: - NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5 - and SELECTION_6)) -falsepositives: -- Administrator activity -- Penetration tests -- Proxy SSL certificate with subject modification -- Smart card enrollement -id: bfbd3291-de87-4b7c-88a2-d6a5deb28668 -level: high -logsource: - definition: Certificate services loaded a template would trigger event ID 4898 and - certificate Services template was updated would trigger event ID 4899. A risk - permission seems to be comming if template contain specific flag with risky EKU. - product: windows - service: security -references: -- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf -status: experimental -tags: -- attack.privilege_escalation -- attack.credential_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_rdp_login.yml b/rules/sigma/builtin/win_admin_rdp_login.yml deleted file mode 100644 index 9bfb6c01..00000000 --- a/rules/sigma/builtin/win_admin_rdp_login.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: Admin User Remote Logon -author: juju4 -date: 2017/10/29 -description: Detect remote login by Administrator user (depending on internal pattern). -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 10 - SELECTION_3: - AuthenticationPackageName: Negotiate - SELECTION_4: - TargetUserName: Admin* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Legitimate administrative activity. -id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a -level: low -logsource: - definition: 'Requirements: Identifiable administrators usernames (pattern or special - unique character. ex: "Admin-*"), internal policy mandating use only as secondary - account' - product: windows - service: security -modified: 2021/07/07 -references: -- https://car.mitre.org/wiki/CAR-2016-04-005 -status: experimental -tags: -- attack.lateral_movement -- attack.t1078 -- attack.t1078.001 -- attack.t1078.002 -- attack.t1078.003 -- car.2016-04-005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_share_access.yml b/rules/sigma/builtin/win_admin_share_access.yml deleted file mode 100644 index b884e1fe..00000000 --- a/rules/sigma/builtin/win_admin_share_access.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Access to ADMIN$ Share -author: Florian Roth -date: 2017/03/04 -description: Detects access to $ADMIN share -detection: - SELECTION_1: - EventID: 5140 - SELECTION_2: - ShareName: Admin$ - SELECTION_3: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Legitimate administrative activity -id: 098d7118-55bc-4912-a836-dc6483a8d150 -level: low -logsource: - definition: The advanced audit policy setting "Object Access > Audit File Share" - must be configured for Success/Failure - product: windows - service: security -modified: 2020/08/23 -status: experimental -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_active_directory_user_control.yml b/rules/sigma/builtin/win_alert_active_directory_user_control.yml deleted file mode 100644 index 882c68ea..00000000 --- a/rules/sigma/builtin/win_alert_active_directory_user_control.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Enabled User Right in AD to Control User Objects -author: '@neu5ron' -date: 2017/07/30 -description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege - right in Active Directory it would allow control of other AD user objects. -detection: - SELECTION_1: - EventID: 4704 - SELECTION_2: - PrivilegeList: - - '*SeEnableDelegationPrivilege*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd -level: high -logsource: - definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy - Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy - Change' - product: windows - service: security -modified: 2020/08/23 -references: -- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ -status: experimental -tags: -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml deleted file mode 100644 index 6d556326..00000000 --- a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml +++ /dev/null @@ -1,53 +0,0 @@ - -title: Active Directory User Backdoors -author: '@neu5ron' -date: 2017/04/13 -description: Detects scenarios where one can control another users or computers account - without having to use their credentials. -detection: - SELECTION_1: - EventID: 4738 - SELECTION_10: - AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity - SELECTION_2: - AllowedToDelegateTo: '-' - SELECTION_3: - AllowedToDelegateTo|re: ^$ - SELECTION_4: - EventID: 5136 - SELECTION_5: - AttributeLDAPDisplayName: msDS-AllowedToDelegateTo - SELECTION_6: - EventID: 5136 - SELECTION_7: - ObjectClass: user - SELECTION_8: - AttributeLDAPDisplayName: servicePrincipalName - SELECTION_9: - EventID: 5136 - condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or (SELECTION_4 - and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9 - and SELECTION_10)) -falsepositives: -- Unknown -id: 300bac00-e041-4ee2-9c36-e262656a6ecc -level: high -logsource: - definition: 'Requirements: Audit Policy : Account Management > Audit User Account - Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Account Management\Audit User Account - Management, DS Access > Audit Directory Service Changes, Group Policy : Computer - Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit - Policies\DS Access\Audit Directory Service Changes' - product: windows - service: security -modified: 2020/08/23 -references: -- https://msdn.microsoft.com/en-us/library/cc220234.aspx -- https://adsecurity.org/?p=3466 -- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/ -status: experimental -tags: -- attack.t1098 -- attack.persistence -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml deleted file mode 100644 index ab6468e1..00000000 --- a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml +++ /dev/null @@ -1,91 +0,0 @@ - -title: Weak Encryption Enabled and Kerberoast -author: '@neu5ron' -date: 2017/07/30 -description: Detects scenario where weak encryption is enabled for a user profile - which could be used for hash/password cracking. -detection: - SELECTION_1: - EventID: 4738 - SELECTION_2: - NewUacValue: - - '*8???' - - '*9???' - - '*A???' - - '*B???' - - '*C???' - - '*D???' - - '*E???' - - '*F???' - SELECTION_3: - OldUacValue: - - '*8???' - - '*9???' - - '*A???' - - '*B???' - - '*C???' - - '*D???' - - '*E???' - - '*F???' - SELECTION_4: - NewUacValue: - - '*1????' - - '*3????' - - '*5????' - - '*7????' - - '*9????' - - '*B????' - - '*D????' - - '*F????' - SELECTION_5: - OldUacValue: - - '*1????' - - '*3????' - - '*5????' - - '*7????' - - '*9????' - - '*B????' - - '*D????' - - '*F????' - SELECTION_6: - NewUacValue: - - '*8??' - - '*9??' - - '*A??' - - '*B??' - - '*C??' - - '*D??' - - '*E??' - - '*F??' - SELECTION_7: - OldUacValue: - - '*8??' - - '*9??' - - '*A??' - - '*B??' - - '*C??' - - '*D??' - - '*E??' - - '*F??' - condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4 - and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7)))) -falsepositives: -- Unknown -id: f6de9536-0441-4b3f-a646-f4e00f300ffd -level: high -logsource: - definition: 'Requirements: Audit Policy : Account Management > Audit User Account - Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Account Management\Audit User Account - Management' - product: windows - service: security -references: -- https://adsecurity.org/?p=2053 -- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_lsass_access.yml b/rules/sigma/builtin/win_alert_lsass_access.yml deleted file mode 100644 index d93aece5..00000000 --- a/rules/sigma/builtin/win_alert_lsass_access.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: LSASS Access Detected via Attack Surface Reduction -author: Markus Neis -date: 2018/08/26 -description: Detects Access to LSASS Process -detection: - SELECTION_1: - EventID: 1121 - SELECTION_2: - Path: '*\lsass.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Google Chrome GoogleUpdate.exe -- Some Taskmgr.exe related activity -id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 -level: high -logsource: - definition: 'Requirements:Enabled Block credential stealing from the Windows local - security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' - product: windows - service: windefend -modified: 2021/11/13 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml deleted file mode 100644 index f462131e..00000000 --- a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml +++ /dev/null @@ -1,46 +0,0 @@ - -title: Mimikatz Use -author: Florian Roth -date: 2017/01/10 -description: This method detects mimikatz keywords in different Eventlogs (some of - them only appear in older Mimikatz version that are however still used by different - threat groups) -detection: - SELECTION_1: - - \mimikatz - - mimikatz.exe - - \mimilib.dll - - <3 eo.oe - - eo.oe.kiwi - - privilege::debug - - sekurlsa::logonpasswords - - lsadump::sam - - mimidrv.sys - - ' p::d ' - - ' s::l ' - - gentilkiwi.com - - Kiwi Legit Printer - condition: (SELECTION_1) -falsepositives: -- Naughty administrators -- Penetration test -- AV Signature updates -- Files with Mimikatz in their filename -id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 -level: critical -logsource: - product: windows -modified: 2021/08/26 -status: experimental -tags: -- attack.s0002 -- attack.t1003 -- attack.lateral_movement -- attack.credential_access -- car.2013-07-001 -- car.2019-04-004 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.001 -- attack.t1003.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ruler.yml b/rules/sigma/builtin/win_alert_ruler.yml deleted file mode 100644 index 4aaf7869..00000000 --- a/rules/sigma/builtin/win_alert_ruler.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Hacktool Ruler -author: Florian Roth -date: 2017/05/31 -description: This events that are generated when using the hacktool Ruler by Sensepost -detection: - SELECTION_1: - EventID: 4776 - SELECTION_2: - Workstation: RULER - SELECTION_3: - EventID: 4624 - SELECTION_4: - EventID: 4625 - SELECTION_5: - WorkstationName: RULER - condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5)) -falsepositives: -- Go utilities that use staaldraad awesome NTLM library -id: 24549159-ac1b-479c-8175-d42aea947cae -level: high -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://github.com/sensepost/ruler -- https://github.com/sensepost/ruler/issues/47 -- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427 -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 -status: experimental -tags: -- attack.discovery -- attack.execution -- attack.t1087 -- attack.t1075 -- attack.t1114 -- attack.t1059 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml deleted file mode 100644 index 438305cd..00000000 --- a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml +++ /dev/null @@ -1,48 +0,0 @@ - -title: File Was Not Allowed To Run -author: Pushkarev Dmitry -date: 2020/06/28 -description: Detect run not allowed files. Applocker is a very useful tool, especially - on servers where unprivileged users have access. For example terminal servers. You - need configure applocker and log collect to receive these events. -detection: - SELECTION_1: - EventID: 8004 - SELECTION_2: - EventID: 8007 - condition: (SELECTION_1 or SELECTION_2) -falsepositives: -- need tuning applocker or add exceptions in SIEM -fields: -- PolicyName -- RuleId -- RuleName -- TargetUser -- TargetProcessId -- FilePath -- FileHash -- Fqbn -id: 401e5d00-b944-11ea-8f9a-00163ecd60ae -level: medium -logsource: - product: windows - service: applocker -modified: 2020/08/23 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker -- https://nxlog.co/documentation/nxlog-user-guide/applocker.html -status: experimental -tags: -- attack.execution -- attack.t1086 -- attack.t1064 -- attack.t1204 -- attack.t1035 -- attack.t1204.002 -- attack.t1059.001 -- attack.t1059.003 -- attack.t1059.005 -- attack.t1059.006 -- attack.t1059.007 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml deleted file mode 100644 index 4b762d27..00000000 --- a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Turla Service Install -author: Florian Roth -date: 2017/03/31 -description: This method detects a service install of malicious services mentioned - in Carbon Paper - Turla report by ESET -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: - - srservice - - ipvpn - - hkmsvc - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 -level: high -logsource: - product: windows - service: system -references: -- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ -status: experimental -tags: -- attack.persistence -- attack.g0010 -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml deleted file mode 100644 index ec02fb45..00000000 --- a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Chafer Activity -author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -date: 2018/03/23 -description: Detects Chafer activity attributed to OilRig as reported in Nyotron report - in March 2018 -detection: - SELECTION_1: - EventID: 4698 - SELECTION_2: - TaskName: - - SC Scheduled Scan - - UpdatMachine - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: c0580559-a6bd-4ef6-b9b7-83703d98b561 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/19 -references: -- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ -related: -- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 - type: derived -status: experimental -tags: -- attack.persistence -- attack.g0049 -- attack.t1053 -- attack.t1053.005 -- attack.s0111 -- attack.t1050 -- attack.t1543.003 -- attack.defense_evasion -- attack.t1112 -- attack.command_and_control -- attack.t1071 -- attack.t1071.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml deleted file mode 100644 index f7d9a946..00000000 --- a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Chafer Activity -author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -date: 2018/03/23 -description: Detects Chafer activity attributed to OilRig as reported in Nyotron report - in March 2018 -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: - - SC Scheduled Scan - - UpdatMachine - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 -level: critical -logsource: - product: windows - service: system -modified: 2021/09/19 -references: -- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ -status: experimental -tags: -- attack.persistence -- attack.g0049 -- attack.t1053 -- attack.t1053.005 -- attack.s0111 -- attack.t1050 -- attack.t1543.003 -- attack.defense_evasion -- attack.t1112 -- attack.command_and_control -- attack.t1071 -- attack.t1071.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_gallium.yml b/rules/sigma/builtin/win_apt_gallium.yml deleted file mode 100644 index a85c5c9b..00000000 --- a/rules/sigma/builtin/win_apt_gallium.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: GALLIUM Artefacts -author: Tim Burrell -date: 2020/02/07 -description: Detects artefacts associated with activity group GALLIUM - Microsoft - Threat Intelligence Center indicators released in December 2019. -detection: - SELECTION_1: - EventID: 257 - SELECTION_2: - QNAME: - - asyspy256.ddns.net - - hotkillmail9sddcc.ddns.net - - rosaf112.ddns.net - - cvdfhjh1231.myftp.biz - - sz2016rose.ddns.net - - dffwescwer4325.myftp.biz - - cvdfhjh1231.ddns.net - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 3db10f25-2527-4b79-8d4b-471eb900ee29 -level: high -logsource: - product: windows - service: dns-server -modified: 2021/09/19 -references: -- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ -- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) -related: -- id: 440a56bf-7873-4439-940a-1c8a671073c2 - type: derived -status: experimental -tags: -- attack.credential_access -- attack.command_and_control -- attack.t1071 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_slingshot.yml b/rules/sigma/builtin/win_apt_slingshot.yml deleted file mode 100644 index 3824cb83..00000000 --- a/rules/sigma/builtin/win_apt_slingshot.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Defrag Deactivation -author: Florian Roth, Bartlomiej Czyz (@bczyz1) -date: 2019/03/04 -description: Detects the deactivation and disabling of the Scheduled defragmentation - task as seen by Slingshot APT group -detection: - SELECTION_1: - EventID: 4701 - SELECTION_2: - TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 -level: medium -logsource: - definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' - product: windows - service: security -modified: 2021/09/19 -references: -- https://securelist.com/apt-slingshot/84312/ -related: -- id: 958d81aa-8566-4cea-a565-59ccd4df27b0 - type: derived -status: experimental -tags: -- attack.persistence -- attack.t1053 -- attack.s0111 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_stonedrill.yml b/rules/sigma/builtin/win_apt_stonedrill.yml deleted file mode 100644 index 9a58cd58..00000000 --- a/rules/sigma/builtin/win_apt_stonedrill.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: StoneDrill Service Install -author: Florian Roth -date: 2017/03/07 -description: This method detects a service install of the malicious Microsoft Network - Realtime Inspection Service service described in StoneDrill report by Kaspersky -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: NtsSrv - SELECTION_3: - ServiceFileName: '* LocalService' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unlikely -id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 -level: high -logsource: - product: windows - service: system -references: -- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ -status: experimental -tags: -- attack.persistence -- attack.g0064 -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_turla_service_png.yml b/rules/sigma/builtin/win_apt_turla_service_png.yml deleted file mode 100644 index 6d3424e9..00000000 --- a/rules/sigma/builtin/win_apt_turla_service_png.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Turla PNG Dropper Service -author: Florian Roth -date: 2018/11/23 -description: This method detects malicious services mentioned in Turla PNG dropper - report by NCC Group in November 2018 -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: WerFaultSvc - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unlikely -id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1 -level: critical -logsource: - product: windows - service: system -references: -- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ -status: experimental -tags: -- attack.persistence -- attack.g0010 -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_wocao.yml b/rules/sigma/builtin/win_apt_wocao.yml deleted file mode 100644 index 75c0a3b6..00000000 --- a/rules/sigma/builtin/win_apt_wocao.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Operation Wocao Activity -author: Florian Roth, frack113 -date: 2019/12/20 -description: Detects activity mentioned in Operation Wocao report -detection: - SELECTION_1: - EventID: 4799 - SELECTION_2: - TargetUserName: Administr* - SELECTION_3: - CallerProcessName: '*\checkadmin.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Administrators that use checkadmin.exe tool to enumerate local administrators -id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d -level: high -logsource: - product: windows - service: security -modified: 2021/09/19 -references: -- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ -- https://twitter.com/SBousseaden/status/1207671369963646976 -status: experimental -tags: -- attack.discovery -- attack.t1012 -- attack.defense_evasion -- attack.t1036.004 -- attack.t1036 -- attack.t1027 -- attack.execution -- attack.t1053.005 -- attack.t1053 -- attack.t1059.001 -- attack.t1086 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml deleted file mode 100644 index 870ee845..00000000 --- a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Arbitrary Shell Command Execution Via Settingcontent-Ms -author: Sreeman -date: 2020/03/13 -description: The .SettingContent-ms file type was introduced in Windows 10 and allows - a user to create "shortcuts" to various Windows 10 setting pages. These files are - simply XML and contain paths to various Windows 10 settings binaries. -detection: - SELECTION_1: - CommandLine: '*.SettingContent-ms*' - SELECTION_2: - FilePath: '*immersivecontrolpanel*' - condition: (SELECTION_1 and not (SELECTION_2)) -falsepositives: -- unknown -fields: -- ParentProcess -- CommandLine -- ParentCommandLine -id: 24de4f3b-804c-4165-b442-5a06a2302c7e -level: medium -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -status: experimental -tags: -- attack.t1204 -- attack.t1193 -- attack.t1566.001 -- attack.execution -- attack.initial_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml deleted file mode 100644 index 966f66be..00000000 --- a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Using AppVLP To Circumvent ASR File Path Rule -author: Sreeman -date: 2020/03/13 -description: Application Virtualization Utility is included with Microsoft Office.We - are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used - for Application Virtualization, but we can use it as an abuse binary to circumvent - the ASR file path rule folder or to mark a file as a system file -detection: - SELECTION_1: - CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf) - condition: SELECTION_1 -falsepositives: -- unknown -fields: -- ParentProcess -- CommandLine -- ParentCommandLine -id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 -level: medium -logsource: - product: windows - service: security -modified: 2021/06/11 -status: experimental -tags: -- attack.t1218 -- attack.defense_evasion -- attack.execution -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_atsvc_task.yml b/rules/sigma/builtin/win_atsvc_task.yml deleted file mode 100644 index e15f4db2..00000000 --- a/rules/sigma/builtin/win_atsvc_task.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: Remote Task Creation via ATSVC Named Pipe -author: Samir Bousseaden -date: 2019/04/03 -description: Detects remote task creation via at.exe or API interacting with ATSVC - namedpipe -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: atsvc - SELECTION_4: - Accesses: '*WriteData*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- pentesting -id: f6de6525-4509-495a-8a82-1f8b0ed73a00 -level: medium -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -status: experimental -tags: -- attack.lateral_movement -- attack.persistence -- attack.t1053 -- car.2013-05-004 -- car.2015-04-001 -- attack.t1053.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_audit_cve.yml b/rules/sigma/builtin/win_audit_cve.yml deleted file mode 100644 index e5a726e8..00000000 --- a/rules/sigma/builtin/win_audit_cve.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Audit CVE Event -author: Florian Roth -date: 2020/01/15 -description: Detects events generated by Windows to indicate the exploitation of a - known vulnerability (e.g. CVE-2020-0601) -detection: - SELECTION_1: - Provider_Name: Microsoft-Windows-Audit-CVE - condition: SELECTION_1 -falsepositives: -- Unknown -id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2 -level: critical -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://twitter.com/mattifestation/status/1217179698008068096 -- https://twitter.com/VM_vivisector/status/1217190929330655232 -- https://twitter.com/davisrichardg/status/1217517547576348673 -- https://twitter.com/DidierStevens/status/1217533958096924676 -- https://twitter.com/FlemmingRiis/status/1217147415482060800 -status: experimental -tags: -- attack.execution -- attack.t1203 -- attack.privilege_escalation -- attack.t1068 -- attack.defense_evasion -- attack.t1211 -- attack.credential_access -- attack.t1212 -- attack.lateral_movement -- attack.t1210 -- attack.impact -- attack.t1499.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_av_relevant_match.yml b/rules/sigma/builtin/win_av_relevant_match.yml deleted file mode 100644 index 6b50e7f4..00000000 --- a/rules/sigma/builtin/win_av_relevant_match.yml +++ /dev/null @@ -1,44 +0,0 @@ - -title: Relevant Anti-Virus Event -author: Florian Roth -date: 2017/02/19 -description: This detection method points out highly relevant Antivirus events -detection: - SELECTION_1: - - HTool- - - Hacktool - - ASP/Backdoor - - JSP/Backdoor - - PHP/Backdoor - - Backdoor.ASP - - Backdoor.JSP - - Backdoor.PHP - - Webshell - - Portscan - - Mimikatz - - .WinCred. - - PlugX - - Korplug - - Pwdump - - Chopper - - WmiExec - - Xscan - - Clearlog - - ASPXSpy - SELECTION_2: - - Keygen - - Crack - condition: ((SELECTION_1) and not (SELECTION_2)) -falsepositives: -- Some software piracy tools (key generators, cracks) are classified as hack tools -id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8 -level: high -logsource: - product: windows - service: application -modified: 2021/11/20 -status: experimental -tags: -- attack.resource_development -- attack.t1588 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_camera_microphone_access.yml b/rules/sigma/builtin/win_camera_microphone_access.yml deleted file mode 100644 index 14f0bf85..00000000 --- a/rules/sigma/builtin/win_camera_microphone_access.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Processes Accessing the Microphone and Webcam -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/06/07 -description: Potential adversaries accessing the microphone and webcam in an endpoint. -detection: - SELECTION_1: - EventID: 4657 - SELECTION_2: - EventID: 4656 - SELECTION_3: - EventID: 4663 - SELECTION_4: - ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*' - SELECTION_5: - ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) -falsepositives: -- Unknown -id: 8cd538a4-62d5-4e83-810b-12d41e428d6e -level: medium -logsource: - product: windows - service: security -references: -- https://twitter.com/duzvik/status/1269671601852813320 -- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 -status: experimental -tags: -- attack.collection -- attack.t1123 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml deleted file mode 100644 index 13d65f62..00000000 --- a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml +++ /dev/null @@ -1,49 +0,0 @@ - -title: CobaltStrike Service Installations -author: Florian Roth, Wojciech Lesicki -date: 2021/05/26 -description: Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: '*ADMIN$*' - SELECTION_3: - ImagePath: '*.exe*' - SELECTION_4: - ImagePath: '*%COMSPEC%*' - SELECTION_5: - ImagePath: '*start*' - SELECTION_6: - ImagePath: '*powershell*' - SELECTION_7: - ImagePath: '*powershell -nop -w hidden -encodedcommand*' - SELECTION_8: - ImagePath: - - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*' - - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*' - - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5 - and SELECTION_6) or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: 5a105d34-05fc-401e-8553-272b45c1522d -level: critical -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://www.sans.org/webcasts/119395 -- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ -- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.lateral_movement -- attack.t1021.002 -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml deleted file mode 100644 index e1b45c52..00000000 --- a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: DCERPC SMB Spoolss Named Pipe -author: OTR (Open Threat Research) -date: 2018/11/28 -description: Detects the use of the spoolss named pipe over SMB. This can be used - to trigger the authentication via NTLM of any machine that has the spoolservice - enabled. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: spoolss - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Domain Controllers acting as printer servers too? :) -id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e -level: medium -logsource: - product: windows - service: security -references: -- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 -- https://dirkjanm.io/a-different-way-of-abusing-zerologon/ -- https://twitter.com/_dirkjan/status/1309214379003588608 -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml deleted file mode 100644 index ad7b67a4..00000000 --- a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/12 -description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program - Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer - DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: '*\Internet Explorer\iertutil.dll' - SELECTION_3: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Unknown -id: c39f0c81-7348-4965-ab27-2fde35a1b641 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -- attack.t1021.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcsync.yml b/rules/sigma/builtin/win_dcsync.yml deleted file mode 100644 index 0486e61f..00000000 --- a/rules/sigma/builtin/win_dcsync.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Mimikatz DC Sync -author: Benjamin Delpy, Florian Roth, Scott Dermott -date: 2018/06/03 -description: Detects Mimikatz DC sync security events -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - Properties: - - '*Replicating Directory Changes All*' - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - SELECTION_3: - SubjectDomainName: Window Manager - SELECTION_4: - SubjectUserName: - - NT AUTHORITY* - - MSOL_* - SELECTION_5: - SubjectUserName: '*$' - condition: ((((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) and not (SELECTION_4)) - and not (SELECTION_5)) -falsepositives: -- Valid DC Sync that is not covered by the filters; please report -- Local Domain Admin account used for Azure AD Connect -id: 611eab06-a145-4dfa-a295-3ccc5c20f59a -level: high -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://twitter.com/gentilkiwi/status/1003236624925413376 -- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 -status: experimental -tags: -- attack.credential_access -- attack.s0002 -- attack.t1003 -- attack.t1003.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_disable_event_logging.yml b/rules/sigma/builtin/win_disable_event_logging.yml deleted file mode 100644 index e641c5dc..00000000 --- a/rules/sigma/builtin/win_disable_event_logging.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Disabling Windows Event Auditing -author: '@neu5ron' -date: 2017/11/19 -description: 'Detects scenarios where system auditing (ie: windows event log auditing) - is disabled. This may be used in a scenario where an entity would want to bypass - local logging to evade detection when windows event logging is enabled and reviewed. - Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, - which will make sure that Active Directory GPOs take precedence over local/edited - computer policies via something such as "gpedit.msc". Please note, that disabling - "Local Group Policy Object Processing" may cause an issue in scenarios of one off - specific GPO modifications -- however it is recommended to perform these modifications - in Active Directory anyways.' -detection: - SELECTION_1: - EventID: 4719 - SELECTION_2: - AuditPolicyChanges: - - '*%%8448*' - - '*%%8450*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 69aeb277-f15f-4d2d-b32a-55e883609563 -level: high -logsource: - definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, - Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy - Change' - product: windows - service: security -references: -- https://bit.ly/WinLogsZero2Hero -status: experimental -tags: -- attack.defense_evasion -- attack.t1054 -- attack.t1562.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml deleted file mode 100644 index 5665cfed..00000000 --- a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: DPAPI Domain Backup Key Extraction -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/06/20 -description: Detects tools extracting LSA secret DPAPI domain backup key from Domain - Controllers -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - ObjectType: SecretObject - SELECTION_3: - AccessMask: '0x2' - SELECTION_4: - ObjectName: BCKUPKEY - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 4ac1f50b-3bd0-4968-902d-868b4647937e -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml deleted file mode 100644 index 2d83f8a0..00000000 --- a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: DPAPI Domain Master Key Backup Attempt -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -description: Detects anyone attempting a backup for the DPAPI Master Key. This events - gets generated at the source and not the Domain Controller. -detection: - SELECTION_1: - EventID: 4692 - condition: SELECTION_1 -falsepositives: -- Unknown -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_etw_modification.yml b/rules/sigma/builtin/win_etw_modification.yml deleted file mode 100644 index e9c22434..00000000 --- a/rules/sigma/builtin/win_etw_modification.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: COMPlus_ETWEnabled Registry Modification -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/06/05 -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. -detection: - SELECTION_1: - EventID: 4657 - SELECTION_2: - ObjectName: '*\SOFTWARE\Microsoft\.NETFramework' - SELECTION_3: - ObjectValueName: ETWEnabled - SELECTION_4: - NewValue: '0' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- unknown -id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc -level: critical -logsource: - product: windows - service: security -references: -- https://twitter.com/_xpn_/status/1268712093928378368 -- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr -- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables -- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 -- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 -- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ -- https://bunnyinside.com/?term=f71e8cb9c76a -- http://managed670.rssing.com/chan-5590147/all_p1.html -- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_event_log_cleared.yml b/rules/sigma/builtin/win_event_log_cleared.yml deleted file mode 100644 index 13eedec4..00000000 --- a/rules/sigma/builtin/win_event_log_cleared.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Security Event Log Cleared -author: Saw Winn Naung -date: 2021/08/15 -description: Checks for event id 1102 which indicates the security event log was cleared. -detection: - SELECTION_1: - EventID: 1102 - SELECTION_2: - Provider_Name: Microsoft-Windows-Eventlog - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate administrative activity -fields: -- SubjectLogonId -- SubjectUserName -- SubjectUserSid -- SubjectDomainName -id: a122ac13-daf8-4175-83a2-72c387be339d -level: medium -logsource: - product: windows - service: security -modified: 2021/10/13 -references: -- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml -status: experimental -tags: -- attack.t1107 -- attack.t1070.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exchange_transportagent.yml b/rules/sigma/builtin/win_exchange_transportagent.yml deleted file mode 100644 index 45b86cf0..00000000 --- a/rules/sigma/builtin/win_exchange_transportagent.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: MSExchange Transport Agent Installation -author: Tobias Michalski -date: 2021/06/08 -description: Detects the Installation of a Exchange Transport Agent -detection: - condition: Install-TransportAgent -falsepositives: -- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator - for this. -fields: -- AssemblyPath -id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 -level: medium -logsource: - product: windows - service: msexchange-management -modified: 2021/09/19 -references: -- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 -related: -- id: 83809e84-4475-4b69-bc3e-4aad8568612f - type: derived -status: experimental -tags: -- attack.persistence -- attack.t1505.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml deleted file mode 100644 index 50c5cb01..00000000 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ /dev/null @@ -1,46 +0,0 @@ - -title: Possible CVE-2021-1675 Print Spooler Exploitation -author: Florian Roth, KevTheHermit, fuzzyf10w -date: 2021/06/30 -description: Detects events of driver load errors in print service logs that could - be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 -detection: - SELECTION_1: - EventID: 808 - SELECTION_2: - EventID: 4909 - SELECTION_3: - ErrorCode: - - '0x45A' - - '0x7e' - SELECTION_4: - - The print spooler failed to load a plug-in module - - MyExploit.dll - - evil.dll - - \addCube.dll - - \rev.dll - - \rev2.dll - - \main64.dll - - \mimilib.dll - - \mimispool.dll - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4)) -falsepositives: -- Problems with printer drivers -fields: -- PluginDllName -id: 4e64668a-4da1-49f5-a8df-9e2d5b866718 -level: high -logsource: - product: windows - service: printservice-admin -modified: 2021/07/08 -references: -- https://github.com/hhlxf/PrintNightmare -- https://github.com/afwu/PrintNightmare -- https://twitter.com/fuzzyf10w/status/1410202370835898371 -status: experimental -tags: -- attack.execution -- attack.t1569 -- cve.2021.1675 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml deleted file mode 100644 index 208ccbbf..00000000 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: CVE-2021-1675 Print Spooler Exploitation -author: Florian Roth -date: 2021/07/01 -description: Detects driver load events print service operational log that are a sign - of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 -detection: - SELECTION_1: - EventID: '316' - SELECTION_2: - - 'UNIDRV.DLL, kernelbase.dll, ' - - ' 123 ' - - ' 1234 ' - - mimispool - condition: (SELECTION_1 and (SELECTION_2)) -falsepositives: -- Unknown -fields: -- DriverAdded -id: f34d942d-c8c4-4f1f-b196-22471aecf10a -level: critical -logsource: - product: windows - service: printservice-operational -references: -- https://twitter.com/MalwareJake/status/1410421967463731200 -status: experimental -tags: -- attack.execution -- attack.t1569 -- cve.2021.1675 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml deleted file mode 100644 index e27b3a11..00000000 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: CVE-2021-1675 Print Spooler Exploitation IPC Access -author: INIT_6 -date: 2021/07/02 -description: Detects remote printer driver load from Detailed File Share in Security - logs that are a sign of successful exploitation attempts against print spooler vulnerability - CVE-2021-1675 and CVE-2021-34527 -detection: - SELECTION_1: - EventID: '5145' - SELECTION_2: - ShareName: \\\*\IPC$ - SELECTION_3: - RelativeTargetName: spoolss - SELECTION_4: - AccessMask: '0x3' - SELECTION_5: - ObjectType: File - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- nothing observed so far -id: 8fe1c584-ee61-444b-be21-e9054b229694 -level: critical -logsource: - product: windows - service: security -references: -- https://twitter.com/INIT_3/status/1410662463641731075 -status: experimental -tags: -- attack.execution -- attack.t1569 -- cve.2021.1675 -- cve.2021.34527 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_external_device.yml b/rules/sigma/builtin/win_external_device.yml deleted file mode 100644 index e381b4bc..00000000 --- a/rules/sigma/builtin/win_external_device.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: External Disk Drive Or USB Storage Device -author: Keith Wright -date: 2019/11/20 -description: Detects external diskdrives or plugged in USB devices , EventID 6416 - on windows 10 or later -detection: - SELECTION_1: - EventID: 6416 - SELECTION_2: - ClassName: DiskDrive - SELECTION_3: - DeviceDescription: USB Mass Storage Device - condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3) -falsepositives: -- Legitimate administrative activity -id: f69a87ea-955e-4fb4-adb2-bb9fd6685632 -level: low -logsource: - product: windows - service: security -modified: 2021/08/09 -status: experimental -tags: -- attack.t1091 -- attack.t1200 -- attack.lateral_movement -- attack.initial_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_global_catalog_enumeration.yml b/rules/sigma/builtin/win_global_catalog_enumeration.yml deleted file mode 100644 index 4d7e1d49..00000000 --- a/rules/sigma/builtin/win_global_catalog_enumeration.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Enumeration via the Global Catalog -author: Chakib Gzenayi (@Chak092), Hosni Mribah -date: 2020/05/11 -description: Detects enumeration of the global catalog (that can be performed using - BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain - width. -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - DestinationPort: 3268 - SELECTION_3: - DestinationPort: 3269 - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress - > 2000 -falsepositives: -- Exclude known DCs. -id: 619b020f-0fd7-4f23-87db-3f51ef837a34 -level: medium -logsource: - definition: The advanced audit policy setting "Windows Filtering Platform > Filtering - Platform Connection" must be configured for Success - product: windows - service: security -modified: 2021/06/01 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156 -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_gpo_scheduledtasks.yml b/rules/sigma/builtin/win_gpo_scheduledtasks.yml deleted file mode 100644 index b264d962..00000000 --- a/rules/sigma/builtin/win_gpo_scheduledtasks.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Persistence and Execution at Scale via GPO Scheduled Task -author: Samir Bousseaden -date: 2019/04/03 -description: Detect lateral movement using GPO scheduled task, usually used to deploy - ransomware at scale -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\SYSVOL - SELECTION_3: - RelativeTargetName: '*ScheduledTasks.xml' - SELECTION_4: - Accesses: - - '*WriteData*' - - '*%%4417*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- if the source IP is not localhost then it's super suspicious, better to monitor - both local and remote changes to GPO scheduledtasks -id: a8f29a7b-b137-4446-80a0-b804272f3da2 -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://twitter.com/menasec1/status/1106899890377052160 -- https://www.secureworks.com/blog/ransomware-as-a-distraction -status: experimental -tags: -- attack.persistence -- attack.lateral_movement -- attack.t1053 -- attack.t1053.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hack_smbexec.yml b/rules/sigma/builtin/win_hack_smbexec.yml deleted file mode 100644 index 99faa199..00000000 --- a/rules/sigma/builtin/win_hack_smbexec.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: smbexec.py Service Installation -author: Omer Faruk Celik -date: 2018/03/20 -description: Detects the use of smbexec.py tool by detecting a specific service installation -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: BTOBTO - SELECTION_3: - ServiceFileName: '*\execute.bat' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Penetration Test -- Unknown -fields: -- ServiceName -- ServiceFileName -id: 52a85084-6989-40c3-8f32-091e12e13f09 -level: critical -logsource: - product: windows - service: system -modified: 2020/08/23 -references: -- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ -status: experimental -tags: -- attack.lateral_movement -- attack.execution -- attack.t1077 -- attack.t1021.002 -- attack.t1035 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hidden_user_creation.yml b/rules/sigma/builtin/win_hidden_user_creation.yml deleted file mode 100644 index 45f43c4a..00000000 --- a/rules/sigma/builtin/win_hidden_user_creation.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Hidden Local User Creation -author: Christian Burkard -date: 2021/05/03 -description: Detects the creation of a local hidden user account which should not - happen for event ID 4720. -detection: - SELECTION_1: - EventID: 4720 - SELECTION_2: - TargetUserName: '*$' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- EventCode -- AccountName -id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 -level: high -logsource: - product: windows - service: security -references: -- https://twitter.com/SBousseaden/status/1387743867663958021 -status: experimental -tags: -- attack.persistence -- attack.t1136.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml deleted file mode 100644 index 747f4c44..00000000 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: HybridConnectionManager Service Installation -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2021/04/12 -description: Rule to detect the Hybrid Connection Manager service installation. -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceName: HybridConnectionManager - SELECTION_3: - ServiceFileName: '*HybridConnectionManager*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate use of Hybrid Connection Manager via Azure function apps. -id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2 -level: high -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 -status: experimental -tags: -- attack.persistence -- attack.t1554 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml deleted file mode 100644 index e1baa865..00000000 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: HybridConnectionManager Service Running -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2021/04/12 -description: Rule to detect the Hybrid Connection Manager service running on an endpoint. -detection: - SELECTION_1: - EventID: 40300 - SELECTION_2: - EventID: 40301 - SELECTION_3: - EventID: 40302 - SELECTION_4: - - HybridConnection - - sb:// - - servicebus.windows.net - - HybridConnectionManage - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4)) -falsepositives: -- Legitimate use of Hybrid Connection Manager via Azure function apps. -id: b55d23e5-6821-44ff-8a6e-67218891e49f -level: high -logsource: - product: windows - service: microsoft-servicebus-client -references: -- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 -status: experimental -tags: -- attack.persistence -- attack.t1554 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_psexec.yml b/rules/sigma/builtin/win_impacket_psexec.yml deleted file mode 100644 index 2ae66da8..00000000 --- a/rules/sigma/builtin/win_impacket_psexec.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Impacket PsExec Execution -author: Bhabesh Raj -date: 2020/12/14 -description: Detects execution of Impacket's psexec.py. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: - - '*RemCom_stdint*' - - '*RemCom_stdoutt*' - - '*RemCom_stderrt*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- nothing observed so far -id: 32d56ea1-417f-44ff-822b-882873f5f43b -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_secretdump.yml b/rules/sigma/builtin/win_impacket_secretdump.yml deleted file mode 100644 index 702db365..00000000 --- a/rules/sigma/builtin/win_impacket_secretdump.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Possible Impacket SecretDump Remote Activity -author: Samir Bousseaden, wagga -date: 2019/04/03 -description: Detect AD credential dumping using impacket secretdump HKTL -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\ADMIN$ - SELECTION_3: - RelativeTargetName: '*SYSTEM32\\*' - SELECTION_4: - RelativeTargetName: '*.tmp*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- pentesting -id: 252902e3-5830-4cf6-bf21-c22083dfd5cf -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -modified: 2021/06/27 -references: -- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml deleted file mode 100644 index 3708781f..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation CLIP+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/13 -description: Detects Obfuscated use of Clip.exe to execute PowerShell -detection: - SELECTION_1: - ImagePath|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: f7385ee2-0e0c-11eb-adc1-0242ac120002 -level: high -logsource: - product: windows - service: system -modified: 2021/09/16 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml deleted file mode 100644 index 8dede200..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation CLIP+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/13 -description: Detects Obfuscated use of Clip.exe to execute PowerShell -detection: - SELECTION_1: - ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 4edf51e1-cb83-4e1a-bc39-800e396068e3 -level: high -logsource: - product: windows - service: security -modified: 2021/09/16 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: f7385ee2-0e0c-11eb-adc1-0242ac120002 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml deleted file mode 100644 index fa8d939f..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Invoke-Obfuscation Obfuscated IEX Invocation -author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community -date: 2019/11/08 -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - SELECTION_3: - ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - SELECTION_4: - ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - SELECTION_5: - ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - SELECTION_6: - ImagePath|re: \\*mdr\*\W\s*\)\.Name - SELECTION_7: - ImagePath|re: \$VerbosePreference\.ToString\( - SELECTION_8: - ImagePath|re: \String\]\s*\$VerbosePreference - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 - or SELECTION_6 or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 -level: high -logsource: - product: windows - service: system -modified: 2021/09/16 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml deleted file mode 100644 index f833b779..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Invoke-Obfuscation Obfuscated IEX Invocation -author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community -date: 2019/11/08 -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the code block linked in the references -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - SELECTION_3: - ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - SELECTION_4: - ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - SELECTION_5: - ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - SELECTION_6: - ServiceFileName|re: \\*mdr\*\W\s*\)\.Name - SELECTION_7: - ServiceFileName|re: \$VerbosePreference\.ToString\( - SELECTION_8: - ServiceFileName|re: \String\]\s*\$VerbosePreference - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 - or SELECTION_6 or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: fd0f5778-d3cb-4c9a-9695-66759d04702a -level: high -logsource: - product: windows - service: security -modified: 2021/09/16 -references: -- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" -related: -- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml deleted file mode 100644 index 7fbb3b31..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation STDIN+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of stdin to execute PowerShell -detection: - SELECTION_1: - ImagePath|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 72862bf2-0eb1-11eb-adc1-0242ac120002 -level: high -logsource: - product: windows - service: system -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml deleted file mode 100644 index a92fbad5..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation STDIN+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of stdin to execute PowerShell -detection: - SELECTION_1: - ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 -level: high -logsource: - product: windows - service: security -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 72862bf2-0eb1-11eb-adc1-0242ac120002 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml deleted file mode 100644 index b4e189fb..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation VAR+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of Environment Variables to execute PowerShell -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*" - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 -level: high -logsource: - product: windows - service: system -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml deleted file mode 100644 index 9882cbdf..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation VAR+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of Environment Variables to execute PowerShell -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*" - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: dcf2db1f-f091-425b-a821-c05875b8925a -level: high -logsource: - product: windows - service: security -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml deleted file mode 100644 index d5ca47b4..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation COMPRESS OBFUSCATION -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION -detection: - SELECTION_1: - ImagePath|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 175997c5-803c-4b08-8bb0-70b099f47595 -level: medium -logsource: - product: windows - service: system -modified: 2021/08/09 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml deleted file mode 100644 index d667dba5..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation COMPRESS OBFUSCATION -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION -detection: - SELECTION_1: - ServiceFileName|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml deleted file mode 100644 index 01ab25fd..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation RUNDLL LAUNCHER -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via RUNDLL LAUNCHER -detection: - SELECTION_1: - ImagePath|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 -level: medium -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml deleted file mode 100644 index 0ba84a39..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation RUNDLL LAUNCHER -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via RUNDLL LAUNCHER -detection: - SELECTION_1: - ServiceFileName|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca -level: medium -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml deleted file mode 100644 index 89378b77..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Stdin -author: Nikita Nazarov, oscd.community -date: 2020/10/12 -description: Detects Obfuscated Powershell via Stdin in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 487c7524-f892-4054-b263-8a0ace63fc25 -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml deleted file mode 100644 index bd8b9f94..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation Via Stdin -author: Nikita Nazarov, oscd.community -date: 2020/10/12 -description: Detects Obfuscated Powershell via Stdin in Scripts -detection: - SELECTION_1: - ServiceFileName|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 487c7524-f892-4054-b263-8a0ace63fc25 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml deleted file mode 100644 index 3ec75741..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Use Clip -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use Clip.exe in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).* - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 63e3365d-4824-42d8-8b82-e56810fefa0c -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml deleted file mode 100644 index aecd5454..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation Via Use Clip -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use Clip.exe in Scripts -detection: - SELECTION_1: - ServiceFileName|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).* - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 63e3365d-4824-42d8-8b82-e56810fefa0c - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml deleted file mode 100644 index ed66aa8e..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Use MSHTA -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use MSHTA in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml deleted file mode 100644 index 7ccc780b..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation Via Use MSHTA -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use MSHTA in Scripts -detection: - SELECTION_1: - ServiceFileName|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml deleted file mode 100644 index b51c72f8..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Use Rundll32 -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use Rundll32 in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 641a4bfb-c017-44f7-800c-2aee0184ce9b -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml deleted file mode 100644 index 750beec7..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation Via Use Rundll32 -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use Rundll32 in Scripts -detection: - SELECTION_1: - ServiceFileName|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml deleted file mode 100644 index 80b11728..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -author: Timur Zinniatullin, oscd.community -date: 2020/10/13 -description: Detects Obfuscated Powershell via VAR++ LAUNCHER -detection: - SELECTION_1: - ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml deleted file mode 100644 index a639a197..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -author: Timur Zinniatullin, oscd.community -date: 2020/10/13 -description: Detects Obfuscated Powershell via VAR++ LAUNCHER -detection: - SELECTION_1: - ServiceFileName|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_iso_mount.yml b/rules/sigma/builtin/win_iso_mount.yml deleted file mode 100644 index 26102f86..00000000 --- a/rules/sigma/builtin/win_iso_mount.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: ISO Image Mount -author: Syed Hasan (@syedhasan009) -date: 2021/05/29 -description: Detects the mount of ISO images on an endpoint -detection: - SELECTION_1: - EventID: 4663 - SELECTION_2: - ObjectServer: Security - SELECTION_3: - ObjectType: File - SELECTION_4: - ObjectName: \Device\CdRom* - SELECTION_5: - ObjectName: \Device\CdRom0\setup.exe - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Software installation ISO files -id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073 -level: medium -logsource: - definition: The advanced audit policy setting "Object Access > Audit Removable Storage" - must be configured for Success/Failure - product: windows - service: security -modified: 2021/11/20 -references: -- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore -- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages -- https://twitter.com/MsftSecIntel/status/1257324139515269121 -status: experimental -tags: -- attack.initial_access -- attack.t1566.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lm_namedpipe.yml b/rules/sigma/builtin/win_lm_namedpipe.yml deleted file mode 100644 index 5075f9fc..00000000 --- a/rules/sigma/builtin/win_lm_namedpipe.yml +++ /dev/null @@ -1,54 +0,0 @@ - -title: First Time Seen Remote Named Pipe -author: Samir Bousseaden -date: 2019/04/03 -description: This detection excludes known namped pipes accessible remotely and notify - on newly observed ones, may help to detect lateral movement and remote exec using - named pipes -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - EventID: 5145 - SELECTION_4: - ShareName: \\*\IPC$ - SELECTION_5: - RelativeTargetName: - - atsvc - - samr - - lsarpc - - winreg - - netlogon - - srvsvc - - protected_storage - - wkssvc - - browser - - netdfs - - svcctl - - spoolss - - ntsvcs - - LSM_API_service - - HydraLsPipe - - TermSrv_API_service - - MsFteWds - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4 - and SELECTION_5)) -falsepositives: -- update the excluded named pipe to filter out any newly observed legit named pipe -id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://twitter.com/menasec1/status/1104489274387451904 -status: experimental -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml deleted file mode 100644 index a87f181a..00000000 --- a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Correct Execution of Nltest.exe -author: Arun Chauhan -date: 2021/10/04 -description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, - domain trusts, parent domain and the current user permissions. -detection: - SELECTION_1: - EventID: 4689 - SELECTION_2: - ProcessName: '*nltest.exe' - SELECTION_3: - Status: '0x0' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Red team activity -- rare legitimate use by an administrator -fields: -- SubjectUserName -- SubjectDomainName -id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 -level: high -logsource: - product: windows - service: security -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm -- https://attack.mitre.org/software/S0359/ -status: experimental -tags: -- attack.discovery -- attack.t1482 -- attack.t1018 -- attack.t1016 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lsass_access_non_system_account.yml b/rules/sigma/builtin/win_lsass_access_non_system_account.yml deleted file mode 100644 index 87e87b3d..00000000 --- a/rules/sigma/builtin/win_lsass_access_non_system_account.yml +++ /dev/null @@ -1,70 +0,0 @@ - -title: LSASS Access from Non System Account -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/06/20 -description: Detects potential mimikatz-like tools accessing LSASS from non system - account -detection: - SELECTION_1: - EventID: 4663 - SELECTION_2: - EventID: 4656 - SELECTION_3: - AccessMask: - - '0x40' - - '0x1400' - - '0x1000' - - '0x100000' - - '0x1410' - - '0x1010' - - '0x1438' - - '0x143a' - - '0x1418' - - '0x1f0fff' - - '0x1f1fff' - - '0x1f2fff' - - '0x1f3fff' - - '40' - - '1400' - - '1000' - - '100000' - - '1410' - - '1010' - - '1438' - - 143a - - '1418' - - 1f0fff - - 1f1fff - - 1f2fff - - 1f3fff - SELECTION_4: - ObjectType: Process - SELECTION_5: - ObjectName: '*\lsass.exe' - SELECTION_6: - SubjectUserName: '*$' - SELECTION_7: - ProcessName: C:\Program Files* - condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5) - and not (SELECTION_6)) and not (SELECTION_7)) -falsepositives: -- Unknown -fields: -- ComputerName -- ObjectName -- SubjectUserName -- ProcessName -id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1 -level: critical -logsource: - product: windows - service: security -modified: 2021/03/17 -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mal_creddumper.yml b/rules/sigma/builtin/win_mal_creddumper.yml deleted file mode 100644 index e9f4807a..00000000 --- a/rules/sigma/builtin/win_mal_creddumper.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Credential Dumping Tools Service Execution -author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2017/03/05 -description: Detects well-known credential dumping tools execution via service execution - events -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: - - '*fgexec*' - - '*dumpsvc*' - - '*cachedump*' - - '*mimidrv*' - - '*gsecdump*' - - '*servpw*' - - '*pwdump*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Administrator using credential dumping tool for password recovery -id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed -level: high -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.execution -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.005 -- attack.t1003.006 -- attack.t1035 -- attack.t1569.002 -- attack.s0005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mal_wceaux_dll.yml b/rules/sigma/builtin/win_mal_wceaux_dll.yml deleted file mode 100644 index 45c1eb04..00000000 --- a/rules/sigma/builtin/win_mal_wceaux_dll.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: WCE wceaux.dll Access -author: Thomas Patzke -date: 2017/06/14 -description: Detects wceaux.dll access while WCE pass-the-hash remote command execution - on source host -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4658 - SELECTION_3: - EventID: 4660 - SELECTION_4: - EventID: 4663 - SELECTION_5: - ObjectName: '*\wceaux.dll' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5) -falsepositives: -- Penetration testing -id: 1de68c67-af5c-4097-9c85-fe5578e09e67 -level: critical -logsource: - product: windows - service: security -references: -- https://www.jpcert.or.jp/english/pub/sr/ir_research.html -- https://jpcertcc.github.io/ToolAnalysisResultSheet -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.s0005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_metasploit_authentication.yml b/rules/sigma/builtin/win_metasploit_authentication.yml deleted file mode 100644 index a1d7f3a3..00000000 --- a/rules/sigma/builtin/win_metasploit_authentication.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Metasploit SMB Authentication -author: Chakib Gzenayi (@Chak092), Hosni Mribah -date: 2020/05/06 -description: Alerts on Metasploit host's authentications on the domain. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - EventID: 4624 - SELECTION_3: - LogonType: 3 - SELECTION_4: - AuthenticationPackageName: NTLM - SELECTION_5: - WorkstationName|re: ^[A-Za-z0-9]{16}$ - SELECTION_6: - ProcessName|re: ^$ - SELECTION_7: - EventID: 4776 - SELECTION_8: - Workstation|re: ^[A-Za-z0-9]{16}$ - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5) - or (SELECTION_6 and SELECTION_7 and SELECTION_8)) -falsepositives: -- Linux hostnames composed of 16 characters. -id: 72124974-a68b-4366-b990-d30e0b2a190d -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb -status: experimental -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml deleted file mode 100644 index eec1f046..00000000 --- a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ /dev/null @@ -1,66 +0,0 @@ - -title: Meterpreter or Cobalt Strike Getsystem Service Installation -author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service installation -detection: - SELECTION_1: - EventID: 7045 - SELECTION_10: - ImagePath: '*cmd.exe*' - SELECTION_11: - ImagePath: '*/c*' - SELECTION_12: - ImagePath: '*echo*' - SELECTION_13: - ImagePath: '*\pipe\\*' - SELECTION_14: - ImagePath: '*rundll32*' - SELECTION_15: - ImagePath: '*.dll,a*' - SELECTION_16: - ImagePath: '*/p:*' - SELECTION_2: - ImagePath: '*cmd*' - SELECTION_3: - ImagePath: '*/c*' - SELECTION_4: - ImagePath: '*echo*' - SELECTION_5: - ImagePath: '*\pipe\\*' - SELECTION_6: - ImagePath: '*%COMSPEC%*' - SELECTION_7: - ImagePath: '*/c*' - SELECTION_8: - ImagePath: '*echo*' - SELECTION_9: - ImagePath: '*\pipe\\*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10 - and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15 - and SELECTION_16))) -falsepositives: -- Highly unlikely -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ImagePath -id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 -level: critical -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment -- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ -status: experimental -tags: -- attack.privilege_escalation -- attack.t1134 -- attack.t1134.001 -- attack.t1134.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mmc20_lateral_movement.yml b/rules/sigma/builtin/win_mmc20_lateral_movement.yml deleted file mode 100644 index 59d719b3..00000000 --- a/rules/sigma/builtin/win_mmc20_lateral_movement.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: MMC20 Lateral Movement -author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)' -date: 2020/03/04 -description: Detects MMC20.Application Lateral Movement; specifically looks for the - spawning of the parent MMC.exe with a command line of "-Embedding" as a child of - svchost.exe -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - ParentImage: '*\svchost.exe' - SELECTION_3: - Image: '*\mmc.exe' - SELECTION_4: - CommandLine: '*-Embedding*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unlikely -id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd -level: high -logsource: - category: process_creation - product: windows -modified: 2020/08/23 -references: -- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ -- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing -status: experimental -tags: -- attack.execution -- attack.t1175 -- attack.t1021.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_moriya_rootkit.yml b/rules/sigma/builtin/win_moriya_rootkit.yml deleted file mode 100644 index d7ceedf2..00000000 --- a/rules/sigma/builtin/win_moriya_rootkit.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Moriya Rootkit -author: Bhabesh Raj -date: 2021/05/06 -description: Detects the use of Moriya rootkit as described in the securelist's Operation - TunnelSnake report -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: ZzNetSvc - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- None -id: 25b9c01c-350d-4b95-bed1-836d04a4f324 -level: critical -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_net_ntlm_downgrade.yml b/rules/sigma/builtin/win_net_ntlm_downgrade.yml deleted file mode 100644 index 31b36e4b..00000000 --- a/rules/sigma/builtin/win_net_ntlm_downgrade.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: NetNTLM Downgrade Attack -author: Florian Roth, wagga -date: 2018/03/20 -description: Detects NetNTLM downgrade attack -detection: - SELECTION_1: - EventID: 4657 - SELECTION_2: - ObjectName: '*\REGISTRY\MACHINE\SYSTEM*' - SELECTION_3: - ObjectName: '*ControlSet*' - SELECTION_4: - ObjectName: '*\Control\Lsa*' - SELECTION_5: - ObjectValueName: - - LmCompatibilityLevel - - NtlmMinClientSec - - RestrictSendingNTLMTraffic - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Unknown -id: d3abac66-f11c-4ed0-8acb-50cc29c97eed -level: critical -logsource: - definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)' - product: windows - service: security -modified: 2021/06/27 -references: -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -related: -- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_net_use_admin_share.yml b/rules/sigma/builtin/win_net_use_admin_share.yml deleted file mode 100644 index 29ad7473..00000000 --- a/rules/sigma/builtin/win_net_use_admin_share.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Mounted Windows Admin Shares with net.exe -author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, - wagga -date: 2020/10/05 -description: Detects when an admin share is mounted using net.exe -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - Image: - - '*\net.exe' - - '*\net1.exe' - SELECTION_3: - CommandLine: '* use *' - SELECTION_4: - CommandLine: '*\\\*\\*$*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Administrators -id: 3abd6094-7027-475f-9630-8ab9be7b9725 -level: medium -logsource: - category: process_creation - product: windows -modified: 2021/06/27 -references: -- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml deleted file mode 100644 index 594e73f1..00000000 --- a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: New or Renamed User Account with '$' in Attribute 'SamAccountName'. -author: Ilyas Ochkov, oscd.community -date: 2019/10/25 -description: Detects possible bypass EDR and SIEM via abnormal user account name. -detection: - SELECTION_1: - EventID: 4720 - SELECTION_2: - EventID: 4781 - SELECTION_3: - SamAccountName: '*$*' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3) -falsepositives: -- Unknown -fields: -- EventID -- SamAccountName -- SubjectUserName -id: cfeed607-6aa4-4bbd-9627-b637deb723c8 -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -status: experimental -tags: -- attack.defense_evasion -- attack.t1036 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_not_allowed_rdp_access.yml b/rules/sigma/builtin/win_not_allowed_rdp_access.yml deleted file mode 100644 index 1d79dbb4..00000000 --- a/rules/sigma/builtin/win_not_allowed_rdp_access.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Denied Access To Remote Desktop -author: Pushkarev Dmitry -date: 2020/06/27 -description: This event is generated when an authenticated user who is not allowed - to log on remotely attempts to connect to this computer through Remote Desktop. - Often, this event can be generated by attackers when searching for available windows - servers in the network. -detection: - SELECTION_1: - EventID: 4825 - condition: SELECTION_1 -falsepositives: -- Valid user was not added to RDP group -fields: -- EventCode -- AccountName -- ClientAddress -id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9 -level: medium -logsource: - product: windows - service: security -references: -- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825 -status: experimental -tags: -- attack.lateral_movement -- attack.t1076 -- attack.t1021.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml deleted file mode 100644 index 519b471e..00000000 --- a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: NTFS Vulnerability Exploitation -author: Florian Roth -date: 2021/01/11 -description: This the exploitation of a NTFS vulnerability as reported without many - details via Twitter -detection: - SELECTION_1: - Provider_Name: Ntfs - SELECTION_2: - EventID: 55 - SELECTION_3: - Origin: File System Driver - SELECTION_4: - Description: '*contains a corrupted file record*' - SELECTION_5: - Description: '*The name of the file is "\"*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Unlikely -id: f14719ce-d3ab-4e25-9ce6-2899092260b0 -level: critical -logsource: - product: windows - service: system -modified: 2021/11/17 -references: -- https://twitter.com/jonasLyk/status/1347900440000811010 -- https://twitter.com/wdormann/status/1347958161609809921 -status: experimental -tags: -- attack.impact -- attack.t1499.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_overpass_the_hash.yml b/rules/sigma/builtin/win_overpass_the_hash.yml deleted file mode 100644 index 6681cb74..00000000 --- a/rules/sigma/builtin/win_overpass_the_hash.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Successful Overpass the Hash Attempt -author: Roberto Rodriguez (source), Dominik Schaudel (rule) -date: 2018/02/12 -description: Detects successful logon with logon type 9 (NewCredentials) which matches - the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 9 - SELECTION_3: - LogonProcessName: seclogo - SELECTION_4: - AuthenticationPackageName: Negotiate - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Runas command-line tool using /netonly parameter -id: 192a0330-c20b-4356-90b6-7b7049ae0b87 -level: high -logsource: - product: windows - service: security -references: -- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1075 -- attack.s0002 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_pass_the_hash.yml b/rules/sigma/builtin/win_pass_the_hash.yml deleted file mode 100644 index c9549334..00000000 --- a/rules/sigma/builtin/win_pass_the_hash.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Pass the Hash Activity -author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) -date: 2017/03/08 -description: Detects the attack technique pass the hash which is used to move laterally - inside the network -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - EventID: 4625 - SELECTION_3: - LogonType: '3' - SELECTION_4: - LogonProcessName: NtLmSsp - SELECTION_5: - WorkstationName: '%Workstations%' - SELECTION_6: - ComputerName: '%Workstations%' - SELECTION_7: - AccountName: ANONYMOUS LOGON - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5 - and SELECTION_6) and not (SELECTION_7)) -falsepositives: -- Administrator activity -- Penetration tests -id: f8d98d6c-7a07-4d74-b064-dd4a3c244528 -level: medium -logsource: - definition: The successful use of PtH for lateral movement between workstations - would trigger event ID 4624, a failed logon attempt would trigger an event ID - 4625 - product: windows - service: security -references: -- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events -status: experimental -tags: -- attack.lateral_movement -- attack.t1075 -- car.2016-04-004 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_pass_the_hash_2.yml b/rules/sigma/builtin/win_pass_the_hash_2.yml deleted file mode 100644 index 2cce718f..00000000 --- a/rules/sigma/builtin/win_pass_the_hash_2.yml +++ /dev/null @@ -1,45 +0,0 @@ - -title: Pass the Hash Activity 2 -author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) -date: 2019/06/14 -description: Detects the attack technique pass the hash which is used to move laterally - inside the network -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - SubjectUserSid: S-1-0-0 - SELECTION_3: - LogonType: '3' - SELECTION_4: - LogonProcessName: NtLmSsp - SELECTION_5: - KeyLength: '0' - SELECTION_6: - LogonType: '9' - SELECTION_7: - LogonProcessName: seclogo - SELECTION_8: - AccountName: ANONYMOUS LOGON - condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - or (SELECTION_6 and SELECTION_7))) and not (SELECTION_8)) -falsepositives: -- Administrator activity -- Penetration tests -id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b -level: medium -logsource: - definition: The successful use of PtH for lateral movement between workstations - would trigger event ID 4624 - product: windows - service: security -references: -- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events -- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/ -status: stable -tags: -- attack.lateral_movement -- attack.t1075 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_petitpotam_network_share.yml b/rules/sigma/builtin/win_petitpotam_network_share.yml deleted file mode 100644 index 7c6c8a7e..00000000 --- a/rules/sigma/builtin/win_petitpotam_network_share.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Possible PetitPotam Coerce Authentication Attempt -author: Mauricio Velazco, Michael Haag -date: 2021/09/02 -description: Detect PetitPotam coerced authentication activity. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\\* - SELECTION_3: - ShareName: '*\IPC$' - SELECTION_4: - RelativeTargetName: lsarpc - SELECTION_5: - SubjectUserName: ANONYMOUS LOGON - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Unknown. Feedback welcomed. -id: 1ce8c8a3-2723-48ed-8246-906ac91061a6 -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Detailed File Share" - must be configured for Success/Failure - product: windows - service: security -references: -- https://github.com/topotam/PetitPotam -- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml -status: experimental -tags: -- attack.credential_access -- attack.t1187 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml deleted file mode 100644 index 0bf1ffbc..00000000 --- a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml +++ /dev/null @@ -1,44 +0,0 @@ - -title: PetitPotam Suspicious Kerberos TGT Request -author: Mauricio Velazco, Michael Haag -date: 2021/09/02 -description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer - certificate by abusing Active Directory Certificate Services in combination with - PetitPotam, the next step would be to leverage the certificate for malicious purposes. - One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool - like Rubeus. This request will generate a 4768 event with some unusual fields depending - on the environment. This analytic will require tuning, we recommend filtering Account_Name - to the Domain Controller computer accounts. -detection: - SELECTION_1: - EventID: 4768 - SELECTION_2: - TargetUserName: '*$' - SELECTION_3: - CertThumbprint: '*' - SELECTION_4: - IpAddress: ::1 - SELECTION_5: - CertThumbprint: '' - condition: (((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) - and not (SELECTION_5)) -falsepositives: -- False positives are possible if the environment is using certificates for authentication. - We recommend filtering Account_Name to the Domain Controller computer accounts. -id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5 -level: high -logsource: - definition: The advanced audit policy setting "Account Logon > Kerberos Authentication - Service" must be configured for Success/Failure - product: windows - service: security -modified: 2021/09/07 -references: -- https://github.com/topotam/PetitPotam -- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ -- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml -status: experimental -tags: -- attack.credential_access -- attack.t1187 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_possible_dc_shadow.yml b/rules/sigma/builtin/win_possible_dc_shadow.yml deleted file mode 100644 index 698d33a8..00000000 --- a/rules/sigma/builtin/win_possible_dc_shadow.