separate rules to submodule (#304)

* rm: rules

* Add: hayabusa-rules to submodule
This commit is contained in:
itiB
2021-12-19 20:50:20 +09:00
committed by GitHub
parent dbba49b815
commit 0bce3800b7
1127 changed files with 4 additions and 42988 deletions

.gitmodules vendored Normal file
@@ -0,0 +1,3 @@
[submodule "rules"]
path = rules
url = git@github.com:Yamato-Security/hayabusa-rules.git
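Review bot: the `url =` line uses the SSH form `git@github.com:Yamato-Security/hayabusa-rules.git`, so `git clone --recursive` and `git submodule update --init` will fail for anyone without a GitHub SSH key (CI runners, users who only want the rules). Prefer the HTTPS form `https://github.com/Yamato-Security/hayabusa-rules.git`; contributors with push access can still redirect it locally with a `url.<base>.insteadOf` setting.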

rules Submodule

Submodule rules added at 631db51204

@@ -1,29 +0,0 @@
author: Yusuke Matsui, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Powershell 2.0 Downgrade Attack
title_jp: Powershell 2.0へのダウングレード攻撃
output: 'Powershell 2.0 downgrade attack detected!'
output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
description: An attacker may have started Powershell 2.0 to evade detection.
description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
id: bc082394-73e6-4d00-a9af-e7b524ef5085
level: medium
status: test
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 400
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
falsepositives:
- legacy application
tags:
- attack.defense_evasion
- attack.t1562.010
- lolbas
references:
- https://attack.mitre.org/techniques/T1562/010/
- https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/
ruletype: hayabusa
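Review bot: the `detection:` block of this rule has no `condition:` line, while sibling rules end theirs with `condition: selection`. If the engine does not default to `selection`, the rule never fires; since this file is only being moved, make sure the copy in hayabusa-rules at 631db51204 gets the missing line rather than carrying the gap over. The same omission appears in the Logon Failure - Wrong Password and Username does not exist rules and in most of the informational Logon Type, Kerberos, NTLM and wireless rules in this commit.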

@@ -1,28 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: Security log was cleared
title_jp: セキュリティログがクリアされた
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the Security event log.
description_jp: 誰かがセキュリティログをクリアした。
id: c2f690ac-53f8-4745-8cfe-7127dda28c74
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 1102
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
ruletype: hayabusa

@@ -1,28 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Unknown Reason
title_jp: ログオンに失敗 - 不明な理由
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
filter:
- SubStatus: "0xc0000064"
- SubStatus: "0xc000006a"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Wrong Password
title_jp: ログオンに失敗 - パスワードが間違っている
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: e87bd730-df45-4ae9-85de-6c75369c5d29
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc000006a"
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Username does not exist
title_jp: ログオンに失敗 - ユーザ名は存在しない
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: 8afa97ce-a217-4f7c-aced-3e320a57756d
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc0000064"
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
ruletype: hayabusa
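Review bot: this rule is `level: informational` while the sibling Logon Failure - Wrong Password rule is `level: low`; a 4625 with SubStatus 0xc0000064 (account does not exist) is the stronger of the two signals for account enumeration and password spraying, so the ordering looks inverted and deserves a second look. The detection block also lacks the `condition: selection` line that the Unknown Reason rule carries.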

@@ -1,48 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Unknown process used a high privilege
title_jp: 不明なプロセスが高い権限を使った
output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: |
Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
Disk wipers like bcwipe will also generate this.
More legitimate filepaths may have to be added to the filter.
This is marked as a medium alert as there is a high possibility for false positives.
description_jp:
id: 5b6e58ee-c231-4a54-9eee-af2577802e08
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4673
filter:
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\System32\lsass.exe
- ProcessName: C:\Windows\System32\audiodg.exe
- ProcessName: C:\Windows\System32\svchost.exe
- ProcessName: C:\Windows\System32\mmc.exe
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\explorer.exe
- ProcessName: C:\Windows\System32\SettingSyncHost.exe
- ProcessName: C:\Windows\System32\sdiagnhost.exe
- ProcessName|startswith: C:\Program Files
- SubjectUserName: LOCAL SERVICE
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1561
- attack.impact
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
ruletype: hayabusa
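Review bot: `- ProcessName: C:\Windows\System32\net.exe` appears twice in the filter list; drop one. Note also that `ProcessName|startswith: C:\Program Files` exempts everything under both Program Files trees (the prefix also matches `C:\Program Files (x86)`), which is a very broad allowlist for a rule meant to catch hash dumping; the description already anticipates adding paths, but additions should be specific binaries rather than a whole directory tree.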

@@ -1,28 +0,0 @@
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/26
title: Hidden user account created! (Possible Backdoor)
title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4720
TargetUserName|endswith: "$"
falsepositives:
- domain controller
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
ruletype: hayabusa
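Review bot: the tag `attack.11136.001` should be `attack.t1136.001` to match the reference URL and the `attack.t...` form used by every other rule. The header fields `creation_date` / `uodated_date` (typo for `updated_date`) also differ from the `date` / `modified` pair used in the other rules; pick one naming scheme for the whole rule set before it lives in its own repository. `description_jp` is still the English text.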

@@ -1,30 +0,0 @@
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/26
title: Local user account created
title_jp: ローカルユーザアカウントが作成された
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A local user account was created.
description_jp: ローカルユーザアカウントが作成された.
id: 13edce80-2b02-4469-8de4-a3e37271dcdb
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4720
filter:
TargetUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
ruletype: hayabusa
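Review bot: same two header problems as the hidden-account rule: `uodated_date` is a typo for `updated_date` (and the `creation_date` / `updated_date` pair is inconsistent with `date` / `modified` elsewhere), and the tag `attack.11136.001` should be `attack.t1136.001` to match the reference URL.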

@@ -1,31 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to the global Domain Admins group
title_jp: ユーザがグローバルドメイン管理者グループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to the Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa

@@ -1,30 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: User added to global security group
title_jp: ユーザがグローバルセキュリティグループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
description_jp: ユーザがグローバルのセキュリティグループに追加された。
id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
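Review bot: typo in the description, `Subjet user` should be `Subject user`. Separately, the filter only excludes `SubjectUserName|endswith: $`, so an addition to Domain Admins matches this medium rule and the high Domain Admins rule at the same time; if one alert per event is intended, add `TargetUserName: Domain Admins` to the filter here.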

@@ -1,29 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された。
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
ruletype: hayabusa

@@ -1,29 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Domain Admins group
title_jp: ユーザがローカルドメイン管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: bc58e432-959f-464d-812e-d60ce5d46fa1
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
ruletype: hayabusa
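Review bot: the selection here (`EventID: 4728` with `TargetUserName: Domain Admins`) is the same as the global Domain Admins rule in this commit, minus its `$` filter, so every Domain Admins addition fires twice. Event 4728 is the security-enabled global group event; the local-group event is 4732 (used by the local Administrators rule), and the reference URL also points at 4732, so either the title and reference or the EventID is wrong. Consider dropping this file or re-pointing it.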

@@ -1,32 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local security group
title_jp: ユーザがローカルセキュリティグループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to a security-enabled local group.
description_jp: ユーザがローカルセキュリティグループに追加された。
id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
- TargetUserName: Administrators
- TargetUserName: None
- TargetUserName: Domain Admins
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
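Review bot: the title says local security group and the reference points at event 4732, but the selection matches `EventID: 4728`, which is "member added to a security-enabled global group"; the local-group event is 4732. Either the EventID or the title and reference need to change, and with 4728 the `TargetUserName: Administrators` filter entry does nothing, since Administrators is a local group and is reported under 4732.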

@@ -1,29 +0,0 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/26
title: Possible AS-REP Roasting
title_jp: AS-REPロースティングの可能性
output: 'Possible AS-REP Roasting'
output_jp: 'AS-REPロースティングのリスクがある'
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
level: medium
status: test
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 0 #Logon without pre-authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.004
references:
- https://attack.mitre.org/techniques/T1558/004/
ruletype: hayabusa

@@ -1,29 +0,0 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Kerberoasting
title_jp: Kerberoast攻撃
output: 'Possible Kerberoasting Risk Activity.'
output_jp: 'Kerberoast攻撃のリスクがある'
description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
id: f19849e7-b5ba-404b-a731-9b624d7f6d19
level: medium
status: test
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 2 #Standard password authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.003
references:
- https://attack.mitre.org/techniques/T1558/003/
ruletype: hayabusa
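Review bot: the description talks about obtaining a TGS ticket, but the selection matches `EventID: 4768` (TGT requests) with `PreAuthType: 2` and RC4, which is any ordinary RC4 TGT request and will be noisy in a domain that still allows RC4. Kerberoasting detection normally keys on 4769 (service ticket requested, already used by the Kerberos Service Ticket Requested rule) with `TicketEncryptionType: '0x17'`; consider switching the EventID and, if needed, filtering requests for computer accounts (service names ending in `$`) to reduce false positives.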

@@ -1,27 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: System log file was cleared
title_jp: システムログがクリアされた
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the System event log.
description_jp: 誰かがシステムログをクリアした。
id: f481a1f3-969e-4187-b3a5-b47c272bfebd
level: high
status: stable
detection:
selection:
Channel: System
EventID: 104
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
ruletype: hayabusa

@@ -1,27 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Event log service startup type changed to disabled
title_jp: イベントログサービスのスタートアップの種類が無効に変更された
output: 'Old setting: %param2% : New setting: %param3%'
output: '設定前: %param2% : 設定後: %param3%'
id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
level: medium
status: test
detection:
selection:
Channel: System
EventID: 7040
param1: 'Windows Event Log'
param3: "disabled"
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1562.002
references:
- https://attack.mitre.org/techniques/T1562/002/
ruletype: hayabusa
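Review bot: the `output:` key appears twice; the second line (`'設定前: %param2% : 設定後: %param3%'`) should be `output_jp:`. Duplicate mapping keys are either rejected by a strict YAML parser or silently let the second value win, which would drop the English output. This rule is also the only one in the set with no `description` / `description_jp` fields.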

@@ -1,32 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/23
title: Malicious service installed
title_jp: 悪意のあるサービスがインストールされた
output: 'Service: %ServiceName% : Image path: %ImagePath'
output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath'
description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
id: dbbfd9f3-9508-478b-887e-03ddb9236909
level: high
status: test
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
regexes: ./config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
condition: selection
falsepositives:
- normal system usage
tags:
- attack.persistence
- attack.t1543.003
references:
- https://attack.mitre.org/techniques/T1543/003/
ruletype: hayabusa
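Review bot: `%ImagePath` in both `output` lines is missing the closing `%`, so the placeholder will not be substituted and the alert will print the literal text. The `ImagePath:` block also deserves a comment: as written, `min_length: 1000` and the `ServiceName` regex list sit in the same `selection`, which reads as requiring both a suspicious service name and an image path of at least 1000 characters; if the intent is "either", that should be spelled out (or split into two selections with an OR condition).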

@@ -1,30 +0,0 @@
author: Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Bits Job Creation
title_jp: Bits Jobの作成
output: 'Job Title: %JobTitle% : URL: %Url%'
output_jp: 'Job名: %JobTitle% : URL: %Url%'
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-Bits-Client/Operational
EventID: 59
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- lolbas
references:
- https://attack.mitre.org/techniques/T1197/
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
ruletype: hayabusa

@@ -1,30 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: PowerShell Execution Pipeline
title_jp: PowerShellパイプライン実行
output: 'Command: %CommandLine%'
output_jp: 'コマンド: %CommandLine%'
description: Displays powershell execution
description_jp: Powershellの実行を出力する。
id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
ContextInfo:
- Host Application
- ホスト アプリケーション
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.t1059.001
- lolbas
references:
ruletype: hayabusa
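Review bot: `ContextInfo:` lists `Host Application` and `ホスト アプリケーション` with no `contains` modifier. If a bare value is an exact match (as in Sigma), this rule never fires, because ContextInfo in a 4103 record is a multi-line block rather than that string alone; if the engine does substring matching by default, a short comment saying so would save the next reader the same question. `references:` is also empty here; a link to the 4103 module-logging documentation would help.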

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 0 - System
title_jp: ログオンタイプ 0 - System
output: 'Bootup'
output_jp: 'システム起動'
description: Prints logon information
description_jp: Prints logon information
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 0
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 10 - RDP (Remote Interactive)
title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 10
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 11 - CachedInteractive
title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 11
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 12 - CachedRemoteInteractive
title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 12
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 13 - CachedUnlock
title_jp: ログオンタイプ 13 - キャッシュされたアンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 13
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 2 - Interactive
title_jp: ログオンタイプ 2 - インタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information
description_jp: Prints logon information
id: 7beb4832-f357-47a4-afd8-803d69a5c85c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 2
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 3 - Network
title_jp: ログオンタイプ 3 - ネットワーク
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: c7b22878-e5d8-4c30-b245-e51fd354359e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 3
filter:
- IpAddress: "-"
- IpAddress: "127.0.0.1"
- IpAddress: "::1"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 4 - Batch
title_jp: ログオンタイプ 4 - バッチ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 4
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 5 - Service
title_jp: ログオンタイプ 5 - サービス
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 408e1304-51d7-4d3e-ab31-afd07192400b
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 5
filter:
- TargetUserName: "SYSTEM"
- TargetUserName: "NETWORK SERVICE"
- TargetUserName: "LOCAL SERVICE"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 7 - Unlock
title_jp: ログオンタイプ 7 - アンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 7
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 8 - NetworkCleartext
title_jp: ログオンタイプ 8 - ネットワーク平文
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
description_jp: Prints logon information
id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 8
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 9 - NewCredentials
title_jp: ログオンタイプ 9 - 新しい資格情報
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: d80facaa-ca97-47bb-aed2-66362416eb49
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 9
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff
title_jp: ログオフ
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4634
filter:
TargetUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff - User Initiated
title_jp: ログオフ - ユーザが行った
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 6bad16f1-02c4-4075-b414-3cd16944bc65
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4647
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Admin Logon
title_jp: 管理者ログオン
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4672
filter:
- SubjectUserName: "SYSTEM"
- SubjectUserName: "LOCAL SERVICE"
- SubjectUserName: "NETWORK SERVICE"
- SubjectUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos TGT was requested
title_jp: Kerberos TGTが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
description: Prints logon information.
description_jp: Prints logon information.
id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4768
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos Service Ticket Requested
title_jp: Kerberosサービスチケットが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: da6257f3-cf49-464a-96fc-c84a7ce20636
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4769
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
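Review bot: the output line omits `%TicketEncryptionType%`, which is the one 4769 field a hunter needs to spot RC4 (0x17) service tickets requested for Kerberoasting, while it does print `%Status%`; add it to `output:` and `output_jp:`. `description:` and `description_jp:` are again the copied `Prints logon information.`.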

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: NTLM Logon to Local Account
title_jp: ローカルアカウントへのNTLMログオン
output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: 4fbe94b0-577a-4f77-9b13-250e27d440fa
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4776
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
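Review bot: the title `NTLM Logon to Local Account` is misleading: 4776 is written by whichever host validates the NTLM credentials, so on a domain controller it covers every domain account authenticating with NTLM, not local accounts; rename it (for example NTLM credential validation) or scope it, such as by the channel host, if local accounts are what is meant. Same generic `Prints logon information.` description in both languages.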

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Connection to wireless access point
title_jp: ローカルアカウントへのNTLMログオン
output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
description: Prints connection info to wireless access points.
description_jp: Prints connection info to wireless access points.
id: 90dd0797-f481-453d-a97e-dd78436893f9
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-WLAN-AutoConfig
EventID: 8001
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
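Review bot: `title_jp: ローカルアカウントへのNTLMログオン` ("NTLM logon to local account") is copy-pasted from the 4776 rule above and does not describe this WLAN-AutoConfig 8001 rule; replace it with a translation of `Connection to wireless access point`. `description_jp:` is left in English as well, and labelling `%AuthenticationAlgorithm%` as `Type` hides that this is the authentication algorithm, the field worth checking (open versus WPA2) when reviewing connections to unknown access points.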

View File

@@ -1,40 +0,0 @@
title: Azure AD Health Monitoring Agent Registry Keys Access
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
ruletype: SIGMA
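Review bot: SELECTION_5 excludes by `ProcessName` substring (`'*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'` and the others) with no directory, so any process whose image path contains one of those file names, from any location, is dropped from a rule whose purpose is catching unexpected readers of the key; anchor the exclusions to the agent install path (full-path match) and say in falsepositives that a same-named binary elsewhere defeats the filter. Minor: the `condition:` value is wrapped across two lines, which YAML folds correctly but is easy to break on edit.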

View File

@@ -1,42 +0,0 @@
title: Azure AD Health Service Agents Registry Keys Access
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
ruletype: SIGMA

View File

@@ -1,35 +0,0 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
date: 2019/04/03
description: backdooring domain object to grant the rights associated with DCSync
to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
detection:
SELECTION_1:
EventID: 5136
SELECTION_2:
AttributeLDAPDisplayName: ntSecurityDescriptor
SELECTION_3:
AttributeValue:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute
of event 5136 and verify if it's a regular user or DC computer account.
id: 2c99737c-585d-4431-b61a-c911d86ff32f
level: critical
logsource:
product: windows
service: security
modified: 2021/07/09
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
status: experimental
tags:
- attack.persistence
- attack.t1098
ruletype: SIGMA
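Review bot: the rule depends on `Audit Directory Service Changes` being enabled and on a SACL on the domain object so that writes to `ntSecurityDescriptor` produce 5136, but unlike the 4661, 4704 and 5140 rules on this page it has no `logsource.definition` saying so; add one. Also note that `AttributeValue` here is the whole SDDL string of the new descriptor, and the domain controller ACEs already contain the replication-right GUIDs, so every rewrite of the domain ACL matches, not just one that grants DS-Replication-Get-Changes to a new principal; the falsepositives entry should say this, and triage should diff the SDDL against the previous value.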

View File

@@ -1,44 +0,0 @@
title: AD Privileged Users or Groups Reconnaissance
author: Samir Bousseaden
date: 2019/04/03
description: Detect priv users or groups recon based on 4661 eventid and known privileged
users or groups SIDs
detection:
SELECTION_1:
EventID: 4661
SELECTION_2:
ObjectType:
- SAM_USER
- SAM_GROUP
SELECTION_3:
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
SELECTION_4:
ObjectName: '*admin*'
condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
falsepositives:
- if source account name is not an admin then its super suspicious
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
level: high
logsource:
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
product: windows
service: security
modified: 2021/09/08
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
ruletype: SIGMA
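Review bot: SELECTION_4 `ObjectName: '*admin*'` matches any SAM user or group whose name contains `admin` anywhere, so at `level: high` it fires on ordinary accounts and application groups with that substring; restrict it to the names you mean, or drop it and rely on the SID list. That list is missing `-518` (Schema Admins); confirm what `-505` is meant to cover. The single `falsepositives:` entry ("if source account name is not an admin then its super suspicious") is a triage hint, not a false positive; move it to the description and list real benign sources, such as management tooling that enumerates privileged groups, in its place.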

View File

@@ -1,32 +0,0 @@
title: AD Object WriteDAC Access
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects WRITE_DAC access to a domain object
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectServer: DS
SELECTION_3:
AccessMask: '0x40000'
SELECTION_4:
ObjectType:
- 19195a5b-6da0-11d0-afd3-00c04fd930c9
- domainDNS
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001
ruletype: SIGMA
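Review bot: `AccessMask: '0x40000'` is an exact string match, but the 4662 access mask is the full set of rights requested in that call, so a request combining WRITE_DAC with other rights (for instance WRITE_DAC|WRITE_OWNER = 0x60000) is missed; at `level: critical` that is the case an attacker preparing an ACE for DCSync is likely to produce, since there is no reason to request WRITE_DAC alone. Test the 0x40000 bit, or enumerate the combinations, and say which in the description.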

View File

@@ -1,42 +0,0 @@
title: Active Directory Replication from Non Machine Account
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/07/26
description: Detects potential abuse of Active Directory Replication Service (ADRS)
from a non machine account to request credentials.
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
AccessMask: '0x100'
SELECTION_3:
Properties:
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
SELECTION_4:
SubjectUserName: '*$'
SELECTION_5:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
or SELECTION_5))
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 17d619c1-e020-4347-957e-1d1207455c93
level: critical
logsource:
product: windows
service: security
modified: 2020/08/23
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.006
ruletype: SIGMA
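Review bot: both exclusions are by name only: `SubjectUserName: '*$'` drops any account ending in `$` and `MSOL_*` drops any account starting with that prefix, so an attacker who can create or rename an account (or who holds a compromised machine-account credential) walks past a `level: critical` rule on the strength of a name. Tie the MSOL_ exception to the known Azure AD Connect account and its host (`ComputerName` is already in `fields:`, and 4662 carries `SubjectDomainName`), and consider a separate rule for replication by a machine account that is not a DC instead of excluding all of them here.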

View File

@@ -1,35 +0,0 @@
title: AD User Enumeration
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/30
description: Detects access to a domain user from a non-machine account
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
SELECTION_3:
SubjectUserName: '*$'
SELECTION_4:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
falsepositives:
- Administrators configuring new users.
id: ab6bffca-beff-4baa-af11-6733f296d57a
level: medium
logsource:
definition: Requires the "Read all properties" permission on the user object to
be audited for the "Everyone" principal
product: windows
service: security
modified: 2021/08/09
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
ruletype: SIGMA

View File

@@ -1,35 +0,0 @@
title: ADCS Certificate Template Configuration Vulnerability
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_3:
EventID: 4899
SELECTION_4:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
level: low
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access
ruletype: SIGMA
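Review bot: 4898 is written whenever the CA loads a template (service start, template cache refresh), not only when a template is created, so the `SELECTION_1 and SELECTION_2` branch re-fires for every existing template carrying `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`; the description (`Detects certificate creation with template ...`) should say this is a template-configuration check, with 4899 as the change event, since no certificate is created by either ID. `logsource.definition` should also name the audit subcategory these IDs need (Object Access > Audit Certification Services) and has typos (`comming`, `contain specific flag`), as does falsepositives (`enrollement`).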

View File

@@ -1,49 +0,0 @@
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
and risky EKU
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_3:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_4:
EventID: 4899
SELECTION_5:
NewTemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_6:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
level: high
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag with risky EKU.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access
ruletype: SIGMA
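Review bot: the EKU list (client authentication 1.3.6.1.5.5.7.3.2, PKINIT client authentication 1.3.6.1.5.2.3.4, smart card logon 1.3.6.1.4.1.311.20.2.2, any purpose 2.5.29.37.0) omits the no-EKU case, which the Certified Pre-Owned reference treats as equally usable for domain authentication, so a template with `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` and an empty EKU set only trips the `level: low` sibling rule; add a branch for templates with no EKU or state the gap in the description. The same 4898-on-every-load behaviour applies here: this is a configuration-state alert, not a "certificate creation" one as the description says.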

View File

@@ -1,37 +0,0 @@
title: Admin User Remote Logon
author: juju4
date: 2017/10/29
description: Detect remote login by Administrator user (depending on internal pattern).
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
LogonType: 10
SELECTION_3:
AuthenticationPackageName: Negotiate
SELECTION_4:
TargetUserName: Admin*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administrative activity.
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
level: low
logsource:
definition: 'Requirements: Identifiable administrators usernames (pattern or special
unique character. ex: "Admin-*"), internal policy mandating use only as secondary
account'
product: windows
service: security
modified: 2021/07/07
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
status: experimental
tags:
- attack.lateral_movement
- attack.t1078
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005
ruletype: SIGMA

View File

@@ -1,29 +0,0 @@
title: Access to ADMIN$ Share
author: Florian Roth
date: 2017/03/04
description: Detects access to $ADMIN share
detection:
SELECTION_1:
EventID: 5140
SELECTION_2:
ShareName: Admin$
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Legitimate administrative activity
id: 098d7118-55bc-4912-a836-dc6483a8d150
level: low
logsource:
definition: The advanced audit policy setting "Object Access > Audit File Share"
must be configured for Success/Failure
product: windows
service: security
modified: 2020/08/23
status: experimental
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
ruletype: SIGMA
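Review bot: `ShareName: Admin$` is an exact match, but 5140 records the share as `\\*\ADMIN$` (the ATSVC rule further down uses `\\*\IPC$` for the same field), so this selection only matches if the backend strips the prefix and ignores case; use `\\*\ADMIN$`, or `ShareName|endswith: '\ADMIN$'`. `attack.t1077` is the retired ID of `attack.t1021.002`, which is already listed.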

View File

@@ -1,32 +0,0 @@
title: Enabled User Right in AD to Control User Objects
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
right in Active Directory it would allow control of other AD user objects.
detection:
SELECTION_1:
EventID: 4704
SELECTION_2:
PrivilegeList:
- '*SeEnableDelegationPrivilege*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
level: high
logsource:
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
modified: 2020/08/23
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
status: experimental
tags:
- attack.persistence
- attack.t1098
ruletype: SIGMA

View File

@@ -1,53 +0,0 @@
title: Active Directory User Backdoors
author: '@neu5ron'
date: 2017/04/13
description: Detects scenarios where one can control another users or computers account
without having to use their credentials.
detection:
SELECTION_1:
EventID: 4738
SELECTION_10:
AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
SELECTION_2:
AllowedToDelegateTo: '-'
SELECTION_3:
AllowedToDelegateTo|re: ^$
SELECTION_4:
EventID: 5136
SELECTION_5:
AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
SELECTION_6:
EventID: 5136
SELECTION_7:
ObjectClass: user
SELECTION_8:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_9:
EventID: 5136
condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or (SELECTION_4
and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9
and SELECTION_10))
falsepositives:
- Unknown
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\DS Access\Audit Directory Service Changes'
product: windows
service: security
modified: 2020/08/23
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
status: experimental
tags:
- attack.t1098
- attack.persistence
ruletype: SIGMA
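Review bot: the third branch (`SELECTION_6 and SELECTION_7 and SELECTION_8`) fires on every 5136 that touches `servicePrincipalName` on a user object, including routine service-account provisioning and SPN cleanup, yet the rule is `level: high` with `falsepositives: Unknown`; narrow it (5136 carries `OperationType`, so value-added %%14674 can be separated from value-deleted %%14675) or at least list provisioning tooling as a false positive. Style: SELECTION_10 is declared between SELECTION_1 and SELECTION_2 because the keys were sorted as strings, which makes the condition hard to read against the selections; number them in condition order.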

View File

@@ -1,91 +0,0 @@
title: Weak Encryption Enabled and Kerberoast
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where weak encryption is enabled for a user profile
which could be used for hash/password cracking.
detection:
SELECTION_1:
EventID: 4738
SELECTION_2:
NewUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_3:
OldUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_4:
NewUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_5:
OldUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_6:
NewUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
SELECTION_7:
OldUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
falsepositives:
- Unknown
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management'
product: windows
service: security
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
ruletype: SIGMA
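Review bot: the hex-digit wildcards encode which bit of `NewUacValue` each selection tests (`'*8??'` and up = 0x800, `'*8???'` and up = 0x8000, `'*1????'` and the other odd digits = 0x10000), which in the SAM USER_* encoding that 4738 reports appear to be reversible-encryption password, DES-key-only and don't-require-preauth, but nothing in the rule says so; add one line per selection naming the flag so the patterns can be checked against the event documentation. The preauth bit enables AS-REP roasting (the harmj0y reference), not Kerberoasting as the title says; retitle or re-describe. `attack.t1089` is the retired ID of `attack.t1562.001`, already listed.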

View File

@@ -1,31 +0,0 @@
title: LSASS Access Detected via Attack Surface Reduction
author: Markus Neis
date: 2018/08/26
description: Detects Access to LSASS Process
detection:
SELECTION_1:
EventID: 1121
SELECTION_2:
Path: '*\lsass.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
level: high
logsource:
definition: 'Requirements:Enabled Block credential stealing from the Windows local
security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
product: windows
service: windefend
modified: 2021/11/13
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
ruletype: SIGMA
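Review bot: 1121 is only written when the ASR rule runs in block mode; in audit mode Defender logs 1122 for the same LSASS access, so an estate that rolls ASR out in audit first produces nothing for this rule; add `EventID: 1122` (at a lower level) or state the block-mode requirement in `logsource.definition`. The 1121/1122 events also carry the ASR rule GUID in their `ID` field, so matching `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` there would pin the rule to the LSASS ASR rule instead of any blocked path ending in `\lsass.exe`; the falsepositives list already hints that such matches are frequent.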

View File

@@ -1,46 +0,0 @@
title: Mimikatz Use
author: Florian Roth
date: 2017/01/10
description: This method detects mimikatz keywords in different Eventlogs (some of
them only appear in older Mimikatz version that are however still used by different
threat groups)
detection:
SELECTION_1:
- \mimikatz
- mimikatz.exe
- \mimilib.dll
- <3 eo.oe
- eo.oe.kiwi
- privilege::debug
- sekurlsa::logonpasswords
- lsadump::sam
- mimidrv.sys
- ' p::d '
- ' s::l '
- gentilkiwi.com
- Kiwi Legit Printer
condition: (SELECTION_1)
falsepositives:
- Naughty administrators
- Penetration test
- AV Signature updates
- Files with Mimikatz in their filename
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
level: critical
logsource:
product: windows
modified: 2021/08/26
status: experimental
tags:
- attack.s0002
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
ruletype: SIGMA
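Review bot: SELECTION_1 is a bare keyword list with no field and `logsource` names only `product: windows`, so every term is a substring search across the whole record of every channel, at `level: critical`; `' p::d '` and `' s::l '` rely on the surrounding spaces surviving the backend's field flattening, and `mimikatz.exe` / `\mimilib.dll` will hit AV signature and scan logs that merely mention the file (which falsepositives concedes). Bind the list to the sources where these strings mean execution (4688 `CommandLine`, PowerShell 4104 `ScriptBlockText`, Sysmon process creation) or downgrade the unbound match.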

View File

@@ -1,41 +0,0 @@
title: Hacktool Ruler
author: Florian Roth
date: 2017/05/31
description: This events that are generated when using the hacktool Ruler by Sensepost
detection:
SELECTION_1:
EventID: 4776
SELECTION_2:
Workstation: RULER
SELECTION_3:
EventID: 4624
SELECTION_4:
EventID: 4625
SELECTION_5:
WorkstationName: RULER
condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
falsepositives:
- Go utilities that use staaldraad awesome NTLM library
id: 24549159-ac1b-479c-8175-d42aea947cae
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://github.com/sensepost/ruler
- https://github.com/sensepost/ruler/issues/47
- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1087
- attack.t1075
- attack.t1114
- attack.t1059
- attack.t1550.002
ruletype: SIGMA

View File

@@ -1,48 +0,0 @@
title: File Was Not Allowed To Run
author: Pushkarev Dmitry
date: 2020/06/28
description: Detect run not allowed files. Applocker is a very useful tool, especially
on servers where unprivileged users have access. For example terminal servers. You
need configure applocker and log collect to receive these events.
detection:
SELECTION_1:
EventID: 8004
SELECTION_2:
EventID: 8007
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- need tuning applocker or add exceptions in SIEM
fields:
- PolicyName
- RuleId
- RuleName
- TargetUser
- TargetProcessId
- FilePath
- FileHash
- Fqbn
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
level: medium
logsource:
product: windows
service: applocker
modified: 2020/08/23
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
status: experimental
tags:
- attack.execution
- attack.t1086
- attack.t1064
- attack.t1204
- attack.t1035
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
ruletype: SIGMA
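Review bot: 8004 and 8007 are the enforce-mode block events (EXE/DLL and script/MSI); policies still in audit-only mode write 8003 and 8006 instead, so a deployment that has not switched to enforce produces nothing here; add 8003/8006 at a lower level or state the enforce-mode requirement in `logsource.definition`, which is empty even though the description says AppLocker must be configured and collected. The tag list mixes retired IDs (`attack.t1086`, `attack.t1064`, `attack.t1035`) with their `t1059.x` / `t1204.002` replacements.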

View File

@@ -1,31 +0,0 @@
title: Turla Service Install
author: Florian Roth
date: 2017/03/31
description: This method detects a service install of malicious services mentioned
in Carbon Paper - Turla report by ESET
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName:
- srservice
- ipvpn
- hkmsvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
level: high
logsource:
product: windows
service: system
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
status: experimental
tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003
ruletype: SIGMA

View File

@@ -1,42 +0,0 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 4698
SELECTION_2:
TaskName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
level: critical
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
status: experimental
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
ruletype: SIGMA
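Review bot: the tag list is the one from the 7045 service-install variant this rule is derived from (`related:` says so) and still carries `attack.t1050`, `attack.t1543.003`, `attack.t1112`, `attack.t1071` and `attack.t1071.004`, but the only thing this rule matches is scheduled-task creation (4698) by `TaskName`; trim the tags to what the logic detects so ATT&CK coverage reports are not inflated by a copy. Also check the match itself: 4698 records the task path with a leading backslash (the Defrag rule on this page uses `\Microsoft\Windows\Defrag\ScheduledDefrag`), so an exact match on the bare names `SC Scheduled Scan` / `UpdatMachine` may need `|endswith` to fire; verify against a sample event.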

View File

@@ -1,39 +0,0 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
level: critical
logsource:
product: windows
service: system
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
status: experimental
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
ruletype: SIGMA

View File

@@ -1,39 +0,0 @@
title: GALLIUM Artefacts
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 257
SELECTION_2:
QNAME:
- asyspy256.ddns.net
- hotkillmail9sddcc.ddns.net
- rosaf112.ddns.net
- cvdfhjh1231.myftp.biz
- sz2016rose.ddns.net
- dffwescwer4325.myftp.biz
- cvdfhjh1231.ddns.net
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 3db10f25-2527-4b79-8d4b-471eb900ee29
level: high
logsource:
product: windows
service: dns-server
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: experimental
tags:
- attack.credential_access
- attack.command_and_control
- attack.t1071
ruletype: SIGMA
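Review bot: EventID 257 lives in the DNS Server analytical log (Microsoft-Windows-DNSServer/Analytical), which is off by default, and the rule has no `logsource.definition` saying it must be enabled. Check QNAME formatting against a real event before relying on exact matches: in that log the name is recorded as an FQDN with a trailing dot, so `asyspy256.ddns.net` would need to be `asyspy256.ddns.net.` or a `|startswith` modifier. `attack.credential_access` does not describe a C2 domain indicator; `command_and_control` / `t1071` already cover it.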

View File

@@ -1,32 +0,0 @@
title: Defrag Deactivation
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
description: Detects the deactivation and disabling of the Scheduled defragmentation
task as seen by Slingshot APT group
detection:
SELECTION_1:
EventID: 4701
SELECTION_2:
TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
level: medium
logsource:
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
product: windows
service: security
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
status: experimental
tags:
- attack.persistence
- attack.t1053
- attack.s0111
ruletype: SIGMA

View File

@@ -1,30 +0,0 @@
title: StoneDrill Service Install
author: Florian Roth
date: 2017/03/07
description: This method detects a service install of the malicious Microsoft Network
Realtime Inspection Service service described in StoneDrill report by Kaspersky
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: NtsSrv
SELECTION_3:
ServiceFileName: '* LocalService'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unlikely
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
level: high
logsource:
product: windows
service: system
references:
- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
status: experimental
tags:
- attack.persistence
- attack.g0064
- attack.t1050
- attack.t1543.003
ruletype: SIGMA

View File

@@ -1,28 +0,0 @@
title: Turla PNG Dropper Service
author: Florian Roth
date: 2018/11/23
description: This method detects malicious services mentioned in Turla PNG dropper
report by NCC Group in November 2018
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: WerFaultSvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unlikely
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
level: critical
logsource:
product: windows
service: system
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
status: experimental
tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003
ruletype: SIGMA

View File

@@ -1,38 +0,0 @@
title: Operation Wocao Activity
author: Florian Roth, frack113
date: 2019/12/20
description: Detects activity mentioned in Operation Wocao report
detection:
SELECTION_1:
EventID: 4799
SELECTION_2:
TargetUserName: Administr*
SELECTION_3:
CallerProcessName: '*\checkadmin.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
level: high
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
status: experimental
tags:
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- attack.t1036
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1053
- attack.t1059.001
- attack.t1086
ruletype: SIGMA

View File

@@ -1,35 +0,0 @@
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
author: Sreeman
date: 2020/03/13
description: The .SettingContent-ms file type was introduced in Windows 10 and allows
a user to create "shortcuts" to various Windows 10 setting pages. These files are
simply XML and contain paths to various Windows 10 settings binaries.
detection:
SELECTION_1:
CommandLine: '*.SettingContent-ms*'
SELECTION_2:
FilePath: '*immersivecontrolpanel*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
level: medium
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
status: experimental
tags:
- attack.t1204
- attack.t1193
- attack.t1566.001
- attack.execution
- attack.initial_access
ruletype: SIGMA
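Review bot: with `logsource.service: security` the only event that carries a command line is 4688, but the rule has no `EventID: 4688` selection and uses `FilePath` (and `ParentProcess` in `fields:`), which are not 4688 field names; 4688 exposes `NewProcessName`, `ParentProcessName` and `CommandLine`, the last only when command-line auditing is enabled, which `logsource.definition` should state. Either add the EventID and the real field names, or point the logsource at Sysmon process creation where `Image` / `ParentImage` exist.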

View File

@@ -1,30 +0,0 @@
title: Using AppVLP To Circumvent ASR File Path Rule
author: Sreeman
date: 2020/03/13
description: Application Virtualization Utility is included with Microsoft Office.We
are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
for Application Virtualization, but we can use it as an abuse binary to circumvent
the ASR file path rule folder or to mark a file as a system file
detection:
SELECTION_1:
CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
condition: SELECTION_1
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
level: medium
logsource:
product: windows
service: security
modified: 2021/06/11
status: experimental
tags:
- attack.t1218
- attack.defense_evasion
- attack.execution
ruletype: SIGMA
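Review bot: the `CommandLine|re` pattern leaves every dot unescaped, so `appvlp.exe` matches `appvlpXexe` and the trailing alternation `(.sh|.exe|...)` matches any character followed by `sh`, `exe`, and so on, which is far broader than the file extensions the description intends; escape them (`appvlp\.exe`, `\.sh|\.exe|...`). As with the SettingContent-ms rule, there is no EventID selection for a `service: security` logsource, so add `EventID: 4688` to restrict the match to process-creation events.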

View File

@@ -1,36 +0,0 @@
title: Remote Task Creation via ATSVC Named Pipe
author: Samir Bousseaden
date: 2019/04/03
description: Detects remote task creation via at.exe or API interacting with ATSVC
namedpipe
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName: atsvc
SELECTION_4:
Accesses: '*WriteData*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
level: medium
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
status: experimental
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
ruletype: SIGMA

View File

@@ -1,39 +0,0 @@
title: Audit CVE Event
author: Florian Roth
date: 2020/01/15
description: Detects events generated by Windows to indicate the exploitation of a
known vulnerability (e.g. CVE-2020-0601)
detection:
SELECTION_1:
Provider_Name: Microsoft-Windows-Audit-CVE
condition: SELECTION_1
falsepositives:
- Unknown
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
level: critical
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://twitter.com/mattifestation/status/1217179698008068096
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
status: experimental
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004
ruletype: SIGMA

View File

@@ -1,44 +0,0 @@
title: Relevant Anti-Virus Event
author: Florian Roth
date: 2017/02/19
description: This detection method points out highly relevant Antivirus events
detection:
SELECTION_1:
- HTool-
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- .WinCred.
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
SELECTION_2:
- Keygen
- Crack
condition: ((SELECTION_1) and not (SELECTION_2))
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
level: high
logsource:
product: windows
service: application
modified: 2021/11/20
status: experimental
tags:
- attack.resource_development
- attack.t1588
ruletype: SIGMA

View File

@@ -1,32 +0,0 @@
title: Processes Accessing the Microphone and Webcam
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
description: Potential adversaries accessing the microphone and webcam in an endpoint.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4663
SELECTION_4:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
SELECTION_5:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
level: medium
logsource:
product: windows
service: security
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
status: experimental
tags:
- attack.collection
- attack.t1123
ruletype: SIGMA

View File

@@ -1,49 +0,0 @@
title: CobaltStrike Service Installations
author: Florian Roth, Wojciech Lesicki
date: 2021/05/26
description: Detects known malicious service installs that appear in cases in which
a Cobalt Strike beacon elevates privileges or lateral movement
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath: '*ADMIN$*'
SELECTION_3:
ImagePath: '*.exe*'
SELECTION_4:
ImagePath: '*%COMSPEC%*'
SELECTION_5:
ImagePath: '*start*'
SELECTION_6:
ImagePath: '*powershell*'
SELECTION_7:
ImagePath: '*powershell -nop -w hidden -encodedcommand*'
SELECTION_8:
ImagePath:
- '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
- '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
- '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6) or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: 5a105d34-05fc-401e-8553-272b45c1522d
level: critical
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
ruletype: SIGMA

View File

@@ -1,31 +0,0 @@
title: DCERPC SMB Spoolss Named Pipe
author: OTR (Open Threat Research)
date: 2018/11/28
description: Detects the use of the spoolss named pipe over SMB. This can be used
to trigger the authentication via NTLM of any machine that has the spoolservice
enabled.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName: spoolss
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Domain Controllers acting as printer servers too? :)
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
level: medium
logsource:
product: windows
service: security
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
ruletype: SIGMA

View File

@@ -1,30 +0,0 @@
title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020/10/12
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
DLL Hijack scenario.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
RelativeTargetName: '*\Internet Explorer\iertutil.dll'
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Unknown
id: c39f0c81-7348-4965-ab27-2fde35a1b641
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1021.003
ruletype: SIGMA

View File

@@ -1,41 +0,0 @@
title: Mimikatz DC Sync
author: Benjamin Delpy, Florian Roth, Scott Dermott
date: 2018/06/03
description: Detects Mimikatz DC sync security events
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
Properties:
- '*Replicating Directory Changes All*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
SELECTION_3:
SubjectDomainName: Window Manager
SELECTION_4:
SubjectUserName:
- NT AUTHORITY*
- MSOL_*
SELECTION_5:
SubjectUserName: '*$'
condition: ((((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) and not (SELECTION_4))
and not (SELECTION_5))
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
status: experimental
tags:
- attack.credential_access
- attack.s0002
- attack.t1003
- attack.t1003.006
ruletype: SIGMA

View File

@@ -1,40 +0,0 @@
title: Disabling Windows Event Auditing
author: '@neu5ron'
date: 2017/11/19
description: 'Detects scenarios where system auditing (ie: windows event log auditing)
is disabled. This may be used in a scenario where an entity would want to bypass
local logging to evade detection when windows event logging is enabled and reviewed.
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO,
which will make sure that Active Directory GPOs take precedence over local/edited
computer policies via something such as "gpedit.msc". Please note, that disabling
"Local Group Policy Object Processing" may cause an issue in scenarios of one off
specific GPO modifications -- however it is recommended to perform these modifications
in Active Directory anyways.'
detection:
SELECTION_1:
EventID: 4719
SELECTION_2:
AuditPolicyChanges:
- '*%%8448*'
- '*%%8450*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 69aeb277-f15f-4d2d-b32a-55e883609563
level: high
logsource:
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
references:
- https://bit.ly/WinLogsZero2Hero
status: experimental
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.002
ruletype: SIGMA

View File

@@ -1,31 +0,0 @@
title: DPAPI Domain Backup Key Extraction
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/06/20
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
Controllers
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: SecretObject
SELECTION_3:
AccessMask: '0x2'
SELECTION_4:
ObjectName: BCKUPKEY
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
ruletype: SIGMA

View File

@@ -1,29 +0,0 @@
title: DPAPI Domain Master Key Backup Attempt
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects anyone attempting a backup for the DPAPI Master Key. This events
gets generated at the source and not the Domain Controller.
detection:
SELECTION_1:
EventID: 4692
condition: SELECTION_1
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
ruletype: SIGMA

View File

@@ -1,37 +0,0 @@
title: COMPlus_ETWEnabled Registry Modification
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
SELECTION_3:
ObjectValueName: ETWEnabled
SELECTION_4:
NewValue: '0'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
level: critical
logsource:
product: windows
service: security
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
status: experimental
tags:
- attack.defense_evasion
- attack.t1112
ruletype: SIGMA

View File

@@ -1,31 +0,0 @@
title: Security Event Log Cleared
author: Saw Winn Naung
date: 2021/08/15
description: Checks for event id 1102 which indicates the security event log was cleared.
detection:
SELECTION_1:
EventID: 1102
SELECTION_2:
Provider_Name: Microsoft-Windows-Eventlog
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative activity
fields:
- SubjectLogonId
- SubjectUserName
- SubjectUserSid
- SubjectDomainName
id: a122ac13-daf8-4175-83a2-72c387be339d
level: medium
logsource:
product: windows
service: security
modified: 2021/10/13
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
status: experimental
tags:
- attack.t1107
- attack.t1070.001
ruletype: SIGMA
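Review bot: attack.t1107 in the tags is a deprecated ATT&CK ID (File Deletion, superseded by attack.t1070.004) and does not describe log clearing at all; attack.t1070.001, already listed on the next line, is the correct mapping for EventID 1102, so drop t1107.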

View File

@@ -1,28 +0,0 @@
title: MSExchange Transport Agent Installation
author: Tobias Michalski
date: 2021/06/08
description: Detects the Installation of a Exchange Transport Agent
detection:
condition: Install-TransportAgent
falsepositives:
- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
for this.
fields:
- AssemblyPath
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
level: medium
logsource:
product: windows
service: msexchange-management
modified: 2021/09/19
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
related:
- id: 83809e84-4475-4b69-bc3e-4aad8568612f
type: derived
status: experimental
tags:
- attack.persistence
- attack.t1505.002
ruletype: SIGMA
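Review bot: the condition references `Install-TransportAgent`, but no selection of that name exists under `detection:`; the keyword list the original rule searched for appears to have been lost in conversion, so the rule either fails to load or never matches. Restore it as a keyword selection, e.g. `SELECTION_1:` with `- Install-TransportAgent` beneath it, and set `condition: SELECTION_1`.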

View File

@@ -1,46 +0,0 @@
title: Possible CVE-2021-1675 Print Spooler Exploitation
author: Florian Roth, KevTheHermit, fuzzyf10w
date: 2021/06/30
description: Detects events of driver load errors in print service logs that could
be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
detection:
SELECTION_1:
EventID: 808
SELECTION_2:
EventID: 4909
SELECTION_3:
ErrorCode:
- '0x45A'
- '0x7e'
SELECTION_4:
- The print spooler failed to load a plug-in module
- MyExploit.dll
- evil.dll
- \addCube.dll
- \rev.dll
- \rev2.dll
- \main64.dll
- \mimilib.dll
- \mimispool.dll
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4))
falsepositives:
- Problems with printer drivers
fields:
- PluginDllName
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
level: high
logsource:
product: windows
service: printservice-admin
modified: 2021/07/08
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://twitter.com/fuzzyf10w/status/1410202370835898371
status: experimental
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
ruletype: SIGMA

View File

@@ -1,32 +0,0 @@
title: CVE-2021-1675 Print Spooler Exploitation
author: Florian Roth
date: 2021/07/01
description: Detects driver load events print service operational log that are a sign
of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
detection:
SELECTION_1:
EventID: '316'
SELECTION_2:
- 'UNIDRV.DLL, kernelbase.dll, '
- ' 123 '
- ' 1234 '
- mimispool
condition: (SELECTION_1 and (SELECTION_2))
falsepositives:
- Unknown
fields:
- DriverAdded
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
level: critical
logsource:
product: windows
service: printservice-operational
references:
- https://twitter.com/MalwareJake/status/1410421967463731200
status: experimental
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
ruletype: SIGMA
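Review bot: `EventID: '316'` is quoted as a string whereas every other rule in this commit uses an integer (`EventID: 7045`, `EventID: 5145`); if the matcher compares types strictly the rule never fires, so use `EventID: 316`. The keyword entries `' 123 '` and `' 1234 '` depend on their surrounding spaces surviving parsing; if anything trims them they become bare numbers that match far more events than the PoC driver names they are meant to catch, which at level critical deserves a comment or a more specific token.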

View File

@@ -1,35 +0,0 @@
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
author: INIT_6
date: 2021/07/02
description: Detects remote printer driver load from Detailed File Share in Security
logs that are a sign of successful exploitation attempts against print spooler vulnerability
CVE-2021-1675 and CVE-2021-34527
detection:
SELECTION_1:
EventID: '5145'
SELECTION_2:
ShareName: \\\*\IPC$
SELECTION_3:
RelativeTargetName: spoolss
SELECTION_4:
AccessMask: '0x3'
SELECTION_5:
ObjectType: File
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- nothing observed so far
id: 8fe1c584-ee61-444b-be21-e9054b229694
level: critical
logsource:
product: windows
service: security
references:
- https://twitter.com/INIT_3/status/1410662463641731075
status: experimental
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
- cve.2021.34527
ruletype: SIGMA
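Review bot: SELECTION_2 uses `ShareName: \\\*\IPC$` with three leading backslashes, while the ATSVC, spoolss and Impacket PsExec rules in this same commit write the identical share as `\\*\IPC$`; unless the wildcard matcher normalises both forms, this rule silently never matches. `EventID: '5145'` is also quoted as a string where the sibling rules use the integer 5145. Align both with the other rules: `EventID: 5145` and `ShareName: \\*\IPC$`.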

View File

@@ -1,29 +0,0 @@
title: External Disk Drive Or USB Storage Device
author: Keith Wright
date: 2019/11/20
description: Detects external diskdrives or plugged in USB devices , EventID 6416
on windows 10 or later
detection:
SELECTION_1:
EventID: 6416
SELECTION_2:
ClassName: DiskDrive
SELECTION_3:
DeviceDescription: USB Mass Storage Device
condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
falsepositives:
- Legitimate administrative activity
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
level: low
logsource:
product: windows
service: security
modified: 2021/08/09
status: experimental
tags:
- attack.t1091
- attack.t1200
- attack.lateral_movement
- attack.initial_access
ruletype: SIGMA
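Review bot: the condition `((SELECTION_1 and SELECTION_2) or SELECTION_3)` lets SELECTION_3 fire on its own, so any Security event whose DeviceDescription is `USB Mass Storage Device` matches without the EventID 6416 guard the description says the rule is based on. `(SELECTION_1 and (SELECTION_2 or SELECTION_3))` expresses the intent: a 6416 device-connection event that is either a DiskDrive class or a USB mass-storage device.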

View File

@@ -1,34 +0,0 @@
title: Enumeration via the Global Catalog
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/11
description: Detects enumeration of the global catalog (that can be performed using
BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
width.
detection:
SELECTION_1:
EventID: 5156
SELECTION_2:
DestinationPort: 3268
SELECTION_3:
DestinationPort: 3269
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress
> 2000
falsepositives:
- Exclude known DCs.
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
level: medium
logsource:
definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
Platform Connection" must be configured for Success
product: windows
service: security
modified: 2021/06/01
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
ruletype: SIGMA
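Review bot: the condition carries a `| count() by SourceAddress > 2000` aggregation, folded across two YAML lines, so this rule only works if the engine supports count-based conditions; confirm that before keeping it at level medium, and add a comment stating the threshold is per the description meant to be tuned to domain size. The falsepositives entry `Exclude known DCs.` is a tuning instruction rather than a false-positive source; move it into the description (or add a filter selection on the DC SourceAddress values) and list the actual benign sources, such as monitoring or directory-sync hosts, under falsepositives.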

View File

@@ -1,38 +0,0 @@
title: Persistence and Execution at Scale via GPO Scheduled Task
author: Samir Bousseaden
date: 2019/04/03
description: Detect lateral movement using GPO scheduled task, usually used to deploy
ransomware at scale
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\SYSVOL
SELECTION_3:
RelativeTargetName: '*ScheduledTasks.xml'
SELECTION_4:
Accesses:
- '*WriteData*'
- '*%%4417*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor
both local and remote changes to GPO scheduledtasks
id: a8f29a7b-b137-4446-80a0-b804272f3da2
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://twitter.com/menasec1/status/1106899890377052160
- https://www.secureworks.com/blog/ransomware-as-a-distraction
status: experimental
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
- attack.t1053.005
ruletype: SIGMA

View File

@@ -1,36 +0,0 @@
title: smbexec.py Service Installation
author: Omer Faruk Celik
date: 2018/03/20
description: Detects the use of smbexec.py tool by detecting a specific service installation
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: BTOBTO
SELECTION_3:
ServiceFileName: '*\execute.bat'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration Test
- Unknown
fields:
- ServiceName
- ServiceFileName
id: 52a85084-6989-40c3-8f32-091e12e13f09
level: critical
logsource:
product: windows
service: system
modified: 2020/08/23
references:
- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
status: experimental
tags:
- attack.lateral_movement
- attack.execution
- attack.t1077
- attack.t1021.002
- attack.t1035
- attack.t1569.002
ruletype: SIGMA
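Review bot: the tags list both deprecated IDs and their replacements: attack.t1077 (Windows Admin Shares) was superseded by attack.t1021.002 and attack.t1035 (Service Execution) by attack.t1569.002, and both replacements are already present; drop t1077 and t1035.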

View File

@@ -1,28 +0,0 @@
title: Hidden Local User Creation
author: Christian Burkard
date: 2021/05/03
description: Detects the creation of a local hidden user account which should not
happen for event ID 4720.
detection:
SELECTION_1:
EventID: 4720
SELECTION_2:
TargetUserName: '*$'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventCode
- AccountName
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
level: high
logsource:
product: windows
service: security
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
status: experimental
tags:
- attack.persistence
- attack.t1136.001
ruletype: SIGMA
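Review bot: the `fields:` list names `EventCode` and `AccountName`, which are Splunk-side aliases rather than fields of the Windows 4720 event; the selection itself already uses `TargetUserName`, so list `TargetUserName` and `SubjectUserName` (the creating account) there so the output shows the fields the event actually carries.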

View File

@@ -1,28 +0,0 @@
title: HybridConnectionManager Service Installation
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
description: Rule to detect the Hybrid Connection Manager service installation.
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceName: HybridConnectionManager
SELECTION_3:
ServiceFileName: '*HybridConnectionManager*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
status: experimental
tags:
- attack.persistence
- attack.t1554
ruletype: SIGMA

View File

@@ -1,32 +0,0 @@
title: HybridConnectionManager Service Running
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
detection:
SELECTION_1:
EventID: 40300
SELECTION_2:
EventID: 40301
SELECTION_3:
EventID: 40302
SELECTION_4:
- HybridConnection
- sb://
- servicebus.windows.net
- HybridConnectionManage
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
id: b55d23e5-6821-44ff-8a6e-67218891e49f
level: high
logsource:
product: windows
service: microsoft-servicebus-client
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
status: experimental
tags:
- attack.persistence
- attack.t1554
ruletype: SIGMA

View File

@@ -1,32 +0,0 @@
title: Impacket PsExec Execution
author: Bhabesh Raj
date: 2020/12/14
description: Detects execution of Impacket's psexec.py.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName:
- '*RemCom_stdint*'
- '*RemCom_stdoutt*'
- '*RemCom_stderrt*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- nothing observed so far
id: 32d56ea1-417f-44ff-822b-882873f5f43b
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002
ruletype: SIGMA

View File

@@ -1,35 +0,0 @@
title: Possible Impacket SecretDump Remote Activity
author: Samir Bousseaden, wagga
date: 2019/04/03
description: Detect AD credential dumping using impacket secretdump HKTL
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\ADMIN$
SELECTION_3:
RelativeTargetName: '*SYSTEM32\\*'
SELECTION_4:
RelativeTargetName: '*.tmp*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
modified: 2021/06/27
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
ruletype: SIGMA
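Review bot: SELECTION_3 writes the path as `'*SYSTEM32\\*'` with an escaped double backslash, while the other rules in this commit (for example the iertutil.dll rule's `'*\Internet Explorer\iertutil.dll'`) use a single backslash inside single-quoted wildcard strings; unless the matcher collapses `\\` to one literal backslash, this selection never matches and the rule is dead. Use `'*SYSTEM32\*'` for consistency, or document the escaping convention the engine expects.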

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ImagePath|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
level: high
logsource:
product: windows
service: system
modified: 2021/09/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

View File

@@ -1,31 +0,0 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
SELECTION_2:
EventID: 4697
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
level: high
logsource:
product: windows
service: security
modified: 2021/09/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

View File

@@ -1,38 +0,0 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
ImagePath|re: \\*mdr\*\W\s*\)\.Name
SELECTION_7:
ImagePath|re: \$VerbosePreference\.ToString\(
SELECTION_8:
ImagePath|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
level: high
logsource:
product: windows
service: system
modified: 2021/09/16
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
ruletype: SIGMA
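Review bot: the description embeds the source URL inline after an em dash, and the rule has no `references:` section, unlike the 4697 variant of the same rule in this commit which lists that URL under references; move the link to `references:` and end the description at "Invoke-Obfuscation framework" so the metadata follows the same layout as the rest of the rule set.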

View File

@@ -1,43 +0,0 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the code block linked in the references
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
SELECTION_7:
ServiceFileName|re: \$VerbosePreference\.ToString\(
SELECTION_8:
ServiceFileName|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
level: high
logsource:
product: windows
service: security
modified: 2021/09/16
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
ruletype: SIGMA
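Review bot: the single `references:` entry ends with a stray double quote (`#L873-L888"`), which breaks the link when rendered or followed; remove the trailing `"` so the URL matches the one the 7045 variant of this rule cites.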

View File

@@ -1,28 +0,0 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
ImagePath|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
SELECTION_2:
EventID: 7045
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
level: high
logsource:
product: windows
service: system
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
ruletype: SIGMA

Some files were not shown because too many files have changed in this diff.