Added Sigma Rules

2021-11-14 11:00:56 +09:00
parent ac3ea7b20b
commit 50aebce32e
1078 changed files with 45490 additions and 0 deletions
--- a/rules/Sigma/sysmon_ads_executable.yml
+++ b/rules/Sigma/sysmon_ads_executable.yml
@@ -0,0 +1,36 @@
+title: Executable in ADS
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+description: Detects the creation of an ADS data stream that contains an executable
+    (non-empty imphash)
+detection:
+    SELECTION_1:
+        EventID: 15
+    SELECTION_2:
+        Imphash: '00000000000000000000000000000000'
+    SELECTION_3:
+        Imphash|re: ^$
+    condition: (SELECTION_1 and  not ((SELECTION_2) or (SELECTION_3)))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+- Image
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
+level: critical
+logsource:
+    category: create_stream_hash
+    definition: 'Requirements: Sysmon config with Imphash logging activated'
+    product: windows
+modified: 2020/08/26
+references:
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.s0139
+- attack.t1564.004
+yml_filename: sysmon_ads_executable.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_stream_hash
+