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Possible DC Shadow -author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah -date: 2019/10/25 -description: Detects DCShadow via create new SPN -detection: - SELECTION_1: - EventID: 4742 - SELECTION_2: - ServicePrincipalNames: '*GC/*' - SELECTION_3: - EventID: 5136 - SELECTION_4: - AttributeLDAPDisplayName: servicePrincipalName - SELECTION_5: - AttributeValue: GC/* - condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5)) -falsepositives: -- Exclude known DCs -id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed -level: high -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml -- https://twitter.com/gentilkiwi/status/1003236624925413376 -- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 -- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d -status: experimental -tags: -- attack.credential_access -- attack.t1207 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml deleted file mode 100644 index 0f2671e9..00000000 --- a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: PowerShell Scripts Installed as Services -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -description: Detects powershell script installed as a Service -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: - - '*powershell*' - - '*pwsh*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: a2e5019d-a658-4c6a-92bf-7197b54e2cae -level: high -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -status: experimental -tags: -- attack.execution -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml deleted file mode 100644 index 1cacfe12..00000000 --- a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Possible Zerologon (CVE-2020-1472) Exploitation -author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community -date: 2020/10/15 -description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) -detection: - SELECTION_1: - EventID: 4742 - SELECTION_2: - SubjectUserName: ANONYMOUS LOGON - SELECTION_3: - TargetUserName: '%DC-MACHINE-NAME%' - SELECTION_4: - PasswordLastSet: '-' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- automatic DC computer account password change -- legitimate DC computer account password change -id: dd7876d8-0f09-11eb-adc1-0242ac120002 -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 -- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/ -status: experimental -tags: -- attack.t1068 -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_protected_storage_service_access.yml b/rules/sigma/builtin/win_protected_storage_service_access.yml deleted file mode 100644 index 1fbee11a..00000000 --- a/rules/sigma/builtin/win_protected_storage_service_access.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Protected Storage Service Access -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -description: Detects access to a protected_storage service over the network. Potential - abuse of DPAPI to extract domain backup keys from Domain Controllers -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: '*IPC*' - SELECTION_3: - RelativeTargetName: protected_storage - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 45545954-4016-43c6-855e-eae8f1c369dc -level: critical -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1021 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml deleted file mode 100644 index 9c1364aa..00000000 --- a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: QuarksPwDump Clearing Access History -author: Florian Roth -date: 2017/05/15 -description: Detects QuarksPwDump clearing access history in hive -detection: - SELECTION_1: - EventID: 16 - SELECTION_2: - HiveName: '*\AppData\Local\Temp\SAM*' - SELECTION_3: - HiveName: '*.dmp' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 39f919f3-980b-4e6f-a975-8af7e507ef2b -level: critical -logsource: - product: windows - service: system -modified: 2019/11/13 -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_schtasks_creations.yml b/rules/sigma/builtin/win_rare_schtasks_creations.yml deleted file mode 100644 index 2453fd24..00000000 --- a/rules/sigma/builtin/win_rare_schtasks_creations.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Rare Schtasks Creations -author: Florian Roth -date: 2017/03/23 -description: Detects rare scheduled tasks creations that only appear a few times per - time frame and could reveal password dumpers, backdoor installs or other types of - malicious code -detection: - SELECTION_1: - EventID: 4698 - condition: SELECTION_1 | count() by TaskName < 5 -falsepositives: -- Software installation -- Software updates -id: b0d77106-7bb0-41fe-bd94-d1752164d066 -level: low -logsource: - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection (not in the baseline - recommendations by Microsoft). We also recommend extracting the Command field - from the embedded XML in the event data. - product: windows - service: security -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.persistence -- attack.t1053 -- car.2013-08-001 -- attack.t1053.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_service_installs.yml b/rules/sigma/builtin/win_rare_service_installs.yml deleted file mode 100644 index 956abf96..00000000 --- a/rules/sigma/builtin/win_rare_service_installs.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Rare Service Installs -author: Florian Roth -date: 2017/03/08 -description: Detects rare service installs that only appear a few times per time frame - and could reveal password dumpers, backdoor installs or other types of malicious - services -detection: - SELECTION_1: - EventID: 7045 - condition: SELECTION_1 | count() by ServiceFileName < 5 -falsepositives: -- Software installation -- Software updates -id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae -level: low -logsource: - product: windows - service: system -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1050 -- car.2013-09-005 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml deleted file mode 100644 index 8c6ee0a1..00000000 --- a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln -author: Florian Roth (rule), Adam Bradbury (idea) -date: 2019/06/02 -description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable - to CVE-2019-0708 RDP RCE aka BlueKeep -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - TargetUserName: AAAAAAA - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: 8400629e-79a9-4737-b387-5db940ab2367 -level: critical -logsource: - product: windows - service: security -modified: 2021/11/12 -references: -- https://twitter.com/AdamTheAnalyst/status/1134394070045003776 -- https://github.com/zerosum0x0/CVE-2019-0708 -status: experimental -tags: -- attack.lateral_movement -- attack.t1210 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_localhost_login.yml b/rules/sigma/builtin/win_rdp_localhost_login.yml deleted file mode 100644 index e0b37345..00000000 --- a/rules/sigma/builtin/win_rdp_localhost_login.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: RDP Login from Localhost -author: Thomas Patzke -date: 2019/01/28 -description: RDP login with localhost source address may be a tunnelled login -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 10 - SELECTION_3: - IpAddress: - - ::1 - - 127.0.0.1 - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 51e33403-2a37-4d66-a574-1fda1782cc31 -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1076 -- car.2013-07-002 -- attack.t1021.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml deleted file mode 100644 index c502101c..00000000 --- a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Potential RDP Exploit CVE-2019-0708 -author: Lionel PRAT, Christophe BROCAS, @atc_project (improvements) -date: 2019/05/24 -description: Detect suspicious error on protocol RDP, potential CVE-2019-0708 -detection: - SELECTION_1: - EventID: 56 - SELECTION_2: - EventID: 50 - SELECTION_3: - Provider_Name: TermDD - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3) -falsepositives: -- Bad connections or network interruptions -id: aaa5b30d-f418-420b-83a0-299cb6024885 -level: high -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://github.com/zerosum0x0/CVE-2019-0708 -- https://github.com/Ekultek/BlueKeep -status: experimental -tags: -- attack.lateral_movement -- attack.t1210 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml b/rules/sigma/builtin/win_rdp_reverse_tunnel.yml deleted file mode 100644 index 64eb9646..00000000 --- a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml +++ /dev/null @@ -1,45 +0,0 @@ - -title: RDP over Reverse SSH Tunnel WFP -author: Samir Bousseaden -date: 2019/02/16 -description: Detects svchost hosting RDP termsvcs communicating with the loopback - address -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - SourcePort: 3389 - SELECTION_3: - DestAddress: - - 127.* - - ::1 - SELECTION_4: - DestPort: 3389 - SELECTION_5: - SourceAddress: - - 127.* - - ::1 - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -falsepositives: -- unknown -id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41 -level: high -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://twitter.com/SBousseaden/status/1096148422984384514 -- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx -status: experimental -tags: -- attack.defense_evasion -- attack.command_and_control -- attack.lateral_movement -- attack.t1076 -- attack.t1090 -- attack.t1090.001 -- attack.t1090.002 -- attack.t1021.001 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml deleted file mode 100644 index 33858382..00000000 --- a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Register new Logon Process by Rubeus -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community -date: 2019/10/24 -description: Detects potential use of Rubeus via registered new trusted logon process -detection: - SELECTION_1: - EventID: 4611 - SELECTION_2: - LogonProcessName: User32LogonProcesss - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 12e6d621-194f-4f59-90cc-1959e21e69f7 -level: critical -logsource: - product: windows - service: security -modified: 2021/08/14 -references: -- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_powershell_session.yml b/rules/sigma/builtin/win_remote_powershell_session.yml deleted file mode 100644 index 0abee6a5..00000000 --- a/rules/sigma/builtin/win_remote_powershell_session.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Remote PowerShell Sessions Network Connections (WinRM) -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/09/12 -description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound - connections to ports 5985 OR 5986 -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - DestPort: 5985 - SELECTION_3: - DestPort: 5986 - SELECTION_4: - LayerRTID: 44 - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- Legitimate use of remote PowerShell execution -id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -level: high -logsource: - product: windows - service: security -modified: 2021/05/21 -references: -- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html -status: experimental -tags: -- attack.execution -- attack.t1086 -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml deleted file mode 100644 index 64260e10..00000000 --- a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Remote Registry Management Using Reg Utility -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: Remote registry management using REG utility from non-admin workstation -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: '*\winreg*' - SELECTION_3: - IpAddress: '%Admins_Workstations%' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Legitimate usage of remote registry management by administrator -id: 68fcba0d-73a5-475e-a915-e8b4c576827e -level: medium -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -- attack.discovery -- attack.t1012 -- attack.credential_access -- attack.t1552.002 -- attack.s0075 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_root_certificate_installed.yml b/rules/sigma/builtin/win_root_certificate_installed.yml deleted file mode 100644 index c6afd974..00000000 --- a/rules/sigma/builtin/win_root_certificate_installed.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Root Certificate Installed -author: oscd.community, @redcanary, Zach Stanford @svch0st -date: 2020/10/10 -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. -detection: - SELECTION_1: - EventID: 4104 - SELECTION_2: - ScriptBlockText: '*Cert:\LocalMachine\Root*' - SELECTION_3: - ScriptBlockText: '*Move-Item*' - SELECTION_4: - ScriptBlockText: '*Import-Certificate*' - condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4)) -falsepositives: -- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to - test if GPO push doesn't trigger FP -id: 42821614-9264-4761-acfc-5772c3286f76 -level: medium -logsource: - product: windows - service: powershell -modified: 2021/09/21 -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md -status: experimental -tags: -- attack.defense_evasion -- attack.t1553.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml b/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml deleted file mode 100644 index 01917a8b..00000000 --- a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: SAM Registry Hive Handle Request -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/12 -description: Detects handles requested to SAM registry hive -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - ObjectType: Key - SELECTION_3: - ObjectName: '*\SAM' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ProcessName -- ObjectName -id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332 -level: critical -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html -status: experimental -tags: -- attack.discovery -- attack.t1012 -- attack.credential_access -- attack.t1552.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scheduled_task_deletion.yml b/rules/sigma/builtin/win_scheduled_task_deletion.yml deleted file mode 100644 index 20e4b058..00000000 --- a/rules/sigma/builtin/win_scheduled_task_deletion.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Scheduled Task Deletion -author: David Strassegger -date: 2021/01/22 -description: Detects scheduled task deletion events. Scheduled tasks are likely to - be deleted if not used for persistence. Malicious Software often creates tasks directly - under the root node e.g. \TASKNAME -detection: - SELECTION_1: - EventID: 4699 - condition: SELECTION_1 -falsepositives: -- Software installation -id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 -level: medium -logsource: - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection. We also recommend - extracting the Command field from the embedded XML in the event data. - product: windows - service: security -references: -- https://twitter.com/matthewdunwoody/status/1352356685982146562 -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.t1053 -- car.2013-08-001 -- attack.t1053.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_handle_failure.yml b/rules/sigma/builtin/win_scm_database_handle_failure.yml deleted file mode 100644 index 110c061d..00000000 --- a/rules/sigma/builtin/win_scm_database_handle_failure.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: SCM Database Handle Failure -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/12 -description: Detects non-system users failing to get a handle of the SCM database. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - ObjectType: SC_MANAGER OBJECT - SELECTION_3: - ObjectName: ServicesActive - SELECTION_4: - SubjectLogonId: '0x3e4' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Unknown -id: 13addce7-47b2-4ca0-a98f-1de964d1d669 -level: critical -logsource: - product: windows - service: security -modified: 2021/11/12 -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html -status: experimental -tags: -- attack.discovery -- attack.t1010 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_privileged_operation.yml b/rules/sigma/builtin/win_scm_database_privileged_operation.yml deleted file mode 100644 index 568020cb..00000000 --- a/rules/sigma/builtin/win_scm_database_privileged_operation.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: SCM Database Privileged Operation -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/15 -description: Detects non-system users performing privileged operation os the SCM database -detection: - SELECTION_1: - EventID: 4674 - SELECTION_2: - ObjectType: SC_MANAGER OBJECT - SELECTION_3: - ObjectName: servicesactive - SELECTION_4: - PrivilegeList: SeTakeOwnershipPrivilege - SELECTION_5: - SubjectLogonId: '0x3e4' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Unknown -id: dae8171c-5ec6-4396-b210-8466585b53e9 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html -status: experimental -tags: -- attack.privilege_escalation -- attack.t1548 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml deleted file mode 100644 index 8c3cde51..00000000 --- a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Remote WMI ActiveScriptEventConsumers -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/09/02 -description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers - remotely to move laterally in a network -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 3 - SELECTION_3: - ProcessName: '*scrcons.exe' - SELECTION_4: - TargetLogonId: '0x3e7' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- SCCM -id: 9599c180-e3a8-4743-8f92-7fb96d3be648 -level: high -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.persistence -- attack.t1546.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml deleted file mode 100644 index 4fd129a9..00000000 --- a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml +++ /dev/null @@ -1,52 +0,0 @@ - -title: CobaltStrike Service Installations -author: Florian Roth, Wojciech Lesicki -date: 2021/05/26 -description: Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName: '*ADMIN$*' - SELECTION_3: - ServiceFileName: '*.exe*' - SELECTION_4: - ServiceFileName: '*%COMSPEC%*' - SELECTION_5: - ServiceFileName: '*start*' - SELECTION_6: - ServiceFileName: '*powershell*' - SELECTION_7: - ServiceFileName: '*powershell -nop -w hidden -encodedcommand*' - SELECTION_8: - ServiceFileName: - - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*' - - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*' - - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5 - and SELECTION_6) or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://www.sans.org/webcasts/119395 -- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ -- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ -related: -- id: 5a105d34-05fc-401e-8553-272b45c1522d - type: derived -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.lateral_movement -- attack.t1021.002 -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_creddumper.yml b/rules/sigma/builtin/win_security_mal_creddumper.yml deleted file mode 100644 index 25aa5e17..00000000 --- a/rules/sigma/builtin/win_security_mal_creddumper.yml +++ /dev/null @@ -1,46 +0,0 @@ - -title: Credential Dumping Tools Service Execution -author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2017/03/05 -description: Detects well-known credential dumping tools execution via service execution - events -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName: - - '*fgexec*' - - '*dumpsvc*' - - '*cachedump*' - - '*mimidrv*' - - '*gsecdump*' - - '*servpw*' - - '*pwdump*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Administrator using credential dumping tool for password recovery -id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 -level: high -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -related: -- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed - type: derived -status: experimental -tags: -- attack.credential_access -- attack.execution -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.005 -- attack.t1003.006 -- attack.t1035 -- attack.t1569.002 -- attack.s0005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_service_installs.yml b/rules/sigma/builtin/win_security_mal_service_installs.yml deleted file mode 100644 index c5ce8b1c..00000000 --- a/rules/sigma/builtin/win_security_mal_service_installs.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Malicious Service Installations -author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) -date: 2017/03/27 -description: Detects known malicious service installs that only appear in cases of - lateral movement, credential dumping, and other suspicious activities. -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceName: javamtsup - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Penetration testing -id: cb062102-587e-4414-8efa-dbe3c7bf19c6 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://awakesecurity.com/blog/threat-hunting-for-paexec/ -- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html -- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf -related: -- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a - type: derived -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1003 -- attack.t1035 -- attack.t1050 -- car.2013-09-005 -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml deleted file mode 100644 index 38e48d2a..00000000 --- a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ /dev/null @@ -1,49 +0,0 @@ - -title: Metasploit Or Impacket Service Installation Via SMB PsExec -author: Bartlomiej Czyz, Relativity -date: 2021/01/21 -description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and - Impacket psexec.py by triggering on specific service installation -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$ - SELECTION_3: - ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$) - SELECTION_4: - ServiceStartType: '3' - SELECTION_5: - ServiceType: '0x10' - SELECTION_6: - ServiceName: PSEXESVC - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - and not (SELECTION_6)) -falsepositives: -- Possible, different agents with a 8 character binary and a 4, 8 or 16 character - service name -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ServiceName -- ServiceFileName -id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 -level: high -logsource: - product: windows - service: security -modified: 2021/07/23 -references: -- https://bczyz1.github.io/2021/01/30/psexec.html -related: -- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 - type: derived -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -- attack.t1570 -- attack.execution -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml deleted file mode 100644 index 12376834..00000000 --- a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ /dev/null @@ -1,69 +0,0 @@ - -title: Meterpreter or Cobalt Strike Getsystem Service Installation -author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service installation -detection: - SELECTION_1: - EventID: 4697 - SELECTION_10: - ServiceFileName: '*cmd.exe*' - SELECTION_11: - ServiceFileName: '*/c*' - SELECTION_12: - ServiceFileName: '*echo*' - SELECTION_13: - ServiceFileName: '*\pipe\\*' - SELECTION_14: - ServiceFileName: '*rundll32*' - SELECTION_15: - ServiceFileName: '*.dll,a*' - SELECTION_16: - ServiceFileName: '*/p:*' - SELECTION_2: - ServiceFileName: '*cmd*' - SELECTION_3: - ServiceFileName: '*/c*' - SELECTION_4: - ServiceFileName: '*echo*' - SELECTION_5: - ServiceFileName: '*\pipe\\*' - SELECTION_6: - ServiceFileName: '*%COMSPEC%*' - SELECTION_7: - ServiceFileName: '*/c*' - SELECTION_8: - ServiceFileName: '*echo*' - SELECTION_9: - ServiceFileName: '*\pipe\\*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10 - and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15 - and SELECTION_16))) -falsepositives: -- Highly unlikely -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ServiceFileName -id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment -- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ -related: -- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived -status: experimental -tags: -- attack.privilege_escalation -- attack.t1134 -- attack.t1134.001 -- attack.t1134.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml deleted file mode 100644 index 5ba61d36..00000000 --- a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: PowerShell Scripts Installed as Services -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -description: Detects powershell script installed as a Service -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName: - - '*powershell*' - - '*pwsh*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 2a926e6a-4b81-4011-8a96-e36cc8c04302 -level: high -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -related: -- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae - type: derived -status: experimental -tags: -- attack.execution -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_tap_driver_installation.yml b/rules/sigma/builtin/win_security_tap_driver_installation.yml deleted file mode 100644 index c70dae79..00000000 --- a/rules/sigma/builtin/win_security_tap_driver_installation.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Tap Driver Installation -author: Daniil Yugoslavskiy, Ian Davis, oscd.community -date: 2019/10/24 -description: Well-known TAP software installation. Possible preparation for data exfiltration - using tunnelling techniques -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName: '*tap0901*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate OpenVPN TAP insntallation -id: 9c8afa4d-0022-48f0-9456-3712466f9701 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/21 -related: -- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 - type: derived -status: experimental -tags: -- attack.exfiltration -- attack.t1048 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml deleted file mode 100644 index 9e2a8e04..00000000 --- a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Exchange Set OabVirtualDirectory ExternalUrl Property -author: Jose Rodriguez @Cyb3rPandaH -date: 2021/03/15 -description: Rule to detect an adversary setting OabVirtualDirectory External URL - property to a script in Exchange Management log -detection: - SELECTION_1: - - Set-OabVirtualDirectory - SELECTION_2: - - ExternalUrl - SELECTION_3: - - Page_Load - SELECTION_4: - - script - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 9db37458-4df2-46a5-95ab-307e7f29e675 -level: high -logsource: - product: windows - service: msexchange-management -modified: 2021/11/15 -references: -- https://twitter.com/OTR_Community/status/1371053369071132675 -status: experimental -tags: -- attack.persistence -- attack.t1505.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml b/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml deleted file mode 100644 index 9c708842..00000000 --- a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: SMB Create Remote File Admin Share -author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) -date: 2020/08/06 -description: Look for non-system accounts SMB accessing a file with write (0x2) access - mask via administrative share (i.e C$). -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: '*C$' - SELECTION_3: - AccessMask: '0x2' - SELECTION_4: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Unknown -id: b210394c-ba12-4f89-9117-44a2464b9511 -level: high -logsource: - product: windows - service: security -references: -- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml -- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml b/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml deleted file mode 100644 index 9387fcbf..00000000 --- a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Atera Agent Installation -author: Bhabesh Raj -date: 2021/09/01 -description: Detects successful installation of Atera Remote Monitoring & Management - (RMM) agent as recently found to be used by Conti operators -detection: - SELECTION_1: - EventID: 1033 - SELECTION_2: - Provider_Name: MsiInstaller - SELECTION_3: - Message: '*AteraAgent*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate Atera agent installation -id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43 -level: high -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent -status: experimental -tags: -- attack.t1219 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_add_domain_trust.yml b/rules/sigma/builtin/win_susp_add_domain_trust.yml deleted file mode 100644 index 9df063a5..00000000 --- a/rules/sigma/builtin/win_susp_add_domain_trust.yml +++ /dev/null @@ -1,21 +0,0 @@ - -title: Addition of Domain Trusts -author: Thomas Patzke -date: 2019/12/03 -description: Addition of domains is seldom and should be verified for legitimacy. -detection: - SELECTION_1: - EventID: 4706 - condition: SELECTION_1 -falsepositives: -- Legitimate extension of domain structure -id: 0255a820-e564-4e40-af2b-6ac61160335c -level: medium -logsource: - product: windows - service: security -status: stable -tags: -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_add_sid_history.yml b/rules/sigma/builtin/win_susp_add_sid_history.yml deleted file mode 100644 index 4350892f..00000000 --- a/rules/sigma/builtin/win_susp_add_sid_history.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: Addition of SID History to Active Directory Object -author: Thomas Patzke, @atc_project (improvements) -date: 2017/02/19 -description: An attacker can use the SID history attribute to gain additional privileges. -detection: - SELECTION_1: - EventID: 4765 - SELECTION_2: - EventID: 4766 - SELECTION_3: - EventID: 4738 - SELECTION_4: - SidHistory: - - '-' - - '%%1793' - SELECTION_5: - SidHistory|re: ^$ - condition: ((SELECTION_1 or SELECTION_2) or ((SELECTION_3 and not (SELECTION_4)) - and not (SELECTION_5))) -falsepositives: -- Migration of an account into a new domain -id: 2632954e-db1c-49cb-9936-67d1ef1d17d2 -level: medium -logsource: - product: windows - service: security -references: -- https://adsecurity.org/?p=1772 -status: stable -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1178 -- attack.t1134.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_backup_delete.yml b/rules/sigma/builtin/win_susp_backup_delete.yml deleted file mode 100644 index 2faf96f1..00000000 --- a/rules/sigma/builtin/win_susp_backup_delete.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Backup Catalog Deleted -author: Florian Roth (rule), Tom U. @c_APT_ure (collection) -date: 2017/05/12 -description: Detects backup catalog deletions -detection: - SELECTION_1: - EventID: 524 - SELECTION_2: - Provider_Name: Microsoft-Windows-Backup - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 9703792d-fd9a-456d-a672-ff92efe4806a -level: medium -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx -- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 -status: experimental -tags: -- attack.defense_evasion -- attack.t1107 -- attack.t1070.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml b/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml deleted file mode 100644 index ba6e3a58..00000000 --- a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml +++ /dev/null @@ -1,25 +0,0 @@ - -title: Failed Code Integrity Checks -author: Thomas Patzke -date: 2019/12/03 -description: Code integrity failures may indicate tampered executables. -detection: - SELECTION_1: - EventID: 5038 - SELECTION_2: - EventID: 6281 - condition: (SELECTION_1 or SELECTION_2) -falsepositives: -- Disk device errors -id: 470ec5fa-7b4e-4071-b200-4c753100f49b -level: low -logsource: - product: windows - service: security -modified: 2020/08/23 -status: stable -tags: -- attack.defense_evasion -- attack.t1009 -- attack.t1027.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dhcp_config.yml b/rules/sigma/builtin/win_susp_dhcp_config.yml deleted file mode 100644 index b2720813..00000000 --- a/rules/sigma/builtin/win_susp_dhcp_config.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: DHCP Server Loaded the CallOut DLL -author: Dimitrios Slamaris -date: 2017/05/15 -description: This rule detects a DHCP server in which a specified Callout DLL (in - registry) was loaded -detection: - SELECTION_1: - EventID: 1033 - SELECTION_2: - Provider_Name: Microsoft-Windows-DHCP-Server - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40 -level: critical -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html -- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx -- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx -status: experimental -tags: -- attack.defense_evasion -- attack.t1073 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml b/rules/sigma/builtin/win_susp_dhcp_config_failed.yml deleted file mode 100644 index 70697751..00000000 --- a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: DHCP Server Error Failed Loading the CallOut DLL -author: Dimitrios Slamaris, @atc_project (fix) -date: 2017/05/15 -description: This rule detects a DHCP server error in which a specified Callout DLL - (in registry) could not be loaded -detection: - SELECTION_1: - EventID: 1031 - SELECTION_2: - EventID: 1032 - SELECTION_3: - EventID: 1034 - SELECTION_4: - Provider_Name: Microsoft-Windows-DHCP-Server - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- Unknown -id: 75edd3fd-7146-48e5-9848-3013d7f0282c -level: critical -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html -- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx -- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx -status: experimental -tags: -- attack.defense_evasion -- attack.t1073 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dns_config.yml b/rules/sigma/builtin/win_susp_dns_config.yml deleted file mode 100644 index 91810c41..00000000 --- a/rules/sigma/builtin/win_susp_dns_config.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: DNS Server Error Failed Loading the ServerLevelPluginDLL -author: Florian Roth -date: 2017/05/08 -description: This rule detects a DNS server error in which a specified plugin DLL - (in registry) could not be loaded -detection: - SELECTION_1: - EventID: 150 - SELECTION_2: - EventID: 770 - condition: (SELECTION_1 or SELECTION_2) -falsepositives: -- Unknown -id: cbe51394-cd93-4473-b555-edf0144952d9 -level: critical -logsource: - product: windows - service: dns-server -references: -- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 -- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx -- https://twitter.com/gentilkiwi/status/861641945944391680 -status: experimental -tags: -- attack.defense_evasion -- attack.t1073 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dsrm_password_change.yml b/rules/sigma/builtin/win_susp_dsrm_password_change.yml deleted file mode 100644 index 95ff1bb3..00000000 --- a/rules/sigma/builtin/win_susp_dsrm_password_change.yml +++ /dev/null @@ -1,25 +0,0 @@ - -title: Password Change on Directory Service Restore Mode (DSRM) Account -author: Thomas Patzke -date: 2017/02/19 -description: The Directory Service Restore Mode (DSRM) account is a local administrator - account on Domain Controllers. Attackers may change the password to gain persistence. -detection: - SELECTION_1: - EventID: 4794 - condition: SELECTION_1 -falsepositives: -- Initial installation of a domain controller -id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51 -level: high -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://adsecurity.org/?p=1714 -status: stable -tags: -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_susp_eventlog_cleared.yml deleted file mode 100644 index 8309611a..00000000 --- a/rules/sigma/builtin/win_susp_eventlog_cleared.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: Eventlog Cleared -author: Florian Roth -date: 2017/01/10 -description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil - cl" command execution -detection: - SELECTION_1: - EventID: 517 - SELECTION_2: - EventID: 1102 - SELECTION_3: - Provider_Name: Microsoft-Windows-Eventlog - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3) -falsepositives: -- Rollout of log collection agents (the setup routine often includes a reset of the - local Eventlog) -- System provisioning (system reset before the golden image creation) -id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 -level: high -logsource: - product: windows - service: security -modified: 2021/10/13 -references: -- https://twitter.com/deviouspolack/status/832535435960209408 -- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 -related: -- id: f2f01843-e7b8-4f95-a35a-d23584476423 - type: obsoletes -status: experimental -tags: -- attack.defense_evasion -- attack.t1070 -- attack.t1070.001 -- car.2016-04-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_guest_logon.yml b/rules/sigma/builtin/win_susp_failed_guest_logon.yml deleted file mode 100644 index e44823b4..00000000 --- a/rules/sigma/builtin/win_susp_failed_guest_logon.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: Suspicious Rejected SMB Guest Logon From IP -author: Florian Roth, KevTheHermit, fuzzyf10w -date: 2021/06/30 -description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in - Windows Spooler Service -detection: - SELECTION_1: - EventID: 31017 - SELECTION_2: - Description: '*Rejected an insecure guest logon*' - SELECTION_3: - UserName: '' - SELECTION_4: - ServerName: \1* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Account fallback reasons (after failed login with specific account) -fields: -- Computer -- User -id: 71886b70-d7b4-4dbf-acce-87d2ca135262 -level: medium -logsource: - product: windows - service: smbclient-security -modified: 2021/07/05 -references: -- https://twitter.com/KevTheHermit/status/1410203844064301056 -- https://github.com/hhlxf/PrintNightmare -- https://github.com/afwu/PrintNightmare -status: experimental -tags: -- attack.credential_access -- attack.t1110.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml b/rules/sigma/builtin/win_susp_failed_logon_reasons.yml deleted file mode 100644 index 2b41b9fd..00000000 --- a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Account Tampering - Suspicious Failed Logon Reasons -author: Florian Roth -date: 2017/02/19 -description: This method uses uncommon error codes on failed logons to determine suspicious - activity and tampering with accounts that have been disabled or somehow restricted. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - EventID: 4776 - SELECTION_3: - Status: - - '0xC0000072' - - '0xC000006F' - - '0xC0000070' - - '0xC0000413' - - '0xC000018C' - - '0xC000015B' - SELECTION_4: - SubjectUserSid: S-1-0-0 - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- User using a disabled account -id: 9eb99343-d336-4020-a3cd-67f3819e68ee -level: high -logsource: - product: windows - service: security -modified: 2021/10/29 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 -- https://twitter.com/SBousseaden/status/1101431884540710913 -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.privilege_escalation -- attack.initial_access -- attack.t1078 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logon_source.yml b/rules/sigma/builtin/win_susp_failed_logon_source.yml deleted file mode 100644 index 51d806bd..00000000 --- a/rules/sigma/builtin/win_susp_failed_logon_source.yml +++ /dev/null @@ -1,57 +0,0 @@ - -title: Failed Logon From Public IP -author: NVISO -date: 2020/05/06 -description: A login from a public IP can indicate a misconfigured firewall or network - boundary. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - IpAddress: '*-*' - SELECTION_3: - IpAddress: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.* - - 169.254.* - SELECTION_4: - IpAddress: ::1 - SELECTION_5: - IpAddress: - - fe80::* - - fc00::* - condition: (SELECTION_1 and not ((SELECTION_2 or SELECTION_3 or SELECTION_4 or - SELECTION_5))) -falsepositives: -- Legitimate logon attempts over the internet -- IPv4-to-IPv6 mapped IPs -id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 -level: medium -logsource: - product: windows - service: security -status: experimental -tags: -- attack.initial_access -- attack.persistence -- attack.t1078 -- attack.t1190 -- attack.t1133 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml deleted file mode 100644 index b5198853..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Multiple Users Attempting To Authenticate Using Explicit Credentials -author: Mauricio Velazco -date: 2021/06/01 -description: Detects a source user failing to authenticate with multiple users using - explicit credentials on a host. -detection: - SELECTION_1: - EventID: 4648 - condition: SELECTION_1 | count(Account_Name) by ComputerName > 10 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9 -level: medium -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml b/rules/sigma/builtin/win_susp_failed_logons_single_process.yml deleted file mode 100644 index 9c43959b..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Multiple Users Failing to Authenticate from Single Process -author: Mauricio Velazco -date: 2021/06/01 -description: Detects failed logins with multiple accounts from a single process on - the system. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - LogonType: 2 - SELECTION_3: - ProcessName: '-' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by ProcessName > 10 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: fe563ab6-ded4-4916-b49f-a3a8445fe280 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -- https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source.yml deleted file mode 100644 index 8e6d1d1b..