CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added Sigma Rules

Browse Source
This commit is contained in:
Tanaka Zakku
2021-11-14 11:00:56 +09:00
parent ac3ea7b20b
commit 50aebce32e
1078 changed files with 45490 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/Sigma/sysmon_rclone_execution.yml
+61
View File
@@ -0,0 +1,61 @@
title: RClone Execution
author: Bhabesh Raj, Sittikorn S
date: 2021/05/10
description: Detects execution of RClone utility for exfiltration as used by various
ransomwares strains like REvil, Conti, FiveHands, etc
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*--progress*'
SELECTION_11:
CommandLine: '*--ignore-existing*'
SELECTION_12:
CommandLine: '*--auto-confirm*'
SELECTION_13:
CommandLine: '*--transfers*'
SELECTION_14:
CommandLine: '*--multi-thread-streams*'
SELECTION_2:
Description: Rsync for cloud storage
SELECTION_3:
CommandLine: '*--config *'
SELECTION_4:
CommandLine: '*--no-check-certificate *'
SELECTION_5:
CommandLine: '* copy *'
SELECTION_6:
Image: '*\rclone.exe'
SELECTION_7:
CommandLine: '*mega*'
SELECTION_8:
CommandLine: '*pcloud*'
SELECTION_9:
CommandLine: '*ftp*'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
or ((SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))))
falsepositives:
- Legitimate RClone use
fields:
- CommandLine
- ParentCommandLine
- Details
id: a0d63692-a531-4912-ad39-4393325b2a9c
level: high
logsource:
category: process_creation
product: windows
modified: 2021/06/29
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
status: deprecated
tags:
- attack.exfiltration
- attack.t1567.002
yml_filename: sysmon_rclone_execution.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated