separate rules to submodule (#304)

* rm: rules * Add: hayabusa-rules to submodule
2021-12-19 20:50:20 +09:00
parent dbba49b815
commit 0bce3800b7
1127 changed files with 4 additions and 42988 deletions
@@ -1,34 +0,0 @@
-
-title: Advanced IP Scanner
-author: '@ROxPinTeddy'
-date: 2020/05/12
-description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
-  ransomware groups.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Legitimate administrative use
-id: fed85bf9-e075-4280-9159-fbe8a023d6fa
-level: medium
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/11
-references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
-related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
-  type: derived
-status: experimental
-tags:
- attack.discovery
- attack.t1046
-ruletype: SIGMA
@@ -1,30 +0,0 @@
-
-title: Unidentified Attacker November 2018
-author: '@41thexplorer, Microsoft Defender ATP'
-date: 2018/11/20
-description: A sigma rule detecting an unidetefied attacker who used phishing emails
-  to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29
-  campaign in 2016.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*ds7002.lnk*'
-  condition: (SELECTION_1 and SELECTION_2)
-id: 3a3f81ca-652c-482b-adeb-b1c804727f74
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/19
-references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
-related:
- id: 7453575c-a747-40b9-839b-125a0aae324b
-  type: derived
-status: stable
-tags:
- attack.execution
- attack.t1218.011
- attack.t1085
-ruletype: SIGMA
@@ -1,41 +0,0 @@
-
-title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
-author: Sittikorn S
-date: 2021/07/16
-description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
-  CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*C:\Windows\system32\physmem.sys*'
-    - '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*'
-    - '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*'
-    - '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*'
-    - '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*'
-    - '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*'
-    - '*C:\Windows\system32\config\config\startwus.dat*'
-    - '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
-    - '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
-    - '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unlikely
-id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/09
-references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
-status: experimental
-tags:
- attack.credential_access
- attack.t1566
- attack.t1203
- cve.2021.33771
- cve.2021.31979
-ruletype: SIGMA
@@ -1,32 +0,0 @@
-
-title: Dumpert Process Dumper
-author: Florian Roth
-date: 2020/02/04
-description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
-  process memory
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Windows\Temp\dumpert.dmp
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Very unlikely
-id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/21
-references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
-related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
-  type: derived
-status: experimental
-tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
-ruletype: SIGMA
@@ -1,31 +0,0 @@
-
-title: CreateMiniDump Hacktool
-author: Florian Roth
-date: 2019/12/22
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
-  memory for credential extraction on the attacker's machine
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\lsass.dmp'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unknown
-id: db2110f3-479d-42a6-94fb-d35bc1e46492
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/19
-references:
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
-related:
- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
-  type: derived
-status: deprecated
-tags:
- attack.credential_access
- attack.t1003.001
- attack.t1003
-ruletype: SIGMA
@@ -1,38 +0,0 @@
-
-title: LSASS Process Memory Dump Files
-author: Florian Roth
-date: 2021/11/15
-description: Detects file names used by different memory dumping tools to create a
-  memory dump of the LSASS process memory, which contains user credentials
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*\lsass.dmp'
-    - '*\lsass.zip'
-    - '*\lsass.rar'
-  SELECTION_3:
-    TargetFilename:
-    - '*\lsass_2*'
-    - '*\lsassdump*'
-    - '*\lsassdmp*'
-  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
- Unknown
-id: a5a2d357-1ab8-4675-a967-ef9990a59391
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://www.google.com/search?q=procdump+lsass
-related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
-  type: obsoletes
-status: experimental
-tags:
- attack.credential_access
- attack.t1003.001
- attack.t1003
-ruletype: SIGMA
@@ -1,36 +0,0 @@
-
-title: Adwind RAT / JRAT
-author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\AppData\Roaming\Oracle\bin\java*'
-  SELECTION_3:
-    TargetFilename: '*.exe*'
-  SELECTION_4:
-    TargetFilename: '*\Retrive*'
-  SELECTION_5:
-    TargetFilename: '*.vbs*'
-  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
-id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/19
-references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
-  type: derived
-status: experimental
-tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- attack.t1064
-ruletype: SIGMA
@@ -1,41 +0,0 @@
-
-title: Suspicious VHD Image Download From Browser
-author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/10/25
-description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate
-  payloads and evade security controls
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image:
-    - '*chrome.exe'
-    - '*firefox.exe'
-    - '*microsoftedge.exe'
-    - '*microsoftedgecp.exe'
-    - '*msedge.exe'
-    - '*iexplorer.exe'
-    - '*brave.exe'
-    - '*opera.exe'
-  SELECTION_3:
-    TargetFilename: '*.vhd*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Legitimate user creation