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Failed Logins with Different Accounts from Single Source System -author: Florian Roth -date: 2017/01/10 -description: Detects suspicious failed logins with different user accounts from a - single source system -detection: - SELECTION_1: - EventID: 529 - SELECTION_2: - EventID: 4625 - SELECTION_3: - TargetUserName: '*' - SELECTION_4: - WorkstationName: '*' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName) - by WorkstationName > 3 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: e98374a6-e2d9-4076-9b5c-11bdb2569995 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/21 -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1078 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml deleted file mode 100644 index 2f5be1ee..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Failed Logins with Different Accounts from Single Source System -author: Florian Roth -date: 2017/01/10 -description: Detects suspicious failed logins with different user accounts from a - single source system -detection: - SELECTION_1: - EventID: 4776 - SELECTION_2: - TargetUserName: '*' - SELECTION_3: - Workstation: '*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName) - by Workstation > 3 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/21 -related: -- id: e98374a6-e2d9-4076-9b5c-11bdb2569995 - type: derived -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1078 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml deleted file mode 100644 index 85f238bc..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Valid Users Failing to Authenticate From Single Source Using Kerberos -author: Mauricio Velazco, frack113 -date: 2021/06/01 -description: Detects multiple failed logins with multiple valid domain accounts from - a single source system using the Kerberos protocol. -detection: - SELECTION_1: - EventID: 4771 - SELECTION_2: - Status: '0x18' - SELECTION_3: - TargetUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by IpAddress > 10 -falsepositives: -- Vulnerability scanners -- Misconfigured systems -- Remote administration tools -- VPN terminators -- Multiuser systems like Citrix server farms -id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml deleted file mode 100644 index 3efef0e8..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Disabled Users Failing To Authenticate From Source Using Kerberos -author: Mauricio Velazco, frack113 -date: 2021/06/01 -description: Detects failed logins with multiple disabled domain accounts from a single - source system using the Kerberos protocol. -detection: - SELECTION_1: - EventID: 4768 - SELECTION_2: - Status: '0x12' - SELECTION_3: - TargetUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by IpAddress > 10 -falsepositives: -- Vulnerability scanners -- Misconfigured systems -- Remote administration tools -- VPN terminators -- Multiuser systems like Citrix server farms -id: 4b6fe998-b69c-46d8-901b-13677c9fb663 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml deleted file mode 100644 index ad15a8cb..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Invalid Users Failing To Authenticate From Source Using Kerberos -author: Mauricio Velazco, frack113 -date: 2021/06/01 -description: Detects failed logins with multiple invalid domain accounts from a single - source system using the Kerberos protocol. -detection: - SELECTION_1: - EventID: 4768 - SELECTION_2: - Status: '0x6' - SELECTION_3: - TargetUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by IpAddress > 10 -falsepositives: -- Vulnerability scanners -- Misconfigured systems -- Remote administration tools -- VPN terminators -- Multiuser systems like Citrix server farms -id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml deleted file mode 100644 index f7efc427..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Valid Users Failing to Authenticate from Single Source Using NTLM -author: Mauricio Velazco -date: 2021/06/01 -description: Detects failed logins with multiple valid domain accounts from a single - source system using the NTLM protocol. -detection: - SELECTION_1: - EventID: 4776 - SELECTION_2: - Status: '*0xC000006A' - SELECTION_3: - TargetUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by Workstation > 10 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml deleted file mode 100644 index c51d606e..00000000 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Invalid Users Failing To Authenticate From Single Source Using NTLM -author: Mauricio Velazco -date: 2021/06/01 -description: Detects failed logins with multiple invalid domain accounts from a single - source system using the NTLM protocol. -detection: - SELECTION_1: - EventID: 4776 - SELECTION_2: - Status: '*0xC0000064' - SELECTION_3: - TargetUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by Workstation > 10 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: 56d62ef8-3462-4890-9859-7b41e541f8d5 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml deleted file mode 100644 index 8002f8f7..00000000 --- a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Multiple Users Remotely Failing To Authenticate From Single Source -author: Mauricio Velazco -date: 2021/06/01 -description: Detects a source system failing to authenticate against a remote host - with multiple users. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - LogonType: 3 - SELECTION_3: - IpAddress: '-' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by IpAddress > 10 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: add2ef8d-dc91-4002-9e7e-f2702369f53a -level: medium -logsource: - product: windows - service: security -modified: 2021/07/09 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_interactive_logons.yml b/rules/sigma/builtin/win_susp_interactive_logons.yml deleted file mode 100644 index c0f6713d..00000000 --- a/rules/sigma/builtin/win_susp_interactive_logons.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Interactive Logon to Server Systems -author: Florian Roth -date: 2017/03/17 -description: Detects interactive console logons to Server Systems -detection: - SELECTION_1: - EventID: 528 - SELECTION_2: - EventID: 529 - SELECTION_3: - EventID: 4624 - SELECTION_4: - EventID: 4625 - SELECTION_5: - LogonType: 2 - SELECTION_6: - ComputerName: - - '%ServerSystems%' - - '%DomainControllers%' - SELECTION_7: - LogonProcessName: Advapi - SELECTION_8: - ComputerName: '%Workstations%' - condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5 - and SELECTION_6) and not (SELECTION_7 and SELECTION_8)) -falsepositives: -- Administrative activity via KVM or ILO board -id: 3ff152b2-1388-4984-9cd9-a323323fdadf -level: medium -logsource: - product: windows - service: security -status: experimental -tags: -- attack.lateral_movement -- attack.t1078 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml b/rules/sigma/builtin/win_susp_kerberos_manipulation.yml deleted file mode 100644 index 84a40a82..00000000 --- a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml +++ /dev/null @@ -1,60 +0,0 @@ - -title: Kerberos Manipulation -author: Florian Roth -date: 2017/02/10 -description: This method triggers on rare Kerberos Failure Codes caused by manipulations - of Kerberos messages -detection: - SELECTION_1: - EventID: 675 - SELECTION_2: - EventID: 4768 - SELECTION_3: - EventID: 4769 - SELECTION_4: - EventID: 4771 - SELECTION_5: - FailureCode: - - '0x9' - - '0xA' - - '0xB' - - '0xF' - - '0x10' - - '0x11' - - '0x13' - - '0x14' - - '0x1A' - - '0x1F' - - '0x21' - - '0x22' - - '0x23' - - '0x24' - - '0x26' - - '0x27' - - '0x28' - - '0x29' - - '0x2C' - - '0x2D' - - '0x2E' - - '0x2F' - - '0x31' - - '0x32' - - '0x3E' - - '0x3F' - - '0x40' - - '0x41' - - '0x43' - - '0x44' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5) -falsepositives: -- Faulty legacy applications -id: f7644214-0eb0-4ace-9455-331ec4c09253 -level: high -logsource: - product: windows - service: security -status: experimental -tags: -- attack.credential_access -- attack.t1212 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml b/rules/sigma/builtin/win_susp_ldap_dataexchange.yml deleted file mode 100644 index ff34fef6..00000000 --- a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: Suspicious LDAP-Attributes Used -author: xknow @xknow_infosec -date: 2019/03/24 -description: Detects the usage of particular AttributeLDAPDisplayNames, which are - known for data exchange via LDAP by the tool LDAPFragger and are additionally not - commonly used in companies. -detection: - SELECTION_1: - EventID: 5136 - SELECTION_2: - AttributeValue: '*' - SELECTION_3: - AttributeLDAPDisplayName: - - primaryInternationalISDNNumber - - otherFacsimileTelephoneNumber - - primaryTelexNumber - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Companies, who may use these default LDAP-Attributes for personal information -id: d00a9a72-2c09-4459-ad03-5e0a23351e36 -level: high -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 -- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ -- https://github.com/fox-it/LDAPFragger -status: experimental -tags: -- attack.t1071 -- attack.t1001.003 -- attack.command_and_control -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml b/rules/sigma/builtin/win_susp_local_anon_logon_created.yml deleted file mode 100644 index 9d4d3d4f..00000000 --- a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Suspicious Windows ANONYMOUS LOGON Local Account Created -author: James Pemberton / @4A616D6573 -date: 2019/10/31 -description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, - such as using additional spaces. Created as an covering detection for exclusion - of Logon Type 3 from ANONYMOUS LOGON accounts. -detection: - SELECTION_1: - EventID: 4720 - SELECTION_2: - SamAccountName: '*ANONYMOUS*' - SELECTION_3: - SamAccountName: '*LOGON*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 1bbf25b9-8038-4154-a50b-118f2a32be27 -level: high -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://twitter.com/SBousseaden/status/1189469425482829824 -status: experimental -tags: -- attack.persistence -- attack.t1136 -- attack.t1136.001 -- attack.t1136.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml b/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml deleted file mode 100644 index 3cdfaa0f..00000000 --- a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: Suspicious Remote Logon with Explicit Credentials -author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st -date: 2020/10/05 -description: Detects suspicious processes logging on with explicit credentials -detection: - SELECTION_1: - EventID: 4648 - SELECTION_2: - ProcessName: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\pwsh.exe' - - '*\winrs.exe' - - '*\wmic.exe' - - '*\net.exe' - - '*\net1.exe' - - '*\reg.exe' - SELECTION_3: - TargetServerName: localhost - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Administrators that use the RunAS command or scheduled tasks -id: 941e5c45-cda7-4864-8cea-bbb7458d194a -level: medium -logsource: - product: windows - service: security -modified: 2021/11/12 -references: -- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -status: experimental -tags: -- attack.t1078 -- attack.lateral_movement -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump.yml b/rules/sigma/builtin/win_susp_lsass_dump.yml deleted file mode 100644 index 72a5f42b..00000000 --- a/rules/sigma/builtin/win_susp_lsass_dump.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Password Dumper Activity on LSASS -author: sigma -date: 2017/02/12 -description: Detects process handle on LSASS process with certain access mask and - object type SAM_DOMAIN -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - ProcessName: '*\lsass.exe' - SELECTION_3: - AccessMask: '0x705' - SELECTION_4: - ObjectType: SAM_DOMAIN - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c -level: high -logsource: - product: windows - service: security -modified: 2021/06/21 -references: -- https://twitter.com/jackcr/status/807385668833968128 -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml b/rules/sigma/builtin/win_susp_lsass_dump_generic.yml deleted file mode 100644 index ff536f86..00000000 --- a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml +++ /dev/null @@ -1,85 +0,0 @@ - -title: Generic Password Dumper Activity on LSASS -author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, - Aleksey Potapov, oscd.community (update) -date: 2019/11/01 -description: Detects process handle on LSASS process with certain access mask -detection: - SELECTION_1: - ObjectName: '*\lsass.exe' - SELECTION_2: - EventID: 4656 - SELECTION_3: - AccessMask: - - '*0x40*' - - '*0x1400*' - - '*0x1000*' - - '*0x100000*' - - '*0x1410*' - - '*0x1010*' - - '*0x1438*' - - '*0x143a*' - - '*0x1418*' - - '*0x1f0fff*' - - '*0x1f1fff*' - - '*0x1f2fff*' - - '*0x1f3fff*' - SELECTION_4: - EventID: 4663 - SELECTION_5: - AccessList: - - '*4484*' - - '*4416*' - SELECTION_6: - ProcessName: - - '*\wmiprvse.exe' - - '*\taskmgr.exe' - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\lsm.exe' - - '*\csrss.exe' - - '*\wininit.exe' - - '*\vmtoolsd.exe' - - '*\minionhost.exe' - - '*\VsTskMgr.exe' - - '*\thor64.exe' - - '*\MicrosoftEdgeUpdate.exe' - - '*\GamingServices.exe' - - '*\svchost.exe' - SELECTION_7: - ProcessName: - - C:\Windows\System32\\* - - C:\Windows\SysWow64\\* - - C:\Windows\SysNative\\* - - C:\Program Files\\* - - C:\Windows\Temp\asgard2-agent\\* - SELECTION_8: - ProcessName: - - C:\Program Files* - condition: (((SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and - SELECTION_5))) and not (SELECTION_6 and SELECTION_7)) and not (SELECTION_8)) -falsepositives: -- Legitimate software accessing LSASS process for legitimate reason; update the whitelist - with it -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ProcessName -- ProcessID -id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 -level: high -logsource: - product: windows - service: security -modified: 2021/11/09 -references: -- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- car.2019-04-004 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_mshta_execution.yml b/rules/sigma/builtin/win_susp_mshta_execution.yml deleted file mode 100644 index d18df3fa..00000000 --- a/rules/sigma/builtin/win_susp_mshta_execution.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: MSHTA Suspicious Execution 01 -author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) -date: 2019/02/22 -description: Detection for mshta.exe suspicious execution patterns sometimes involving - file polyglotism -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - Image: '*\mshta.exe' - SELECTION_3: - CommandLine: - - '*vbscript*' - - '*.jpg*' - - '*.png*' - - '*.lnk*' - - '*.xls*' - - '*.doc*' - - '*.zip*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- False positives depend on scripts and administrative tools used in the monitored - environment -id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3 -level: high -logsource: - category: process_creation - product: windows -modified: 2020/08/23 -references: -- http://blog.sevagas.com/?Hacking-around-HTA-files -- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 -- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script -- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997 -status: experimental -tags: -- attack.defense_evasion -- attack.t1140 -- attack.t1218.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_msmpeng_crash.yml b/rules/sigma/builtin/win_susp_msmpeng_crash.yml deleted file mode 100644 index 83a03004..00000000 --- a/rules/sigma/builtin/win_susp_msmpeng_crash.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Microsoft Malware Protection Engine Crash -author: Florian Roth -date: 2017/05/09 -description: This rule detects a suspicious crash of the Microsoft Malware Protection - Engine -detection: - SELECTION_1: - Provider_Name: Application Error - SELECTION_2: - EventID: 1000 - SELECTION_3: - Provider_Name: Windows Error Reporting - SELECTION_4: - EventID: 1001 - SELECTION_5: - - MsMpEng.exe - SELECTION_6: - - mpengine.dll - condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and - (SELECTION_5 and SELECTION_6)) -falsepositives: -- MsMpEng.exe can crash when C:\ is full -id: 6c82cf5c-090d-4d57-9188-533577631108 -level: high -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 -- https://technet.microsoft.com/en-us/library/security/4022344 -status: experimental -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1211 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml deleted file mode 100644 index 2c7e5f3b..00000000 --- a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Suspicious Multiple File Rename Or Delete Occurred -author: Vasiliy Burov, oscd.community -date: 2020/10/16 -description: Detects multiple file rename or delete events occurrence within a specified - period of time by a same user (these events may signalize about ransomware activity). -detection: - SELECTION_1: - EventID: 4663 - SELECTION_2: - ObjectType: File - SELECTION_3: - AccessList: '%%1537' - SELECTION_4: - Keywords: '0x8020000000000000' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) | count() - by SubjectLogonId > 10 -falsepositives: -- Software uninstallation -- Files restore activities -id: 97919310-06a7-482c-9639-92b67ed63cf8 -level: medium -logsource: - definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local - Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security - Settings/Advanced Audit Policy Configuration/Object Access' - product: windows - service: security -references: -- https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html -status: experimental -tags: -- attack.impact -- attack.t1486 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_net_recon_activity.yml b/rules/sigma/builtin/win_susp_net_recon_activity.yml deleted file mode 100644 index a6a1ff0d..00000000 --- a/rules/sigma/builtin/win_susp_net_recon_activity.yml +++ /dev/null @@ -1,46 +0,0 @@ - -title: Reconnaissance Activity -author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), - oscd.community -date: 2017/03/07 -description: Detects activity as "net user administrator /domain" and "net group domain - admins /domain" -detection: - SELECTION_1: - EventID: 4661 - SELECTION_2: - ObjectType: - - SAM_USER - - SAM_GROUP - SELECTION_3: - ObjectName: S-1-5-21-* - SELECTION_4: - AccessMask: '0x2d' - SELECTION_5: - ObjectName: - - '*-500' - - '*-512' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Administrator activity -- Penetration tests -id: 968eef52-9cff-4454-8992-1e74b9cbad6c -level: high -logsource: - definition: The volume of Event ID 4661 is high on Domain Controllers and therefore - "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured - in the recommendations for server systems - product: windows - service: security -modified: 2020/08/23 -references: -- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -- attack.t1069 -- attack.t1069.002 -- attack.s0039 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_auth.yml b/rules/sigma/builtin/win_susp_ntlm_auth.yml deleted file mode 100644 index a86566f9..00000000 --- a/rules/sigma/builtin/win_susp_ntlm_auth.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: NTLM Logon -author: Florian Roth -date: 2018/06/08 -description: Detects logons using NTLM, which could be caused by a legacy source or - attackers -detection: - SELECTION_1: - EventID: 8002 - SELECTION_2: - ProcessName: '*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legacy hosts -id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b -level: low -logsource: - definition: Requires events from Microsoft-Windows-NTLM/Operational - product: windows - service: ntlm -modified: 2021/11/20 -references: -- https://twitter.com/JohnLaTwC/status/1004895028995477505 -- https://goo.gl/PsqrhT -status: experimental -tags: -- attack.lateral_movement -- attack.t1075 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_rdp.yml b/rules/sigma/builtin/win_susp_ntlm_rdp.yml deleted file mode 100644 index 0d7a6604..00000000 --- a/rules/sigma/builtin/win_susp_ntlm_rdp.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Potential Remote Desktop Connection to Non-Domain Host -author: James Pemberton -date: 2020/05/22 -description: Detects logons using NTLM to hosts that are potentially not part of the - domain. -detection: - SELECTION_1: - EventID: 8001 - SELECTION_2: - TargetName: TERMSRV* - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Host connections to valid domains, exclude these. -- Host connections not using host FQDN. -- Host connections to external legitimate domains. -fields: -- Computer -- UserName -- DomainName -- TargetName -id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad -level: medium -logsource: - definition: Requires events from Microsoft-Windows-NTLM/Operational - product: windows - service: ntlm -references: -- n/a -status: experimental -tags: -- attack.command_and_control -- attack.t1219 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_proceshacker.yml b/rules/sigma/builtin/win_susp_proceshacker.yml deleted file mode 100644 index 1fe43beb..00000000 --- a/rules/sigma/builtin/win_susp_proceshacker.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: ProcessHacker Privilege Elevation -author: Florian Roth -date: 2021/05/27 -description: Detects a ProcessHacker tool that elevated privileges to a very high - level -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: ProcessHacker* - SELECTION_3: - AccountName: LocalSystem - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unlikely -id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 -level: high -logsource: - product: windows - service: system -references: -- https://twitter.com/1kwpeter/status/1397816101455765504 -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_psexec.yml b/rules/sigma/builtin/win_susp_psexec.yml deleted file mode 100644 index 2d651b26..00000000 --- a/rules/sigma/builtin/win_susp_psexec.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Suspicious PsExec Execution -author: Samir Bousseaden -date: 2019/04/03 -description: detects execution of psexec or paexec with renamed service name, this - rule helps to filter out the noise if psexec is used for legit purposes or if attacker - uses a different psexec client other than sysinternal one -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: - - '*-stdin' - - '*-stdout' - - '*-stderr' - SELECTION_4: - EventID: 5145 - SELECTION_5: - ShareName: \\*\IPC$ - SELECTION_6: - RelativeTargetName: PSEXESVC* - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4 - and SELECTION_5 and SELECTION_6)) -falsepositives: -- nothing observed so far -id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml b/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml deleted file mode 100644 index b70fac83..00000000 --- a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Suspicious Access to Sensitive File Extensions -author: Samir Bousseaden -date: 2019/04/03 -description: Detects known sensitive file extensions accessed on a network share -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: - - '*.pst' - - '*.ost' - - '*.msg' - - '*.nst' - - '*.oab' - - '*.edb' - - '*.nsf' - - '*.bak' - - '*.dmp' - - '*.kirbi' - - '*\groups.xml' - - '*.rdp' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Help Desk operator doing backup or re-imaging end user machine or pentest or backup - software -- Users working with these data types or exchanging message files -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- RelativeTargetName -id: 91c945bc-2ad1-4799-a591-4d00198a1215 -level: medium -logsource: - product: windows - service: security -modified: 2021/08/09 -status: experimental -tags: -- attack.collection -- attack.t1039 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rc4_kerberos.yml b/rules/sigma/builtin/win_susp_rc4_kerberos.yml deleted file mode 100644 index 1da55067..00000000 --- a/rules/sigma/builtin/win_susp_rc4_kerberos.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Suspicious Kerberos RC4 Ticket Encryption -author: Florian Roth -date: 2017/02/06 -description: Detects service ticket requests using RC4 encryption type -detection: - SELECTION_1: - EventID: 4769 - SELECTION_2: - TicketOptions: '0x40810000' - SELECTION_3: - TicketEncryptionType: '0x17' - SELECTION_4: - ServiceName: $* - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Service accounts used on legacy systems (e.g. NetApp) -- Windows Domains with DFL 2003 and legacy systems -id: 496a0e47-0a33-4dca-b009-9e6ca3591f39 -level: medium -logsource: - product: windows - service: security -modified: 2021/08/14 -references: -- https://adsecurity.org/?p=3458 -- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity -status: experimental -tags: -- attack.credential_access -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rottenpotato.yml b/rules/sigma/builtin/win_susp_rottenpotato.yml deleted file mode 100644 index aee0c95d..00000000 --- a/rules/sigma/builtin/win_susp_rottenpotato.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: RottenPotato Like Attack Pattern -author: '@SBousseaden, Florian Roth' -date: 2019/11/15 -description: Detects logon events that have characteristics of events generated during - an attack with RottenPotato and the like -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 3 - SELECTION_3: - TargetUserName: ANONYMOUS_LOGON - SELECTION_4: - WorkstationName: '-' - SELECTION_5: - IpAddress: 127.0.0.1 - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Unknown -id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://twitter.com/SBousseaden/status/1195284233729777665 -status: experimental -tags: -- attack.privilege_escalation -- attack.credential_access -- attack.t1171 -- attack.t1557.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sam_dump.yml b/rules/sigma/builtin/win_susp_sam_dump.yml deleted file mode 100644 index c2a0a130..00000000 --- a/rules/sigma/builtin/win_susp_sam_dump.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: SAM Dump to AppData -author: Florian Roth -date: 2018/01/27 -description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other - password dumpers -detection: - SELECTION_1: - EventID: 16 - SELECTION_2: - - \AppData\Local\Temp\SAM- - SELECTION_3: - - .dmp - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Penetration testing -id: 839dd1e8-eda8-4834-8145-01beeee33acd -level: high -logsource: - definition: The source of this type of event is Kernel-General - product: windows - service: system -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sdelete.yml b/rules/sigma/builtin/win_susp_sdelete.yml deleted file mode 100644 index eca49526..00000000 --- a/rules/sigma/builtin/win_susp_sdelete.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Secure Deletion with SDelete -author: Thomas Patzke -date: 2017/06/14 -description: Detects renaming of file while deletion with SDelete tool. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - EventID: 4658 - SELECTION_4: - ObjectName: - - '*.AAA' - - '*.ZZZ' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- Legitimate usage of SDelete -id: 39a80702-d7ca-4a83-b776-525b1f86a36d -level: medium -logsource: - product: windows - service: security -modified: 2020/08/02 -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm -- https://www.jpcert.or.jp/english/pub/sr/ir_research.html -- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete -status: experimental -tags: -- attack.impact -- attack.defense_evasion -- attack.t1107 -- attack.t1070.004 -- attack.t1066 -- attack.t1027.005 -- attack.t1485 -- attack.t1553.002 -- attack.s0195 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_time_modification.yml b/rules/sigma/builtin/win_susp_time_modification.yml deleted file mode 100644 index abeb35b5..00000000 --- a/rules/sigma/builtin/win_susp_time_modification.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Unauthorized System Time Modification -author: '@neu5ron' -date: 2019/02/05 -description: Detect scenarios where a potentially unauthorized application or user - is modifying the system time. -detection: - SELECTION_1: - EventID: 4616 - SELECTION_2: - ProcessName: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - SELECTION_3: - ProcessName: C:\Windows\System32\VBoxService.exe - SELECTION_4: - ProcessName: C:\Windows\System32\svchost.exe - SELECTION_5: - SubjectUserSid: S-1-5-19 - condition: (SELECTION_1 and not (((SELECTION_2 or SELECTION_3) or (SELECTION_4 - and SELECTION_5)))) -falsepositives: -- HyperV or other virtualization technologies with binary not listed in filter portion - of detection -id: faa031b5-21ed-4e02-8881-2591f98d82ed -level: medium -logsource: - definition: 'Requirements: Audit Policy : System > Audit Security State Change, - Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\System\Audit Security State Change' - product: windows - service: security -modified: 2020/01/27 -references: -- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) -- Live environment caused by malware -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 -status: experimental -tags: -- attack.defense_evasion -- attack.t1099 -- attack.t1070.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_wmi_login.yml b/rules/sigma/builtin/win_susp_wmi_login.yml deleted file mode 100644 index af31284e..00000000 --- a/rules/sigma/builtin/win_susp_wmi_login.yml +++ /dev/null @@ -1,24 +0,0 @@ - -title: Login with WMI -author: Thomas Patzke -date: 2019/12/04 -description: Detection of logins performed with WMI -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - ProcessName: '*\WmiPrvSE.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Monitoring tools -- Legitimate system administration -id: 5af54681-df95-4c26-854f-2565e13cfab0 -level: low -logsource: - product: windows - service: security -status: stable -tags: -- attack.execution -- attack.t1047 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml deleted file mode 100644 index e9d683d5..00000000 --- a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Suspicious Outbound Kerberos Connection -author: Ilyas Ochkov, oscd.community -date: 2019/10/24 -description: Detects suspicious outbound network activity via kerberos default port - indicating possible lateral movement or first stage PrivEsc via delegation. -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - DestinationPort: 88 - SELECTION_3: - Image: - - '*\lsass.exe' - - '*\opera.exe' - - '*\chrome.exe' - - '*\firefox.exe' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Other browsers -id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 -level: high -logsource: - product: windows - service: security -modified: 2019/11/13 -references: -- https://github.com/GhostPack/Rubeus -status: experimental -tags: -- attack.lateral_movement -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_svcctl_remote_service.yml b/rules/sigma/builtin/win_svcctl_remote_service.yml deleted file mode 100644 index de4e3024..00000000 --- a/rules/sigma/builtin/win_svcctl_remote_service.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Remote Service Activity via SVCCTL Named Pipe -author: Samir Bousseaden -date: 2019/04/03 -description: Detects remote service activity via remote access to the svcctl named - pipe -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: svcctl - SELECTION_4: - Accesses: '*WriteData*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- pentesting -id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 -level: medium -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -status: experimental -tags: -- attack.lateral_movement -- attack.persistence -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_syskey_registry_access.yml b/rules/sigma/builtin/win_syskey_registry_access.yml deleted file mode 100644 index 09270214..00000000 --- a/rules/sigma/builtin/win_syskey_registry_access.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: SysKey Registry Keys Access -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/12 -description: Detects handle requests and access operations to specific registry keys - to calculate the SysKey -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - ObjectType: key - SELECTION_4: - ObjectName: - - '*lsa\JD' - - '*lsa\GBG' - - '*lsa\Skew1' - - '*lsa\Data' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 -level: critical -logsource: - product: windows - service: security -modified: 2019/11/10 -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html -status: experimental -tags: -- attack.discovery -- attack.t1012 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml b/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml deleted file mode 100644 index d0c57140..00000000 --- a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Sysmon Channel Reference Deletion -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/07/14 -description: Potential threat actor tampering with Sysmon manifest and eventually - disabling it -detection: - SELECTION_1: - ObjectName: - - '*WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*' - - '*WINEVT\Channels\Microsoft-Windows-Sysmon/Operational*' - SELECTION_2: - EventID: 4657 - SELECTION_3: - ObjectValueName: Enabled - SELECTION_4: - NewValue: '0' - SELECTION_5: - EventID: 4663 - SELECTION_6: - AccessMask: 65536 - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5 - and SELECTION_6))) -falsepositives: -- unknown -id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc -level: critical -logsource: - product: windows - service: security -references: -- https://twitter.com/Flangvik/status/1283054508084473861 -- https://twitter.com/SecurityJosh/status/1283027365770276866 -- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html -- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8 -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml deleted file mode 100644 index 56c69cef..00000000 --- a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: Eventlog Cleared -author: Florian Roth -date: 2017/01/10 -description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil - cl" command execution -detection: - SELECTION_1: - EventID: 104 - SELECTION_2: - Provider_Name: Microsoft-Windows-Eventlog - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Rollout of log collection agents (the setup routine often includes a reset of the - local Eventlog) -- System provisioning (system reset before the golden image creation) -id: a62b37e0-45d3-48d9-a517-90c1a1b0186b -level: high -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://twitter.com/deviouspolack/status/832535435960209408 -- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 -related: -- id: f2f01843-e7b8-4f95-a35a-d23584476423 - type: obsoletes -- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1070 -- attack.t1070.001 -- car.2016-04-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_tap_driver_installation.yml b/rules/sigma/builtin/win_tap_driver_installation.yml deleted file mode 100644 index 0daf9eaa..00000000 --- a/rules/sigma/builtin/win_tap_driver_installation.yml +++ /dev/null @@ -1,25 +0,0 @@ - -title: Tap Driver Installation -author: Daniil Yugoslavskiy, Ian Davis, oscd.community -date: 2019/10/24 -description: Well-known TAP software installation. Possible preparation for data exfiltration - using tunnelling techniques -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: '*tap0901*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate OpenVPN TAP insntallation -id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 -level: medium -logsource: - product: windows - service: system -modified: 2021/09/21 -status: experimental -tags: -- attack.exfiltration -- attack.t1048 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml deleted file mode 100644 index 556771b6..00000000 --- a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: Transferring Files with Credential Data via Network Shares -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: Transferring files with well-known filenames (sensitive files with credential - data) using network shares -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: - - '*\mimidrv*' - - '*\lsass*' - - '*\windows\minidump\\*' - - '*\hiberfil*' - - '*\sqldmpr*' - - '*\sam*' - - '*\ntds.dit*' - - '*\security*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Transferring sensitive files for legitimate administration work by legitimate administrator -id: 910ab938-668b-401b-b08c-b596e80fdca5 -level: medium -logsource: - product: windows - service: security -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -- attack.t1003.001 -- attack.t1003.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_usb_device_plugged.yml b/rules/sigma/builtin/win_usb_device_plugged.yml deleted file mode 100644 index 23f93a97..00000000 --- a/rules/sigma/builtin/win_usb_device_plugged.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: USB Device Plugged -author: Florian Roth -date: 2017/11/09 -description: Detects plugged USB devices -detection: - SELECTION_1: - EventID: 2003 - SELECTION_2: - EventID: 2100 - SELECTION_3: - EventID: 2102 - condition: (SELECTION_1 or SELECTION_2 or SELECTION_3) -falsepositives: -- Legitimate administrative activity -id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 -level: low -logsource: - product: windows - service: driver-framework -references: -- https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ -- https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ -status: experimental -tags: -- attack.initial_access -- attack.t1200 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_added_to_local_administrators.yml b/rules/sigma/builtin/win_user_added_to_local_administrators.yml deleted file mode 100644 index 06b76c48..00000000 --- a/rules/sigma/builtin/win_user_added_to_local_administrators.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: User Added to Local Administrators -author: Florian Roth -date: 2017/03/14 -description: This rule triggers on user accounts that are added to the local Administrators - group, which could be legitimate activity or a sign of privilege escalation activity -detection: - SELECTION_1: - EventID: 4732 - SELECTION_2: - TargetUserName: Administr* - SELECTION_3: - TargetSid: S-1-5-32-544 - SELECTION_4: - SubjectUserName: '*$' - condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4)) -falsepositives: -- Legitimate administrative activity -id: c265cf08-3f99-46c1-8d59-328247057d57 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/07 -status: stable -tags: -- attack.privilege_escalation -- attack.t1078 -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml deleted file mode 100644 index 92b07a83..00000000 --- a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community -date: 2019/10/24 -description: The 'LsaRegisterLogonProcess' function verifies that the application - making the function call is a logon process by checking that it has the SeTcbPrivilege - privilege set. Possible Rubeus tries to get a handle to LSA. -detection: - SELECTION_1: - EventID: 4673 - SELECTION_2: - Service: LsaRegisterLogonProcess() - SELECTION_3: - Keywords: '0x8010000000000000' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54 -level: high -logsource: - product: windows - service: security -modified: 2021/08/14 -references: -- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_creation.yml b/rules/sigma/builtin/win_user_creation.yml deleted file mode 100644 index 27ec53cc..00000000 --- a/rules/sigma/builtin/win_user_creation.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: Local User Creation -author: Patrick Bareiss -date: 2019/04/18 -description: Detects local user creation on windows servers, which shouldn't happen - in an Active Directory environment. Apply this Sigma Use Case on your windows server - logs and not on your DC logs. -detection: - SELECTION_1: - EventID: 4720 - condition: SELECTION_1 -falsepositives: -- Domain Controller Logs -- Local accounts managed by privileged account management tools -fields: -- EventCode -- AccountName -- AccountDomain -id: 66b6be3d-55d0-4f47-9855-d69df21740ea -level: low -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ -status: experimental -tags: -- attack.persistence -- attack.t1136 -- attack.t1136.