CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

separate rules to submodule (#304)

Browse Source 
* rm: rules

* Add: hayabusa-rules to submodule
This commit is contained in:
itiB
2021-12-19 20:50:20 +09:00
committed by GitHub
parent dbba49b815
commit 0bce3800b7
1127 changed files with 4 additions and 42988 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
View File

@@ -1,34 +0,0 @@
title: Alternate PowerShell Hosts
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
HostApplication: '*'
SELECTION_2:
HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: d7326048-328b-4d5e-98af-86e84b17c765
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
related:
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

33
rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml
View File

@@ -1,33 +0,0 @@
title: Netcat The Powershell Version
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
HostApplication:
- '*powercat *'
- '*powercat.ps1*'
condition: SELECTION_1
falsepositives:
- Unknown
id: c5b20776-639a-49bf-94c7-84f912b91c15
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
related:
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: derived
status: experimental
tags:
- attack.command_and_control
- attack.t1095
ruletype: SIGMA

34
rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
View File

@@ -1,34 +0,0 @@
title: Remote PowerShell Session
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
SELECTION_1:
HostName: ServerRemoteHost
SELECTION_2:
HostApplication: '*wsmprovhost.exe*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
level: high
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
related:
- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
ruletype: SIGMA

41
rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
View File

@@ -1,41 +0,0 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_2:
HostApplication:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
ruletype: SIGMA

35
rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
View File

@@ -1,35 +0,0 @@
title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
HostApplication: '*Compress-Archive *'
SELECTION_2:
HostApplication: '* -Path *'
SELECTION_3:
HostApplication: '* -DestinationPath *'
SELECTION_4:
HostApplication: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 71ff406e-b633-4989-96ec-bc49d825a412
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001
ruletype: SIGMA

31
rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml
View File

@@ -1,31 +0,0 @@
title: Suspicious PowerShell Download
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
HostApplication: '*System.Net.WebClient*'
SELECTION_2:
HostApplication: '*.DownloadFile(*'
SELECTION_3:
HostApplication: '*.DownloadString(*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- PowerShell scripts that download content from the Internet
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

36
rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
View File

@@ -1,36 +0,0 @@
title: Delete Volume Shadow Copies Via WMI With PowerShell
author: frack113
date: 2021/06/03
description: Shadow Copies deletion using operating systems utilities via PowerShell
detection:
SELECTION_1:
HostApplication: '*Get-WmiObject*'
SELECTION_2:
HostApplication: '* Win32_Shadowcopy*'
SELECTION_3:
HostApplication:
- '*Delete()*'
- '*Remove-WmiObject*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities
for legitimate reason
fields:
- HostApplication
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
level: critical
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
status: experimental
tags:
- attack.impact
- attack.t1490
ruletype: SIGMA

31
rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml
View File

@@ -1,31 +0,0 @@
title: PowerShell Downgrade Attack
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
description: Detects PowerShell downgrade attack by comparing the host versions with
the actually used engine version 2.0
detection:
SELECTION_1:
EngineVersion: 2.*
SELECTION_2:
HostVersion: 2.*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration Test
- Unknown
id: 6331d09b-4785-4c13-980f-f96661356249
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

34
rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml
View File

@@ -1,34 +0,0 @@
title: PowerShell Called from an Executable Version Mismatch
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects PowerShell called from an executable by the version mismatch
method
detection:
SELECTION_1:
EngineVersion:
- 2.*
- 4.*
- 5.*
SELECTION_2:
HostVersion: 3.*
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Penetration Tests
- Unknown
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
level: high
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

30
rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml
View File

@@ -1,30 +0,0 @@
title: Renamed Powershell Under Powershell Channel
author: Harish Segar, frack113
date: 2020/06/29
description: Detects renamed powershell
detection:
SELECTION_1:
HostName: ConsoleHost
SELECTION_2:
HostApplication:
- powershell.exe*
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- unknown
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
level: low
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: test
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
ruletype: SIGMA

32
rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
View File

@@ -1,32 +0,0 @@
title: Tamper Windows Defender
author: frack113
date: 2021/06/07
description: Attempting to disable scheduled scanning and other parts of windows defender
atp.
detection:
SELECTION_1:
HostApplication: '*Set-MpPreference*'
SELECTION_2:
HostApplication:
- '*-DisableRealtimeMonitoring 1*'
- '*-DisableBehaviorMonitoring 1*'
- '*-DisableScriptScanning 1*'
- '*-DisableBlockAtFirstSeen 1*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
level: high
logsource:
category: ps_classic_provider_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
ruletype: SIGMA

32
rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
View File

@@ -1,32 +0,0 @@
title: Suspicious Non PowerShell WSMAN COM Provider
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/24
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as
the host application.
detection:
SELECTION_1:
ProviderName: WSMan
SELECTION_2:
HostApplication: '*powershell*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Unknown
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/08/30
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://github.com/bohops/WSMan-WinRM
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.lateral_movement
- attack.t1021.003
ruletype: SIGMA

30
rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml
View File

@@ -1,30 +0,0 @@
title: Suspicious XOR Encoded PowerShell Command Line
author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/06/29
description: Detects suspicious powershell process which includes bxor command, alternative
obfuscation method to b64 encoded commands.
detection:
SELECTION_1:
HostName: ConsoleHost
SELECTION_2:
HostApplication:
- '*bxor*'
- '*join*'
- '*char*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
ruletype: SIGMA