-id: 8468111a-ef07-4654-903b-b863a80bbc95
-level: medium
-logsource:
-  category: file_event
-  definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename>
-    <!--vhd files for ZLoader and lazarus malware vectors -->"
-  product: windows
-modified: 2021/10/29
-references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
-status: test
-tags:
- attack.resource_development
- attack.t1587.001
-ruletype: SIGMA
@@ -1,26 +0,0 @@
-
-title: Mimikatz Kirbi File Creation
-author: Florian Roth
-date: 2021/11/08
-description: Detects the creation of files that contain Kerberos tickets based on
-  an extension used by the popular tool Mimikatz
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*.kirbi'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unlikely
-id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
-level: critical
-logsource:
-  category: file_event
-  product: windows
-references:
- https://cobalt.io/blog/kerberoast-attack-techniques
-status: test
-tags:
- attack.credential_access
- attack.t1558
-ruletype: SIGMA
@@ -1,31 +0,0 @@
-
-title: Moriya Rootkit
-author: Bhabesh Raj
-date: 2021/05/06
-description: Detects the use of Moriya rootkit as described in the securelist's Operation
-  TunnelSnake report
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- None
-id: a1507d71-0b60-44f6-b17c-bf53220fdd88
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/21
-references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
-related:
- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
-  type: derived
-status: experimental
-tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
-ruletype: SIGMA
@@ -1,30 +0,0 @@
-
-title: Pingback Backdoor
-author: Bhabesh Raj
-date: 2021/05/05
-description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
-  as described in the trustwave report
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: '*updata.exe'
-  SELECTION_3:
-    TargetFilename: C:\Windows\oci.dll
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Very unlikely
-id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/09
-references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
-status: experimental
-tags:
- attack.persistence
- attack.t1574.001
-ruletype: SIGMA
@@ -1,47 +0,0 @@
-
-title: Created Files by Office Applications
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-description: This rule will monitor executable and script file creation by office
-  applications. Please add more file extensions or magic bytes to the logic of your
-  choice.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image:
-    - '*winword.exe'
-    - '*excel.exe'
-    - '*powerpnt.exe'
-  SELECTION_3:
-    TargetFilename:
-    - '*.exe'
-    - '*.dll'
-    - '*.ocx'
-    - '*.com'
-    - '*.ps1'
-    - '*.vbs'
-    - '*.sys'
-    - '*.bat'
-    - '*.scr'
-    - '*.proj'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/11/10
-references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-status: experimental
-tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
-ruletype: SIGMA
@@ -1,31 +0,0 @@
-
-title: Suspicious Scheduled Task Writ to System32 Tasks
-author: Florian Roth
-date: 2021/11/16
-description:
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\Windows\System32\Tasks*'
-  SELECTION_3:
-    Image:
-    - '*\AppData\\*'
-    - '*C:\PerfLogs*'
-    - '*\Windows\System32\config\systemprofile*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 80e1f67a-4596-4351-98f5-a9c3efabac95
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
-status: experimental
-tags:
- attack.persistence
- attack.execution
- attack.t1053
-ruletype: SIGMA
@@ -1,41 +0,0 @@
-
-title: PsExec Tool Execution
-author: Thomas Patzke
-date: 2017/06/12
-description: Detects PsExec service installation and execution events (service and
-  Sysmon)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\PSEXESVC.exe'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- unknown
-fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
-id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
-level: low
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/21
-references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
-related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
-  type: derived
-status: experimental
-tags:
- attack.execution
- attack.t1035
- attack.t1569.002
- attack.s0029
-ruletype: SIGMA
@@ -1,31 +0,0 @@
-
-title: UAC Bypass Abusing Winsat Path Parsing - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
-  (UACMe 52)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Users\\*
-  SELECTION_3:
-    TargetFilename:
-    - '*\AppData\Local\Temp\system32\winsat.exe'
-    - '*\AppData\Local\Temp\system32\winmm.dll'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,33 +0,0 @@
-
-title: UAC Bypass Using Windows Media Player - File
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
-  (UACMe 32)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Users\\*
-  SELECTION_3:
-    TargetFilename: '*\AppData\Local\Temp\OskSupport.dll'
-  SELECTION_4:
-    Image: C:\Windows\system32\DllHost.exe
-  SELECTION_5:
-    TargetFilename: C:\Program Files\Windows Media Player\osk.exe
-  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
-falsepositives:
- Unknown
-id: 68578b43-65df-4f81-9a9b-92f32711a951
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,50 +0,0 @@
-
-title: Windows Shell File Write to Suspicious Folder
-author: Florian Roth
-date: 2021/11/20
-description: Detects a Windows executable that writes files to suspicious folders
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image:
-    - '*\cmd.exe'
-    - '*\powershell.exe'
-    - '*\wscript.exe'
-    - '*\cscript.exe'
-    - '*\sh.exe'
-    - '*\bash.exe'
-    - '*\msbuild.exe'
-  SELECTION_3:
-    TargetFilename:
-    - '*C:\Users\Public*'
-    - '*C:\PerfLogs*'
-  SELECTION_4:
-    Image:
-    - '*\schtasks.exe'
-    - '*\wmic.exe'
-    - '*\mshta.exe'
-    - '*\rundll32.exe'
-    - '*\forfiles.exe'
-    - '*\scriptrunner.exe'
-  SELECTION_5:
-    TargetFilename:
-    - '*C:\Users\Public*'
-    - '*C:\PerfLogs*'
-    - '*\AppData\\*'
-    - '*C:\Windows\Temp*'
-  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
-falsepositives:
- Unknown
-fields:
- CommandLine
- ParentCommandLine
-id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- No references
-status: experimental
-ruletype: SIGMA
@@ -1,36 +0,0 @@
-
-title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
-author: Julia Fomina, oscd.community
-date: 2020/10/06
-description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
-  winrm.vbs and copied cscript.exe (can be renamed)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*WsmPty.xsl'
-    - '*WsmTxt.xsl'
-  SELECTION_3:
-    TargetFilename:
-    - C:\Windows\System32\\*
-    - C:\Windows\SysWOW64\\*
-  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
-falsepositives:
- Unlikely
-id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
-level: medium
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/19
-references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
-related:
- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
-  type: derived
-status: experimental
-tags:
- attack.defense_evasion
- attack.t1216
-ruletype: SIGMA
@@ -1,31 +0,0 @@
-
-title: Wmiprvse Wbemcomn DLL Hijack
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
-  directory over the network and loading it for a WMI DLL Hijack scenario.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: System
-  SELECTION_3:
-    TargetFilename: '*\wbem\wbemcomn.dll'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/09
-references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
-status: experimental
-tags:
- attack.execution
- attack.t1047
- attack.lateral_movement
- attack.t1021.002
-ruletype: SIGMA
@@ -1,68 +0,0 @@
-
-title: File Created with System Process Name
-author: Sander Wiebing
-date: 2020/05/26
-description: Detects the creation of an executable with a system process name in a
-  suspicious folder
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*\svchost.exe'
-    - '*\rundll32.exe'
-    - '*\services.exe'
-    - '*\powershell.exe'
-    - '*\regsvr32.exe'
-    - '*\spoolsv.exe'
-    - '*\lsass.exe'
-    - '*\smss.exe'
-    - '*\csrss.exe'
-    - '*\conhost.exe'
-    - '*\wininit.exe'
-    - '*\lsm.exe'
-    - '*\winlogon.exe'
-    - '*\explorer.exe'
-    - '*\taskhost.exe'
-    - '*\Taskmgr.exe'
-    - '*\taskmgr.exe'
-    - '*\sihost.exe'
-    - '*\RuntimeBroker.exe'
-    - '*\runtimebroker.exe'
-    - '*\smartscreen.exe'
-    - '*\dllhost.exe'
-    - '*\audiodg.exe'
-    - '*\wlanext.exe'
-  SELECTION_3:
-    TargetFilename:
-    - C:\Windows\System32\\*
-    - C:\Windows\system32\\*
-    - C:\Windows\SysWow64\\*
-    - C:\Windows\SysWOW64\\*
-    - C:\Windows\winsxs\\*
-    - C:\Windows\WinSxS\\*
-    - \SystemRoot\System32\\*
-  SELECTION_4:
-    Image: '*\Windows\System32\dism.exe'
-  SELECTION_5:
-    TargetFilename: C:\$WINDOWS.~BT\\*
-  SELECTION_6:
-    Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe
-  condition: (SELECTION_1 and (SELECTION_2 and  not (SELECTION_3 and SELECTION_4))
-    and  not (SELECTION_5 and SELECTION_6))
-falsepositives:
- System processes copied outside the default folder
-fields:
- Image
-id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/10/28
-status: test
-tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036.005
-ruletype: SIGMA
@@ -1,58 +0,0 @@
-
-title: Cred Dump Tools Dropped Files
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-description: Files with well-known filenames (parts of credential dump software or
-  files produced by them) creation
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*\pwdump*'
-    - '*\kirbi*'
-    - '*\pwhashes*'
-    - '*\wce_ccache*'
-    - '*\wce_krbtkts*'
-    - '*\fgdump-log*'
-  SELECTION_3:
-    TargetFilename:
-    - '*\test.pwd'
-    - '*\lsremora64.dll'
-    - '*\lsremora.dll'
-    - '*\fgexec.exe'
-    - '*\wceaux.dll'
-    - '*\SAM.out'
-    - '*\SECURITY.out'
-    - '*\SYSTEM.out'
-    - '*\NTDS.out'
-    - '*\DumpExt.dll'
-    - '*\DumpSvc.exe'
-    - '*\cachedump64.exe'
-    - '*\cachedump.exe'
-    - '*\pstgdump.exe'
-    - '*\servpw.exe'
-    - '*\servpw64.exe'
-    - '*\pwdump.exe'
-    - '*\procdump64.exe'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Legitimate Administrator using tool for password recovery
-id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
- attack.t1003.004
- attack.t1003.005
-ruletype: SIGMA
@@ -1,39 +0,0 @@
-
-title: CVE-2021-26858 Exchange Exploitation
-author: Bhabesh Raj
-date: 2021/03/03
-description: Detects possible successful exploitation for vulnerability described
-  in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange
-  Server’s Unified Messaging service | which could indicate dropping web shells or
-  other malicious content
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: '*UMWorkerProcess.exe'
-  SELECTION_3:
-    TargetFilename:
-    - '*CacheCleanup.bin'
-    - '*.txt'
-    - '*.LOG'
-    - '*.cfg'
-    - '*cleanup.bin'
-  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
-falsepositives:
- Unknown
-fields:
- ComputerName
- TargetFilename
-id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
-level: critical
-logsource:
-  category: file_event
-  product: windows
-references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-status: experimental
-tags:
- attack.t1203
- attack.execution
- cve.2021.26858
-ruletype: SIGMA
@@ -1,33 +0,0 @@
-
-title: Powerup Write Hijack DLL
-author: Subhash Popuri (@pbssubhash)
-date: 2021/08/21
-description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege
-  escalation. In it's default mode, it builds a self deleting .bat file which executes
-  malicious command. The detection rule relies on creation of the malicious bat file
-  (debug.bat by default).
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: '*\powershell.exe'
-  SELECTION_3:
-    TargetFilename: '*.bat'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Pentest
- Any powershell script that creates bat files
-id: 602a1f13-c640-4d73-b053-be9a2fa58b96
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
-status: experimental
-tags:
- attack.persistence
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1574.001
-ruletype: SIGMA
@@ -1,27 +0,0 @@
-
-title: Detection of SafetyKatz
-author: Markus Neis
-date: 2018/07/24
-description: Detects possible SafetyKatz Behaviour
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\Temp\debug.bin'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unknown
-id: e074832a-eada-4fd7-94a1-10642b130e16
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- https://github.com/GhostPack/SafetyKatz
-status: experimental
-tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
-ruletype: SIGMA
@@ -1,35 +0,0 @@
-
-title: LSASS Memory Dump File Creation
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-description: LSASS memory dump creation using operating systems utilities. Procdump
-  will use process name in output file if no name is specified
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*lsass*'
-  SELECTION_3:
-    TargetFilename: '*dmp'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident
-  responder or forensic invetigator
- Dumps of another process that contains lsass in its process name (substring)
-fields:
- ComputerName
- TargetFilename
-id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/08/16
-references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
-ruletype: SIGMA
@@ -1,41 +0,0 @@
-
-title: Microsoft Office Add-In Loading
-author: NVISO
-date: 2020/05/11
-description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll
-  are simply .dll fit for Word or Excel).
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\Microsoft\Word\Startup\\*'
-  SELECTION_3:
-    TargetFilename: '*.wll'
-  SELECTION_4:
-    TargetFilename: '*\Microsoft\Excel\Startup\\*'
-  SELECTION_5:
-    TargetFilename: '*.xll'
-  SELECTION_6:
-    TargetFilename: '*\Microsoft\Addins\\*'
-  SELECTION_7:
-    TargetFilename:
-    - '*.xlam'
-    - '*.xla'
-  condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
-    SELECTION_5)) or (SELECTION_6 and SELECTION_7)))
-falsepositives:
- Legitimate add-ins
-id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- Internal Research
-status: experimental
-tags:
- attack.persistence
- attack.t1137
- attack.t1137.006
-ruletype: SIGMA
@@ -1,30 +0,0 @@
-
-title: Outlook Form Installation
-author: Tobias Michalski
-date: 2021/06/10
-description: Detects the creation of new Outlook form which can contain malicious
-  code
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: \outlook.exe
-  SELECTION_3:
-    TargetFilename: '*\appdata\local\microsoft\FORMS\\*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- unknown
-fields:
- TargetFilename
-id: c3edc6a5-d9d4-48d8-930e-aab518390917
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-status: experimental
-tags:
- attack.persistence
- attack.t1137.003
-ruletype: SIGMA
@@ -1,27 +0,0 @@
-
-title: PCRE.NET Package Temp Files
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-description: Detects processes creating temp files related to PCRE.NET package
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unknown
-id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/08/14
-references:
- https://twitter.com/rbmaslen/status/1321859647091970051
- https://twitter.com/tifkin_/status/1321916444557365248
-status: experimental
-tags:
- attack.execution
- attack.t1059
-ruletype: SIGMA
@@ -1,121 +0,0 @@
-
-title: Malicious PowerShell Commandlet Names
-author: Markus Neis
-date: 2018/04/07
-description: Detects the creation of known powershell scripts for exploitation
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*\Invoke-DllInjection.ps1'
-    - '*\Invoke-WmiCommand.ps1'
-    - '*\Get-GPPPassword.ps1'
-    - '*\Get-Keystrokes.ps1'
-    - '*\Get-VaultCredential.ps1'