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_driver_loaded.yml b/rules/sigma/builtin/win_user_driver_loaded.yml deleted file mode 100644 index 951db50a..00000000 --- a/rules/sigma/builtin/win_user_driver_loaded.yml +++ /dev/null @@ -1,52 +0,0 @@ - -title: Suspicious Driver Loaded By User -author: xknow (@xknow_infosec), xorxes (@xor_xes) -date: 2019/04/08 -description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to - load or unload a device driver. With this privilege, the user can dynamically load - and unload device drivers or other code in to kernel mode. This user right does - not apply to Plug and Play device drivers. If you exclude privileged users/admins - and processes, which are allowed to do so, you are maybe left with bad programs - trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) - and the usage of Sysinternals and various other tools. So you have to work with - a whitelist to find the bad stuff. -detection: - SELECTION_1: - EventID: 4673 - SELECTION_2: - PrivilegeList: SeLoadDriverPrivilege - SELECTION_3: - Service: '-' - SELECTION_4: - ProcessName: - - '*\Windows\System32\Dism.exe' - - '*\Windows\System32\rundll32.exe' - - '*\Windows\System32\fltMC.exe' - - '*\Windows\HelpPane.exe' - - '*\Windows\System32\mmc.exe' - - '*\Windows\System32\svchost.exe' - - '*\Windows\System32\wimserv.exe' - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\procmon64.exe' - - '*\procmon.exe' - - '*\Google\Chrome\Application\chrome.exe' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs - etc. - but not much. You have to baseline this according to your used products and - allowed tools. Also try to exclude users, which are allowed to load drivers.' -id: f63508a0-c809-4435-b3be-ed819394d612 -level: medium -logsource: - product: windows - service: security -references: -- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 -status: experimental -tags: -- attack.t1089 -- attack.defense_evasion -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml b/rules/sigma/builtin/win_volume_shadow_copy_mount.yml deleted file mode 100644 index 5aec87e1..00000000 --- a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Volume Shadow Copy Mount -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/20 -description: Detects volume shadow copy mount -detection: - SELECTION_1: - Provider_Name: Microsoft-Windows-Ntfs - SELECTION_2: - EventID: 98 - SELECTION_3: - DeviceName: '*HarddiskVolumeShadowCopy*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate use of volume shadow copy mounts (backups maybe). -id: f512acbf-e662-4903-843e-97ce4652b740 -level: medium -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy -status: experimental -tags: -- attack.credential_access -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml b/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml deleted file mode 100644 index 80f1cca6..00000000 --- a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: VSSAudit Security Event Source Registration -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/20 -description: Detects the registration of the security event source VSSAudit. It would - usually trigger when volume shadow copy operations happen. -detection: - SELECTION_1: - AuditSourceName: VSSAudit - SELECTION_2: - EventID: 4904 - SELECTION_3: - EventID: 4905 - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe. -id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b -level: medium -logsource: - product: windows - service: security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy -status: experimental -tags: -- attack.credential_access -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_0688.yml b/rules/sigma/builtin/win_vul_cve_2020_0688.yml deleted file mode 100644 index b8960b6d..00000000 --- a/rules/sigma/builtin/win_vul_cve_2020_0688.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: CVE-2020-0688 Exploitation via Eventlog -author: Florian Roth, wagga -date: 2020/02/29 -description: Detects the exploitation of Microsoft Exchange vulnerability as described - in CVE-2020-0688 -detection: - SELECTION_1: - EventID: 4 - SELECTION_2: - Provider_Name: MSExchange Control Panel - SELECTION_3: - Level: Error - SELECTION_4: - - '&__VIEWSTATE=' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4) -falsepositives: -- Unknown -id: d6266bf5-935e-4661-b477-78772735a7cb -level: high -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ -- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ -status: experimental -tags: -- attack.initial_access -- attack.t1190 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_1472.yml b/rules/sigma/builtin/win_vul_cve_2020_1472.yml deleted file mode 100644 index 7b73408e..00000000 --- a/rules/sigma/builtin/win_vul_cve_2020_1472.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Vulnerable Netlogon Secure Channel Connection Allowed -author: NVISO -date: 2020/09/15 -description: Detects that a vulnerable Netlogon secure channel connection was allowed, - which could be an indicator of CVE-2020-1472. -detection: - SELECTION_1: - EventID: 5829 - condition: SELECTION_1 -falsepositives: -- Unknown -fields: -- SAMAccountName -id: a0cb7110-edf0-47a4-9177-541a4083128a -level: high -logsource: - product: windows - service: system -modified: 2021/08/09 -references: -- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc -status: experimental -tags: -- attack.privilege_escalation -- attack.t1548 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml deleted file mode 100644 index 3278229c..00000000 --- a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: T1047 Wmiprvse Wbemcomn DLL Hijack -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/12 -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network for a WMI DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: '*\wbem\wbemcomn.dll' - SELECTION_3: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Unknown -id: f6c68d5f-e101-4b86-8c84-7d96851fd65c -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -status: experimental -tags: -- attack.execution -- attack.t1047 -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml deleted file mode 100644 index 75c2655a..00000000 --- a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: CACTUSTORCH Remote Thread Creation -author: '@SBousseaden (detection), Thomas Patzke (rule)' -date: 2019/02/01 -description: Detects remote thread creation from CACTUSTORCH as described in references. -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: - - '*\System32\cscript.exe' - - '*\System32\wscript.exe' - - '*\System32\mshta.exe' - - '*\winword.exe' - - '*\excel.exe' - SELECTION_3: - TargetImage: '*\SysWOW64\\*' - SELECTION_4: - StartModule|re: ^$ - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- unknown -id: 2e4e488a-6164-4811-9ea1-f960c7359c40 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/11/12 -references: -- https://twitter.com/SBousseaden/status/1090588499517079552 -- https://github.com/mdsecactivebreach/CACTUSTORCH -status: experimental -tags: -- attack.defense_evasion -- attack.t1093 -- attack.t1055.012 -- attack.execution -- attack.t1064 -- attack.t1059.005 -- attack.t1059.007 -- attack.t1218.005 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml deleted file mode 100644 index 4e260051..00000000 --- a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: CobaltStrike Process Injection -author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community -date: 2018/11/30 -description: Detects a possible remote threat creation with certain characteristics - which are typical for Cobalt Strike beacons -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - StartAddress: - - '*0B80' - - '*0C7C' - - '*0C88' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/11/20 -references: -- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f -- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1055 -- attack.t1055.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml deleted file mode 100644 index aac6829d..00000000 --- a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: CreateRemoteThread API and LoadLibrary -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/11 -description: Detects potential use of CreateRemoteThread api and LoadLibrary function - to inject DLL into a process -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - StartModule: '*\kernel32.dll' - SELECTION_3: - StartFunction: LoadLibraryA - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 052ec6f6-1adc-41e6-907a-f1c813478bee -level: critical -logsource: - category: create_remote_thread - product: windows -modified: 2020/08/28 -references: -- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html -status: experimental -tags: -- attack.defense_evasion -- attack.t1055 -- attack.t1055.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml deleted file mode 100644 index 9c56270b..00000000 --- a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Password Dumper Remote Thread in LSASS -author: Thomas Patzke -date: 2017/02/19 -description: Detects password dumper activity by monitoring remote thread creation - EventID 8 in combination with the lsass.exe process as TargetImage. The process - in field Process is the malicious program. A single execution can lead to hundreds - of events. -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - TargetImage: '*\lsass.exe' - SELECTION_3: - StartModule: '' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Antivirus products -id: f239b326-2f41-4d6b-9dfa-c846a60ef505 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/06/21 -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm -status: stable -tags: -- attack.credential_access -- attack.t1003 -- attack.s0005 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml deleted file mode 100644 index 5a3396c2..00000000 --- a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Accessing WinAPI in PowerShell. Code Injection. -author: Nikita Nazarov, oscd.community -date: 2020/10/06 -description: Detecting Code injection with PowerShell in another process -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: '*\powershell.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 -level: high -logsource: - category: create_remote_thread - definition: Note that you have to configure logging for CreateRemoteThread in Symson - config - product: windows -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -status: experimental -tags: -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml deleted file mode 100644 index 65c06f01..00000000 --- a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: PowerShell Rundll32 Remote Thread Creation -author: Florian Roth -date: 2018/06/25 -description: Detects PowerShell remote thread creation in Rundll32.exe -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: '*\powershell.exe' - SELECTION_3: - TargetImage: '*\rundll32.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 99b97608-3e21-4bfe-8217-2a127c396a0e -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/11/12 -references: -- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html -status: experimental -tags: -- attack.defense_evasion -- attack.execution -- attack.t1085 -- attack.t1218.011 -- attack.t1086 -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml deleted file mode 100644 index 62d05fa3..00000000 --- a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml +++ /dev/null @@ -1,89 +0,0 @@ - -title: Suspicious Remote Thread Created -author: Perez Diego (@darkquassar), oscd.community -date: 2019/10/27 -description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", - however, this is still largely observed in the wild. This rule aims to detect suspicious - processes (those we would not expect to behave in this way like word.exe or outlook.exe) - creating remote threads on other processes. It is a generalistic rule, but it should - have a low FP ratio due to the selected range of processes. -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: - - '*\bash.exe' - - '*\cvtres.exe' - - '*\defrag.exe' - - '*\dnx.exe' - - '*\esentutl.exe' - - '*\excel.exe' - - '*\expand.exe' - - '*\explorer.exe' - - '*\find.exe' - - '*\findstr.exe' - - '*\forfiles.exe' - - '*\git.exe' - - '*\gpupdate.exe' - - '*\hh.exe' - - '*\iexplore.exe' - - '*\installutil.exe' - - '*\lync.exe' - - '*\makecab.exe' - - '*\mDNSResponder.exe' - - '*\monitoringhost.exe' - - '*\msbuild.exe' - - '*\mshta.exe' - - '*\msiexec.exe' - - '*\mspaint.exe' - - '*\outlook.exe' - - '*\ping.exe' - - '*\powerpnt.exe' - - '*\powershell.exe' - - '*\provtool.exe' - - '*\python.exe' - - '*\regsvr32.exe' - - '*\robocopy.exe' - - '*\runonce.exe' - - '*\sapcimc.exe' - - '*\schtasks.exe' - - '*\smartscreen.exe' - - '*\spoolsv.exe' - - '*\tstheme.exe' - - '*\userinit.exe' - - '*\vssadmin.exe' - - '*\vssvc.exe' - - '*\w3wp.exe' - - '*\winlogon.exe' - - '*\winscp.exe' - - '*\wmic.exe' - - '*\word.exe' - - '*\wscript.exe' - SELECTION_3: - SourceImage: '*Visual Studio*' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Unknown -fields: -- ComputerName -- User -- SourceImage -- TargetImage -id: 66d31e5f-52d6-40a4-9615-002d3789a119 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/06/27 -notes: -- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite - for process injection for .NET in-memory offensive tools. -references: -- Personal research, statistical analysis -- https://lolbas-project.github.io -status: experimental -tags: -- attack.privilege_escalation -- attack.defense_evasion -- attack.t1055 -ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml deleted file mode 100644 index cf32a722..00000000 --- a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Executable in ADS -author: Florian Roth, @0xrawsec -date: 2018/06/03 -description: Detects the creation of an ADS data stream that contains an executable - (non-empty imphash) -detection: - SELECTION_1: - EventID: 15 - SELECTION_2: - Imphash: '00000000000000000000000000000000' - SELECTION_3: - Imphash|re: ^$ - condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3))) -falsepositives: -- unknown -fields: -- TargetFilename -- Image -id: b69888d4-380c-45ce-9cf9-d9ce46e67821 -level: critical -logsource: - category: create_stream_hash - definition: 'Requirements: Sysmon config with Imphash logging activated' - product: windows -modified: 2020/08/26 -references: -- https://twitter.com/0xrawsec/status/1002478725605273600?s=21 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.s0139 -- attack.t1564.004 -ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml deleted file mode 100644 index 9e3a7b40..00000000 --- a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Exports Registry Key To an Alternate Data Stream -author: Oddvar Moe, Sander Wiebing, oscd.community -date: 2020/10/07 -description: Exports the target Registry key and hides it in the specified alternate - data stream. -detection: - SELECTION_1: - EventID: 15 - SELECTION_2: - Image: '*\regedit.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -fields: -- TargetFilename -id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84 -level: high -logsource: - category: create_stream_hash - product: windows -references: -- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml -- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -status: experimental -tags: -- attack.defense_evasion -- attack.t1564.004 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml deleted file mode 100644 index 061ce08f..00000000 --- a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Suspicious Cobalt Strike DNS Beaconing -author: Florian Roth -date: 2021/11/09 -description: Detects a program that invoked suspicious DNS queries known from Cobalt - Strike beacons -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: - - aaa.stage.* - - post.1* - SELECTION_3: - QueryName: '*.stage.123456.*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Unknown -fields: -- Image -- CommandLine -id: f356a9c4-effd-4608-bbf8-408afd5cd006 -level: critical -logsource: - category: dns_query - product: windows -references: -- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns -- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ -status: experimental -tags: -- attack.command_and_control -- attack.t1071 -- attack.t1071.004 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_susp_ipify.yml b/rules/sigma/dns_query/dns_net_susp_ipify.yml deleted file mode 100644 index 6c6a7533..00000000 --- a/rules/sigma/dns_query/dns_net_susp_ipify.yml +++ /dev/null @@ -1,52 +0,0 @@ - -title: Suspicious DNS Query for IP Lookup Service APIs -author: Brandon George (blog post), Thomas Patzke (rule) -date: 2021/07/08 -description: Detects DNS queries for ip lookup services such as api.ipify.org not - originating from a browser process. -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: - - canireachthe.net - - ipv4.icanhazip.com - - ip.anysrc.net - - edns.ip-api.com - - wtfismyip.com - - checkip.dyndns.org - - api.2ip.ua - - icanhazip.com - - api.ipify.org - - ip-api.com - - checkip.amazonaws.com - - ipecho.net - - ipinfo.io - - ipv4bot.whatismyipaddress.com - - freegeoip.app - SELECTION_3: - Image: - - '*\chrome.exe' - - '*\iexplore.exe' - - '*\firefox.exe' - - '*\brave.exe' - - '*\opera.exe' - - '*\msedge.exe' - - '*\vivaldi.exe' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Legitimate usage of ip lookup services such as ipify API -id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 -level: medium -logsource: - category: dns_query - product: windows -modified: 2021/09/10 -references: -- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon -- https://twitter.com/neonprimetime/status/1436376497980428318 -status: experimental -tags: -- attack.reconnaissance -- attack.t1590 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml deleted file mode 100644 index 098f6e01..00000000 --- a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: DNS HybridConnectionManager Service Bus -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2021/04/12 -description: Detects Azure Hybrid Connection Manager services querying the Azure service - bus service -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: '*servicebus.windows.net*' - SELECTION_3: - Image: '*HybridConnectionManager*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service -id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d -level: high -logsource: - category: dns_query - product: windows -modified: 2021/06/10 -references: -- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 -status: experimental -tags: -- attack.persistence -- attack.t1554 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_mega_nz.yml b/rules/sigma/dns_query/dns_query_mega_nz.yml deleted file mode 100644 index d0ae8a7b..00000000 --- a/rules/sigma/dns_query/dns_query_mega_nz.yml +++ /dev/null @@ -1,25 +0,0 @@ - -title: DNS Query for MEGA.io Upload Domain -author: Aaron Greetham (@beardofbinary) - NCC Group -date: 2021/05/26 -description: Detects DNS queries for subdomains used for upload to MEGA.io -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: '*userstorage.mega.co.nz*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Mega upload -id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 -level: high -logsource: - category: dns_query - product: windows -references: -- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ -status: experimental -tags: -- attack.exfiltration -- attack.t1567.002 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml deleted file mode 100644 index f45dd33d..00000000 --- a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml +++ /dev/null @@ -1,76 +0,0 @@ - -title: Possible DNS Rebinding -author: Ilyas Ochkov, oscd.community -date: 2019/10/25 -description: Detects several different DNS-answers by one domain with IPs from internal - and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved - in host cache for a while TTL). -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: '*' - SELECTION_3: - QueryStatus: '0' - SELECTION_4: - QueryResults: - - (::ffff:)?10.* - - (::ffff:)?192.168.* - - (::ffff:)?172.16.* - - (::ffff:)?172.17.* - - (::ffff:)?172.18.* - - (::ffff:)?172.19.* - - (::ffff:)?172.20.* - - (::ffff:)?172.21.* - - (::ffff:)?172.22.* - - (::ffff:)?172.23.* - - (::ffff:)?172.24.* - - (::ffff:)?172.25.* - - (::ffff:)?172.26.* - - (::ffff:)?172.27.* - - (::ffff:)?172.28.* - - (::ffff:)?172.29.* - - (::ffff:)?172.30.* - - (::ffff:)?172.31.* - - (::ffff:)?127.* - SELECTION_5: - QueryName: '*' - SELECTION_6: - QueryStatus: '0' - SELECTION_7: - QueryResults: - - (::ffff:)?10.* - - (::ffff:)?192.168.* - - (::ffff:)?172.16.* - - (::ffff:)?172.17.* - - (::ffff:)?172.18.* - - (::ffff:)?172.19.* - - (::ffff:)?172.20.* - - (::ffff:)?172.21.* - - (::ffff:)?172.22.* - - (::ffff:)?172.23.* - - (::ffff:)?172.24.* - - (::ffff:)?172.25.* - - (::ffff:)?172.26.* - - (::ffff:)?172.27.* - - (::ffff:)?172.28.* - - (::ffff:)?172.29.* - - (::ffff:)?172.30.* - - (::ffff:)?172.31.* - - (::ffff:)?127.* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5 - and SELECTION_6) and not (SELECTION_7)) | count(QueryName) by ComputerName > - 3 -id: eb07e747-2552-44cd-af36-b659ae0958e4 -level: medium -logsource: - category: dns_query - product: windows -modified: 2020/08/28 -references: -- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 -status: experimental -tags: -- attack.initial_access -- attack.t1189 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml deleted file mode 100644 index 399f4c18..00000000 --- a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Regsvr32 Network Activity -author: Dmitriy Lifanov, oscd.community -date: 2019/10/25 -description: Detects network connections and DNS queries initiated by Regsvr32.exe -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - Image: '*\regsvr32.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- ComputerName -- User -- Image -- DestinationIp -- DestinationPort -id: 36e037c4-c228-4866-b6a3-48eb292b9955 -level: high -logsource: - category: dns_query - product: windows -modified: 2021/09/21 -references: -- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ -- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md -related: -- id: c7e91a02-d771-4a6d-a700-42587e0b1095 - type: derived -status: experimental -tags: -- attack.execution -- attack.t1559.001 -- attack.t1175 -- attack.defense_evasion -- attack.t1218.010 -- attack.t1117 -ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_mal_creddumper.yml b/rules/sigma/driver_load/driver_load_mal_creddumper.yml deleted file mode 100644 index be4611a2..00000000 --- a/rules/sigma/driver_load/driver_load_mal_creddumper.yml +++ /dev/null @@ -1,46 +0,0 @@ - -title: Credential Dumping Tools Service Execution -author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2017/03/05 -description: Detects well-known credential dumping tools execution via service execution - events -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: - - '*fgexec*' - - '*dumpsvc*' - - '*cachedump*' - - '*mimidrv*' - - '*gsecdump*' - - '*servpw*' - - '*pwdump*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Administrator using credential dumping tool for password recovery -id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 -level: critical -logsource: - category: driver_load - product: windows -modified: 2021/11/10 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -related: -- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed - type: derived -status: experimental -tags: -- attack.credential_access -- attack.execution -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.005 -- attack.t1003.006 -- attack.t1035 -- attack.t1569.002 -- attack.s0005 -ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml deleted file mode 100644 index c3a686f5..00000000 --- a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ /dev/null @@ -1,69 +0,0 @@ - -title: Meterpreter or Cobalt Strike Getsystem Service Installation -author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service installation -detection: - SELECTION_1: - EventID: 6 - SELECTION_10: - ImagePath: '*cmd.exe*' - SELECTION_11: - ImagePath: '*/c*' - SELECTION_12: - ImagePath: '*echo*' - SELECTION_13: - ImagePath: '*\pipe\\*' - SELECTION_14: - ImagePath: '*rundll32*' - SELECTION_15: - ImagePath: '*.dll,a*' - SELECTION_16: - ImagePath: '*/p:*' - SELECTION_2: - ImagePath: '*cmd*' - SELECTION_3: - ImagePath: '*/c*' - SELECTION_4: - ImagePath: '*echo*' - SELECTION_5: - ImagePath: '*\pipe\\*' - SELECTION_6: - ImagePath: '*%COMSPEC%*' - SELECTION_7: - ImagePath: '*/c*' - SELECTION_8: - ImagePath: '*echo*' - SELECTION_9: - ImagePath: '*\pipe\\*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10 - and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15 - and SELECTION_16))) -falsepositives: -- Highly unlikely -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ImagePath -id: d585ab5a-6a69-49a8-96e8-4a726a54de46 -level: critical -logsource: - category: driver_load - product: windows -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment -- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ -related: -- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived -status: experimental -tags: -- attack.privilege_escalation -- attack.t1134 -- attack.t1134.001 -- attack.t1134.002 -ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml deleted file mode 100644 index 2d4eff19..00000000 --- a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: PowerShell Scripts Run by a Services -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -description: Detects powershell script installed as a Service -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: - - '*powershell*' - - '*pwsh*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 -level: high -logsource: - category: driver_load - product: windows -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -related: -- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae - type: derived -status: experimental -tags: -- attack.execution -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_susp_temp_use.yml b/rules/sigma/driver_load/driver_load_susp_temp_use.yml deleted file mode 100644 index 3c95b5ba..00000000 --- a/rules/sigma/driver_load/driver_load_susp_temp_use.yml +++ /dev/null @@ -1,26 +0,0 @@ - -title: Suspicious Driver Load from Temp -author: Florian Roth -date: 2017/02/12 -description: Detects a driver load from a temporary directory -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: '*\Temp\\*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- there is a relevant set of false positives depending on applications in the environment -id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 -level: high -logsource: - category: driver_load - product: windows -modified: 2020/08/23 -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml deleted file mode 100644 index 1afc0de5..00000000 --- a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Vulnerable Dell BIOS Update Driver Load -author: Florian Roth -date: 2021/05/05 -description: Detects the load of the vulnerable Dell BIOS update driver as reported - in CVE-2021-21551 -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: '*\DBUtil_2_3.Sys*' - SELECTION_3: - Hashes: - - '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*' - - '*c948ae14761095e4d76b55d9de86412258be7afd*' - - '*c996d7971c49252c582171d9380360f2*' - - '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*' - - '*10b30bdee43b3a2ec4aa63375577ade650269d25*' - - '*d2fd132ab7bbc6bbb87a84f026fa0244*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- legitimate BIOS driver updates (should be rare) -id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 -level: high -logsource: - category: driver_load - product: windows -references: -- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ -status: experimental -tags: -- attack.privilege_escalation -- cve.2021.21551 -- attack.t1543 -ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_windivert.yml b/rules/sigma/driver_load/driver_load_windivert.yml deleted file mode 100644 index bbd6699d..00000000 --- a/rules/sigma/driver_load/driver_load_windivert.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: WinDivert Driver Load -author: Florian Roth -date: 2021/07/30 -description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection - package for Windows -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: - - '*\WinDivert.sys*' - - '*\WinDivert64.sys*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- legitimate WinDivert driver usage -id: 679085d5-f427-4484-9f58-1dc30a7c426d -level: high -logsource: - category: driver_load - product: windows -references: -- https://reqrypt.org/windivert-doc.html -- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ -status: experimental -tags: -- attack.collection -- attack.defense_evasion -- attack.t1599.001 -- attack.t1557.001 -ruletype: SIGMA diff --git a/rules/sigma/edr/edr_command_execution_by_office_applications.yml b/rules/sigma/edr/edr_command_execution_by_office_applications.yml deleted file mode 100644 index aaa27e57..00000000 --- a/rules/sigma/edr/edr_command_execution_by_office_applications.yml +++ /dev/null @@ -1,37 +0,0 @@ -title: EDR WMI Command Execution by Office Applications -author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) -date: 2021/08/23 -description: Initial execution of malicious document calls wmic Win32_Process::Create - to execute the file with regsvr32 -detection: - SELECTION_1: - EventLog: EDR - SELECTION_2: - EventType: WMIExecution - SELECTION_3: - WMIcommand: '*Win32_Process\:\:Create*' - SELECTION_4: - Image: - - '*\winword.exe' - - '*\excel.exe' - - '*\powerpnt.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 -level: high -logsource: - category: edr - product: windows -modified: 2021/11/09 -references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -status: experimental -tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defense_evasion -ruletype: SIGMA diff --git a/rules/sigma/file_delete/sysmon_delete_prefetch.yml b/rules/sigma/file_delete/sysmon_delete_prefetch.yml deleted file mode 100644 index ad26aa1a..00000000 --- a/rules/sigma/file_delete/sysmon_delete_prefetch.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Prefetch File Deletion -author: Cedric MAURUGEON -date: 2021/09/29 -description: Detects the deletion of a prefetch file (AntiForensic) -detection: - SELECTION_1: - EventID: 23 - SELECTION_2: - EventID: 26 - SELECTION_3: - TargetFilename: C:\Windows\Prefetch\\* - SELECTION_4: - TargetFilename: '*.pf' - SELECTION_5: - Image: C:\windows\system32\svchost.exe - SELECTION_6: - User: NT AUTHORITY\SYSTEM - condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not - (SELECTION_5 and SELECTION_6)) -falsepositives: -- Unknown -id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 -level: high -logsource: - category: file_delete - product: windows -status: experimental -tags: -- attack.defense_evasion -- attack.t1070.004 -ruletype: SIGMA diff --git a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml deleted file mode 100644 index 09e8b1ac..00000000 --- a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Sysinternals SDelete File Deletion -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -description: A General detection to trigger for the deletion of files by Sysinternals - SDelete. It looks for the common name pattern used to rename files. -detection: - SELECTION_1: - EventID: 23 - SELECTION_2: - EventID: 26 - SELECTION_3: - TargetFilename: - - '*.AAA' - - '*.ZZZ' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3) -falsepositives: -- Legitime usage of SDelete -id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc -level: medium -logsource: - category: file_delete - product: windows -references: -- https://github.com/OTRF/detection-hackathon-apt29/issues/9 -- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html -status: experimental -tags: -- attack.defense_evasion -- attack.t1070.004 -ruletype: SIGMA diff --git a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml deleted file mode 100644 index 2f9f5720..00000000 --- a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Windows Spooler Service Suspicious File Deletion -author: Bhabesh Raj -date: 2021/07/01 -description: Detect DLL deletions from Spooler Service driver folder -detection: - SELECTION_1: - EventID: 23 - SELECTION_2: - EventID: 26 - SELECTION_3: - Image: '*spoolsv.exe' - SELECTION_4: - TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf -level: high -logsource: - category: file_delete - product: windows -modified: 2021/08/24 -references: -- https://github.com/hhlxf/PrintNightmare -- https://github.com/cube0x0/CVE-2021-1675 -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1574 -- cve.2021.1675 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml deleted file mode 100644 index 5e595fd6..00000000 --- a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Advanced IP Scanner -author: '@ROxPinTeddy' -date: 2020/05/12 -description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for - ransomware groups. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate administrative use -id: fed85bf9-e075-4280-9159-fbe8a023d6fa -level: medium -logsource: - category: file_event - product: windows -modified: 2021/09/11 -references: -- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ -- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html -- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc -- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf -- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer -related: -- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f - type: derived -status: experimental -tags: -- attack.discovery -- attack.t1046 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml deleted file mode 100644 index d6f8fd79..00000000 --- a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Unidentified Attacker November 2018 -author: '@41thexplorer, Microsoft Defender ATP' -date: 2018/11/20 -description: A sigma rule detecting an unidetefied attacker who used phishing emails - to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 - campaign in 2016. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*ds7002.lnk*' - condition: (SELECTION_1 and SELECTION_2) -id: 3a3f81ca-652c-482b-adeb-b1c804727f74 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://twitter.com/DrunkBinary/status/1063075530180886529 -related: -- id: 7453575c-a747-40b9-839b-125a0aae324b - type: derived -status: stable -tags: -- attack.execution -- attack.t1218.011 -- attack.t1085 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml deleted file mode 100644 index d5138819..00000000 --- a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum -author: Sittikorn S -date: 2021/07/16 -description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 - CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*C:\Windows\system32\physmem.sys*' - - '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*' - - '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*' - - '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*' - - '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*' - - '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*' - - '*C:\Windows\system32\config\config\startwus.dat*' - - '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*' - - '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*' - - '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/09 -references: -- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ -- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ -status: experimental -tags: -- attack.credential_access -- attack.t1566 -- attack.t1203 -- cve.2021.33771 -- cve.2021.31979 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_hack_dumpert.yml b/rules/sigma/file_event/file_event_hack_dumpert.yml deleted file mode 100644 index 7b10aec1..00000000 --- a/rules/sigma/file_event/file_event_hack_dumpert.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Dumpert Process Dumper -author: Florian Roth -date: 2020/02/04 -description: Detects the use of Dumpert process dumper, which dumps the lsass.exe - process memory -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Windows\Temp\dumpert.dmp - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Very unlikely -id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/21 -references: -- https://github.com/outflanknl/Dumpert -- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ -related: -- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 - type: derived -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_hktl_createminidump.yml b/rules/sigma/file_event/file_event_hktl_createminidump.yml deleted file mode 100644 index 759c245f..00000000 --- a/rules/sigma/file_event/file_event_hktl_createminidump.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: CreateMiniDump Hacktool -author: Florian Roth -date: 2019/12/22 -description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process - memory for credential extraction on the attacker's machine -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\lsass.dmp' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: db2110f3-479d-42a6-94fb-d35bc1e46492 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass -related: -- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d - type: derived -status: deprecated -tags: -- attack.credential_access -- attack.t1003.001 -- attack.t1003 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_lsass_dump.yml b/rules/sigma/file_event/file_event_lsass_dump.yml deleted file mode 100644 index f8a18a0b..00000000 --- a/rules/sigma/file_event/file_event_lsass_dump.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: LSASS Process Memory Dump Files -author: Florian Roth -date: 2021/11/15 -description: Detects file names used by different memory dumping tools to create a - memory dump of the LSASS process memory, which contains user credentials -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\lsass.dmp' - - '*\lsass.zip' - - '*\lsass.rar' - SELECTION_3: - TargetFilename: - - '*\lsass_2*' - - '*\lsassdump*' - - '*\lsassdmp*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Unknown -id: a5a2d357-1ab8-4675-a967-ef9990a59391 -level: high -logsource: - category: file_event - product: windows -references: -- https://www.google.com/search?q=procdump+lsass -related: -- id: db2110f3-479d-42a6-94fb-d35bc1e46492 - type: obsoletes -status: experimental -tags: -- attack.credential_access -- attack.t1003.001 -- attack.t1003 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mal_adwind.yml b/rules/sigma/file_event/file_event_mal_adwind.yml deleted file mode 100644 index 89d02db2..00000000 --- a/rules/sigma/file_event/file_event_mal_adwind.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: Adwind RAT / JRAT -author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community -date: 2017/11/10 -description: Detects javaw.exe in AppData folder as used by Adwind / JRAT -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Roaming\Oracle\bin\java*' - SELECTION_3: - TargetFilename: '*.exe*' - SELECTION_4: - TargetFilename: '*\Retrive*' - SELECTION_5: - TargetFilename: '*.vbs*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 -- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf -related: -- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 - type: derived -status: experimental -tags: -- attack.execution -- attack.t1059.005 -- attack.t1059.007 -- attack.t1064 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mal_vhd_download.yml b/rules/sigma/file_event/file_event_mal_vhd_download.yml deleted file mode 100644 index d52d9515..00000000 --- a/rules/sigma/file_event/file_event_mal_vhd_download.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Suspicious VHD Image Download From Browser -author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' -date: 2021/10/25 -description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate - payloads and evade security controls -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: - - '*chrome.exe' - - '*firefox.exe' - - '*microsoftedge.exe' - - '*microsoftedgecp.exe' - - '*msedge.exe' - - '*iexplorer.exe' - - '*brave.exe' - - '*opera.exe' - SELECTION_3: - TargetFilename: '*.vhd*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate user creation -id: 8468111a-ef07-4654-903b-b863a80bbc95 -level: medium -logsource: - category: file_event - definition: in sysmon add ".vhd - " - product: windows -modified: 2021/10/29 -references: -- https://redcanary.com/blog/intelligence-insights-october-2021/ -- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ -- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ -status: test -tags: -- attack.resource_development -- attack.t1587.