-    - '*\Invoke-CredentialInjection.ps1'
-    - '*\Invoke-Mimikatz.ps1'
-    - '*\Invoke-NinjaCopy.ps1'
-    - '*\Invoke-TokenManipulation.ps1'
-    - '*\Out-Minidump.ps1'
-    - '*\VolumeShadowCopyTools.ps1'
-    - '*\Invoke-ReflectivePEInjection.ps1'
-    - '*\Get-TimedScreenshot.ps1'
-    - '*\Invoke-UserHunter.ps1'
-    - '*\Find-GPOLocation.ps1'
-    - '*\Invoke-ACLScanner.ps1'
-    - '*\Invoke-DowngradeAccount.ps1'
-    - '*\Get-ServiceUnquoted.ps1'
-    - '*\Get-ServiceFilePermission.ps1'
-    - '*\Get-ServicePermission.ps1'
-    - '*\Invoke-ServiceAbuse.ps1'
-    - '*\Install-ServiceBinary.ps1'
-    - '*\Get-RegAutoLogon.ps1'
-    - '*\Get-VulnAutoRun.ps1'
-    - '*\Get-VulnSchTask.ps1'
-    - '*\Get-UnattendedInstallFile.ps1'
-    - '*\Get-WebConfig.ps1'
-    - '*\Get-ApplicationHost.ps1'
-    - '*\Get-RegAlwaysInstallElevated.ps1'
-    - '*\Get-Unconstrained.ps1'
-    - '*\Add-RegBackdoor.ps1'
-    - '*\Add-ScrnSaveBackdoor.ps1'
-    - '*\Gupt-Backdoor.ps1'
-    - '*\Invoke-ADSBackdoor.ps1'
-    - '*\Enabled-DuplicateToken.ps1'
-    - '*\Invoke-PsUaCme.ps1'
-    - '*\Remove-Update.ps1'
-    - '*\Check-VM.ps1'
-    - '*\Get-LSASecret.ps1'
-    - '*\Get-PassHashes.ps1'
-    - '*\Show-TargetScreen.ps1'
-    - '*\Port-Scan.ps1'
-    - '*\Invoke-PoshRatHttp.ps1'
-    - '*\Invoke-PowerShellTCP.ps1'
-    - '*\Invoke-PowerShellWMI.ps1'
-    - '*\Add-Exfiltration.ps1'
-    - '*\Add-Persistence.ps1'
-    - '*\Do-Exfiltration.ps1'
-    - '*\Start-CaptureServer.ps1'
-    - '*\Invoke-ShellCode.ps1'
-    - '*\Get-ChromeDump.ps1'
-    - '*\Get-ClipboardContents.ps1'
-    - '*\Get-FoxDump.ps1'
-    - '*\Get-IndexedItem.ps1'
-    - '*\Get-Screenshot.ps1'
-    - '*\Invoke-Inveigh.ps1'
-    - '*\Invoke-NetRipper.ps1'
-    - '*\Invoke-EgressCheck.ps1'
-    - '*\Invoke-PostExfil.ps1'
-    - '*\Invoke-PSInject.ps1'
-    - '*\Invoke-RunAs.ps1'
-    - '*\MailRaider.ps1'
-    - '*\New-HoneyHash.ps1'
-    - '*\Set-MacAttribute.ps1'
-    - '*\Invoke-DCSync.ps1'
-    - '*\Invoke-PowerDump.ps1'
-    - '*\Exploit-Jboss.ps1'
-    - '*\Invoke-ThunderStruck.ps1'
-    - '*\Invoke-VoiceTroll.ps1'
-    - '*\Set-Wallpaper.ps1'
-    - '*\Invoke-InveighRelay.ps1'
-    - '*\Invoke-PsExec.ps1'
-    - '*\Invoke-SSHCommand.ps1'
-    - '*\Get-SecurityPackages.ps1'
-    - '*\Install-SSP.ps1'
-    - '*\Invoke-BackdoorLNK.ps1'
-    - '*\PowerBreach.ps1'
-    - '*\Get-SiteListPassword.ps1'
-    - '*\Get-System.ps1'
-    - '*\Invoke-BypassUAC.ps1'
-    - '*\Invoke-Tater.ps1'
-    - '*\Invoke-WScriptBypassUAC.ps1'
-    - '*\PowerUp.ps1'
-    - '*\PowerView.ps1'
-    - '*\Get-RickAstley.ps1'
-    - '*\Find-Fruit.ps1'
-    - '*\HTTP-Login.ps1'
-    - '*\Find-TrustedDocuments.ps1'
-    - '*\Invoke-Paranoia.ps1'
-    - '*\Invoke-WinEnum.ps1'
-    - '*\Invoke-ARPScan.ps1'
-    - '*\Invoke-PortScan.ps1'
-    - '*\Invoke-ReverseDNSLookup.ps1'
-    - '*\Invoke-SMBScanner.ps1'
-    - '*\Invoke-Mimikittenz.ps1'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Penetration Tests
-id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
-status: experimental
-tags:
- attack.execution
- attack.t1086
- attack.t1059.001
-ruletype: SIGMA
@@ -1,38 +0,0 @@
-
-title: PowerShell Writing Startup Shortcuts
-author: Christopher Peacock '@securepeacock', SCYTHE
-date: 2021/10/24
-description: Attempts to detect PowerShell writing startup shortcuts. This procedure
-  was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries
-  using PowerShell to write malicious .lnk files into the startup directory to establish
-  persistence. Accordingly, this detection opportunity is likely to identify persistence
-  mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence
-  mechanism eventually launches the command-line script that leads to the installation
-  of a malicious DLL"
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: '*\powershell.exe'
-  SELECTION_3:
-    TargetFilename: '*\start menu\programs\startup\\*'
-  SELECTION_4:
-    TargetFilename: '*.lnk'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
- Unknown
- Depending on your environment accepted applications may leverage this at times.
-  It is recomended to search for anomolies inidicative of malware.
-id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
-status: experimental
-tags:
- attack.registry_run_keys_/_startup_folder
- attack.t1547.001
-ruletype: SIGMA
@@ -1,29 +0,0 @@
-
-title: QuarksPwDump Dump File
-author: Florian Roth
-date: 2018/02/10
-description: Detects a dump file written by QuarksPwDump password dumper
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\AppData\Local\Temp\SAM-*'
-  SELECTION_3:
-    TargetFilename: '*.dmp*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 847def9e-924d-4e90-b7c4-5f581395a2b4
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
-status: experimental
-tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
-ruletype: SIGMA
@@ -1,28 +0,0 @@
-
-title: RedMimicry Winnti Playbook Dropped File
-author: Alexander Rausch
-date: 2020/06/24
-description: Detects actions caused by the RedMimicry Winnti playbook
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*gthread-3.6.dll*'
-    - '*sigcmm-2.4.dll*'
-    - '*\Windows\Temp\tmp.bat*'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unknown
-id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://redmimicry.com
-status: experimental
-tags:
- attack.defense_evasion
- attack.t1027
-ruletype: SIGMA
@@ -1,27 +0,0 @@
-
-title: Startup Folder File Write
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for files being created in the Windows startup directory.
-  This could be an indicator of persistence.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- unknown
-id: 2aa0a6b4-a865-495b-ab51-c28249537b75
-level: low
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/12
- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
-status: experimental
-tags:
- attack.persistence
- attack.t1547.001
-ruletype: SIGMA
@@ -1,40 +0,0 @@
-
-title: Suspicious ADSI-Cache Usage By Unknown Tool
-author: xknow @xknow_infosec
-date: 2019/03/24
-description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect
-  tools like LDAPFragger.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*'
-  SELECTION_3:
-    TargetFilename: '*.sch'
-  SELECTION_4:
-    Image:
-    - C:\windows\system32\svchost.exe
-    - C:\windows\system32\dllhost.exe
-    - C:\windows\system32\mmc.exe
-    - C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-    - C:\Windows\CCM\CcmExec.exe
-  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
-falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity
-  by MMC, Powershell, Windows etc.
-id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
-status: experimental
-tags:
- attack.t1071
- attack.t1001.003
- attack.command_and_control
-ruletype: SIGMA
@@ -1,45 +0,0 @@
-
-title: Suspcious CLR Logs Creation
-author: omkar72, oscd.community, Wojciech Lesicki
-date: 2020/10/12
-description: Detects suspicious .NET assembly executions. Could detect using Cobalt
-  Strike's command execute-assembly.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\AppData\Local\Microsoft\CLR*'
-  SELECTION_3:
-    TargetFilename: '*\UsageLogs\\*'
-  SELECTION_4:
-    TargetFilename:
-    - '*mshta*'
-    - '*cscript*'
-    - '*wscript*'
-    - '*regsvr32*'
-    - '*wmic*'
-    - '*rundll32*'
-    - '*svchost*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
- https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc
-  in command line and msiexec.exe as parent process
-id: e4b63079-6198-405c-abd7-3fe8b0ce3263
-level: high
-logsource:
-  category: file_event
-  definition: Check your sysmon configuration for monitoring UsageLogs folder. In
-    SwiftOnSecurity configuration we have that thanks @SBousseaden
-  product: windows
-modified: 2021/11/17
-references:
- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
- https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml
-status: experimental
-tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.001
- attack.t1218
-ruletype: SIGMA
@@ -1,34 +0,0 @@
-
-title: Suspicious desktop.ini Action
-author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/19
-description: Detects unusual processes accessing desktop.ini, which can be leveraged
-  to alter how Explorer displays a folder's content (i.e. renaming files) without
-  changing them on disk.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\desktop.ini'
-  SELECTION_3:
-    Image:
-    - C:\Windows\explorer.exe
-    - C:\Windows\System32\msiexec.exe
-    - C:\Windows\System32\mmc.exe
-  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
-falsepositives:
- Operations performed through Windows SCCM or equivalent
-id: 81315b50-6b60-4d8f-9928-3466e1022515
-level: medium
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
-status: experimental
-tags:
- attack.persistence
- attack.t1023
- attack.t1547.009
-ruletype: SIGMA
@@ -1,27 +0,0 @@
-
-title: Suspicious PFX File Creation
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A general detection for processes creating PFX files. This could be an
-  indicator of an adversary exporting a local certificate to a PFX file.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*.pfx'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- System administrators managing certififcates.