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml deleted file mode 100644 index dc9d26df..00000000 --- a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml +++ /dev/null @@ -1,26 +0,0 @@ - -title: Mimikatz Kirbi File Creation -author: Florian Roth -date: 2021/11/08 -description: Detects the creation of files that contain Kerberos tickets based on - an extension used by the popular tool Mimikatz -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*.kirbi' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 -level: critical -logsource: - category: file_event - product: windows -references: -- https://cobalt.io/blog/kerberoast-attack-techniques -status: test -tags: -- attack.credential_access -- attack.t1558 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_moriya_rootkit.yml b/rules/sigma/file_event/file_event_moriya_rootkit.yml deleted file mode 100644 index 3f7ba19a..00000000 --- a/rules/sigma/file_event/file_event_moriya_rootkit.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Moriya Rootkit -author: Bhabesh Raj -date: 2021/05/06 -description: Detects the use of Moriya rootkit as described in the securelist's Operation - TunnelSnake report -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- None -id: a1507d71-0b60-44f6-b17c-bf53220fdd88 -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/21 -references: -- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 -related: -- id: 25b9c01c-350d-4b95-bed1-836d04a4f324 - type: derived -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_pingback_backdoor.yml b/rules/sigma/file_event/file_event_pingback_backdoor.yml deleted file mode 100644 index 8b387765..00000000 --- a/rules/sigma/file_event/file_event_pingback_backdoor.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Pingback Backdoor -author: Bhabesh Raj -date: 2021/05/05 -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*updata.exe' - SELECTION_3: - TargetFilename: C:\Windows\oci.dll - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Very unlikely -id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/09 -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel -- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 -status: experimental -tags: -- attack.persistence -- attack.t1574.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml deleted file mode 100644 index cf7d60b7..00000000 --- a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ /dev/null @@ -1,47 +0,0 @@ - -title: Created Files by Office Applications -author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) -date: 2021/08/23 -description: This rule will monitor executable and script file creation by office - applications. Please add more file extensions or magic bytes to the logic of your - choice. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: - - '*winword.exe' - - '*excel.exe' - - '*powerpnt.exe' - SELECTION_3: - TargetFilename: - - '*.exe' - - '*.dll' - - '*.ocx' - - '*.com' - - '*.ps1' - - '*.vbs' - - '*.sys' - - '*.bat' - - '*.scr' - - '*.proj' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -level: high -logsource: - category: file_event - product: windows -modified: 2021/11/10 -references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -status: experimental -tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defense_evasion -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_susp_task_write.yml b/rules/sigma/file_event/file_event_susp_task_write.yml deleted file mode 100644 index 5429a0cf..00000000 --- a/rules/sigma/file_event/file_event_susp_task_write.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Suspicious Scheduled Task Writ to System32 Tasks -author: Florian Roth -date: 2021/11/16 -description: -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Windows\System32\Tasks*' - SELECTION_3: - Image: - - '*\AppData\\*' - - '*C:\PerfLogs*' - - '*\Windows\System32\config\systemprofile*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 80e1f67a-4596-4351-98f5-a9c3efabac95 -level: high -logsource: - category: file_event - product: windows -references: -- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ -status: experimental -tags: -- attack.persistence -- attack.execution -- attack.t1053 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_tool_psexec.yml b/rules/sigma/file_event/file_event_tool_psexec.yml deleted file mode 100644 index f5a257b3..00000000 --- a/rules/sigma/file_event/file_event_tool_psexec.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: PsExec Tool Execution -author: Thomas Patzke -date: 2017/06/12 -description: Detects PsExec service installation and execution events (service and - Sysmon) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\PSEXESVC.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- EventID -- CommandLine -- ParentCommandLine -- ServiceName -- ServiceFileName -- TargetFilename -- PipeName -id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d -level: low -logsource: - category: file_event - product: windows -modified: 2021/09/21 -references: -- https://www.jpcert.or.jp/english/pub/sr/ir_research.html -- https://jpcertcc.github.io/ToolAnalysisResultSheet -related: -- id: 42c575ea-e41e-41f1-b248-8093c3e82a28 - type: derived -status: experimental -tags: -- attack.execution -- attack.t1035 -- attack.t1569.002 -- attack.s0029 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml deleted file mode 100644 index 81183bbd..00000000 --- a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: UAC Bypass Abusing Winsat Path Parsing - File -author: Christian Burkard -date: 2021/08/30 -description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe - (UACMe 52) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: - - '*\AppData\Local\Temp\system32\winsat.exe' - - '*\AppData\Local\Temp\system32\winmm.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 155dbf56-e0a4-4dd0-8905-8a98705045e8 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml deleted file mode 100644 index d5ca7ab4..00000000 --- a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: UAC Bypass Using Windows Media Player - File -author: Christian Burkard -date: 2021/08/23 -description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll - (UACMe 32) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: '*\AppData\Local\Temp\OskSupport.dll' - SELECTION_4: - Image: C:\Windows\system32\DllHost.exe - SELECTION_5: - TargetFilename: C:\Program Files\Windows Media Player\osk.exe - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -falsepositives: -- Unknown -id: 68578b43-65df-4f81-9a9b-92f32711a951 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml deleted file mode 100644 index e442758a..00000000 --- a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml +++ /dev/null @@ -1,50 +0,0 @@ - -title: Windows Shell File Write to Suspicious Folder -author: Florian Roth -date: 2021/11/20 -description: Detects a Windows executable that writes files to suspicious folders -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\msbuild.exe' - SELECTION_3: - TargetFilename: - - '*C:\Users\Public*' - - '*C:\PerfLogs*' - SELECTION_4: - Image: - - '*\schtasks.exe' - - '*\wmic.exe' - - '*\mshta.exe' - - '*\rundll32.exe' - - '*\forfiles.exe' - - '*\scriptrunner.exe' - SELECTION_5: - TargetFilename: - - '*C:\Users\Public*' - - '*C:\PerfLogs*' - - '*\AppData\\*' - - '*C:\Windows\Temp*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -falsepositives: -- Unknown -fields: -- CommandLine -- ParentCommandLine -id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 -level: high -logsource: - category: file_event - product: windows -references: -- No references -status: experimental -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml deleted file mode 100644 index 8d003e2a..00000000 --- a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl -author: Julia Fomina, oscd.community -date: 2020/10/06 -description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via - winrm.vbs and copied cscript.exe (can be renamed) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*WsmPty.xsl' - - '*WsmTxt.xsl' - SELECTION_3: - TargetFilename: - - C:\Windows\System32\\* - - C:\Windows\SysWOW64\\* - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Unlikely -id: d353dac0-1b41-46c2-820c-d7d2561fc6ed -level: medium -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 -related: -- id: 074e0ded-6ced-4ebd-8b4d-53f55908119 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1216 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml deleted file mode 100644 index a6f4e9a5..00000000 --- a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Wmiprvse Wbemcomn DLL Hijack -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/12 -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network and loading it for a WMI DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: System - SELECTION_3: - TargetFilename: '*\wbem\wbemcomn.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 614a7e17-5643-4d89-b6fe-f9df1a79641c -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/09 -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -status: experimental -tags: -- attack.execution -- attack.t1047 -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_creation_system_file.yml b/rules/sigma/file_event/sysmon_creation_system_file.yml deleted file mode 100644 index fca4521b..00000000 --- a/rules/sigma/file_event/sysmon_creation_system_file.yml +++ /dev/null @@ -1,68 +0,0 @@ - -title: File Created with System Process Name -author: Sander Wiebing -date: 2020/05/26 -description: Detects the creation of an executable with a system process name in a - suspicious folder -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\svchost.exe' - - '*\rundll32.exe' - - '*\services.exe' - - '*\powershell.exe' - - '*\regsvr32.exe' - - '*\spoolsv.exe' - - '*\lsass.exe' - - '*\smss.exe' - - '*\csrss.exe' - - '*\conhost.exe' - - '*\wininit.exe' - - '*\lsm.exe' - - '*\winlogon.exe' - - '*\explorer.exe' - - '*\taskhost.exe' - - '*\Taskmgr.exe' - - '*\taskmgr.exe' - - '*\sihost.exe' - - '*\RuntimeBroker.exe' - - '*\runtimebroker.exe' - - '*\smartscreen.exe' - - '*\dllhost.exe' - - '*\audiodg.exe' - - '*\wlanext.exe' - SELECTION_3: - TargetFilename: - - C:\Windows\System32\\* - - C:\Windows\system32\\* - - C:\Windows\SysWow64\\* - - C:\Windows\SysWOW64\\* - - C:\Windows\winsxs\\* - - C:\Windows\WinSxS\\* - - \SystemRoot\System32\\* - SELECTION_4: - Image: '*\Windows\System32\dism.exe' - SELECTION_5: - TargetFilename: C:\$WINDOWS.~BT\\* - SELECTION_6: - Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe - condition: (SELECTION_1 and (SELECTION_2 and not (SELECTION_3 and SELECTION_4)) - and not (SELECTION_5 and SELECTION_6)) -falsepositives: -- System processes copied outside the default folder -fields: -- Image -id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d -level: high -logsource: - category: file_event - product: windows -modified: 2021/10/28 -status: test -tags: -- attack.defense_evasion -- attack.t1036 -- attack.t1036.005 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml deleted file mode 100644 index cf546df7..00000000 --- a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml +++ /dev/null @@ -1,58 +0,0 @@ - -title: Cred Dump Tools Dropped Files -author: Teymur Kheirkhabarov, oscd.community -date: 2019/11/01 -description: Files with well-known filenames (parts of credential dump software or - files produced by them) creation -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\pwdump*' - - '*\kirbi*' - - '*\pwhashes*' - - '*\wce_ccache*' - - '*\wce_krbtkts*' - - '*\fgdump-log*' - SELECTION_3: - TargetFilename: - - '*\test.pwd' - - '*\lsremora64.dll' - - '*\lsremora.dll' - - '*\fgexec.exe' - - '*\wceaux.dll' - - '*\SAM.out' - - '*\SECURITY.out' - - '*\SYSTEM.out' - - '*\NTDS.out' - - '*\DumpExt.dll' - - '*\DumpSvc.exe' - - '*\cachedump64.exe' - - '*\cachedump.exe' - - '*\pstgdump.exe' - - '*\servpw.exe' - - '*\servpw64.exe' - - '*\pwdump.exe' - - '*\procdump64.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate Administrator using tool for password recovery -id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.003 -- attack.t1003.004 -- attack.t1003.005 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml deleted file mode 100644 index 1a282c20..00000000 --- a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: CVE-2021-26858 Exchange Exploitation -author: Bhabesh Raj -date: 2021/03/03 -description: Detects possible successful exploitation for vulnerability described - in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange - Server’s Unified Messaging service | which could indicate dropping web shells or - other malicious content -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*UMWorkerProcess.exe' - SELECTION_3: - TargetFilename: - - '*CacheCleanup.bin' - - '*.txt' - - '*.LOG' - - '*.cfg' - - '*cleanup.bin' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Unknown -fields: -- ComputerName -- TargetFilename -id: b06335b3-55ac-4b41-937e-16b7f5d57dfd -level: critical -logsource: - category: file_event - product: windows -references: -- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ -status: experimental -tags: -- attack.t1203 -- attack.execution -- cve.2021.26858 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml deleted file mode 100644 index a66f5b02..00000000 --- a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Powerup Write Hijack DLL -author: Subhash Popuri (@pbssubhash) -date: 2021/08/21 -description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege - escalation. In it's default mode, it builds a self deleting .bat file which executes - malicious command. The detection rule relies on creation of the malicious bat file - (debug.bat by default). -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*\powershell.exe' - SELECTION_3: - TargetFilename: '*.bat' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Pentest -- Any powershell script that creates bat files -id: 602a1f13-c640-4d73-b053-be9a2fa58b96 -level: high -logsource: - category: file_event - product: windows -references: -- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.defense_evasion -- attack.t1574.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml deleted file mode 100644 index ace295fb..00000000 --- a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Detection of SafetyKatz -author: Markus Neis -date: 2018/07/24 -description: Detects possible SafetyKatz Behaviour -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Temp\debug.bin' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: e074832a-eada-4fd7-94a1-10642b130e16 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://github.com/GhostPack/SafetyKatz -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml deleted file mode 100644 index 9d54ad3e..00000000 --- a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: LSASS Memory Dump File Creation -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: LSASS memory dump creation using operating systems utilities. Procdump - will use process name in output file if no name is specified -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*lsass*' - SELECTION_3: - TargetFilename: '*dmp' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Dumping lsass memory for forensic investigation purposes by legitimate incident - responder or forensic invetigator -- Dumps of another process that contains lsass in its process name (substring) -fields: -- ComputerName -- TargetFilename -id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a -level: high -logsource: - category: file_event - product: windows -modified: 2021/08/16 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_office_persistence.yml b/rules/sigma/file_event/sysmon_office_persistence.yml deleted file mode 100644 index afa4c9dc..00000000 --- a/rules/sigma/file_event/sysmon_office_persistence.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Microsoft Office Add-In Loading -author: NVISO -date: 2020/05/11 -description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll - are simply .dll fit for Word or Excel). -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Microsoft\Word\Startup\\*' - SELECTION_3: - TargetFilename: '*.wll' - SELECTION_4: - TargetFilename: '*\Microsoft\Excel\Startup\\*' - SELECTION_5: - TargetFilename: '*.xll' - SELECTION_6: - TargetFilename: '*\Microsoft\Addins\\*' - SELECTION_7: - TargetFilename: - - '*.xlam' - - '*.xla' - condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and - SELECTION_5)) or (SELECTION_6 and SELECTION_7))) -falsepositives: -- Legitimate add-ins -id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- Internal Research -status: experimental -tags: -- attack.persistence -- attack.t1137 -- attack.t1137.006 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_outlook_newform.yml b/rules/sigma/file_event/sysmon_outlook_newform.yml deleted file mode 100644 index 94b0b8dd..00000000 --- a/rules/sigma/file_event/sysmon_outlook_newform.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Outlook Form Installation -author: Tobias Michalski -date: 2021/06/10 -description: Detects the creation of new Outlook form which can contain malicious - code -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: \outlook.exe - SELECTION_3: - TargetFilename: '*\appdata\local\microsoft\FORMS\\*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- unknown -fields: -- TargetFilename -id: c3edc6a5-d9d4-48d8-930e-aab518390917 -level: high -logsource: - category: file_event - product: windows -references: -- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 -status: experimental -tags: -- attack.persistence -- attack.t1137.003 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml deleted file mode 100644 index 2bee4489..00000000 --- a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: PCRE.NET Package Temp Files -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/29 -description: Detects processes creating temp files related to PCRE.NET package -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da -level: high -logsource: - category: file_event - product: windows -modified: 2021/08/14 -references: -- https://twitter.com/rbmaslen/status/1321859647091970051 -- https://twitter.com/tifkin_/status/1321916444557365248 -status: experimental -tags: -- attack.execution -- attack.t1059 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml deleted file mode 100644 index 9c9acc39..00000000 --- a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml +++ /dev/null @@ -1,121 +0,0 @@ - -title: Malicious PowerShell Commandlet Names -author: Markus Neis -date: 2018/04/07 -description: Detects the creation of known powershell scripts for exploitation -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\Invoke-DllInjection.ps1' - - '*\Invoke-WmiCommand.ps1' - - '*\Get-GPPPassword.ps1' - - '*\Get-Keystrokes.ps1' - - '*\Get-VaultCredential.ps1' - - '*\Invoke-CredentialInjection.ps1' - - '*\Invoke-Mimikatz.ps1' - - '*\Invoke-NinjaCopy.ps1' - - '*\Invoke-TokenManipulation.ps1' - - '*\Out-Minidump.ps1' - - '*\VolumeShadowCopyTools.ps1' - - '*\Invoke-ReflectivePEInjection.ps1' - - '*\Get-TimedScreenshot.ps1' - - '*\Invoke-UserHunter.ps1' - - '*\Find-GPOLocation.ps1' - - '*\Invoke-ACLScanner.ps1' - - '*\Invoke-DowngradeAccount.ps1' - - '*\Get-ServiceUnquoted.ps1' - - '*\Get-ServiceFilePermission.ps1' - - '*\Get-ServicePermission.ps1' - - '*\Invoke-ServiceAbuse.ps1' - - '*\Install-ServiceBinary.ps1' - - '*\Get-RegAutoLogon.ps1' - - '*\Get-VulnAutoRun.ps1' - - '*\Get-VulnSchTask.ps1' - - '*\Get-UnattendedInstallFile.ps1' - - '*\Get-WebConfig.ps1' - - '*\Get-ApplicationHost.ps1' - - '*\Get-RegAlwaysInstallElevated.ps1' - - '*\Get-Unconstrained.ps1' - - '*\Add-RegBackdoor.ps1' - - '*\Add-ScrnSaveBackdoor.ps1' - - '*\Gupt-Backdoor.ps1' - - '*\Invoke-ADSBackdoor.ps1' - - '*\Enabled-DuplicateToken.ps1' - - '*\Invoke-PsUaCme.ps1' - - '*\Remove-Update.ps1' - - '*\Check-VM.ps1' - - '*\Get-LSASecret.ps1' - - '*\Get-PassHashes.ps1' - - '*\Show-TargetScreen.ps1' - - '*\Port-Scan.ps1' - - '*\Invoke-PoshRatHttp.ps1' - - '*\Invoke-PowerShellTCP.ps1' - - '*\Invoke-PowerShellWMI.ps1' - - '*\Add-Exfiltration.ps1' - - '*\Add-Persistence.ps1' - - '*\Do-Exfiltration.ps1' - - '*\Start-CaptureServer.ps1' - - '*\Invoke-ShellCode.ps1' - - '*\Get-ChromeDump.ps1' - - '*\Get-ClipboardContents.ps1' - - '*\Get-FoxDump.ps1' - - '*\Get-IndexedItem.ps1' - - '*\Get-Screenshot.ps1' - - '*\Invoke-Inveigh.ps1' - - '*\Invoke-NetRipper.ps1' - - '*\Invoke-EgressCheck.ps1' - - '*\Invoke-PostExfil.ps1' - - '*\Invoke-PSInject.ps1' - - '*\Invoke-RunAs.ps1' - - '*\MailRaider.ps1' - - '*\New-HoneyHash.ps1' - - '*\Set-MacAttribute.ps1' - - '*\Invoke-DCSync.ps1' - - '*\Invoke-PowerDump.ps1' - - '*\Exploit-Jboss.ps1' - - '*\Invoke-ThunderStruck.ps1' - - '*\Invoke-VoiceTroll.ps1' - - '*\Set-Wallpaper.ps1' - - '*\Invoke-InveighRelay.ps1' - - '*\Invoke-PsExec.ps1' - - '*\Invoke-SSHCommand.ps1' - - '*\Get-SecurityPackages.ps1' - - '*\Install-SSP.ps1' - - '*\Invoke-BackdoorLNK.ps1' - - '*\PowerBreach.ps1' - - '*\Get-SiteListPassword.ps1' - - '*\Get-System.ps1' - - '*\Invoke-BypassUAC.ps1' - - '*\Invoke-Tater.ps1' - - '*\Invoke-WScriptBypassUAC.ps1' - - '*\PowerUp.ps1' - - '*\PowerView.ps1' - - '*\Get-RickAstley.ps1' - - '*\Find-Fruit.ps1' - - '*\HTTP-Login.ps1' - - '*\Find-TrustedDocuments.ps1' - - '*\Invoke-Paranoia.ps1' - - '*\Invoke-WinEnum.ps1' - - '*\Invoke-ARPScan.ps1' - - '*\Invoke-PortScan.ps1' - - '*\Invoke-ReverseDNSLookup.ps1' - - '*\Invoke-SMBScanner.ps1' - - '*\Invoke-Mimikittenz.ps1' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Penetration Tests -id: f331aa1f-8c53-4fc3-b083-cc159bc971cb -level: high -logsource: - category: file_event - product: windows -references: -- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml -status: experimental -tags: -- attack.execution -- attack.t1086 -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml deleted file mode 100644 index d8f3f241..00000000 --- a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: PowerShell Writing Startup Shortcuts -author: Christopher Peacock '@securepeacock', SCYTHE -date: 2021/10/24 -description: Attempts to detect PowerShell writing startup shortcuts. This procedure - was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries - using PowerShell to write malicious .lnk files into the startup directory to establish - persistence. Accordingly, this detection opportunity is likely to identify persistence - mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence - mechanism eventually launches the command-line script that leads to the installation - of a malicious DLL" -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*\powershell.exe' - SELECTION_3: - TargetFilename: '*\start menu\programs\startup\\*' - SELECTION_4: - TargetFilename: '*.lnk' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -- Depending on your environment accepted applications may leverage this at times. - It is recomended to search for anomolies inidicative of malware. -id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d -level: high -logsource: - category: file_event - product: windows -references: -- https://redcanary.com/blog/intelligence-insights-october-2021/ -- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder -status: experimental -tags: -- attack.registry_run_keys_/_startup_folder -- attack.t1547.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml deleted file mode 100644 index 0d7e58b5..00000000 --- a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: QuarksPwDump Dump File -author: Florian Roth -date: 2018/02/10 -description: Detects a dump file written by QuarksPwDump password dumper -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\SAM-*' - SELECTION_3: - TargetFilename: '*.dmp*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 847def9e-924d-4e90-b7c4-5f581395a2b4 -level: critical -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml deleted file mode 100644 index 7144b964..00000000 --- a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: RedMimicry Winnti Playbook Dropped File -author: Alexander Rausch -date: 2020/06/24 -description: Detects actions caused by the RedMimicry Winnti playbook -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*gthread-3.6.dll*' - - '*sigcmm-2.4.dll*' - - '*\Windows\Temp\tmp.bat*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 130c9e58-28ac-4f83-8574-0a4cc913b97e -level: high -logsource: - category: file_event - product: windows -references: -- https://redmimicry.com -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml deleted file mode 100644 index 474f4758..00000000 --- a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Startup Folder File Write -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -description: A General detection for files being created in the Windows startup directory. - This could be an indicator of persistence. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 2aa0a6b4-a865-495b-ab51-c28249537b75 -level: low -logsource: - category: file_event - product: windows -references: -- https://github.com/OTRF/detection-hackathon-apt29/issues/12 -- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html -status: experimental -tags: -- attack.persistence -- attack.t1547.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml deleted file mode 100644 index 36e1cb6c..00000000 --- a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Suspicious ADSI-Cache Usage By Unknown Tool -author: xknow @xknow_infosec -date: 2019/03/24 -description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect - tools like LDAPFragger. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*' - SELECTION_3: - TargetFilename: '*.sch' - SELECTION_4: - Image: - - C:\windows\system32\svchost.exe - - C:\windows\system32\dllhost.exe - - C:\windows\system32\mmc.exe - - C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe - - C:\Windows\CCM\CcmExec.exe - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity - by MMC, Powershell, Windows etc. -id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 -- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ -- https://github.com/fox-it/LDAPFragger -status: experimental -tags: -- attack.t1071 -- attack.t1001.003 -- attack.command_and_control -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_clr_logs.yml b/rules/sigma/file_event/sysmon_susp_clr_logs.yml deleted file mode 100644 index cff06d72..00000000 --- a/rules/sigma/file_event/sysmon_susp_clr_logs.yml +++ /dev/null @@ -1,45 +0,0 @@ - -title: Suspcious CLR Logs Creation -author: omkar72, oscd.community, Wojciech Lesicki -date: 2020/10/12 -description: Detects suspicious .NET assembly executions. Could detect using Cobalt - Strike's command execute-assembly. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Microsoft\CLR*' - SELECTION_3: - TargetFilename: '*\UsageLogs\\*' - SELECTION_4: - TargetFilename: - - '*mshta*' - - '*cscript*' - - '*wscript*' - - '*regsvr32*' - - '*wmic*' - - '*rundll32*' - - '*svchost*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc - in command line and msiexec.exe as parent process -id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -level: high -logsource: - category: file_event - definition: Check your sysmon configuration for monitoring UsageLogs folder. In - SwiftOnSecurity configuration we have that thanks @SBousseaden - product: windows -modified: 2021/11/17 -references: -- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ -- https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml -status: experimental -tags: -- attack.execution -- attack.defense_evasion -- attack.t1059.001 -- attack.t1218 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml deleted file mode 100644 index 8269eafd..00000000 --- a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Suspicious desktop.ini Action -author: Maxime Thiebaut (@0xThiebaut) -date: 2020/03/19 -description: Detects unusual processes accessing desktop.ini, which can be leveraged - to alter how Explorer displays a folder's content (i.e. renaming files) without - changing them on disk. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\desktop.ini' - SELECTION_3: - Image: - - C:\Windows\explorer.exe - - C:\Windows\System32\msiexec.exe - - C:\Windows\System32\mmc.exe - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Operations performed through Windows SCCM or equivalent -id: 81315b50-6b60-4d8f-9928-3466e1022515 -level: medium -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ -status: experimental -tags: -- attack.persistence -- attack.t1023 -- attack.t1547.009 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml deleted file mode 100644 index 71481373..00000000 --- a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Suspicious PFX File Creation -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -description: A general detection for processes creating PFX files. This could be an - indicator of an adversary exporting a local certificate to a PFX file. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*.pfx' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- System administrators managing certififcates. -id: dca1b3e8-e043-4ec8-85d7-867f334b5724 -level: medium -logsource: - category: file_event - product: windows -references: -- https://github.com/OTRF/detection-hackathon-apt29/issues/14 -- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html -status: experimental -tags: -- attack.credential_access -- attack.t1552.004 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml deleted file mode 100644 index 22e29910..00000000 --- a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Suspicious PROCEXP152.sys File Created In TMP -author: xknow (@xknow_infosec), xorxes (@xor_xes) -date: 2019/04/08 -description: Detects the creation of the PROCEXP152.sys file in the application-data - local temporary folder. This driver is used by Sysinternals Process Explorer but - also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), - which uses KDU. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\\*' - SELECTION_3: - TargetFilename: '*PROCEXP152.sys' - SELECTION_4: - Image: - - '*\procexp64.exe*' - - '*\procexp.exe*' - - '*\procmon64.exe*' - - '*\procmon.exe*' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Other legimate tools using this driver and filename (like Sysinternals). Note - - Clever attackers may easily bypass this detection by just renaming the driver filename. - Therefore just Medium-level and don't rely on it. -id: 3da70954-0f2c-4103-adff-b7440368f50e -level: medium -logsource: - category: file_event - product: windows -references: -- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -status: experimental -tags: -- attack.t1089 -- attack.t1562.001 -- attack.defense_evasion -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml deleted file mode 100644 index 9f340600..00000000 --- a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Powershell Profile.ps1 Modification -author: HieuTT35 -date: 2019/10/24 -description: Detects a change in profile.ps1 of the Powershell profile -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\profile.ps1*' - SELECTION_3: - TargetFilename: '*\My Documents\PowerShell\\*' - SELECTION_4: - TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*' - condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4)) -falsepositives: -- System administrator create Powershell profile manually -id: b5b78988-486d-4a80-b991-930eff3ff8bf -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/24 -references: -- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1546.013 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml deleted file mode 100644 index 112ec4af..00000000 --- a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml +++ /dev/null @@ -1,26 +0,0 @@ - -title: Hijack Legit RDP Session to Move Laterally -author: Samir Bousseaden -date: 2019/02/21 -description: Detects the usage of tsclient share to place a backdoor on the RDP source - machine's startup folder -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*\mstsc.exe' - SELECTION_3: - TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- unknown -id: 52753ea4-b3a0-4365-910d-36cff487b789 -level: high -logsource: - category: file_event - product: windows -status: experimental -tags: -- attack.command_and_control -- attack.t1219 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml deleted file mode 100644 index 4b4354b6..00000000 --- a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: UAC Bypass Using Consent and Comctl32 - File -author: Christian Burkard -date: 2021/08/23 -description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll - (UACMe 22) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Windows\System32\consent.exe.@* - SELECTION_3: - TargetFilename: '*\comctl32.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 62ed5b55-f991-406a-85d9-e8e8fdf18789 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml deleted file mode 100644 index 0754223c..00000000 --- a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: UAC Bypass Using .NET Code Profiler on MMC -author: Christian Burkard -date: 2021/08/30 -description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe - DLL hijacking (UACMe 39) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: '*\AppData\Local\Temp\pe386.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 93a19907-d4f9-4deb-9f91-aac4692776a6 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml deleted file mode 100644 index 9676afb4..00000000 --- a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: UAC Bypass Using IEInstal - File -author: Christian Burkard -date: 2021/08/30 -description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: C:\Program Files\Internet Explorer\IEInstal.exe - SELECTION_3: - TargetFilename: C:\Users\\* - SELECTION_4: - TargetFilename: '*\AppData\Local\Temp\\*' - SELECTION_5: - TargetFilename: '*consent.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Unknown -id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml deleted file mode 100644 index ff744dca..00000000 --- a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: UAC Bypass Using MSConfig Token Modification - File -author: Christian Burkard -date: 2021/08/30 -description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 41bb431f-56d8-4691-bb56-ed34e390906f -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml deleted file mode 100644 index de79c275..00000000 --- a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: UAC Bypass Using NTFS Reparse Point - File -author: Christian Burkard -date: 2021/08/30 -description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe - DLL hijacking (UACMe 36) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml deleted file mode 100644 index 40389d2e..00000000 --- a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml +++ /dev/null @@ -1,60 +0,0 @@ - -title: Windows Webshell Creation -author: Beyu Denis, oscd.community -date: 2019/10/22 -description: Possible webshell file creation on a static web site -detection: - SELECTION_1: - EventID: 11 - SELECTION_10: - TargetFilename: '*.pl*' - SELECTION_11: - TargetFilename: - - '*\AppData\Local\Temp\\*' - - '*\Windows\Temp\\*' - SELECTION_2: - TargetFilename: '*\inetpub\wwwroot\\*' - SELECTION_3: - TargetFilename: - - '*.asp*' - - '*.ashx*' - - '*.ph*' - SELECTION_4: - TargetFilename: - - '*\AppData\Local\Temp\\*' - - '*\Windows\Temp\\*' - SELECTION_5: - TargetFilename: - - '*\www\\*' - - '*\htdocs\\*' - - '*\html\\*' - SELECTION_6: - TargetFilename: '*.ph*' - SELECTION_7: - TargetFilename: - - '*\AppData\Local\Temp\\*' - - '*\Windows\Temp\\*' - SELECTION_8: - TargetFilename: '*.jsp' - SELECTION_9: - TargetFilename: '*\cgi-bin\\*' - condition: (SELECTION_1 and ((((SELECTION_2 and SELECTION_3) and not (SELECTION_4)) - or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7))) or ((SELECTION_8 or - (SELECTION_9 and SELECTION_10)) and not (SELECTION_11)))) -falsepositives: -- Legitimate administrator or developer creating legitimate executable files in a - web application folder -id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9 -level: critical -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- PT ESC rule and personal experience -status: experimental -tags: -- attack.persistence -- attack.t1100 -- attack.t1505.003 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml deleted file mode 100644 index 48e26ae1..00000000 --- a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: WMI Persistence - Script Event Consumer File Write -author: Thomas Patzke -date: 2018/03/07 -description: Detects file writes of WMI script event consumer -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: C:\WINDOWS\system32\wbem\scrcons.exe - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe) -id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ -status: experimental -tags: -- attack.t1084 -- attack.t1546.003 -- attack.persistence -ruletype: SIGMA diff --git a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml deleted file mode 100644 index 51720d15..00000000 --- a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern -author: Florian Roth -date: 2021/06/29 -description: Detects the default filename used in PoC code against print spooler vulnerability - CVE-2021-1675 -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*' - - '*C:\Windows\System32\spool\drivers\x64\3\New\\*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -fields: -- ComputerName -- TargetFilename -id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07 -level: critical -logsource: - category: file_event - product: windows -modified: 2021/07/01 -references: -- https://github.com/hhlxf/PrintNightmare -- https://github.com/afwu/PrintNightmare -- https://github.com/cube0x0/CVE-2021-1675 -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.resource_development -- attack.t1587 -- cve.2021.1675 -ruletype: SIGMA diff --git a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml deleted file mode 100644 index 5042704f..00000000 --- a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Suspicious Word Cab File Write CVE-2021-40444 -author: Florian Roth, Sittikorn S -date: 2021/09/10 -description: Detects file creation patterns noticeable during the exploitation of - CVE-2021-40444 -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: \winword.exe - SELECTION_3: - TargetFilename: '*.cab' - SELECTION_4: - TargetFilename: '*\Windows\INetCache*' - SELECTION_5: - TargetFilename: '*\AppData\Local\Temp\\*' - SELECTION_6: - TargetFilename: '*.inf*' - condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5 - and SELECTION_6))) -falsepositives: -- unknown -fields: -- TargetFilename -id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/13 -references: -- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 -- https://twitter.com/vanitasnk/status/1437329511142420483?s=21 -status: experimental -tags: -- attack.resource_development -- attack.t1587 -ruletype: SIGMA diff --git a/rules/sigma/file_event/win_hivenightmare_file_exports.yml b/rules/sigma/file_event/win_hivenightmare_file_exports.yml deleted file mode 100644 index 6d80bb79..00000000 --- a/rules/sigma/file_event/win_hivenightmare_file_exports.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Typical HiveNightmare SAM File Export -author: Florian Roth -date: 2021/07/23 -description: Detects files written by the different tools that exploit HiveNightmare -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\hive_sam_*' - - '*\SAM-2021-*' - - '*\SAM-2022-*' - - '*\SAM-haxx*' - - '*\Sam.save*' - SELECTION_3: - TargetFilename: - - C:\windows\temp\sam - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Files that accidentally contain these strings -fields: -- CommandLine -- ParentCommandLine -id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/GossiTheDog/HiveNightmare -- https://github.com/FireFart/hivenightmare/ -- https://github.com/WiredPulse/Invoke-HiveNightmare -- https://twitter.com/cube0x0/status/1418920190759378944 -status: experimental -tags: -- attack.credential_access -- attack.t1552.001 -- cve.2021.36934 -ruletype: SIGMA diff --git a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml deleted file mode 100644 index d9f6f964..00000000 --- a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Outlook C2 Macro Creation -author: '@ScoubiMtl' -date: 2021/04/05 -description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. - VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both - events Registry & File Creation happens at the same time. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Microsoft\Outlook\VbaProject.OTM' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- User genuinly creates a VB Macro for their email -id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 -level: medium -logsource: - category: file_event - product: windows -references: -- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ -status: experimental -tags: -- attack.persistence -- attack.command_and_control -- attack.t1137 -- attack.t1008 -- attack.t1546 -ruletype: SIGMA diff --git a/rules/sigma/file_event/win_rclone_exec_file.yml b/rules/sigma/file_event/win_rclone_exec_file.yml deleted file mode 100644 index 1455ae44..00000000 --- a/rules/sigma/file_event/win_rclone_exec_file.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Rclone Config File Creation -author: Aaron Greetham (@beardofbinary) - NCC Group -date: 2021/05/26 -description: Detects Rclone config file being created -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*:\Users\\*' - SELECTION_3: - TargetFilename: '*\.config\rclone\\*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate Rclone usage (rare) -id: 34986307-b7f4-49be-92f3-e7a4d01ac5db -level: high -logsource: - category: file_event - product: windows -modified: 2021/10/04 -references: -- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ -status: experimental -tags: -- attack.exfiltration -- attack.t1567.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml deleted file mode 100644 index ec85a436..00000000 --- a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Suspicious Desktopimgdownldr Target File -author: Florian Roth -date: 2020/07/03 -description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores - a file to a suspicious location or contains a file with a suspicious extension -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*svchost.exe' - SELECTION_3: - TargetFilename: '*\Personalization\LockScreenImage\\*' - SELECTION_4: - TargetFilename: '*C:\Windows\\*' - SELECTION_5: - TargetFilename: - - '*.jpg*' - - '*.jpeg*' - - '*.png*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and not (SELECTION_4)) - and not (SELECTION_5)) -falsepositives: -- False positives depend on scripts and administrative tools used in the monitored - environment -fields: -- CommandLine -- ParentCommandLine -id: fc4f4817-0c53-4683-a4ee-b17a64bc1039 -level: high -logsource: - category: file_event - product: windows -references: -- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ -- https://twitter.com/SBousseaden/status/1278977301745741825 -status: experimental -tags: -- attack.defense_evasion -- attack.t1105 -ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_pingback_backdoor.yml b/rules/sigma/image_load/image_load_pingback_backdoor.yml deleted file mode 100644 index a9f33802..00000000 --- a/rules/sigma/image_load/image_load_pingback_backdoor.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Pingback Backdoor -author: Bhabesh Raj -date: 2021/05/05 -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*msdtc.exe' - SELECTION_3: - ImageLoaded: C:\Windows\oci.dll - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Very unlikely -id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b -level: high -logsource: - category: image_load - product: windows -modified: 2021/09/09 -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel -- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 -status: experimental -tags: -- attack.persistence -- attack.t1574.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml deleted file mode 100644 index cc88231c..00000000 --- a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: SILENTTRINITY Stager Execution -author: Aleksey Potapov, oscd.community -date: 2019/10/22 -description: Detects SILENTTRINITY stager use -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Description: '*st2stager*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d -level: high -logsource: - category: image_load - product: windows -modified: 2021/10/04 -references: -- https://github.com/byt3bl33d3r/SILENTTRINITY -related: -- id: 03552375-cc2c-4883-bbe4-7958d5a980be - type: derived -status: experimental -tags: -- attack.command_and_control -- attack.t1071 -ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml deleted file mode 100644 index f533e5fb..00000000 --- a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Wmiprvse Wbemcomn DLL Hijack -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/12 -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network and loading it for a WMI DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*\wmiprvse.exe' - SELECTION_3: - ImageLoaded: '*\wbem\wbemcomn.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 7707a579-e0d8-4886-a853-ce47e4575aaa -level: critical -logsource: - category: image_load - product: windows -modified: 2021/09/09 -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -status: experimental -tags: -- attack.execution -- attack.t1047 -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml deleted file mode 100644 index 95031338..00000000 --- a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Time Travel Debugging Utility Usage -author: Ensar Şamil, @sblmsrsn, @oscd_initiative -date: 2020/10/06 -description: Detects usage of Time Travel Debugging Utility. Adversaries can execute - malicious processes and dump processes, such as lsass.exe, via tttracer.exe. -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - ParentImage: '*\tttracer.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate usage by software developers/testers -id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a -level: high -logsource: - category: process_creation - product: windows -modified: 2021/09/21 -references: -- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ -- https://twitter.com/mattifestation/status/1196390321783025666 -- https://twitter.com/oulusoyum/status/1191329746069655553 -related: -- id: e76c8240-d68f-4773-8880-5c6f63595aaf - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.credential_access -- attack.t1218 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml deleted file mode 100644 index 2b9dcdbc..00000000 --- a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Abusing Azure Browser SSO -author: Den Iuzvyk -date: 2020/07/15 -description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens - for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure - AD and a user logs in with their Azure AD account) wanting to perform SSO authentication - in the browser. An attacker can use this to authenticate to Azure AD in a browser - as that user. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: '*MicrosoftAccountTokenProvider.dll' - SELECTION_3: - Image: - - '*BackgroundTaskHost.exe' - - '*devenv.exe' - - '*iexplore.exe' - - '*MicrosoftEdge.exe' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- unknown -id: 50f852e6-af22-4c78-9ede-42ef36aa3453 -level: high -logsource: - category: image_load - product: windows -modified: 2020/12/23 -references: -- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30 -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1073 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml deleted file mode 100644 index cd4202f9..00000000 --- a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Alternate PowerShell Hosts -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2019/09/12 -description: Detects alternate PowerShell hosts potentially bypassing detections looking - for powershell.exe -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Description: System.Management.Automation - SELECTION_3: - ImageLoaded: '*System.Management.Automation*' - SELECTION_4: - Image: '*\powershell.exe' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Unknown -id: fe6e002f-f244-4278-9263-20e4b593827f -level: medium -logsource: - category: image_load - product: windows -modified: 2021/05/12 -references: -- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html -status: experimental -tags: -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml deleted file mode 100644 index ae5fc804..00000000 --- a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml +++ /dev/null @@ -1,25 +0,0 @@ - -title: FoggyWeb Backdoor DLL Loading -author: Florian Roth -date: 2021/09/27 -description: Detects DLL image load activity as used by FoggyWeb backdoor loader -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: C:\Windows\ADFS\version.dll - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c -level: critical -logsource: - category: image_load - product: windows -references: -- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ -status: experimental -tags: -- attack.resource_development -- attack.t1587 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_in_memory_powershell.yml b/rules/sigma/image_load/sysmon_in_memory_powershell.yml deleted file mode 100644 index c08df0f6..00000000 --- a/rules/sigma/image_load/sysmon_in_memory_powershell.yml +++ /dev/null @@ -1,52 +0,0 @@ - -title: In-memory PowerShell -author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton -date: 2019/11/14 -description: Detects loading of essential DLL used by PowerShell, but not by the process - powershell.exe. Detects meterpreter's "load powershell" extension. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: - - '*\System.Management.Automation.Dll' - - '*\System.Management.Automation.ni.Dll' - SELECTION_3: - Image: - - '*\powershell.exe' - - '*\powershell_ise.exe' - - '*\WINDOWS\System32\sdiagnhost.exe' - - '*\mscorsvw.exe' - - '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe' - - '*\sqlps.exe' - - '*\wsmprovhost.exe' - - '*\winrshost.exe' - - '*\syncappvpublishingserver.exe' - - '*\runscripthelper.exe' - - '*\ServerManager.exe' - - '*\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -enrichment: -- EN_0001_cache_sysmon_event_id_1_info -- EN_0003_enrich_other_sysmon_events_with_event_id_1_data -falsepositives: -- Used by some .NET binaries, minimal on user workstation. -- Used by Microsoft SQL Server Management Studio -id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f -level: high -logsource: - category: image_load - product: windows -modified: 2021/11/11 -references: -- https://adsecurity.org/?p=2921 -- https://github.com/p3nt4/PowerShdll -related: -- id: 867613fb-fa60-4497-a017-a82df74a172c - type: obsoletes -status: experimental -tags: -- attack.t1086 -- attack.t1059.001 -- attack.execution -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_pcre_net_load.yml b/rules/sigma/image_load/sysmon_pcre_net_load.yml deleted file mode 100644 index 06efb137..00000000 --- a/rules/sigma/image_load/sysmon_pcre_net_load.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: PCRE.NET Package Image Load -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/29 -description: Detects processes loading modules related to PCRE.NET package -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 84b0a8f3-680b-4096-a45b-e9a89221727c -level: high -logsource: - category: image_load - product: windows -modified: 2021/08/14 -references: -- https://twitter.com/rbmaslen/status/1321859647091970051 -- https://twitter.com/tifkin_/status/1321916444557365248 -status: experimental -tags: -- attack.execution -- attack.t1059 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml deleted file mode 100644 index 2c4d93bc..00000000 --- a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: WMI Script Host Process Image Loaded -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/09/02 -description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe - functionality being used via images being loaded by a process. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*\scrcons.exe' - SELECTION_3: - ImageLoaded: - - '*\vbscript.dll' - - '*\wbemdisp.dll' - - '*\wshom.ocx' - - '*\scrrun.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8 -level: high -logsource: - category: image_load - product: windows -references: -- https://twitter.com/HunterPlaybook/status/1301207718355759107 -- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.persistence -- attack.t1546.003 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml deleted file mode 100644 index 7040913e..00000000 --- a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Windows Spooler Service Suspicious Binary Load -author: FPT.EagleEye, Thomas Patzke (improvements) -date: 2021/06/29 -description: Detect DLL Load from Spooler Service backup folder -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*spoolsv.exe' - SELECTION_3: - ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*' - SELECTION_4: - ImageLoaded: '*.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Loading of legitimate driver -id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14 -level: informational -logsource: - category: image_load - product: windows -modified: 2021/08/24 -references: -- https://github.com/hhlxf/PrintNightmare -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1574 -- cve.2021.1675 -- cve.2021.34527 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_fax_dll.yml b/rules/sigma/image_load/sysmon_susp_fax_dll.yml deleted file mode 100644 index 527347bc..00000000 --- a/rules/sigma/image_load/sysmon_susp_fax_dll.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Fax Service DLL Search Order Hijack -author: NVISO -date: 2020/05/04 -description: The Fax service attempts to load ualapi.dll, which is non-existent. An - attacker can then (side)load their own malicious DLL using this service. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*fxssvc.exe' - SELECTION_3: - ImageLoaded: - - '*ualapi.dll' - SELECTION_4: - ImageLoaded: - - C:\Windows\WinSxS\\* - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Unlikely -id: 828af599-4c53-4ed2-ba4a-a9f835c434ea -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://windows-internals.com/faxing-your-way-to-system/ -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.t1073 -- attack.t1038 -- attack.t1574.001 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_image_load.yml b/rules/sigma/image_load/sysmon_susp_image_load.yml deleted file mode 100644 index 5e7c1c98..00000000 --- a/rules/sigma/image_load/sysmon_susp_image_load.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Possible Process Hollowing Image Loading -author: Markus Neis -date: 2018/01/07 -description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. - through process hollowing by Mimikatz -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\notepad.exe' - SELECTION_3: - ImageLoaded: - - '*\samlib.dll' - - '*\WinSCard.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Very likely, needs more tuning -id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -status: experimental -tags: -- attack.defense_evasion -- attack.t1073 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml deleted file mode 100644 index 8bf01a6a..00000000 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: dotNET DLL Loaded Via Office Applications -author: Antonlovesdnb -date: 2020/02/19 -description: Detects any assembly DLL being loaded by an Office Product -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - C:\Windows\assembly\\* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Alerts on legitimate macro usage as well, will need to filter as appropriate -id: ff0f2b05-09db-4095-b96d-1b75ca24894a -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -status: experimental -tags: -- attack.execution -- attack.t1204 -- attack.t1204.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml deleted file mode 100644 index 2d6e9c41..00000000 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: CLR DLL Loaded Via Office Applications -author: Antonlovesdnb -date: 2020/02/19 -description: Detects CLR DLL being loaded by an Office Product -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - '*\clr.dll*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Alerts on legitimate macro usage as well, will need to filter as appropriate -id: d13c43f0-f66b-4279-8b2c-5912077c1780 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -status: experimental -tags: -- attack.execution -- attack.t1204 -- attack.t1204.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml deleted file mode 100644 index 85d73b1b..00000000 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: GAC DLL Loaded Via Office Applications -author: Antonlovesdnb -date: 2020/02/19 -description: Detects any GAC DLL being loaded by an Office Product -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - C:\Windows\Microsoft.NET\assembly\GAC_MSIL* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Alerts on legitimate macro usage as well, will need to filter as appropriate -id: 90217a70-13fc-48e4-b3db-0d836c5824ac -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -status: experimental -tags: -- attack.execution -- attack.t1204 -- attack.t1204.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml deleted file mode 100644 index e0636a7c..00000000 --- a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Active Directory Parsing DLL Loaded Via Office Applications -author: Antonlovesdnb -date: 2020/02/19 -description: Detects DSParse DLL being loaded by an Office Product -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - '*\dsparse.dll*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Alerts on legitimate macro usage as well, will need to filter as appropriate -id: a2a3b925-7bb0-433b-b508-db9003263cc4 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -status: experimental -tags: -- attack.execution -- attack.t1204 -- attack.t1204.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml deleted file mode 100644 index 34c4c4fe..00000000 --- a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Active Directory Kerberos DLL Loaded Via Office Applications -author: Antonlovesdnb -date: 2020/02/19 -description: Detects Kerberos DLL being loaded by an Office Product -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - '*\kerberos.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Alerts on legitimate macro usage as well, will need to filter as appropriate -id: 7417e29e-c2e7-4cf6-a2e8-767228c64837 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -status: experimental -tags: -- attack.execution -- attack.t1204 -- attack.t1204.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_python_image_load.yml b/rules/sigma/image_load/sysmon_susp_python_image_load.yml deleted file mode 100644 index 2af6e561..00000000 --- a/rules/sigma/image_load/sysmon_susp_python_image_load.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Python Py2Exe Image Load -author: Patrick St. John, OTR (Open Threat Research) -date: 2020/05/03 -description: Detects the image load of Python Core indicative of a Python script bundled - with Py2Exe. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Description: Python Core - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legit Py2Exe Binaries -fields: -- Description -id: cbb56d62-4060-40f7-9466-d8aaf3123f83 -level: medium -logsource: - category: image_load - product: windows -modified: 2021/05/12 -references: -- https://www.py2exe.org/ -- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1027.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml deleted file mode 100644 index 013da64c..00000000 --- a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: CLR DLL Loaded Via Scripting Applications -author: omkar72, oscd.community -date: 2020/10/14 -description: Detects CLR DLL being loaded by an scripting applications -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' - SELECTION_3: - ImageLoaded: - - '*\clr.dll' - - '*\mscoree.dll' - - '*\mscorlib.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- unknown -id: 4508a70e-97ef-4300-b62b-ff27992990ea -level: high -logsource: - category: image_load - product: windows -references: -- https://github.com/tyranid/DotNetToJScript -- https://thewover.github.io/Introducing-Donut/ -- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.t1055 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml deleted file mode 100644 index 8d0ea2fe..00000000 --- a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Suspicious System.Drawing Load -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -description: A General detection for processes loading System.Drawing.ni.dll. This - could be an indicator of potential Screen Capture. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: '*\System.Drawing.ni.dll' - SELECTION_3: - Image: - - '*\WmiPrvSE.exe' - - '*\mmc.exe' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- unknown -id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c -level: medium -logsource: - category: image_load - product: windows -modified: 2021/11/16 -references: -- https://github.com/OTRF/detection-hackathon-apt29/issues/16 -- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html -status: experimental -tags: -- attack.collection -- attack.t1113 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml deleted file mode 100644 index a91fa571..00000000 --- a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: VBA DLL Loaded Via Microsoft Word -author: Antonlovesdnb -date: 2020/02/19 -description: Detects DLL's Loaded Via Word Containing VBA Macros -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - '*\VBE7.DLL' - - '*\VBEUI.DLL' - - '*\VBE7INTL.DLL' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Alerts on legitimate macro usage as well, will need to filter as appropriate -id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -status: experimental -tags: -- attack.execution -- attack.t1204 -- attack.t1204.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml deleted file mode 100644 index c63c492f..00000000 --- a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Windows Management Instrumentation DLL Loaded Via Microsoft Word -author: Michael R. (@nahamike01) -date: 2019/12/26 -description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\winword.exe' - - '*\powerpnt.exe' - - '*\excel.exe' - - '*\outlook.exe' - SELECTION_3: - ImageLoaded: - - '*\wmiutils.dll' - - '*\wbemcomn.dll' - - '*\wbemprox.dll' - - '*\wbemdisp.dll' - - '*\wbemsvc.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Possible. Requires further testing. -id: a457f232-7df9-491d-898f-b5aabd2cbe2f -level: high -logsource: - category: image_load - product: windows -references: -- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 -- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/ -- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf -status: experimental -tags: -- attack.execution -- attack.t1047 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml deleted file mode 100644 index 05dc8b88..00000000 --- a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ /dev/null @@ -1,73 +0,0 @@ - -title: Load of dbghelp/dbgcore DLL from Suspicious Process -author: Perez Diego (@darkquassar), oscd.community, Ecco -date: 2019/10/27 -description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by - suspicious processes. Tools like ProcessHacker and some attacker tradecract use - MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity - C2 Framework has a module that leverages this API to dump the contents of Lsass.exe - and transfer it over the network back to the attacker's machine. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: - - '*\dbghelp.dll' - - '*\dbgcore.dll' - SELECTION_3: - Image: - - '*\msbuild.exe' - - '*\cmd.exe' - - '*\rundll32.exe' - - '*\powershell.exe' - - '*\word.exe' - - '*\excel.exe' - - '*\powerpnt.exe' - - '*\outlook.exe' - - '*\monitoringhost.exe' - - '*\wmic.exe' - - '*\bash.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\schtasks.exe' - - '*\dnx.exe' - - '*\regsvcs.exe' - - '*\sc.exe' - - '*\scriptrunner.exe' - SELECTION_4: - Image: '*Visual Studio*' - SELECTION_5: - ImageLoaded: - - '*\dbghelp.dll' - - '*\dbgcore.dll' - SELECTION_6: - Signed: 'FALSE' - SELECTION_7: - Image: '*Visual Studio*' - condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) and not (SELECTION_4)) - or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7)))) -falsepositives: -- Penetration tests -fields: -- ComputerName -- User -- Image -- ImageLoaded -id: 0e277796-5f23-4e49-a490-483131d4f6e1 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html -- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml deleted file mode 100644 index 9e8e4668..00000000 --- a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Svchost DLL Search Order Hijack -author: SBousseaden -date: 2019/10/28 -description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that - do not exist within C:\Windows\System32\ by default. An attacker can place their - malicious logic within the PROCESS_ATTACH block of their library and restart the - aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote - machine. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\svchost.exe' - SELECTION_3: - ImageLoaded: - - '*\tsmsisrv.dll' - - '*\tsvipsrv.dll' - - '*\wlbsctrl.dll' - SELECTION_4: - ImageLoaded: - - C:\Windows\WinSxS\\* - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Pentest -id: 602a1f13-c640-4d73-b053-be9a2fa58b77 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.t1073 -- attack.t1574.002 -- attack.t1038 -- attack.t1574.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml deleted file mode 100644 index 51ebaf59..00000000 --- a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Time Travel Debugging Utility Usage -author: Ensar Şamil, @sblmsrsn, @oscd_initiative -date: 2020/10/06 -description: Detects usage of Time Travel Debugging Utility. Adversaries can execute - malicious processes and dump processes, such as lsass.exe, via tttracer.exe. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: - - '*\ttdrecord.dll' - - '*\ttdwriter.dll' - - '*\ttdloader.dll' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate usage by software developers/testers -id: e76c8240-d68f-4773-8880-5c6f63595aaf -level: high -logsource: - category: image_load - product: windows -modified: 2021/09/21 -references: -- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ -- https://twitter.com/mattifestation/status/1196390321783025666 -- https://twitter.com/oulusoyum/status/1191329746069655553 -status: experimental -tags: -- attack.defense_evasion -- attack.credential_access -- attack.t1218 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml deleted file mode 100644 index 0f9cf9e9..00000000 --- a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: UAC Bypass With Fake DLL -author: oscd.community, Dmitry Uchakin -date: 2020/10/06 -description: Attempts to load dismcore.dll after dropping it -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: - - '*\dism.exe' - SELECTION_3: - ImageLoaded: - - '*\dismcore.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Pentests -- Actions of a legitimate telnet client -id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03 -level: high -logsource: - category: image_load - product: windows -references: -- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -- attack.t1574.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml deleted file mode 100644 index 4066e9f6..00000000 --- a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: UIPromptForCredentials DLLs -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/20 -description: Detects potential use of UIPromptForCredentials functions by looking - for some of the DLLs needed for it. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: - - '*\credui.dll' - - '*\wincredui.dll' - SELECTION_3: - OriginalFileName: - - credui.dll - - wincredui.dll - SELECTION_4: - Image: - - C:\Windows\System32\\* - - C:\Windows\explorer.exe* - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4)) -falsepositives: -- other legitimate processes loading those DLLs in your environment. -id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 -level: medium -logsource: - category: image_load - product: windows -modified: 2021/11/20 -references: -- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password -- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -status: experimental -tags: -- attack.credential_access -- attack.collection -- attack.t1056.002 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml deleted file mode 100644 index 5669d048..00000000 --- a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Unsigned Image Loaded Into LSASS Process -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: Loading unsigned image (DLL, EXE) into LSASS process -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*\lsass.exe' - SELECTION_3: - Signed: 'false' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Valid user connecting using RDP -id: 857c8db3-c89b-42fb-882b-f681c7cf4da2 -level: medium -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmi_module_load.yml b/rules/sigma/image_load/sysmon_wmi_module_load.yml deleted file mode 100644 index dc7ec21f..00000000 --- a/rules/sigma/image_load/sysmon_wmi_module_load.yml +++ /dev/null @@ -1,64 +0,0 @@ - -title: WMI Modules Loaded -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -description: Detects non wmiprvse loading WMI modules -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: - - '*\wmiclnt.dll' - - '*\WmiApRpl.dll' - - '*\wmiprov.dll' - - '*\wmiutils.dll' - - '*\wbemcomn.dll' - - '*\wbemprox.dll' - - '*\WMINet_Utils.dll' - - '*\wbemsvc.dll' - - '*\fastprox.dll' - SELECTION_3: - Image: - - '*\WmiPrvSE.exe' - - '*\WmiApSrv.exe' - - '*\svchost.exe' - - '*\DeviceCensus.exe' - - '*\CompatTelRunner.exe' - - '*\sdiagnhost.exe' - - '*\SIHClient.exe' - - '*\ngentask.exe' - - '*\windows\system32\taskhostw.exe' - - '*\windows\system32\MoUsoCoreWorker.exe' - - '*\windows\system32\wbem\WMIADAP.exe' - - '*C:\Windows\Sysmon64.exe' - - '*C:\Windows\Sysmon.exe' - - '*C:\Windows\System32\wbem\unsecapp.exe' - - '*\logman.exe' - - '*\systeminfo.exe' - - '*\nvcontainer.exe' - - '*C:\Windows\System32\wbem\WMIC.exe' - SELECTION_4: - Image: - - C:\Program Files\\* - - C:\Program Files (x86)\\* - condition: (SELECTION_1 and (SELECTION_2 and not (SELECTION_3)) and not (SELECTION_4)) -falsepositives: -- Unknown -fields: -- ComputerName -- User -- Image -- ImageLoaded -id: 671bb7e3-a020-4824-a00e-2ee5b55f385e -level: medium -logsource: - category: image_load - product: windows -modified: 2021/11/20 -references: -- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html -status: experimental -tags: -- attack.execution -- attack.t1047 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml deleted file mode 100644 index e99b0f1b..00000000 --- a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: WMI Persistence - Command Line Event Consumer -author: Thomas Patzke -date: 2018/03/07 -description: Detects WMI command line event consumers -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: C:\Windows\System32\wbem\WmiPrvSE.exe - SELECTION_3: - ImageLoaded: '*\wbemcons.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown (data set is too small; further testing needed) -id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6 -level: high -logsource: - category: image_load - product: windows -modified: 2020/08/23 -references: -- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ -status: experimental -tags: -- attack.t1084 -- attack.t1546.003 -- attack.persistence -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml deleted file mode 100644 index 060b0a77..00000000 --- a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: WMIC Loading Scripting Libraries -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/17 -description: Detects threat actors proxy executing code and bypassing application - controls by leveraging wmic and the `/FORMAT` argument switch to download and execute - an XSL file (i.e js, vbs, etc). -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*\wmic.exe' - SELECTION_3: - ImageLoaded: - - '*\jscript.dll' - - '*\vbscript.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Apparently, wmic os get lastboottuptime loads vbscript.dll -id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32 -level: high -logsource: - category: image_load - product: windows -references: -- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html -- https://twitter.com/dez_/status/986614411711442944 -- https://lolbas-project.github.io/lolbas/Binaries/Wmic/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1220 -ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml b/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml deleted file mode 100644 index 30483b48..00000000 --- a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml +++ /dev/null @@ -1,49 +0,0 @@ - -title: Suspicious WSMAN Provider Image Loads -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/06/24 -description: Detects signs of potential use of the WSMAN provider from uncommon processes - locally and remote execution. -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - EventID: 7 - SELECTION_3: - ImageLoaded: - - '*\WsmSvc.dll' - - '*\WsmAuto.dll' - - '*\Microsoft.WSMan.Management.ni.dll' - SELECTION_4: - OriginalFileName: - - WsmSvc.dll - - WSMANAUTOMATION.DLL - - Microsoft.WSMan.Management.dll - SELECTION_5: - Image: '*\powershell.exe' - SELECTION_6: - Image: '*\svchost.exe' - SELECTION_7: - OriginalFileName: WsmWmiPl.dll - condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4) and not - (SELECTION_5)) or (SELECTION_6 and SELECTION_7))) -falsepositives: -- Unknown -id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 -level: medium -logsource: - category: image_load - product: windows -modified: 2021/11/17 -references: -- https://twitter.com/chadtilbury/status/1275851297770610688 -- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/ -- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://github.com/bohops/WSMan-WinRM -status: experimental -tags: -- attack.execution -- attack.t1059.001 -- attack.lateral_movement -- attack.t1021.003 -ruletype: SIGMA diff --git a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml deleted file mode 100644 index a6d45e9c..00000000 --- a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: APT PRIVATELOG Image Load Pattern -author: Florian Roth -date: 2021/09/07 -description: Detects an image load pattern as seen when a tool named PRIVATELOG is - used and rarely observed under legitimate circumstances -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - Image: '*\svchost.exe' - SELECTION_3: - ImageLoaded: '*\clfsw32.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Rarely observed -id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc -level: high -logsource: - category: image_load - product: windows -references: -- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1055 -ruletype: SIGMA diff --git a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml deleted file mode 100644 index c2a7adc2..00000000 --- a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Image Load of VSS_PS.dll by Uncommon Executable -author: Markus Neis, @markus_neis -date: 2021/07/07 -description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName - datapoint -detection: - SELECTION_1: - EventID: 7 - SELECTION_2: - ImageLoaded: - - '*\vss_ps.dll' - SELECTION_3: - Image: - - '*\svchost.exe' - - '*\msiexec.exe' - - '*\vssvc.exe' - - '*\srtasks.exe' - - '*\tiworker.exe' - - '*\dllhost.exe' - - '*\searchindexer.exe' - - '*dismhost.exe' - - '*taskhostw.exe' - - '*\clussvc.exe' - SELECTION_4: - Image: '*c:\windows\\*' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 and SELECTION_4)) -falsepositives: -- unknown -id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 -level: high -logsource: - category: image_load - product: windows -references: -- 1bd85e1caa1415ebdc8852c91e37bbb7 -- https://twitter.com/am0nsec/status/1412232114980982787 -status: experimental -tags: -- attack.defense_evasion -- attack.impact -- attack.t1490 -ruletype: SIGMA diff --git a/rules/sigma/malware/av_exploiting.yml b/rules/sigma/malware/av_exploiting.yml deleted file mode 100644 index 08f613a5..00000000 --- a/rules/sigma/malware/av_exploiting.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Antivirus Exploitation Framework Detection -author: Florian Roth -date: 2018/09/09 -description: Detects a highly relevant Antivirus alert that reports an exploitation - framework -detection: - SELECTION_1: - Signature: - - '*MeteTool*' - - '*MPreter*' - - '*Meterpreter*' - - '*Metasploit*' - - '*PowerSploit*' - - '*CobaltSrike*' - - '*Swrort*' - - '*Rozena*' - - '*Backdoor.Cobalt*' - - '*CobaltStr*' - - '*COBEACON*' - - '*Cometer*' - - '*Razy*' - condition: SELECTION_1 -falsepositives: -- Unlikely -fields: -- FileName -- User -id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 -level: critical -logsource: - product: antivirus -modified: 2019/01/16 -references: -- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ -status: experimental -tags: -- attack.execution -- attack.t1203 -- attack.command_and_control -- attack.t1219 -ruletype: SIGMA diff --git a/rules/sigma/malware/av_hacktool.yml b/rules/sigma/malware/av_hacktool.yml deleted file mode 100644 index e425932b..00000000 --- a/rules/sigma/malware/av_hacktool.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Antivirus Hacktool Detection -author: Florian Roth -date: 2021/08/16 -description: Detects a highly relevant Antivirus alert that reports a hack tool or - other attack tool -detection: - SELECTION_1: - Signature: - - HTOOL* - - HKTL* - - SecurityTool* - - ATK/* - SELECTION_2: - Signature: - - '*Hacktool*' - condition: (SELECTION_1 or SELECTION_2) -falsepositives: -- Unlikely -fields: -- FileName -- User -id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba -level: high -logsource: - product: antivirus -references: -- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ -status: experimental -tags: -- attack.execution -- attack.t1204 -ruletype: SIGMA diff --git a/rules/sigma/malware/av_password_dumper.yml b/rules/sigma/malware/av_password_dumper.yml deleted file mode 100644 index e358a522..00000000 --- a/rules/sigma/malware/av_password_dumper.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Antivirus Password Dumper Detection -author: Florian Roth -date: 2018/09/09 -description: Detects a highly relevant Antivirus alert that reports a password dumper -detection: - SELECTION_1: - Signature: - - '*DumpCreds*' - - '*Mimikatz*' - - '*PWCrack*' - - '*HTool/WCE*' - - '*PSWtool*' - - '*PWDump*' - - '*SecurityTool*' - - '*PShlSpy*' - - '*Rubeus*' - - '*Kekeo*' - - '*LsassDump*' - - '*Outflank*' - condition: SELECTION_1 -falsepositives: -- Unlikely -fields: -- FileName -- User -id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 -level: critical -logsource: - product: antivirus -modified: 2019/10/04 -references: -- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ -- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1558 -- attack.t1003.001 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml deleted file mode 100644 index 11ea7d57..00000000 --- a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection -author: Sittikorn S, Nuttakorn T -date: 2021/07/01 -description: Detects the suspicious file that is created from PoC code against Windows - Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), - CVE-2021-1675 . -detection: - SELECTION_1: - FileName: '*C:\Windows\System32\spool\drivers\x64\\*' - condition: SELECTION_1 -falsepositives: -- Unlikely -fields: -- Signature -- FileName -- ComputerName -id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561 -level: critical -logsource: - product: antivirus -references: -- https://twitter.com/mvelazco/status/1410291741241102338 -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 -status: stable -tags: -- attack.privilege_escalation -- attack.t1055 -ruletype: SIGMA diff --git a/rules/sigma/malware/av_relevant_files.yml b/rules/sigma/malware/av_relevant_files.yml deleted file mode 100644 index 084f4989..00000000 --- a/rules/sigma/malware/av_relevant_files.yml +++ /dev/null @@ -1,82 +0,0 @@ - -title: Antivirus Relevant File Paths Alerts -author: Florian Roth, Arnim Rupp -date: 2018/09/09 -description: Detects an Antivirus alert in a highly relevant file path or with a relevant - file name -detection: - SELECTION_1: - FileName: - - C:\Windows\\* - - C:\Temp\\* - - C:\PerfLogs\\* - - C:\Users\Public\\* - - C:\Users\Default\\* - SELECTION_2: - FileName: - - '*\Client\\*' - - '*\tsclient\\*' - - '*\inetpub\\*' - - '*/www/*' - - '*apache*' - - '*tomcat*' - - '*nginx*' - - '*weblogic*' - SELECTION_3: - Filename: - - '*.ps1' - - '*.psm1' - - '*.vbs' - - '*.bat' - - '*.cmd' - - '*.sh' - - '*.chm' - - '*.xml' - - '*.txt' - - '*.jsp' - - '*.jspx' - - '*.asp' - - '*.aspx' - - '*.ashx' - - '*.asax' - - '*.asmx' - - '*.php' - - '*.cfm' - - '*.py' - - '*.pyc' - - '*.pl' - - '*.rb' - - '*.cgi' - - '*.war' - - '*.ear' - - '*.hta' - - '*.lnk' - - '*.scf' - - '*.sct' - - '*.vbe' - - '*.wsf' - - '*.wsh' - - '*.gif' - - '*.png' - - '*.jpg' - - '*.jpeg' - - '*.svg' - - '*.dat' - condition: (SELECTION_1 or SELECTION_2 or SELECTION_3) -falsepositives: -- Unlikely -fields: -- Signature -- User -id: c9a88268-0047-4824-ba6e-4d81ce0b907c -level: high -logsource: - product: antivirus -modified: 2021/05/09 -references: -- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ -status: experimental -tags: -- attack.resource_development -- attack.t1588 -ruletype: SIGMA diff --git a/rules/sigma/malware/av_webshell.yml b/rules/sigma/malware/av_webshell.yml deleted file mode 100644 index 1ffda88b..00000000 --- a/rules/sigma/malware/av_webshell.yml +++ /dev/null @@ -1,80 +0,0 @@ - -title: Antivirus Web Shell Detection -author: Florian Roth, Arnim Rupp -date: 2018/09/09 -description: Detects a highly relevant Antivirus alert that reports a web shell. It's - highly recommended to tune this rule to the specific strings used by your anti virus - solution by downloading a big webshell repo from e.g. github and checking the matches. -detection: - SELECTION_1: - Signature: - - PHP/* - - JSP/* - - ASP/* - - Perl/* - - PHP.