-id: dca1b3e8-e043-4ec8-85d7-867f334b5724
-level: medium
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/14
- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
-status: experimental
-tags:
- attack.credential_access
- attack.t1552.004
-ruletype: SIGMA
@@ -1,39 +0,0 @@
-
-title: Suspicious PROCEXP152.sys File Created In TMP
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-description: Detects the creation of the PROCEXP152.sys file in the application-data
-  local temporary folder. This driver is used by Sysinternals Process Explorer but
-  also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),
-  which uses KDU.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\AppData\Local\Temp\\*'
-  SELECTION_3:
-    TargetFilename: '*PROCEXP152.sys'
-  SELECTION_4:
-    Image:
-    - '*\procexp64.exe*'
-    - '*\procexp.exe*'
-    - '*\procmon64.exe*'
-    - '*\procmon.exe*'
-  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
-falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note -
-  Clever attackers may easily bypass this detection by just renaming the driver filename.
-  Therefore just Medium-level and don't rely on it.
-id: 3da70954-0f2c-4103-adff-b7440368f50e
-level: medium
-logsource:
-  category: file_event
-  product: windows
-references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-status: experimental
-tags:
- attack.t1089
- attack.t1562.001
- attack.defense_evasion
-ruletype: SIGMA
@@ -1,31 +0,0 @@
-
-title: Powershell Profile.ps1 Modification
-author: HieuTT35
-date: 2019/10/24
-description: Detects a change in profile.ps1 of the Powershell profile
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\profile.ps1*'
-  SELECTION_3:
-    TargetFilename: '*\My Documents\PowerShell\\*'
-  SELECTION_4:
-    TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*'
-  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
- System administrator create Powershell profile manually
-id: b5b78988-486d-4a80-b991-930eff3ff8bf
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/24
-references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
-status: experimental
-tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.013
-ruletype: SIGMA
@@ -1,26 +0,0 @@
-
-title: Hijack Legit RDP Session to Move Laterally
-author: Samir Bousseaden
-date: 2019/02/21
-description: Detects the usage of tsclient share to place a backdoor on the RDP source
-  machine's startup folder
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: '*\mstsc.exe'
-  SELECTION_3:
-    TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- unknown
-id: 52753ea4-b3a0-4365-910d-36cff487b789
-level: high
-logsource:
-  category: file_event
-  product: windows
-status: experimental
-tags:
- attack.command_and_control
- attack.t1219
-ruletype: SIGMA
@@ -1,29 +0,0 @@
-
-title: UAC Bypass Using Consent and Comctl32 - File
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
-  (UACMe 22)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Windows\System32\consent.exe.@*
-  SELECTION_3:
-    TargetFilename: '*\comctl32.dll'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,29 +0,0 @@
-
-title: UAC Bypass Using .NET Code Profiler on MMC
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe
-  DLL hijacking (UACMe 39)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Users\\*
-  SELECTION_3:
-    TargetFilename: '*\AppData\Local\Temp\pe386.dll'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 93a19907-d4f9-4deb-9f91-aac4692776a6
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,32 +0,0 @@
-
-title: UAC Bypass Using IEInstal - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: C:\Program Files\Internet Explorer\IEInstal.exe
-  SELECTION_3:
-    TargetFilename: C:\Users\\*
-  SELECTION_4:
-    TargetFilename: '*\AppData\Local\Temp\\*'
-  SELECTION_5:
-    TargetFilename: '*consent.exe'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
- Unknown
-id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,28 +0,0 @@
-
-title: UAC Bypass Using MSConfig Token Modification - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Users\\*
-  SELECTION_3:
-    TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 41bb431f-56d8-4691-bb56-ed34e390906f
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,29 +0,0 @@
-
-title: UAC Bypass Using NTFS Reparse Point - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
-  DLL hijacking (UACMe 36)
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: C:\Users\\*
-  SELECTION_3:
-    TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Unknown
-id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
-ruletype: SIGMA
@@ -1,60 +0,0 @@
-
-title: Windows Webshell Creation
-author: Beyu Denis, oscd.community
-date: 2019/10/22
-description: Possible webshell file creation on a static web site
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_10:
-    TargetFilename: '*.pl*'
-  SELECTION_11:
-    TargetFilename:
-    - '*\AppData\Local\Temp\\*'
-    - '*\Windows\Temp\\*'
-  SELECTION_2:
-    TargetFilename: '*\inetpub\wwwroot\\*'
-  SELECTION_3:
-    TargetFilename:
-    - '*.asp*'
-    - '*.ashx*'
-    - '*.ph*'
-  SELECTION_4:
-    TargetFilename:
-    - '*\AppData\Local\Temp\\*'
-    - '*\Windows\Temp\\*'
-  SELECTION_5:
-    TargetFilename:
-    - '*\www\\*'
-    - '*\htdocs\\*'
-    - '*\html\\*'
-  SELECTION_6:
-    TargetFilename: '*.ph*'
-  SELECTION_7:
-    TargetFilename:
-    - '*\AppData\Local\Temp\\*'
-    - '*\Windows\Temp\\*'
-  SELECTION_8:
-    TargetFilename: '*.jsp'
-  SELECTION_9:
-    TargetFilename: '*\cgi-bin\\*'
-  condition: (SELECTION_1 and ((((SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
-    or ((SELECTION_5 and SELECTION_6) and  not (SELECTION_7))) or ((SELECTION_8 or
-    (SELECTION_9 and SELECTION_10)) and  not (SELECTION_11))))
-falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a
-  web application folder
-id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- PT ESC rule and personal experience
-status: experimental
-tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
-ruletype: SIGMA
@@ -1,27 +0,0 @@
-
-title: WMI Persistence - Script Event Consumer File Write
-author: Thomas Patzke
-date: 2018/03/07
-description: Detects file writes of WMI script event consumer
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: C:\WINDOWS\system32\wbem\scrcons.exe
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
-id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2020/08/23
-references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-status: experimental
-tags:
- attack.t1084
- attack.t1546.003
- attack.persistence
-ruletype: SIGMA
@@ -1,37 +0,0 @@
-
-title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
-author: Florian Roth
-date: 2021/06/29
-description: Detects the default filename used in PoC code against print spooler vulnerability
-  CVE-2021-1675
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*'
-    - '*C:\Windows\System32\spool\drivers\x64\3\New\\*'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- Unknown
-fields:
- ComputerName
- TargetFilename
-id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/07/01
-references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
-status: experimental
-tags:
- attack.execution
- attack.privilege_escalation
- attack.resource_development
- attack.t1587
- cve.2021.1675
-ruletype: SIGMA
@@ -1,39 +0,0 @@
-
-title: Suspicious Word Cab File Write CVE-2021-40444
-author: Florian Roth, Sittikorn S
-date: 2021/09/10
-description: Detects file creation patterns noticeable during the exploitation of
-  CVE-2021-40444
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: \winword.exe
-  SELECTION_3:
-    TargetFilename: '*.cab'
-  SELECTION_4:
-    TargetFilename: '*\Windows\INetCache*'
-  SELECTION_5:
-    TargetFilename: '*\AppData\Local\Temp\\*'
-  SELECTION_6:
-    TargetFilename: '*.inf*'
-  condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
-    and SELECTION_6)))
-falsepositives:
- unknown
-fields:
- TargetFilename
-id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-level: critical
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/09/13
-references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
-status: experimental
-tags:
- attack.resource_development
- attack.t1587
-ruletype: SIGMA
@@ -1,40 +0,0 @@
-
-title: Typical HiveNightmare SAM File Export
-author: Florian Roth
-date: 2021/07/23
-description: Detects files written by the different tools that exploit HiveNightmare
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename:
-    - '*\hive_sam_*'
-    - '*\SAM-2021-*'
-    - '*\SAM-2022-*'
-    - '*\SAM-haxx*'
-    - '*\Sam.save*'
-  SELECTION_3:
-    TargetFilename:
-    - C:\windows\temp\sam
-  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
- Files that accidentally contain these strings
-fields:
- CommandLine
- ParentCommandLine
-id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://github.com/GossiTheDog/HiveNightmare
- https://github.com/FireFart/hivenightmare/
- https://github.com/WiredPulse/Invoke-HiveNightmare
- https://twitter.com/cube0x0/status/1418920190759378944
-status: experimental
-tags:
- attack.credential_access
- attack.t1552.001
- cve.2021.36934
-ruletype: SIGMA
@@ -1,30 +0,0 @@
-
-title: Outlook C2 Macro Creation
-author: '@ScoubiMtl'
-date: 2021/04/05
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key.
-  VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both
-  events Registry & File Creation happens at the same time.
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*\Microsoft\Outlook\VbaProject.OTM'
-  condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
- User genuinly creates a VB Macro for their email
-id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
-level: medium
-logsource:
-  category: file_event
-  product: windows
-references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
-status: experimental
-tags:
- attack.persistence
- attack.command_and_control
- attack.t1137
- attack.t1008
- attack.t1546
-ruletype: SIGMA
@@ -1,28 +0,0 @@
-
-title: Rclone Config File Creation
-author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-description: Detects Rclone config file being created
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    TargetFilename: '*:\Users\\*'
-  SELECTION_3:
-    TargetFilename: '*\.config\rclone\\*'
-  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
- Legitimate Rclone usage (rare)
-id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
-level: high
-logsource:
-  category: file_event
-  product: windows
-modified: 2021/10/04
-references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
-status: experimental
-tags:
- attack.exfiltration
- attack.t1567.002
-ruletype: SIGMA
@@ -1,41 +0,0 @@
-
-title: Suspicious Desktopimgdownldr Target File
-author: Florian Roth
-date: 2020/07/03
-description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores
-  a file to a suspicious location or contains a file with a suspicious extension
-detection:
-  SELECTION_1:
-    EventID: 11
-  SELECTION_2:
-    Image: '*svchost.exe'
-  SELECTION_3:
-    TargetFilename: '*\Personalization\LockScreenImage\\*'
-  SELECTION_4:
-    TargetFilename: '*C:\Windows\\*'
-  SELECTION_5:
-    TargetFilename:
-    - '*.jpg*'
-    - '*.jpeg*'
-    - '*.png*'
-  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
-    and  not (SELECTION_5))
-falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
-  environment
-fields:
- CommandLine
- ParentCommandLine
-id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
-level: high
-logsource:
-  category: file_event
-  product: windows
-references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
-status: experimental
-tags:
- attack.defense_evasion
- attack.t1105
-ruletype: SIGMA