* - - JSP.* - - ASP.* - - Perl.* - - VBS/Uxor* - - IIS/BackDoor* - - JAVA/Backdoor* - - Troj/ASP* - - Troj/PHP* - - Troj/JSP* - SELECTION_2: - Signature: - - '*Webshell*' - - '*Chopper*' - - '*SinoChoper*' - - '*ASPXSpy*' - - '*Aspdoor*' - - '*filebrowser*' - - '*PHP_*' - - '*JSP_*' - - '*ASP_*' - - '*PHP:*' - - '*JSP:*' - - '*ASP:*' - - '*Perl:*' - - '*PHPShell*' - - '*Trojan.PHP*' - - '*Trojan.ASP*' - - '*Trojan.JSP*' - - '*Trojan.VBS*' - - '*PHP?Agent*' - - '*ASP?Agent*' - - '*JSP?Agent*' - - '*VBS?Agent*' - - '*Backdoor?PHP*' - - '*Backdoor?JSP*' - - '*Backdoor?ASP*' - - '*Backdoor?VBS*' - - '*Backdoor?Java*' - condition: (SELECTION_1 or SELECTION_2) -falsepositives: -- Unlikely -fields: -- FileName -- User -id: fdf135a2-9241-4f96-a114-bb404948f736 -level: critical -logsource: - product: antivirus -modified: 2021/05/08 -references: -- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ -- https://github.com/tennc/webshell -- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection -- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection -- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection -- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection -- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection -- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection -- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection -status: experimental -tags: -- attack.persistence -- attack.t1100 -- attack.t1505.003 -ruletype: SIGMA diff --git a/rules/sigma/malware/file_event_mal_octopus_scanner.yml b/rules/sigma/malware/file_event_mal_octopus_scanner.yml deleted file mode 100644 index 611a0e31..00000000 --- a/rules/sigma/malware/file_event_mal_octopus_scanner.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Octopus Scanner Malware -author: NVISO -date: 2020/06/09 -description: Detects Octopus Scanner Malware. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\AppData\Local\Microsoft\Cache134.dat' - - '*\AppData\Local\Microsoft\ExplorerSync.db' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 805c55d9-31e6-4846-9878-c34c75054fe9 -level: high -logsource: - category: file_event - product: windows -references: -- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain -status: experimental -tags: -- attack.t1195 -- attack.t1195.001 -ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml deleted file mode 100644 index dcb7ae82..00000000 --- a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Blue Mockingbird -author: Trent Liffick (@tliffick) -date: 2020/05/14 -description: Attempts to detect system changes made by Blue Mockingbird -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - Image: '*\cmd.exe' - SELECTION_3: - CommandLine: '*sc config*' - SELECTION_4: - CommandLine: '*wercplsupporte.dll*' - SELECTION_5: - Image: '*\wmic.exe' - SELECTION_6: - CommandLine: '*COR_PROFILER' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5 - and SELECTION_6))) -falsepositives: -- unknown -id: c3198a27-23a0-4c2c-af19-e5328d49680e -level: high -logsource: - category: process_creation - product: windows -modified: 2021/09/11 -references: -- https://redcanary.com/blog/blue-mockingbird-cryptominer/ -related: -- id: ce239692-aa94-41b3-b32f-9cab259c96ea - type: merged -status: experimental -tags: -- attack.execution -- attack.t1112 -- attack.t1047 -ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml deleted file mode 100644 index a1ed5f01..00000000 --- a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: DarkSide Ransomware Pattern -author: Florian Roth -date: 2021/05/14 -description: Detects DarkSide Ransomware and helpers -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - CommandLine: - - "*=[char][byte]('0x'+*" - - '* -work worker0 -path *' - SELECTION_3: - ParentCommandLine: - - '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*' - SELECTION_4: - Image: - - '*\AppData\Local\Temp\\*' - condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4))) -falsepositives: -- Unknown -- UAC bypass method used by other malware -id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c -level: critical -logsource: - category: process_creation - product: windows -references: -- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html -- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/ -- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2 -status: experimental -tags: -- attack.execution -- attack.t1204 -ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml deleted file mode 100644 index 37d2a39a..00000000 --- a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: LockerGoga Ransomware -author: Vasiliy Burov, oscd.community -date: 2020/10/18 -description: Detects LockerGoga Ransomware command line. -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - CommandLine: '*-i SM-tgytutrc -s*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: 74db3488-fd28-480a-95aa-b7af626de068 -level: critical -logsource: - category: process_creation - product: windows -references: -- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a -- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/ -- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/ -status: experimental -tags: -- attack.impact -- attack.t1486 -ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_ryuk.yml b/rules/sigma/malware/process_creation_mal_ryuk.yml deleted file mode 100644 index 3c24bb4f..00000000 --- a/rules/sigma/malware/process_creation_mal_ryuk.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Ryuk Ransomware -author: Vasiliy Burov -date: 2019/08/06 -description: Detects Ryuk Ransomware command lines -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - Image: - - '*\net.exe' - - '*\net1.exe' - SELECTION_3: - CommandLine: '*stop*' - SELECTION_4: - CommandLine: - - '*samss*' - - '*audioendpointbuilder*' - - '*unistoresvc_?????*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unlikely -id: 0acaad27-9f02-4136-a243-c357202edd74 -level: critical -logsource: - category: process_creation - product: windows -references: -- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ -status: experimental -tags: -- attack.execution -- attack.t1204 -ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_azorult.yml b/rules/sigma/malware/registry_event_mal_azorult.yml deleted file mode 100644 index 99935e08..00000000 --- a/rules/sigma/malware/registry_event_mal_azorult.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Registry Entries For Azorult Malware -author: Trent Liffick -date: 2020/05/08 -description: Detects the presence of a registry key created during Azorult execution -detection: - SELECTION_1: - EventID: 12 - SELECTION_2: - EventID: 13 - SELECTION_3: - EventID: 14 - SELECTION_4: - EventID: 12 - SELECTION_5: - EventID: 13 - SELECTION_6: - TargetObject: '*SYSTEM\\*' - SELECTION_7: - TargetObject: '*\services\localNETService' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5) - and SELECTION_6 and SELECTION_7) -falsepositives: -- unknown -fields: -- Image -- TargetObject -- TargetDetails -id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 -level: critical -logsource: - category: registry_event - product: windows -references: -- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a -status: experimental -tags: -- attack.execution -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml deleted file mode 100644 index 44f831f6..00000000 --- a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Blue Mockingbird -author: Trent Liffick (@tliffick) -date: 2020/05/14 -description: Attempts to detect system changes made by Blue Mockingbird -detection: - SELECTION_1: - EventID: 12 - SELECTION_2: - EventID: 13 - SELECTION_3: - EventID: 14 - SELECTION_4: - TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- unknown -id: 92b0b372-a939-44ed-a11b-5136cf680e27 -level: high -logsource: - category: registry_event - product: windows -modified: 2021/09/11 -references: -- https://redcanary.com/blog/blue-mockingbird-cryptominer/ -related: -- id: c3198a27-23a0-4c2c-af19-e5328d49680e - type: derived -status: experimental -tags: -- attack.execution -- attack.t1112 -- attack.t1047 -ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_flowcloud.yml b/rules/sigma/malware/registry_event_mal_flowcloud.yml deleted file mode 100644 index b1058002..00000000 --- a/rules/sigma/malware/registry_event_mal_flowcloud.yml +++ /dev/null @@ -1,36 +0,0 @@ - -title: FlowCloud Malware -author: NVISO -date: 2020/06/09 -description: Detects FlowCloud malware from threat group TA410. -detection: - SELECTION_1: - EventID: 12 - SELECTION_2: - EventID: 13 - SELECTION_3: - EventID: 14 - SELECTION_4: - TargetObject: - - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A} - - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027} - - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303} - SELECTION_5: - TargetObject: - - HKLM\SYSTEM\Setup\PrintResponsor\\* - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) -falsepositives: -- Unknown -id: 5118765f-6657-4ddb-a487-d7bd673abbf1 -level: critical -logsource: - category: registry_event - product: windows -modified: 2021/07/22 -references: -- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new -status: experimental -tags: -- attack.persistence -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_netwire.yml b/rules/sigma/malware/registry_event_mal_netwire.yml deleted file mode 100644 index 1ce88a79..00000000 --- a/rules/sigma/malware/registry_event_mal_netwire.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: NetWire RAT Registry Key -Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity - "Because Sysmon runs as a service, it has no filtering ability for, or concept of, - HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" - Therefore I set netwire in my - configuration. -author: Christopher Peacock -date: 2021/10/07 -description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire -detection: - SELECTION_1: - EventID: 12 - SELECTION_2: - EventID: 13 - SELECTION_3: - EventID: 14 - SELECTION_4: - TargetObject: '*\software\NetWire*' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- No known false positives -id: 1d218616-71b0-4c40-855b-9dbe75510f7f -level: high -logsource: - category: registry_event - product: windows -references: -- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing -- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/ -- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ -- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line -- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_ursnif.yml b/rules/sigma/malware/registry_event_mal_ursnif.yml deleted file mode 100644 index dcf82a6a..00000000 --- a/rules/sigma/malware/registry_event_mal_ursnif.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Ursnif -author: megan201296 -date: 2019/02/13 -description: Detects new registry key created by Ursnif malware. -detection: - SELECTION_1: - EventID: 12 - SELECTION_2: - EventID: 13 - SELECTION_3: - EventID: 14 - SELECTION_4: - TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*' - SELECTION_5: - TargetObject: - - '*\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\\*' - - '*\SOFTWARE\AppDataLow\Software\Microsoft\RepService\\*' - - '*\SOFTWARE\AppDataLow\Software\Microsoft\IME\\*' - - '*\SOFTWARE\AppDataLow\Software\Microsoft\Edge\\*' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not - (SELECTION_5)) -falsepositives: -- Unknown -id: 21f17060-b282-4249-ade0-589ea3591558 -level: critical -logsource: - category: registry_event - product: windows -modified: 2021/11/15 -references: -- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ -- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ -status: experimental -tags: -- attack.execution -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml deleted file mode 100644 index 9d47d0d6..00000000 --- a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Silenttrinity Stager Msbuild Activity -author: Kiran kumar s, oscd.community -date: 2020/10/11 -description: Detects a possible remote connections to Silenttrinity c2 -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\msbuild.exe' - SELECTION_3: - DestinationPort: - - '80' - - '443' - SELECTION_4: - Initiated: 'true' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- unknown -id: 50e54b8d-ad73-43f8-96a1-5191685b17a4 -level: high -logsource: - category: network_connection - product: windows -references: -- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ -status: experimental -tags: -- attack.execution -- attack.t1127.001 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml deleted file mode 100644 index 8394040b..00000000 --- a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml +++ /dev/null @@ -1,53 +0,0 @@ - -title: Dllhost Internet Connection -author: bartblaze -date: 2020/07/13 -description: Detects Dllhost that communicates with public IP addresses -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\dllhost.exe' - SELECTION_3: - Initiated: 'true' - SELECTION_4: - DestinationIp: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.* - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Communication to other corporate systems that use IP addresses from public address - spaces -id: cfed2f44-16df-4bf3-833a-79405198b277 -level: medium -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml -status: experimental -tags: -- attack.defense_evasion -- attack.t1218 -- attack.execution -- attack.t1559.001 -- attack.t1175 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml deleted file mode 100644 index 98f059c7..00000000 --- a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml +++ /dev/null @@ -1,61 +0,0 @@ - -title: Excel Network Connections -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0" -date: 2021/11/10 -description: Detects an Excel process that opens suspicious network connections to - non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely - have to tune this rule for your organization, but it is certainly something you - should look for and could have applications for malicious activity beyond CVE-2021-42292. -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\excel.exe' - SELECTION_3: - Initiated: 'true' - SELECTION_4: - DestinationIsIpv6: 'false' - SELECTION_5: - DestinationIp: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.0.0.1* - SELECTION_6: - DestinationIsIpv6: 'false' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not - (SELECTION_5 and SELECTION_6)) -falsepositives: -- You may have to tune certain domains out that Excel may call out to, such as microsoft - or other business use case domains. -- Office documents commonly have templates that refer to external addresses, like - sharepoint.ourcompany.com may have to be tuned. -- It is highly recomended to baseline your activity and tune out common business use - cases. -id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 -level: medium -logsource: - category: network_connection - product: windows -references: -- https://corelight.com/blog/detecting-cve-2021-42292 -status: experimental -tags: -- attack.execution -- attack.t1203 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml deleted file mode 100644 index 5576ab1e..00000000 --- a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml +++ /dev/null @@ -1,111 +0,0 @@ - -title: Suspicious Typical Malware Back Connect Ports -author: Florian Roth -date: 2017/03/19 -description: Detects programs that connect to typical malware back connect ports based - on statistical analysis from two different sandbox system databases -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Initiated: 'true' - SELECTION_3: - DestinationPort: - - '4443' - - '2448' - - '8143' - - '1777' - - '1443' - - '243' - - '65535' - - '13506' - - '3360' - - '200' - - '198' - - '49180' - - '13507' - - '6625' - - '4444' - - '4438' - - '1904' - - '13505' - - '13504' - - '12102' - - '9631' - - '5445' - - '2443' - - '777' - - '13394' - - '13145' - - '12103' - - '5552' - - '3939' - - '3675' - - '666' - - '473' - - '5649' - - '4455' - - '4433' - - '1817' - - '100' - - '65520' - - '1960' - - '1515' - - '743' - - '700' - - '14154' - - '14103' - - '14102' - - '12322' - - '10101' - - '7210' - - '4040' - - '9943' - SELECTION_4: - EventID: 3 - SELECTION_5: - Image: '*\Program Files*' - SELECTION_6: - DestinationIp: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.* - SELECTION_7: - DestinationIsIpv6: 'false' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 - and (SELECTION_5 or (SELECTION_6 and SELECTION_7))))) -falsepositives: -- unknown -id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 -level: medium -logsource: - category: network_connection - definition: 'Use the following config to generate the necessary Event ID 10 Process - Access events: VBE7.DLLUNKNOWN' - product: windows -modified: 2020/08/24 -references: -- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -status: experimental -tags: -- attack.command_and_control -- attack.t1571 -- attack.t1043 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml deleted file mode 100644 index 0911c917..00000000 --- a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Notepad Making Network Connection -author: EagleEye Team -date: 2020/05/14 -description: Detects suspicious network connection by Notepad -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\notepad.exe' - SELECTION_3: - DestinationPort: '9100' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- None observed so far -id: e81528db-fc02-45e8-8e98-4e84aba1f10b -level: high -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf -- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ -status: experimental -tags: -- attack.command_and_control -- attack.execution -- attack.defense_evasion -- attack.t1055 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml deleted file mode 100644 index 96429c14..00000000 --- a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml +++ /dev/null @@ -1,63 +0,0 @@ - -title: PowerShell Network Connections -author: Florian Roth -date: 2017/03/13 -description: Detects a Powershell process that opens network connections - check for - suspicious target ports and target systems - adjust to your environment (e.g. extend - filters with company's ip range') -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\powershell.exe' - SELECTION_3: - Initiated: 'true' - SELECTION_4: - DestinationIsIpv6: 'false' - SELECTION_5: - DestinationIp: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.0.0.1* - SELECTION_6: - DestinationIsIpv6: 'false' - SELECTION_7: - User: NT AUTHORITY\SYSTEM - SELECTION_8: - User: '*AUT*' - SELECTION_9: - User: '* NT*' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not - (SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)) -falsepositives: -- Administrative scripts -id: 1f21ec3f-810d-4b0e-8045-322202e22b4b -level: low -logsource: - category: network_connection - product: windows -modified: 2021/06/14 -references: -- https://www.youtube.com/watch?v=DLtJTxMWZ2o -status: experimental -tags: -- attack.execution -- attack.t1059.001 -- attack.t1086 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml deleted file mode 100644 index 38e1f4b9..00000000 --- a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: RDP Over Reverse SSH Tunnel -author: Samir Bousseaden -date: 2019/02/16 -description: Detects svchost hosting RDP termsvcs communicating with the loopback - address and on TCP port 3389 -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\svchost.exe' - SELECTION_3: - Initiated: 'true' - SELECTION_4: - SourcePort: 3389 - SELECTION_5: - DestinationIp: - - 127.* - SELECTION_6: - DestinationIp: - - ::1 - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5 - or SELECTION_6)) -falsepositives: -- unknown -id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 -level: high -logsource: - category: network_connection - product: windows -modified: 2021/05/11 -references: -- https://twitter.com/SBousseaden/status/1096148422984384514 -status: experimental -tags: -- attack.command_and_control -- attack.t1572 -- attack.lateral_movement -- attack.t1021.001 -- attack.t1076 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml deleted file mode 100644 index e3c3567c..00000000 --- a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Regsvr32 Network Activity -author: Dmitriy Lifanov, oscd.community -date: 2019/10/25 -description: Detects network connections and DNS queries initiated by Regsvr32.exe -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\regsvr32.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- ComputerName -- User -- Image -- DestinationIp -- DestinationPort -id: c7e91a02-d771-4a6d-a700-42587e0b1095 -level: high -logsource: - category: network_connection - product: windows -modified: 2021/09/21 -references: -- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ -- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md -status: experimental -tags: -- attack.execution -- attack.t1559.001 -- attack.t1175 -- attack.defense_evasion -- attack.t1218.010 -- attack.t1117 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml deleted file mode 100644 index 79b124ec..00000000 --- a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Remote PowerShell Session -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/09/12 -description: Detects remote PowerShell connections by monitoring network outbound - connections to ports 5985 or 5986 from a non-network service account. -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - DestinationPort: 5985 - SELECTION_3: - DestinationPort: 5986 - SELECTION_4: - User: NT AUTHORITY\NETWORK SERVICE - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. -id: c539afac-c12a-46ed-b1bd-5a5567c9f045 -level: high -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html -status: experimental -tags: -- attack.execution -- attack.t1059.001 -- attack.t1086 -- attack.lateral_movement -- attack.t1021.006 -- attack.t1028 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml deleted file mode 100644 index b3db683e..00000000 --- a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml +++ /dev/null @@ -1,52 +0,0 @@ - -title: Rundll32 Internet Connection -author: Florian Roth -date: 2017/11/04 -description: Detects a rundll32 that communicates with public IP addresses -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*\rundll32.exe' - SELECTION_3: - Initiated: 'true' - SELECTION_4: - DestinationIp: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.* - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Communication to other corporate systems that use IP addresses from public address - spaces -id: cdc8da7d-c303-42f8-b08c-b4ab47230263 -level: medium -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 -status: experimental -tags: -- attack.defense_evasion -- attack.t1218.011 -- attack.t1085 -- attack.execution -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml deleted file mode 100644 index 0a65bd83..00000000 --- a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml +++ /dev/null @@ -1,43 +0,0 @@ - -title: Suspicious Program Location with Network Connections -author: Florian Roth -date: 2017/03/19 -description: Detects programs with network connections running in suspicious files - system locations -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - '*\Users\Contacts\\*' - - '*\Users\Searches\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - SELECTION_3: - Image: - - '*\$Recycle.bin' - SELECTION_4: - Image: - - C:\Perflogs\\* - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4)) -falsepositives: -- unknown -id: 7b434893-c57d-4f41-908d-6a17bf1ae98f -level: high -logsource: - category: network_connection - definition: Use the following config to generate the necessary Event ID 3 Network - Connection events - product: windows -references: -- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -status: experimental -tags: -- attack.command_and_control -- attack.t1105 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_susp_rdp.yml b/rules/sigma/network_connection/sysmon_susp_rdp.yml deleted file mode 100644 index 5113f650..00000000 --- a/rules/sigma/network_connection/sysmon_susp_rdp.yml +++ /dev/null @@ -1,54 +0,0 @@ - -title: Suspicious Outbound RDP Connections -author: Markus Neis - Swisscom -date: 2019/05/15 -description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible - lateral movement -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - DestinationPort: 3389 - SELECTION_3: - Initiated: 'true' - SELECTION_4: - Image: - - '*\mstsc.exe' - - '*\RTSApp.exe' - - '*\RTS2App.exe' - - '*\RDCMan.exe' - - '*\ws_TunnelService.exe' - - '*\RSSensor.exe' - - '*\RemoteDesktopManagerFree.exe' - - '*\RemoteDesktopManager.exe' - - '*\RemoteDesktopManager64.exe' - - '*\mRemoteNG.exe' - - '*\mRemote.exe' - - '*\Terminals.exe' - - '*\spiceworks-finder.exe' - - '*\FSDiscovery.exe' - - '*\FSAssessment.exe' - - '*\MobaRTE.exe' - - '*\chrome.exe' - - '*\System32\dns.exe' - - '*\thor.exe' - - '*\thor64.exe' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Other Remote Desktop RDP tools -- domain controller using dns.exe -id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 -level: high -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.001 -- attack.t1076 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml deleted file mode 100644 index 1ea0e858..00000000 --- a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Suspicious Outbound Kerberos Connection -author: Ilyas Ochkov, oscd.community -date: 2019/10/24 -description: Detects suspicious outbound network activity via kerberos default port - indicating possible lateral movement or first stage PrivEsc via delegation. -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - DestinationPort: 88 - SELECTION_3: - Initiated: 'true' - SELECTION_4: - Image: - - '*\lsass.exe' - - '*\opera.exe' - - '*\chrome.exe' - - '*\firefox.exe' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Other browsers -id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74 -level: high -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://github.com/GhostPack/Rubeus -status: experimental -tags: -- attack.credential_access -- attack.t1558 -- attack.t1208 -- attack.lateral_movement -- attack.t1550.003 -- attack.t1097 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml deleted file mode 100644 index 8c594e4a..00000000 --- a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Microsoft Binary Github Communication -author: Michael Haag (idea), Florian Roth (rule) -date: 2017/08/24 -description: Detects an executable in the Windows folder accessing github.com -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Initiated: 'true' - SELECTION_3: - DestinationHostname: - - '*.github.com' - - '*.githubusercontent.com' - SELECTION_4: - Image: C:\Windows\\* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -- '@subTee in your network' -id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 -level: high -logsource: - category: network_connection - product: windows -modified: 2020/08/24 -references: -- https://twitter.com/M_haggis/status/900741347035889665 -- https://twitter.com/M_haggis/status/1032799638213066752 -- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1 -status: experimental -tags: -- attack.lateral_movement -- attack.t1105 -- attack.exfiltration -- attack.t1567.001 -- attack.t1048 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml deleted file mode 100644 index cd1b5e3e..00000000 --- a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Microsoft Binary Suspicious Communication Endpoint -author: Florian Roth -date: 2018/08/30 -description: Detects an executable in the Windows folder accessing suspicious domains -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Initiated: 'true' - SELECTION_3: - DestinationHostname: - - '*dl.dropboxusercontent.com' - - '*.pastebin.com' - - '*.githubusercontent.com' - SELECTION_4: - Image: C:\Windows\\* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 -level: high -logsource: - category: network_connection - product: windows -references: -- https://twitter.com/M_haggis/status/900741347035889665 -- https://twitter.com/M_haggis/status/1032799638213066752 -status: experimental -tags: -- attack.lateral_movement -- attack.t1105 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml deleted file mode 100644 index ebb03586..00000000 --- a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Wuauclt Network Connection -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/12 -description: Detects the use of the Windows Update Client binary (wuauclt.exe) to - proxy execute code and making a network connections. One could easily make the DLL - spawn a new process and inject to it to proxy the network connection and bypass - this rule. -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Image: '*wuauclt*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate use of wuauclt.exe over the network. -id: c649a6c7-cd8c-4a78-9c04-000fc76df954 -level: medium -logsource: - category: network_connection - product: windows -references: -- https://dtm.uk/wuauclt/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1218 -ruletype: SIGMA diff --git a/rules/sigma/network_connection/win_net_crypto_mining.yml b/rules/sigma/network_connection/win_net_crypto_mining.yml deleted file mode 100644 index 51a5bf04..00000000 --- a/rules/sigma/network_connection/win_net_crypto_mining.yml +++ /dev/null @@ -1,47 +0,0 @@ - -title: Windows Crypto Mining Pool Connections -author: Florian Roth -date: 2021/10/26 -description: Detects process connections to a Monero crypto mining pool -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - DestinationHostname: - - pool.minexmr.com - - fr.minexmr.com - - de.minexmr.com - - sg.minexmr.com - - ca.minexmr.com - - us-west.minexmr.com - - pool.supportxmr.com - - mine.c3pool.com - - xmr-eu1.nanopool.org - - xmr-eu2.nanopool.org - - xmr-us-east1.nanopool.org - - xmr-us-west1.nanopool.org - - xmr-asia1.nanopool.org - - xmr-jp1.nanopool.org - - xmr-au1.nanopool.org - - xmr.2miners.com - - xmr.hashcity.org - - xmr.f2pool.com - - xmrpool.eu - - pool.hashvault.pro - - moneroocean.stream - - monerocean.stream - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate use of crypto miners -id: fa5b1358-b040-4403-9868-15f7d9ab6329 -level: high -logsource: - category: network_connection - product: windows -references: -- https://www.poolwatch.io/coin/monero -status: stable -tags: -- attack.impact -- attack.t1496 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_amsi_trigger.yml b/rules/sigma/other/win_defender_amsi_trigger.yml deleted file mode 100644 index ceb96d3e..00000000 --- a/rules/sigma/other/win_defender_amsi_trigger.yml +++ /dev/null @@ -1,26 +0,0 @@ - -title: Windows Defender AMSI Trigger Detected -author: Bhabesh Raj -date: 2020/09/14 -description: Detects triggering of AMSI by Windows Defender. -detection: - SELECTION_1: - EventID: 1116 - SELECTION_2: - Source_Name: AMSI - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unlikely -id: ea9bf0fa-edec-4fb8-8b78-b119f2528186 -level: high -logsource: - product: windows - service: windefend -modified: 2021/10/13 -references: -- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -status: stable -tags: -- attack.execution -- attack.t1059 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_bypass.yml b/rules/sigma/other/win_defender_bypass.yml deleted file mode 100644 index 934a7dfd..00000000 --- a/rules/sigma/other/win_defender_bypass.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Windows Defender Exclusion Set -author: '@BarryShooshooga' -date: 2019/10/26 -description: Detects scenarios where an windows defender exclusion was added in registry - where an entity would want to bypass antivirus scanning from windows defender -detection: - SELECTION_1: - EventID: 4657 - SELECTION_2: - EventID: 4656 - SELECTION_3: - EventID: 4660 - SELECTION_4: - EventID: 4663 - SELECTION_5: - ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5) -falsepositives: -- Intended inclusions by administrator -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d -level: high -logsource: - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit - Policy, Registry System Access Control (SACL): Auditing/User' - product: windows - service: security -references: -- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_disabled.yml b/rules/sigma/other/win_defender_disabled.yml deleted file mode 100644 index 5f668850..00000000 --- a/rules/sigma/other/win_defender_disabled.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Windows Defender Threat Detection Disabled -author: Ján Trenčanský, frack113 -date: 2020/07/28 -description: Detects disabling Windows Defender threat protection -detection: - SELECTION_1: - EventID: 5001 - SELECTION_2: - EventID: 5010 - SELECTION_3: - EventID: 5012 - SELECTION_4: - EventID: 5101 - condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) -falsepositives: -- Administrator actions -id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 -level: high -logsource: - product: windows - service: windefend -modified: 2021/09/21 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -status: stable -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_exclusions.yml b/rules/sigma/other/win_defender_exclusions.yml deleted file mode 100644 index 392ae2b0..00000000 --- a/rules/sigma/other/win_defender_exclusions.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Windows Defender Exclusions Added -author: Christian Burkard -date: 2021/07/06 -description: Detects the Setting of Windows Defender Exclusions -detection: - SELECTION_1: - EventID: 5007 - SELECTION_2: - New_Value: '*\Microsoft\Windows Defender\Exclusions*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Administrator actions -id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f -level: medium -logsource: - product: windows - service: windefend -modified: 2021/10/13 -references: -- https://twitter.com/_nullbind/status/1204923340810543109 -status: stable -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_history_delete.yml b/rules/sigma/other/win_defender_history_delete.yml deleted file mode 100644 index f91be5ee..00000000 --- a/rules/sigma/other/win_defender_history_delete.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Windows Defender Malware Detection History Deletion -author: Cian Heasley -date: 2020/08/13 -description: Windows Defender logs when the history of detected infections is deleted. - Log file will contain the message "Windows Defender Antivirus has removed history - of malware and other potentially unwanted software". -detection: - SELECTION_1: - EventID: 1013 - SELECTION_2: - EventType: 4 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Deletion of Defender malware detections history for legitimate reasons -fields: -- EventID -- EventType -id: 2afe6582-e149-11ea-87d0-0242ac130003 -level: high -logsource: - product: windows - service: windefend -modified: 2021/05/30 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus -status: experimental -tags: -- attack.defense_evasion -- attack.t1070.001 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_psexec_wmi_asr.yml b/rules/sigma/other/win_defender_psexec_wmi_asr.yml deleted file mode 100644 index 7f411ec9..00000000 --- a/rules/sigma/other/win_defender_psexec_wmi_asr.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: PSExec and WMI Process Creations Block -author: Bhabesh Raj -date: 2020/07/14 -description: Detects blocking of process creations originating from PSExec and WMI - commands -detection: - SELECTION_1: - EventID: 1121 - SELECTION_2: - ProcessName: - - '*\wmiprvse.exe' - - '*\psexesvc.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003 -level: high -logsource: - definition: 'Requirements:Enabled Block process creations originating from PSExec - and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' - product: windows - service: windefend -modified: 2021/11/13 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands -- https://twitter.com/duff22b/status/1280166329660497920 -status: experimental -tags: -- attack.execution -- attack.lateral_movement -- attack.t1047 -- attack.t1035 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_tamper_protection_trigger.yml b/rules/sigma/other/win_defender_tamper_protection_trigger.yml deleted file mode 100644 index ddd5ea17..00000000 --- a/rules/sigma/other/win_defender_tamper_protection_trigger.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Microsoft Defender Tamper Protection Trigger -author: Bhabesh Raj -date: 2021/07/05 -description: Detects block of attempt to disable real time protection of Microsoft - Defender by tamper protection -detection: - SELECTION_1: - EventID: 5013 - SELECTION_2: - Value: - - '*\Windows Defender\DisableAntiSpyware = 0x1()' - - '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)' - condition: ((SELECTION_1) and SELECTION_2) -falsepositives: -- Administrator actions -id: 49e5bc24-8b86-49f1-b743-535f332c2856 -level: critical -logsource: - product: windows - service: windefend -references: -- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection -status: stable -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_threat.yml b/rules/sigma/other/win_defender_threat.yml deleted file mode 100644 index 1ba96d93..00000000 --- a/rules/sigma/other/win_defender_threat.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Windows Defender Threat Detected -author: Ján Trenčanský -date: 2020/07/28 -description: Detects all actions taken by Windows Defender malware detection engines -detection: - SELECTION_1: - EventID: 1006 - SELECTION_2: - EventID: 1116 - SELECTION_3: - EventID: 1015 - SELECTION_4: - EventID: 1117 - condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) -falsepositives: -- unlikely -id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 -level: high -logsource: - product: windows - service: windefend -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus -status: stable -tags: -- attack.execution -- attack.t1059 -ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_cve_2021_42321.yml b/rules/sigma/other/win_exchange_cve_2021_42321.yml deleted file mode 100644 index e17e37cf..00000000 --- a/rules/sigma/other/win_exchange_cve_2021_42321.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: Possible Exploitation of Exchange RCE CVE-2021-42321 -author: Florian Roth, @testanull -date: 2021/11/18 -description: Detects log entries that appear in exploitation attempts against MS Exchange - RCE CVE-2021-42321 -detection: - condition: 'Cmdlet failed. Cmdlet Get-App, ' -falsepositives: -- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues -id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb -level: critical -logsource: - product: windows - service: msexchange-management -references: -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 -status: experimental -tags: -- attack.lateral_movement -- attack.t1210 -ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml b/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml deleted file mode 100644 index 7d698702..00000000 --- a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: ProxyLogon MSExchange OabVirtualDirectory -author: Florian Roth -date: 2021/08/09 -description: Detects specific patterns found after a successful ProxyLogon exploitation - in relation to a Commandlet invocation of Set-OabVirtualDirectory -detection: - SELECTION_1: - - OabVirtualDirectory - SELECTION_2: - - ' -ExternalUrl ' - SELECTION_3: - - eval(request - - http://f/