Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
2021-12-20 21:14:32 +09:00
committed by GitHub
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions

3
.gitmodules vendored

@@ -1,3 +0,0 @@
[submodule "rules"]
path = rules
url = git@github.com:Yamato-Security/hayabusa-rules.git

1
rules

Submodule rules deleted from 631db51204

2
rules/README.md Normal file

@@ -0,0 +1,2 @@
# hayabusa-rules
Detection rules for hayabusa


@@ -0,0 +1,29 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: Security log was cleared
title_jp: セキュリティログがクリアされた
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the Security event log.
description_jp: 誰かがセキュリティログをクリアした。
id: c2f690ac-53f8-4745-8cfe-7127dda28c74
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 1102
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,29 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Unknown Reason
title_jp: ログオンに失敗 - 不明な理由
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
filter:
- SubStatus: "0xc0000064" #Non-existent user
- SubStatus: "0xc000006a" #Wrong password
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
logsource: default
ruletype: Hayabusa
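Review bot: `tags:` and `references:` at the end of this rule are bare keys, which YAML parses as null rather than as an empty list, so a loader that iterates them needs a special case; write `tags: []` and `references: []` (or drop the keys). The inline comments on the two SubStatus filter entries also lack a space after `#` (`#Non-existent user`), which yamllint flags. The same bare `tags:`/`references:`/`sample-evtx:` pattern recurs in the Wrong Password and Username-does-not-exist rules and throughout the Logon Type 0–13, Logoff and Logoff - User Initiated rules, and `description_jp:` is bare in the Explicit Logon: Suspicious Process and Unknown process rules. `description_jp` here still holds the English text rather than a translation.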


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Wrong Password
title_jp: ログオンに失敗 - パスワードが間違っている
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: e87bd730-df45-4ae9-85de-6c75369c5d29
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc000006a"
condition: selection
falsepositives:
- user mistypes password
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Username does not exist
title_jp: ログオンに失敗 - ユーザ名は存在しない
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints failed logons
description_jp: ログオンに失敗したイベントを出力する
id: 8afa97ce-a217-4f7c-aced-3e320a57756d
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc0000064"
condition: selection
falsepositives:
- user mistypes username
tags:
references:
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,45 @@
author: Zach Mathis
date: 2021/12/17
modified: 2021/12/17
title: "Explicit Logon: Suspicious Process"
title_jp: "不審なプロセスからの明示的なログオン"
output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
description: Alter on explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike.
description_jp:
id: 7616e857-8e41-4976-bc21-811d122b9fc9
level: medium
status: stable
detection:
selection_basic_info:
Channel: Security
EventID: 4648
selection_TargetUserIsComputerAccount:
TargetUserName|endswith: "$"
IpAddress: "-"
filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
filter_SubjectUserIsComputerAccount:
SubjectUserName|endswith: "$"
filter_SystemAccounts:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
selection_SuspiciousProcess:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
condition: selection_basic_info and selection_SuspiciousProcess and not (selection_TargetUserIsComputerAccount
and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts and not filter_UsersAndTargetServerAreComputerAccounts
falsepositives:
- normal system usage
tags:
- attack.privilege_escalation
- attack.lateral_movement
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
sample-evtx: ./EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
logsource: default
ruletype: Hayabusa
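Review bot: The `TargetUserName|re` pattern in filter_SystemAccounts is not anchored at the start, so any account whose name merely ends in `DWM-3` or `UMFD-12` is also excluded from the alert; `TargetUserName|re: "^(DWM|UMFD)-([0-9]|1[0-2])$"` limits the exclusion to the built-in accounts the comment describes (the `IpAddress: "-"` clause still confines it to local logons). The description has two typos, `Alter` for `Alert` and `suspicous` for `suspicious`. `description_jp:` is left bare and therefore parses as null rather than an empty string. The two-line `condition` is a plain multi-line scalar and folds correctly, but a `>-` block scalar would make the continuation explicit to readers and linters.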


@@ -0,0 +1,49 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Unknown process used a high privilege
title_jp: 不明なプロセスが高い権限を使った
output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: |
Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
Disk wipers like bcwipe will also generate this.
More legitimate filepaths may have to be added to the filter.
This is marked as a medium alert as there is a high possibility for false positives.
description_jp:
id: 5b6e58ee-c231-4a54-9eee-af2577802e08
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4673
filter:
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\System32\lsass.exe
- ProcessName: C:\Windows\System32\audiodg.exe
- ProcessName: C:\Windows\System32\svchost.exe
- ProcessName: C:\Windows\System32\mmc.exe
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\explorer.exe
- ProcessName: C:\Windows\System32\SettingSyncHost.exe
- ProcessName: C:\Windows\System32\sdiagnhost.exe
- ProcessName|startswith: C:\Program Files
- SubjectUserName: LOCAL SERVICE
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1561
- attack.impact
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
logsource: default
ruletype: Hayabusa
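Review bot: `- ProcessName: C:\Windows\System32\net.exe` appears twice in the filter list (first and sixth entries); one of them should be dropped. The `ProcessName|startswith: C:\Program Files` entry also covers `C:\Program Files (x86)` and every binary beneath either tree, which is a wide exclusion for a rule whose description already warns about false positives — a comment stating that this breadth is intended would help the next maintainer. `description: |` keeps a trailing newline in the value; `|-` strips it, which is usually what a single output line wants.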


@@ -0,0 +1,30 @@
author: Zach Mathis
creation_date: 2020/11/08
uodated_date: 2021/11/26
title: Hidden user account created! (Possible Backdoor)
title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4720
TargetUserName|endswith: "$" #Any user account that ends with a $ will be treated as a machine account and be hidden by default.
condition: selection
falsepositives:
- machine/computer accounts being created
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
logsource: default
ruletype: Hayabusa
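Review bot: The tag `attack.11136.001` does not match the referenced technique T1136/001 and should read `- attack.t1136.001`, here and in the Local user account created rule that follows. The metadata keys `creation_date` / `uodated_date` differ from the `date` / `modified` pair used by the earlier rules and from `updated_date` used by the group-membership rules, so `uodated_date` (a typo, repeated in the next rule) would be silently ignored by any loader that reads a fixed key name; `updated_date: 2021/11/26` at least matches the sibling files. `description_jp` here still contains the English text.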


@@ -0,0 +1,31 @@
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/26
title: Local user account created
title_jp: ローカルユーザアカウントが作成された
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A local user account was created.
description_jp: ローカルユーザアカウントが作成された.
id: 13edce80-2b02-4469-8de4-a3e37271dcdb
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4720
filter:
TargetUserName|endswith: "$" #Filter out machine/computer accounts
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,32 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to the global Domain Admins group
title_jp: ユーザがグローバルドメイン管理者グループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to the Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
logsource: default
ruletype: Hayabusa
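Review bot: This rule and the later User added to local Domain Admins group rule both match Channel Security, EventID 4728 and TargetUserName `Domain Admins`, so one membership change raises two high alerts; the later one lacks the `$` filter, carries a reference URL for eventid=4732 while matching 4728, and its title says "local" although 4728 is the security-enabled global group event. Unless the second rule is meant to cover something this one does not, merging them (or pointing the second at a distinct event) removes the duplicate. The filter value `SubjectUserName|endswith: $` is unquoted here and in the next rule but `"$"` elsewhere; both parse as the string `$`, but one style would be easier to grep.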


@@ -0,0 +1,31 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: User added to global security group
title_jp: ユーザがグローバルセキュリティグループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
description_jp: ユーザがグローバルのセキュリティグループに追加された。
id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
logsource: default
ruletype: Hayabusa
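Review bot: `Subjet user` in the description should be `Subject user`. This rule has no exclusion for Domain Admins, so an addition to that group fires both here (medium) and in the preceding Domain Admins rule (high); the later local security group rule does exclude `Administrators`, `None` and `Domain Admins`, and a parallel `filter` here would keep the noise down if the overlap is not intended.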


@@ -0,0 +1,30 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された。
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,30 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Domain Admins group
title_jp: ユーザがローカルドメイン管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: bc58e432-959f-464d-812e-d60ce5d46fa1
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,33 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local security group
title_jp: ユーザがローカルセキュリティグループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to a security-enabled local group.
description_jp: ユーザがローカルセキュリティグループに追加された。
id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
- TargetUserName: Administrators
- TargetUserName: None
- TargetUserName: Domain Admins
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
logsource: default
ruletype: Hayabusa
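Review bot: EventID 4728 is the member-added-to-security-enabled-global-group event, while the title, the eventid=4732 reference and the sibling User added to local Administrators group rule (which uses 4732) all point at local groups; as written this rule is the global security group rule minus three group names rather than a local-group detection. If local groups are intended, `EventID: 4732` is the line to change, and the `TargetUserName: None` entry would then deserve a comment explaining which group it refers to.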


@@ -0,0 +1,30 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/26
title: Possible AS-REP Roasting
title_jp: AS-REPロースティングの可能性
output: 'Possible AS-REP Roasting'
output_jp: 'AS-REPロースティングのリスクがある'
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
level: medium
status: test
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 0 #Logon without pre-authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.004
references:
- https://attack.mitre.org/techniques/T1558/004/
logsource: default
ruletype: Hayabusa
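Review bot: `output: 'Possible AS-REP Roasting'` carries no event fields, so an analyst cannot see which account or client address triggered the alert; 4768 records the requested account and the client address, so something like `output: 'User: %TargetUserName% : IP Address: %IpAddress%'` (the same placeholders the 4625 rules use) makes the hit actionable. The same applies to the `output` of the Kerberoasting rule that follows. The two inline comments (`#RC4-HMAC`, `#Logon without pre-authentication`) want a space after `#`.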


@@ -0,0 +1,30 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Kerberoasting
title_jp: Kerberoast攻撃
output: 'Possible Kerberoasting Risk Activity.'
output_jp: 'Kerberoast攻撃のリスクがある'
description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
id: f19849e7-b5ba-404b-a731-9b624d7f6d19
level: medium
status: test
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 2 #Standard password authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.003
references:
- https://attack.mitre.org/techniques/T1558/003/
logsource: default
ruletype: Hayabusa
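Review bot: EventID 4768 is the Kerberos TGT (AS-REQ) event, so with `PreAuthType: 2` and RC4 this rule fires on every RC4 TGT request made with a password — legacy encryption in use — rather than on Kerberoasting; T1558.003, which the tags and reference cite, concerns service ticket (TGS) requests, which Windows logs as 4769. A conventional form is `EventID: 4769` with `TicketEncryptionType: '0x17'`, and since PreAuthType has no counterpart in 4769 to my knowledge that line would go; `status: test` is appropriate until the logic is settled. The current selection is still worth keeping under a title such as "RC4 TGT request" as a weak-crypto indicator.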


@@ -0,0 +1,28 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: System log file was cleared
title_jp: システムログがクリアされた
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the System event log.
description_jp: 誰かがシステムログをクリアした。
id: f481a1f3-969e-4187-b3a5-b47c272bfebd
level: high
status: stable
detection:
selection:
Channel: System
EventID: 104
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,28 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Event log service startup type changed to disabled
title_jp: イベントログサービスのスタートアップの種類が無効に変更された
output: 'Old setting: %param2% : New setting: %param3%'
output: '設定前: %param2% : 設定後: %param3%'
id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
level: medium
status: test
detection:
selection:
Channel: System
EventID: 7040
param1: 'Windows Event Log'
param3: "disabled"
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1562.002
references:
- https://attack.mitre.org/techniques/T1562/002/
logsource: default
ruletype: Hayabusa
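Review bot: `output:` is defined twice (English on the first line, Japanese on the second); YAML 1.2 forbids duplicate keys and most loaders silently keep the last one, so the English output is lost — the second line should be `output_jp: '設定前: %param2% : 設定後: %param3%'`. This rule also lacks the `description` / `description_jp` keys that every other rule carries. The 7040 parameters are, to my knowledge, localized display strings, so `param3: "disabled"` will not match on non-English installs; a comment recording that assumption would help.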


@@ -0,0 +1,33 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/23
title: Malicious service installed
title_jp: 悪意のあるサービスがインストールされた
output: 'Service: %ServiceName% : Path: %ImagePath%'
output_jp: 'サービス名: %ServiceName% : パス: %ImagePath%'
description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
id: dbbfd9f3-9508-478b-887e-03ddb9236909
level: high
status: test
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
regexes: ./config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
condition: selection
falsepositives:
- normal system usage
tags:
- attack.persistence
- attack.t1543.003
references:
- https://attack.mitre.org/techniques/T1543/003/
logsource: default
ruletype: Hayabusa
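Review bot: The description points at `./config/regex/regexes_suspicous_service.txt` while the selection loads `./config/regex/detectlist_suspicous_services.txt`, so one of the two paths is stale; the description should name the file the rule actually reads. The `selection` also combines the ServiceName regex list with `ImagePath: min_length: 1000`, and if the entries under one selection are ANDed (as `Channel` and `EventID` are) the regex match only fires when the image path is at least 1000 characters long, which looks unintended — confirm the semantics of `min_length`/`allowlist` in this rule format, and split the two into separate selections joined with `or` in the condition if they are meant as independent signals.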


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2021/12/01
modified: 2021/12/01
title: Windows Defender Alert
title_jp: Windows Defenderアラート
output: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
output_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
description: Windows defender malware detection
description_jp: Windows defenderのマルウェア検知
id: 810bfd3a-9fb3-44e0-9016-8cdf785fddbf
level: high
status: test
detection:
selection:
Channel: Microsoft-Windows-Windows Defender/Operational
EventID: 1116
falsepositives:
- bad signature
tags:
- malware
references:
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
logsource: default
ruletype: Hayabusa
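Review bot: `detection:` has a `selection` but no `condition:`; every other rule in this commit ends the detection block with `condition: selection`, so this one is either unevaluable or relies on an undocumented default — add `condition: selection` after `EventID: 1116`. The Logon Type 4 - Batch rule later in this commit has the same omission.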


@@ -0,0 +1,31 @@
author: Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Bits Job Creation
title_jp: Bits Jobの作成
output: 'Job Title: %JobTitle% : URL: %Url%'
output_jp: 'Job名: %JobTitle% : URL: %Url%'
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-Bits-Client/Operational
EventID: 59
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- lolbas
references:
- https://attack.mitre.org/techniques/T1197/
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 0 - System
title_jp: ログオンタイプ 0 - System
output: 'Bootup'
output_jp: 'システム起動'
description: Prints logon information
description_jp: Prints logon information
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 0
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 10 - RDP (Remote Interactive)
title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 10
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 11 - CachedInteractive
title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 11
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 12 - CachedRemoteInteractive
title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 12
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 13 - CachedUnlock
title_jp: ログオンタイプ 13 - キャッシュされたアンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 13
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 2 - Interactive
title_jp: ログオンタイプ 2 - インタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information
description_jp: Prints logon information
id: 7beb4832-f357-47a4-afd8-803d69a5c85c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 2
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,31 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 3 - Network
title_jp: ログオンタイプ 3 - ネットワーク
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: c7b22878-e5d8-4c30-b245-e51fd354359e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 3
filter:
- IpAddress: "-"
- IpAddress: "127.0.0.1"
- IpAddress: "::1"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 4 - Batch
title_jp: ログオンタイプ 4 - バッチ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 4
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,31 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 5 - Service
title_jp: ログオンタイプ 5 - サービス
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 408e1304-51d7-4d3e-ab31-afd07192400b
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 5
filter:
- TargetUserName: "SYSTEM"
- TargetUserName: "NETWORK SERVICE"
- TargetUserName: "LOCAL SERVICE"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 7 - Unlock
title_jp: ログオンタイプ 7 - アンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 7
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 8 - NetworkCleartext
title_jp: ログオンタイプ 8 - ネットワーク平文
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
description_jp: Prints logon information
id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 8
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
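Review bot: The sentence `Despite the naming NetworkCleartext, the password is not unhashed` contradicts the vendor description of logon type 8, which says the password is passed to the authentication package in its unhashed form; what the author likely means is that the credential is not necessarily sent in the clear on the wire, IIS Basic Authentication over TLS being the common case. Rewording to `the credential is passed unhashed to the authentication package; whether it crosses the network in the clear depends on the transport (usually TLS for IIS Basic Authentication)` would avoid the confusion. `description_jp` still holds the English text without this caveat.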


@@ -0,0 +1,27 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 9 - NewCredentials
title_jp: ログオンタイプ 9 - 新しい資格情報
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: d80facaa-ca97-47bb-aed2-66362416eb49
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 9
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa


@@ -0,0 +1,28 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff
title_jp: ログオフ
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4634
filter:
TargetUserName|endswith: "$" #filter out computer/machine accounts
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
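Review bot: The `description:` line says `Prints logon information.` for a rule that matches 4634 (an account was logged off); suggest `description: Prints logoff information (4634). Computer account logoffs are filtered out.` so users know machine-account sessions are invisible here. Network (type 3) logoffs make 4634 one of the noisiest Security events, so the informational level is right, but the description should state what the `filter` drops. `description_jp` is untranslated English.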


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff - User Initiated
title_jp: ログオフ - ユーザが行った
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 6bad16f1-02c4-4075-b414-3cd16944bc65
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4647
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
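Review bot: The `description:`/`description_jp:` text `Prints logon information.` is copied from the logon rules onto a rule that matches 4647 (user-initiated logoff); suggest `description: Prints user-initiated logoff information (4647). Unlike 4634 this event is only written when the user explicitly logs off, so it is far less noisy.` `description_jp` should be translated rather than left as English.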


@@ -0,0 +1,54 @@
author: Zach Mathis
date: 2021/12/17
modified: 2021/12/17
title: Explicit Logon
title_jp: 明示的なログオン
output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
description: |
(From ultimatewindowsecurity.com)
This log is generated when
1. A user connects to a server or runs a program locally using alternate credentials.
For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,
selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.
2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.
3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.
Unfortunately the Subject does not identify the end user.
4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)
description_jp:
id: 8c1899fe-493d-4faf-aae1-0853a33a3278
level: informational
status: stable
detection:
selection_basic_info:
Channel: Security
EventID: 4648
selection_TargetUserIsComputerAccount:
TargetUserName|endswith: "$"
IpAddress: "-"
filter_SuspiciousProcess:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
filter_SubjectUserIsComputerAccount:
SubjectUserName|endswith: "$"
filter_SystemAccounts:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
condition: selection_basic_info and not (selection_TargetUserIsComputerAccount and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts
and not filter_UsersAndTargetServerAreComputerAccounts and not filter_SuspiciousProcess
falsepositives:
- normal system usage
tags:
- attack.privilege_escalation
- attack.lateral_movement
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
sample-evtx: ./EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
logsource: default
ruletype: Hayabusa
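Review bot: `filter_SuspiciousProcess` (powershell.exe, WMIC.exe) is negated in `condition`, so 4648 events from exactly those processes are hidden by this rule, but nothing in the file says why; a reader will assume the filter is inverted. Add a comment on the selector, e.g. `filter_SuspiciousProcess: # excluded here: presumably alerted on by a separate higher-level 4648 rule - confirm that rule exists`, and note that `pwsh.exe` is not covered if the intent is to hand PowerShell over to another rule. If `|re` is a search rather than a full match, `(DWM|UMFD)-([0-9]|1[0-2])$` is not anchored at the start and a local backdoor account such as `xDWM-1` would also be filtered; `^(DWM|UMFD)-([0-9]|1[0-2])$` removes the ambiguity either way. Minor: the description cites `ultimatewindowsecurity.com` while the reference URL is `ultimatewindowssecurity.com`, and `description_jp` is empty.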


@@ -0,0 +1,31 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Admin Logon
title_jp: 管理者ログオン
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4672
filter:
- SubjectUserName: "SYSTEM"
- SubjectUserName: "LOCAL SERVICE"
- SubjectUserName: "NETWORK SERVICE"
- SubjectUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
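Review bot: 4672 ("special privileges assigned to new logon") fires for any session granted sensitive privileges such as SeDebugPrivilege or SeBackupPrivilege, not only for members of Administrators, so `title: Admin Logon` with `description: Prints logon information.` oversells what is matched. Suggest `description: 4672 is logged when a new logon session is granted sensitive privileges (e.g. SeDebugPrivilege, SeTcbPrivilege), i.e. an admin-equivalent token. The event has no logon type or source address; correlate with 4624 via SubjectLogonId. Well-known service accounts and computer accounts are filtered.` The `SubjectUserName: "SYSTEM"` style filter entries depend on exact spelling of the account names in the event data, so confirm the engine's match is case-insensitive. `description_jp` is untranslated English.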


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos TGT was requested
title_jp: Kerberos TGTが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
description: Prints logon information.
description_jp: Prints logon information.
id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4768
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
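Review bot: The output omits `%TicketEncryptionType%`, which together with `PreAuthType` is the indicator for AS-REP roasting (pre-auth disabled plus an RC4 0x17 ticket) and for encryption downgrade, so the rule prints only the weaker half of that signal. Suggest `output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType% : EncType: %TicketEncryptionType%'` and the same addition in `output_jp`. 4768 is also written for failed requests (Status 0x6 unknown principal, 0x12 disabled or locked, 0x18 bad password), so the description should say the rule covers success and failure rather than `Prints logon information.` `description_jp` is untranslated English.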


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos Service Ticket Requested
title_jp: Kerberosサービスチケットが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: da6257f3-cf49-464a-96fc-c84a7ce20636
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4769
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
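Review bot: `%TicketEncryptionType%` is missing from the output, and for 4769 it is the primary Kerberoasting indicator (RC4/0x17 service tickets for accounts that normally use AES), so the rule prints every service-ticket request without the one field an analyst needs to triage it. Suggest `output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : EncType: %TicketEncryptionType%'` with the same in `output_jp`. 4769 is written for every resource access in a domain; a `filter` on `ServiceName|endswith: "$"` and `ServiceName: krbtgt`, in the style the sibling rules use for computer accounts, would cut volume without hiding roastable user SPNs. `description_jp` is untranslated English.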


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: NTLM Logon to Local Account
title_jp: ローカルアカウントへのNTLMログオン
output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: 4fbe94b0-577a-4f77-9b13-250e27d440fa
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4776
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
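Review bot: `title: NTLM Logon to Local Account` is only accurate on member servers and workstations; 4776 is logged by whichever host validates the credential, so on a domain controller it records NTLM validation for domain accounts as well. Suggest `description: 4776 is written by the host that validates an NTLM credential - a DC for domain accounts, the local machine for local accounts. Status 0xC000006A (bad password) or 0xC0000064 (unknown user) from one Workstation across many TargetUserName values indicates password spraying.` and either `title: NTLM Credential Validation` or a qualifier on the current title. `description_jp` is untranslated English.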


@@ -0,0 +1,26 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Connection to wireless access point
title_jp: ローカルアカウントへのNTLMログオン
output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
description: Prints connection info to wireless access points.
description_jp: Prints connection info to wireless access points.
id: 90dd0797-f481-453d-a97e-dd78436893f9
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-WLAN-AutoConfig
EventID: 8001
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
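Review bot: `title_jp: ローカルアカウントへのNTLMログオン` is copied from the preceding 4776 rule and means "NTLM logon to local account", not a wireless connection; suggest `title_jp: 無線アクセスポイントへの接続`. To my knowledge the channel name written into WLAN-AutoConfig event XML is `Microsoft-Windows-WLAN-AutoConfig/Operational`; if `Channel:` is matched exactly, `Microsoft-Windows-WLAN-AutoConfig` never fires, and with `sample-evtx:` empty nothing in the rule proves otherwise, so confirm against a captured 8001 event. `description_jp` is untranslated English.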


@@ -0,0 +1,31 @@
author: Yusuke Matsui, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Powershell 2.0 Downgrade Attack
title_jp: Powershell 2.0へのダウングレード攻撃
output: 'Powershell 2.0 downgrade attack detected!'
output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
description: An attacker may have started Powershell 2.0 to evade detection.
description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
id: bc082394-73e6-4d00-a9af-e7b524ef5085
level: medium
status: testing
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 400
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
condition: selection
falsepositives:
- legacy application
tags:
- attack.defense_evasion
- attack.t1562.010
- lolbas
references:
- https://attack.mitre.org/techniques/T1562/010/
- https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/
logsource: non-default
ruletype: Hayabusa
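Review bot: Event ID 400 ("Engine state is changed from None to Available", whose data carries `EngineVersion=`) is written to the classic `Windows PowerShell` channel, while `Microsoft-Windows-PowerShell/Operational` carries the 4103/4104-style events, so `Channel: Microsoft-Windows-PowerShell/Operational` most likely never matches and the downgrade goes unreported. Suggest `Channel: Windows PowerShell` and, because the classic log is enabled by default, `logsource: default`; there is no `sample-evtx`, so verify with a captured engine-start event before merging. The `[\s\S]*` padding around `EngineVersion=2\.0` suggests `|re` is treated as a full match; if the engine performs a search instead the padding is redundant but harmless. A downgrade is best evidenced by `HostVersion=5.x` alongside `EngineVersion=2.0`; matching EngineVersion alone also fires on genuinely old hosts, which the `legacy application` false positive only partly covers.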


@@ -0,0 +1,31 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: PowerShell Execution Pipeline
title_jp: PowerShellパイプライン実行
output: 'Command: %CommandLine%'
output_jp: 'コマンド: %CommandLine%'
description: Displays powershell execution
description_jp: Powershellの実行を出力する。
id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
ContextInfo:
- Host Application
- ホスト アプリケーション
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.t1059.001
- lolbas
references:
logsource: non-default
ruletype: Hayabusa
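Review bot: `ContextInfo` in 4103 is a multi-line block (`Severity = Informational ... Host Application = ...`), so the plain values `Host Application` / `ホスト アプリケーション` only match if the engine treats bare strings as substring matches; if they are exact matches this rule never fires. If substring is not the default, use `ContextInfo|contains:` with the same two values. `%CommandLine%` is not a native 4103 field (the command text lives in `Payload`/`ContextInfo`), so confirm the alias exists or the output prints an empty value; with no `sample-evtx` neither point can be checked from the file. The `attack.defense_evasion` and `lolbas` tags are odd on an informational rule that displays all pipeline execution; `attack.execution` with `attack.t1059.001` describes the content better.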


@@ -0,0 +1,28 @@
author: Zach Mathis
date: 2021/12/16
modified: 2021/12/16
title: Network Share Access
title_jp: ネットワーク共有へのアクセス
output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress%'
output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress%'
description:
description_jp:
id: 15d042c1-07c6-4e16-ae7d-e0e556ccd9a8
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 5140
condition: selection
falsepositives:
- normal system usage
tags:
- attack.t1039 # Data from network shared drive
- attack.collection
references:
sample-evtx: ./EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
logsource: non-default
ruletype: Hayabusa
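Review bot: There is no filter for `IPC$`, so every named-pipe/IPC connection is printed alongside real share access, whereas the sibling 5145 rule excludes `ShareName: "\\\\*\\IPC$"`; for consistency and noise reduction add a `filter:` with `ShareName: "\\\\*\\IPC$"` and `condition: selection and not filter`. `description:` and `description_jp:` are empty; suggest `description: Network share access (5140). Requires Object Access > Audit File Share to be enabled; IPC$ connections are filtered.` The cited sample evtx is a SharpHound share-enumeration case, so `attack.t1135` (Network Share Discovery) belongs in `tags:` next to `attack.t1039`.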


@@ -0,0 +1,33 @@
author: Zach Mathis
date: 2021/12/16
modified: 2021/12/16
title: Network Share File Access
title_jp: ネットワーク共有へのアクセス
output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress%'
output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress%'
description:
description_jp:
id: 8c6ec2b2-8dad-4996-9aba-d659afc1b919
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 5145
filter:
- ShareLocalPath: ""
- ShareLocalPath: "null"
- ShareName: "\\\\*\\IPC$"
- RelativeTargetName: "\\"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.t1039 # Data from network shared drive
- attack.collection
references:
sample-evtx: ./EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
logsource: non-default
ruletype: Hayabusa
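Review bot: `title_jp: ネットワーク共有へのアクセス` is the same string as the 5140 rule's Japanese title, so the two rules are indistinguishable in Japanese output; suggest `title_jp: ネットワーク共有ファイルへのアクセス`. The output omits `%AccessMask%`, which is what separates a read from a write on the share and therefore a tool copy into ADMIN$/C$ from browsing; append `: Access: %AccessMask%` to both output lines. `description:` and `description_jp:` are empty; describe what the filter drops (empty or `null` share path, IPC$, the share root `\`) so analysts know those accesses are invisible here. The cited sample evtx is a share-discovery case, so `attack.t1135` belongs in `tags:` next to `attack.t1039`.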


@@ -0,0 +1,29 @@
author: Zach Mathis
date: 2021/12/11
modified: 2021/12/11
title: Process Creation Sysmon Rule Alert
title_jp: プロセス起動 - Sysmonルールアラート
output: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
output_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
description: Sysmon process creation
description_jp: Sysmonログによるプロセス起動のログ
id: d5e4fb89-b027-43bf-bd3a-2e7f74f105ac
level: high
status: stable
detection:
selection:
Channel: Microsoft-Windows-Sysmon/Operational
EventID: 1
filter:
- RuleName: ""
- RuleName: "-"
condition: selection and not filter
falsepositives:
- bad sysmon rule
tags:
references:
sample-evtx:
logsource: sysmon
ruletype: Hayabusa
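Review bot: `level: high` is applied to every Sysmon event 1 that carries any `RuleName`, but widely used configurations (e.g. SwiftOnSecurity, Olaf Hartong's modular config) annotate large numbers of benign process starts with `technique_id=...` rule names, so this rule will flood the high bucket on such hosts and `falsepositives: - bad sysmon rule` understates that. Either document it - `description: Sysmon process creation that matched a named Sysmon rule. Severity depends entirely on the deployed Sysmon configuration; configs that annotate benign processes with MITRE tags will produce many high-level hits.` - or default to medium and let users raise it. `description_jp` should carry the same caveat.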


@@ -0,0 +1,29 @@
author: Zach Mathis
date: 2021/12/11
modified: 2021/12/11
title: Process Creation
title_jp: プロセス起動
output: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
output_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
description: Sysmon process creation. Displays only commands that have not been flagged with a sysmon detection rule.
description_jp: Sysmonログによるプロセス起動のログ
id: 85790e3e-e270-499f-a6ad-f8afe85c35f1
level: informational
status: stable
detection:
selection_1:
Channel: Microsoft-Windows-Sysmon/Operational
EventID: 1
selection_2:
- RuleName: ""
- RuleName: "-"
condition: selection_1 and selection_2
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: sysmon
ruletype: Hayabusa



@@ -0,0 +1,39 @@
title: Audit CVE Event
ruletype: Sigma
author: Florian Roth
date: 2020/01/15
description: Detects events generated by Windows to indicate the exploitation of a
known vulnerability (e.g. CVE-2020-0601)
detection:
SELECTION_1:
Provider_Name: Microsoft-Windows-Audit-CVE
condition: SELECTION_1
falsepositives:
- Unknown
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
level: critical
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://twitter.com/mattifestation/status/1217179698008068096
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
status: experimental
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004


@@ -0,0 +1,44 @@
title: Relevant Anti-Virus Event
ruletype: Sigma
author: Florian Roth
date: 2017/02/19
description: This detection method points out highly relevant Antivirus events
detection:
SELECTION_1:
- HTool-
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- .WinCred.
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
SELECTION_2:
- Keygen
- Crack
condition: ((SELECTION_1) and not (SELECTION_2))
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
level: high
logsource:
product: windows
service: application
modified: 2021/11/20
status: experimental
tags:
- attack.resource_development
- attack.t1588
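Review bot: `SELECTION_1` and `SELECTION_2` are bare string lists with no field name, i.e. Sigma keyword searches over the whole event; this only works if the engine matches unkeyed lists against the full event text, otherwise the rule never fires and the conversion silently loses the detection. Confirm the backend's handling of field-less lists, or bind them to the data field the AV products actually write so the intent is explicit. The keywords are mixed-case literals (`Mimikatz`, `Webshell`); if the engine's substring match is case-sensitive, products that lower-case detection names will be missed.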


@@ -0,0 +1,28 @@
title: Atera Agent Installation
ruletype: Sigma
author: Bhabesh Raj
date: 2021/09/01
description: Detects successful installation of Atera Remote Monitoring & Management
(RMM) agent as recently found to be used by Conti operators
detection:
SELECTION_1:
EventID: 1033
SELECTION_2:
Provider_Name: MsiInstaller
SELECTION_3:
Message: '*AteraAgent*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate Atera agent installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
status: experimental
tags:
- attack.t1219


@@ -0,0 +1,28 @@
title: Backup Catalog Deleted
ruletype: Sigma
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
date: 2017/05/12
description: Detects backup catalog deletions
detection:
SELECTION_1:
EventID: 524
SELECTION_2:
Provider_Name: Microsoft-Windows-Backup
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 9703792d-fd9a-456d-a672-ff92efe4806a
level: medium
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
status: experimental
tags:
- attack.defense_evasion
- attack.t1107
- attack.t1070.004


@@ -0,0 +1,39 @@
title: Microsoft Malware Protection Engine Crash
ruletype: Sigma
author: Florian Roth
date: 2017/05/09
description: This rule detects a suspicious crash of the Microsoft Malware Protection
Engine
detection:
SELECTION_1:
Provider_Name: Application Error
SELECTION_2:
EventID: 1000
SELECTION_3:
Provider_Name: Windows Error Reporting
SELECTION_4:
EventID: 1001
SELECTION_5:
- MsMpEng.exe
SELECTION_6:
- mpengine.dll
condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and
(SELECTION_5 and SELECTION_6))
falsepositives:
- MsMpEng.exe can crash when C:\ is full
id: 6c82cf5c-090d-4d57-9188-533577631108
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1211
- attack.t1562.001


@@ -0,0 +1,32 @@
title: CVE-2020-0688 Exploitation via Eventlog
ruletype: Sigma
author: Florian Roth, wagga
date: 2020/02/29
description: Detects the exploitation of Microsoft Exchange vulnerability as described
in CVE-2020-0688
detection:
SELECTION_1:
EventID: 4
SELECTION_2:
Provider_Name: MSExchange Control Panel
SELECTION_3:
Level: Error
SELECTION_4:
- '&__VIEWSTATE='
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: d6266bf5-935e-4661-b477-78772735a7cb
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
status: experimental
tags:
- attack.initial_access
- attack.t1190
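Review bot: `Level: Error` in `SELECTION_3` is the rendered level name, but the EVTX System section stores `Level` as an integer (2 = Error); unless the engine maps the string to the numeric value, this condition never matches and CVE-2020-0688 exploitation goes undetected. Suggest `Level: 2` (or the engine's documented alias) and a `sample-evtx` to prove it. `SELECTION_4` is a field-less keyword (`'&__VIEWSTATE='`) and depends on full-text matching; binding it to the event's message data field would make the conversion explicit.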


@@ -0,0 +1,27 @@
title: LPE InstallerFileTakeOver PoC CVE-2021-41379
ruletype: Sigma
author: Florian Roth
date: 2021/11/22
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
detection:
SELECTION_1:
EventID: 1033
SELECTION_2:
Provider_Name: MsiInstaller
SELECTION_3:
- test pkg
condition: ((SELECTION_1 and SELECTION_2) and SELECTION_3)
falsepositives:
- Other MSI packages for which your admins have used that name
id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
level: high
logsource:
product: windows
service: application
references:
- https://github.com/klinix5/InstallerFileTakeOver
status: experimental
tags:
- attack.initial_access
- attack.t1190
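Review bot: The tags `attack.initial_access` / `attack.t1190` (Exploit Public-Facing Application) do not describe a local privilege escalation; the title and description both say LPE, which maps to `attack.privilege_escalation` / `attack.t1068` (Exploitation for Privilege Escalation). `SELECTION_3` is a field-less keyword (`test pkg`) and therefore relies on full-text matching by the engine; binding it to the MsiInstaller message or product-name field would make the match explicit. Matching on the PoC's hard-coded package name is trivially evaded by rebuilding it with another name, which `falsepositives` or the description should state so a quiet log is not read as absence of exploitation.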


@@ -0,0 +1,40 @@
title: Azure AD Health Monitoring Agent Registry Keys Access
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
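Review bot: The `SELECTION_5` exclusion matches `ProcessName` with `*...*` wildcards on the file name alone, so any binary named e.g. `Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe` placed anywhere on disk bypasses a medium-level rule; anchoring the patterns to the agent's install directory (not given in the rule, so confirm the path on a reference AD FS host) would close that. `ObjectName` is an exact match on the `MonitoringAgent` key; value reads go through a handle on that key and still match, but any sub-key created under it would not, which is fine only if the key stays flat. The SACL prerequisite is stated in the description; consider repeating it under `logsource.definition` as `Requirements: ...`, where the sibling rules place theirs.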


@@ -0,0 +1,42 @@
title: Azure AD Health Service Agents Registry Keys Access
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
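Review bot: The description tells the user to propagate the SACL to sub-keys, but `SELECTION_4` matches `ObjectName` exactly against `\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent`, and a 4656/4663 for a sub-key carries the sub-key's full path, so the accesses the SACL was extended to collect are dropped by this rule. Use `ObjectName|startswith: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'` so the rule covers what the audit policy collects. As in the monitoring-agent rule, the `ProcessName` exclusion is a file-name wildcard that a renamed binary can satisfy; anchor it to the agent's install path if that path is stable.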


@@ -0,0 +1,35 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
ruletype: Sigma
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
date: 2019/04/03
description: backdooring domain object to grant the rights associated with DCSync
to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
detection:
SELECTION_1:
EventID: 5136
SELECTION_2:
AttributeLDAPDisplayName: ntSecurityDescriptor
SELECTION_3:
AttributeValue:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute
of event 5136 and verify if it's a regular user or DC computer account.
id: 2c99737c-585d-4431-b61a-c911d86ff32f
level: critical
logsource:
product: windows
service: security
modified: 2021/07/09
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
status: experimental
tags:
- attack.persistence
- attack.t1098
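Review bot: The rule matches any 5136 whose `ntSecurityDescriptor` value contains the DCSync control-access GUIDs without checking `OperationType`, so removing such an ACE (value deleted, `%%14675`) raises the same critical "backdoor" alert as adding one (`%%14674`); add `OperationType: '%%14674'` to the selection or at least list clean-up operations in `falsepositives`. 5136 requires both the "Audit Directory Service Changes" subcategory and a SACL for Write on the domain head object; the sibling rules put such prerequisites in `logsource.definition`, which this rule lacks. `AttributeValue` is an SDDL string, so the GUIDs appear as written here only if the engine's match is case-insensitive; confirm that.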


@@ -0,0 +1,44 @@
title: AD Privileged Users or Groups Reconnaissance
ruletype: Sigma
author: Samir Bousseaden
date: 2019/04/03
description: Detect priv users or groups recon based on 4661 eventid and known privileged
users or groups SIDs
detection:
SELECTION_1:
EventID: 4661
SELECTION_2:
ObjectType:
- SAM_USER
- SAM_GROUP
SELECTION_3:
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
SELECTION_4:
ObjectName: '*admin*'
condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
falsepositives:
- if source account name is not an admin then its super suspicious
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
level: high
logsource:
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
product: windows
service: security
modified: 2021/09/08
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002


@@ -0,0 +1,33 @@
title: AD Object WriteDAC Access
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects WRITE_DAC access to a domain object
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectServer: DS
SELECTION_3:
AccessMask: '0x40000'
SELECTION_4:
ObjectType:
- 19195a5b-6da0-11d0-afd3-00c04fd930c9
- domainDNS
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
status: test
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001


@@ -0,0 +1,42 @@
title: Active Directory Replication from Non Machine Account
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/07/26
description: Detects potential abuse of Active Directory Replication Service (ADRS)
from a non machine account to request credentials.
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
AccessMask: '0x100'
SELECTION_3:
Properties:
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
SELECTION_4:
SubjectUserName: '*$'
SELECTION_5:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
or SELECTION_5))
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 17d619c1-e020-4347-957e-1d1207455c93
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
status: test
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.006
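Review bot: The `SELECTION_5` exclusion `SubjectUserName: MSOL_*` is a name-prefix allow-list for the Azure AD Connect sync account, which an attacker who creates or renames an account to `MSOL_anything` can satisfy to run DCSync unseen by a critical rule; exclude the specific sync account (or its SID) the environment uses instead of the prefix, and record the bypass in `falsepositives`. The `*$` exclusion likewise trusts any account whose name ends in `$`, which a user account can be given, so it should be documented as a known gap as well. 4662 here also needs the "Audit Directory Service Access" subcategory plus a SACL for Control Access on the domain object, which belongs in `logsource.definition` as the sibling rules do.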


@@ -0,0 +1,35 @@
title: AD User Enumeration
ruletype: Sigma
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/30
description: Detects access to a domain user from a non-machine account
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
SELECTION_3:
SubjectUserName: '*$'
SELECTION_4:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
falsepositives:
- Administrators configuring new users.
id: ab6bffca-beff-4baa-af11-6733f296d57a
level: medium
logsource:
definition: Requires the "Read all properties" permission on the user object to
be audited for the "Everyone" principal
product: windows
service: security
modified: 2021/08/09
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002


@@ -0,0 +1,35 @@
title: ADCS Certificate Template Configuration Vulnerability
ruletype: Sigma
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_3:
EventID: 4899
SELECTION_4:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
level: low
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access
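Review bot: 4898/4899 are only written when Certification Services auditing is enabled (the "Audit Certification Services" subcategory plus the CA's own audit filter including template load/change events), yet `logsource.definition` only explains what the events mean; add a `Requirements:` sentence in the style of the sibling rules, e.g. `Requirements: enable Object Access > Audit Certification Services and set the CA audit filter (certutil -setreg CA\AuditFilter) to include template events`. `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` alone is not ESC1 - the template also needs an authentication-capable EKU and enrollment rights for low-privileged principals, which is what the companion "Risky EKU" rule adds - so the description should say this is the broad, low-confidence half of the pair. `Smart card enrollement` in `falsepositives` is a typo for `enrollment`.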


@@ -0,0 +1,49 @@
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
ruletype: Sigma
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
and risky EKU
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_3:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_4:
EventID: 4899
SELECTION_5:
NewTemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_6:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
level: high
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag with risky EKU.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access


@@ -0,0 +1,37 @@
title: Admin User Remote Logon
ruletype: Sigma
author: juju4
date: 2017/10/29
description: Detect remote login by Administrator user (depending on internal pattern).
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
LogonType: 10
SELECTION_3:
AuthenticationPackageName: Negotiate
SELECTION_4:
TargetUserName: Admin*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administrative activity.
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
level: low
logsource:
definition: 'Requirements: Identifiable administrators usernames (pattern or special
unique character. ex: "Admin-*"), internal policy mandating use only as secondary
account'
product: windows
service: security
modified: 2021/07/07
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
status: experimental
tags:
- attack.lateral_movement
- attack.t1078
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005


@@ -0,0 +1,29 @@
title: Access to ADMIN$ Share
ruletype: Sigma
author: Florian Roth
date: 2017/03/04
description: Detects access to $ADMIN share
detection:
SELECTION_1:
EventID: 5140
SELECTION_2:
ShareName: Admin$
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Legitimate administrative activity
id: 098d7118-55bc-4912-a836-dc6483a8d150
level: low
logsource:
definition: The advanced audit policy setting "Object Access > Audit File Share"
must be configured for Success/Failure
product: windows
service: security
modified: 2021/11/27
status: test
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
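Review bot: `ShareName: Admin$` is an exact match, but 5140 writes the share as a UNC path (`\\*\ADMIN$`), which is also the format the 5145 rule in this commit uses (`ShareName: "\\\\*\\IPC$"`); as written this rule is unlikely ever to fire. Use `ShareName: '\\\\*\\ADMIN$'` (or `ShareName|endswith: '\ADMIN$'`) and confirm against an evtx, since there is no `sample-evtx`. The `SubjectUserName: '*$'` exclusion trusts any account whose name ends in `$` and should be noted in `falsepositives` as a known bypass. Minor: the description says `$ADMIN share`; the share is `ADMIN$`.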


@@ -0,0 +1,32 @@
title: Enabled User Right in AD to Control User Objects
ruletype: Sigma
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
right in Active Directory it would allow control of other AD user objects.
detection:
SELECTION_1:
EventID: 4704
SELECTION_2:
PrivilegeList:
- '*SeEnableDelegationPrivilege*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
level: high
logsource:
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
modified: 2021/12/02
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
status: test
tags:
- attack.persistence
- attack.t1098


@@ -0,0 +1,48 @@
title: Active Directory User Backdoors
ruletype: Sigma
author: '@neu5ron'
date: 2017/04/13
description: Detects scenarios where one can control another users or computers account
without having to use their credentials.
detection:
SELECTION_1:
EventID: 4738
SELECTION_2:
AllowedToDelegateTo: '-'
SELECTION_3:
AllowedToDelegateTo|re: ^$
SELECTION_4:
EventID: 5136
SELECTION_5:
AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
SELECTION_6:
ObjectClass: user
SELECTION_7:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_8:
AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
condition: ((SELECTION_1 and not (SELECTION_2 or SELECTION_3)) or (SELECTION_4
and (SELECTION_5 or (SELECTION_6 and SELECTION_7) or SELECTION_8)))
falsepositives:
- Unknown
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\DS Access\Audit Directory Service Changes'
product: windows
service: security
modified: 2021/11/27
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
status: test
tags:
- attack.t1098
- attack.persistence


@@ -0,0 +1,92 @@
title: Weak Encryption Enabled and Kerberoast
ruletype: Sigma
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where weak encryption is enabled for a user profile
which could be used for hash/password cracking.
detection:
SELECTION_1:
EventID: 4738
SELECTION_2:
NewUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_3:
OldUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_4:
NewUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_5:
OldUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_6:
NewUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
SELECTION_7:
OldUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
falsepositives:
- Unknown
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management'
product: windows
service: security
modified: 2021/11/27
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
status: test
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001


@@ -0,0 +1,41 @@
title: Hacktool Ruler
ruletype: Sigma
author: Florian Roth
date: 2017/05/31
description: This events that are generated when using the hacktool Ruler by Sensepost
detection:
SELECTION_1:
EventID: 4776
SELECTION_2:
Workstation: RULER
SELECTION_3:
EventID: 4624
SELECTION_4:
EventID: 4625
SELECTION_5:
WorkstationName: RULER
condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
falsepositives:
- Go utilities that use staaldraad awesome NTLM library
id: 24549159-ac1b-479c-8175-d42aea947cae
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://github.com/sensepost/ruler
- https://github.com/sensepost/ruler/issues/47
- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1087
- attack.t1075
- attack.t1114
- attack.t1059
- attack.t1550.002


@@ -0,0 +1,42 @@
title: Chafer Activity
ruletype: Sigma
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 4698
SELECTION_2:
TaskName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
level: critical
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
status: experimental
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004


@@ -0,0 +1,32 @@
title: Defrag Deactivation
ruletype: Sigma
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
description: Detects the deactivation and disabling of the Scheduled defragmentation
task as seen by Slingshot APT group
detection:
SELECTION_1:
EventID: 4701
SELECTION_2:
TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
level: medium
logsource:
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
product: windows
service: security
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
status: experimental
tags:
- attack.persistence
- attack.t1053
- attack.s0111


@@ -0,0 +1,38 @@
title: Operation Wocao Activity
ruletype: Sigma
author: Florian Roth, frack113
date: 2019/12/20
description: Detects activity mentioned in Operation Wocao report
detection:
SELECTION_1:
EventID: 4799
SELECTION_2:
TargetUserName: Administr*
SELECTION_3:
CallerProcessName: '*\checkadmin.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
level: high
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
status: experimental
tags:
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- attack.t1036
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1053
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,35 @@
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
ruletype: Sigma
author: Sreeman
date: 2020/03/13
description: The .SettingContent-ms file type was introduced in Windows 10 and allows
a user to create "shortcuts" to various Windows 10 setting pages. These files are
simply XML and contain paths to various Windows 10 settings binaries.
detection:
SELECTION_1:
CommandLine: '*.SettingContent-ms*'
SELECTION_2:
FilePath: '*immersivecontrolpanel*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
level: medium
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
status: experimental
tags:
- attack.t1204
- attack.t1193
- attack.t1566.001
- attack.execution
- attack.initial_access
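Review bot: SELECTION_1 matches on `CommandLine` under `service: security` with no `EventID` selector, unlike every other rule in this commit, so the rule is evaluated against any Security-channel event that happens to carry a CommandLine field rather than against process creation. If 4688 is the intended source, pin it with `EventID: 4688` in SELECTION_1 and confirm the field names: `FilePath` in SELECTION_2 does not look like a 4688 field (the image path there is `NewProcessName`, as far as I can tell), so the immersivecontrolpanel exclusion probably never applies. A `logsource.definition` should also record that command-line logging must be enabled for 4688, otherwise the CommandLine field is empty and the rule is inert.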


@@ -0,0 +1,30 @@
title: Using AppVLP To Circumvent ASR File Path Rule
ruletype: Sigma
author: Sreeman
date: 2020/03/13
description: Application Virtualization Utility is included with Microsoft Office.We
are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
for Application Virtualization, but we can use it as an abuse binary to circumvent
the ASR file path rule folder or to mark a file as a system file
detection:
SELECTION_1:
CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
condition: SELECTION_1
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
level: medium
logsource:
product: windows
service: security
modified: 2021/06/11
status: experimental
tags:
- attack.t1218
- attack.defense_evasion
- attack.execution
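Review bot: The regex in SELECTION_1 uses unescaped dots throughout (`appvlp.exe`, `cmd.exe`, `.sh|.exe|...`), so `.sh` matches any character followed by `sh` and the trailing alternation is satisfied by almost any command line; escape them (`appvlp\.exe`, `\.sh|\.exe|…`) so the extension check means something. As with the SettingContent-ms rule, there is no `EventID` selector for a `service: security` logsource — add `EventID: 4688` so the pattern is only evaluated against process-creation events. The alternation also requires `cmd.exe` or `powershell.exe` literally, so `pwsh.exe` or a renamed interpreter is not covered; either widen it or note the limitation in the description.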


@@ -0,0 +1,37 @@
title: Remote Task Creation via ATSVC Named Pipe
ruletype: Sigma
author: Samir Bousseaden
date: 2019/04/03
description: Detects remote task creation via at.exe or API interacting with ATSVC
namedpipe
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\\*\IPC$
SELECTION_3:
RelativeTargetName: atsvc
SELECTION_4:
Accesses: '*WriteData*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
level: medium
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
modified: 2021/11/27
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
status: test
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002


@@ -0,0 +1,33 @@
title: Processes Accessing the Microphone and Webcam
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
description: Potential adversaries accessing the microphone and webcam in an endpoint.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4663
SELECTION_4:
ObjectName:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
level: medium
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
status: test
tags:
- attack.collection
- attack.t1123
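Review bot: 4656/4657/4663 for the ConsentStore registry paths in SELECTION_4 are only generated when a SACL is present on those keys, and unlike the Windows Defender Exclusion rule in this commit there is no `definition:` under `logsource` saying so, so operators will assume coverage they do not have. Suggest `definition: 'Requirements: Object Access > Audit Registry enabled and a SACL on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'`. The patterns also only match the `NonPackaged` subtrees; if store (packaged) apps should be covered as well, that needs a second pair of patterns, otherwise say it is intentional in the description.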


@@ -0,0 +1,32 @@
title: DCERPC SMB Spoolss Named Pipe
ruletype: Sigma
author: OTR (Open Threat Research)
date: 2018/11/28
description: Detects the use of the spoolss named pipe over SMB. This can be used
to trigger the authentication via NTLM of any machine that has the spoolservice
enabled.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\\*\IPC$
SELECTION_3:
RelativeTargetName: spoolss
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Domain Controllers acting as printer servers too? :)
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
level: medium
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
status: test
tags:
- attack.lateral_movement
- attack.t1021.002


@@ -0,0 +1,31 @@
title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020/10/12
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
DLL Hijack scenario.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
RelativeTargetName: '*\Internet Explorer\iertutil.dll'
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Unknown
id: c39f0c81-7348-4965-ab27-2fde35a1b641
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
status: test
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1021.003


@@ -0,0 +1,41 @@
title: Mimikatz DC Sync
ruletype: Sigma
author: Benjamin Delpy, Florian Roth, Scott Dermott
date: 2018/06/03
description: Detects Mimikatz DC sync security events
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
Properties:
- '*Replicating Directory Changes All*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
SELECTION_3:
SubjectDomainName: Window Manager
SELECTION_4:
SubjectUserName:
- NT AUTHORITY*
- MSOL_*
SELECTION_5:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not ((SELECTION_3) or (SELECTION_4)
or (SELECTION_5)))
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
status: experimental
tags:
- attack.credential_access
- attack.s0002
- attack.t1003
- attack.t1003.006
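Review bot: The exclusions in SELECTION_4 and SELECTION_5 are prefix/suffix based (`NT AUTHORITY*`, `MSOL_*`, `*$`), so a replication request made from a compromised computer account, or from an attacker-created account that simply starts with `MSOL_`, is silently dropped by the `not (...)` branch of the condition. Consider narrowing them to the concrete principals in the environment (the real Azure AD Connect account name and the DC computer accounts) rather than patterns, and record the residual gap in falsepositives, e.g. `- Replication performed with a machine account or an MSOL_-named account is not alerted on`. The `Window Manager` domain exclusion in SELECTION_3 is unexplained; a one-line comment on why it exists would help the next tuner.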


@@ -0,0 +1,36 @@
title: Windows Defender Exclusion Set
ruletype: Sigma
author: '@BarryShooshooga'
date: 2019/10/26
description: Detects scenarios where an windows defender exclusion was added in registry
where an entity would want to bypass antivirus scanning from windows defender
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4660
SELECTION_4:
EventID: 4663
SELECTION_5:
ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
falsepositives:
- Intended inclusions by administrator
id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
level: high
logsource:
definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
Policy, Registry System Access Control (SACL): Auditing/User'
product: windows
service: security
modified: 2021/11/27
references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
status: test
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001


@@ -0,0 +1,41 @@
title: Disabling Windows Event Auditing
ruletype: Sigma
author: '@neu5ron'
date: 2017/11/19
description: 'Detects scenarios where system auditing (ie: windows event log auditing)
is disabled. This may be used in a scenario where an entity would want to bypass
local logging to evade detection when windows event logging is enabled and reviewed.
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO,
which will make sure that Active Directory GPOs take precedence over local/edited
computer policies via something such as "gpedit.msc". Please note, that disabling
"Local Group Policy Object Processing" may cause an issue in scenarios of one off
specific GPO modifications -- however it is recommended to perform these modifications
in Active Directory anyways.'
detection:
SELECTION_1:
EventID: 4719
SELECTION_2:
AuditPolicyChanges:
- '*%%8448*'
- '*%%8450*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 69aeb277-f15f-4d2d-b32a-55e883609563
level: high
logsource:
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
modified: 2021/11/27
references:
- https://bit.ly/WinLogsZero2Hero
status: test
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.002


@@ -0,0 +1,32 @@
title: DPAPI Domain Backup Key Extraction
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/06/20
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
Controllers
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: SecretObject
SELECTION_3:
AccessMask: '0x2'
SELECTION_4:
ObjectName: BCKUPKEY
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: test
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004


@@ -0,0 +1,30 @@
title: DPAPI Domain Master Key Backup Attempt
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects anyone attempting a backup for the DPAPI Master Key. This events
gets generated at the source and not the Domain Controller.
detection:
SELECTION_1:
EventID: 4692
condition: SELECTION_1
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: test
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
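Review bot: The rule is `level: critical` on a bare `EventID: 4692` with no further selector or filter; if 4692 is also logged for routine, client-initiated backups of a user's DPAPI master key (the description itself says it "gets generated at the source"), a critical alert on every occurrence will be noisy. If that is intended, replace `falsepositives: - Unknown` with something like `- Routine master key backup from domain-joined clients`, or add a filter on `SubjectUserName`/`ComputerName` for expected sources. Worth confirming the event's normal frequency against the referenced playbook before shipping at critical.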


@@ -0,0 +1,38 @@
title: COMPlus_ETWEnabled Registry Modification
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
SELECTION_3:
ObjectValueName: ETWEnabled
SELECTION_4:
NewValue: '0'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
status: test
tags:
- attack.defense_evasion
- attack.t1112
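Review bot: 4657 for `\SOFTWARE\Microsoft\.NETFramework` requires a registry SACL on that key, and the rule has no `definition:` documenting it, so on default audit settings it is silently inert; add `definition: 'Requirements: Object Access > Audit Registry with a SACL on HKLM\SOFTWARE\Microsoft\.NETFramework'`. The title names `COMPlus_ETWEnabled`, but the selectors only see the registry form (`ObjectValueName: ETWEnabled`); the same setting supplied as a process environment variable produces no registry event, which the description should state so nobody assumes that path is covered. `NewValue: '0'` being quoted is correct and should stay that way.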


@@ -0,0 +1,31 @@
title: Security Event Log Cleared
ruletype: Sigma
author: Saw Winn Naung
date: 2021/08/15
description: Checks for event id 1102 which indicates the security event log was cleared.
detection:
SELECTION_1:
EventID: 1102
SELECTION_2:
Provider_Name: Microsoft-Windows-Eventlog
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative activity
fields:
- SubjectLogonId
- SubjectUserName
- SubjectUserSid
- SubjectDomainName
id: a122ac13-daf8-4175-83a2-72c387be339d
level: medium
logsource:
product: windows
service: security
modified: 2021/10/13
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
status: experimental
tags:
- attack.t1107
- attack.t1070.001


@@ -0,0 +1,35 @@
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
ruletype: Sigma
author: INIT_6
date: 2021/07/02
description: Detects remote printer driver load from Detailed File Share in Security
logs that are a sign of successful exploitation attempts against print spooler vulnerability
CVE-2021-1675 and CVE-2021-34527
detection:
SELECTION_1:
EventID: '5145'
SELECTION_2:
ShareName: \\\*\IPC$
SELECTION_3:
RelativeTargetName: spoolss
SELECTION_4:
AccessMask: '0x3'
SELECTION_5:
ObjectType: File
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- nothing observed so far
id: 8fe1c584-ee61-444b-be21-e9054b229694
level: critical
logsource:
product: windows
service: security
references:
- https://twitter.com/INIT_3/status/1410662463641731075
status: experimental
tags:
- attack.execution
- attack.t1569
- cve.2021.1675
- cve.2021.34527
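Review bot: `EventID: '5145'` in SELECTION_1 is a quoted string, whereas every other 5145 rule in this commit uses the bare integer (`EventID: 5145`); if the engine compares the typed YAML value against the numeric event ID this selector never matches, so change it to `EventID: 5145` for consistency. This rule is a stricter form of the DCERPC SMB Spoolss Named Pipe rule (same IPC$/spoolss selectors plus `AccessMask: '0x3'` and `ObjectType: File`); a `related:` entry pointing at id `214e8f95-100a-4e04-bb31-ef6cba8ce07e` with `type: derived` would make that relationship visible to tuners.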


@@ -0,0 +1,29 @@
title: External Disk Drive Or USB Storage Device
ruletype: Sigma
author: Keith Wright
date: 2019/11/20
description: Detects external diskdrives or plugged in USB devices , EventID 6416
on windows 10 or later
detection:
SELECTION_1:
EventID: 6416
SELECTION_2:
ClassName: DiskDrive
SELECTION_3:
DeviceDescription: USB Mass Storage Device
condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
falsepositives:
- Legitimate administrative activity
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
level: low
logsource:
product: windows
service: security
modified: 2021/08/09
status: experimental
tags:
- attack.t1091
- attack.t1200
- attack.lateral_movement
- attack.initial_access
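Review bot: The condition `((SELECTION_1 and SELECTION_2) or SELECTION_3)` lets SELECTION_3 fire on its own, so any Security event carrying `DeviceDescription: USB Mass Storage Device` matches regardless of EventID. Suggest `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))` so both branches are anchored to 6416. The "EventID 6416 on windows 10 or later" remark in the description belongs in a `logsource.definition`, together with the PnP-activity audit subcategory that 6416 depends on.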


@@ -0,0 +1,35 @@
title: Enumeration via the Global Catalog
ruletype: Sigma
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/11
description: Detects enumeration of the global catalog (that can be performed using
BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
width.
detection:
SELECTION_1:
EventID: 5156
SELECTION_2:
DestinationPort: 3268
SELECTION_3:
DestinationPort: 3269
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress
> 2000
timeframe: 1h
falsepositives:
- Exclude known DCs.
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
level: medium
logsource:
definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
Platform Connection" must be configured for Success
product: windows
service: security
modified: 2021/06/01
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
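Review bot: The condition relies on a Sigma aggregation (`| count() by SourceAddress > 2000` with `timeframe: 1h`); if the consuming engine does not evaluate aggregation expressions the rule is silently inert rather than an error, so this should be verified against the engine or reflected in `status`. The falsepositives entry says "Exclude known DCs" but nothing in the detection does so — either add `SELECTION_4: SourceAddress: <DC addresses>` with `and not SELECTION_4` in the condition, or state plainly that the exclusion is left to the operator. The threshold of 2000 is also environment-specific, as the description admits; a comment naming the assumed domain size would help.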


@@ -0,0 +1,39 @@
title: Persistence and Execution at Scale via GPO Scheduled Task
ruletype: Sigma
author: Samir Bousseaden
date: 2019/04/03
description: Detect lateral movement using GPO scheduled task, usually used to deploy
ransomware at scale
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\\*\SYSVOL
SELECTION_3:
RelativeTargetName: '*ScheduledTasks.xml'
SELECTION_4:
Accesses:
- '*WriteData*'
- '*%%4417*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor
both local and remote changes to GPO scheduledtasks
id: a8f29a7b-b137-4446-80a0-b804272f3da2
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
modified: 2021/11/27
references:
- https://twitter.com/menasec1/status/1106899890377052160
- https://www.secureworks.com/blog/ransomware-as-a-distraction
status: test
tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
- attack.t1053.005


@@ -0,0 +1,29 @@
title: Hidden Local User Creation
ruletype: Sigma
author: Christian Burkard
date: 2021/05/03
description: Detects the creation of a local hidden user account which should not
happen for event ID 4720.
detection:
SELECTION_1:
EventID: 4720
SELECTION_2:
TargetUserName: '*$'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventCode
- AccountName
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
level: high
logsource:
product: windows
service: security
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
status: experimental
tags:
- attack.persistence
- attack.t1136.001


@@ -0,0 +1,28 @@
title: HybridConnectionManager Service Installation
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
description: Rule to detect the Hybrid Connection Manager service installation.
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceName: HybridConnectionManager
SELECTION_3:
ServiceFileName: '*HybridConnectionManager*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate use of Hybrid Connection Manager via Azure function apps.
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
status: experimental
tags:
- attack.persistence
- attack.t1554


@@ -0,0 +1,32 @@
title: Impacket PsExec Execution
ruletype: Sigma
author: Bhabesh Raj
date: 2020/12/14
description: Detects execution of Impacket's psexec.py.
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\\*\IPC$
SELECTION_3:
RelativeTargetName:
- '*RemCom_stdint*'
- '*RemCom_stdoutt*'
- '*RemCom_stderrt*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- nothing observed so far
id: 32d56ea1-417f-44ff-822b-882873f5f43b
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.002


@@ -0,0 +1,35 @@
title: Possible Impacket SecretDump Remote Activity
ruletype: Sigma
author: Samir Bousseaden, wagga
date: 2019/04/03
description: Detect AD credential dumping using impacket secretdump HKTL
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\\*\ADMIN$
SELECTION_3:
RelativeTargetName: '*SYSTEM32\\*'
SELECTION_4:
RelativeTargetName: '*.tmp*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
level: high
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
modified: 2021/06/27
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003


@@ -0,0 +1,33 @@
title: Invoke-Obfuscation CLIP+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
Provider_Name: Service Control Manager
SELECTION_2:
EventID: 4697
SELECTION_3:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
level: high
logsource:
product: windows
service: security
modified: 2021/11/30
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
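Review bot: SELECTION_1 `Provider_Name: Service Control Manager` is ANDed with `EventID: 4697` under `service: security`; 4697 in the Security log is emitted by Microsoft-Windows-Security-Auditing (Service Control Manager is the provider of the System-log 7045 event), so unless the engine maps Provider_Name differently the conjunction can never match and the rule is dead. The sibling Invoke-Obfuscation rules in this commit (STDIN+, VAR+, IEX) use 4697 without a provider selector; drop SELECTION_1 and use `condition: (SELECTION_2 and SELECTION_3)` to match them. The `ServiceFileName|re` pattern itself can stay as is.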


@@ -0,0 +1,43 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
ruletype: Sigma
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the code block linked in the references
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
SELECTION_7:
ServiceFileName|re: \$VerbosePreference\.ToString\(
SELECTION_8:
ServiceFileName|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
level: high
logsource:
product: windows
service: security
modified: 2021/09/16
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
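Review bot: The reference URL under `references:` ends with a stray double quote (`...#L873-L888"`), which breaks the link when rendered; drop the trailing `"`. All seven regexes are evaluated against `ServiceFileName` of 4697, so the rule only sees obfuscated IEX used as a service binary path, not interactive or scheduled-task use; the title or description should say so to avoid the impression of general coverage. SELECTION_6 (`\\*mdr\*\W\s*\)\.Name`) is the only pattern not anchored on a PowerShell automatic variable and is the likeliest noise source, which is worth recording under falsepositives instead of "Unknown".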


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation STDIN+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
level: high
logsource:
product: windows
service: security
modified: 2021/09/17
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation VAR+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
EventID: 4697
SELECTION_2:
ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: dcf2db1f-f091-425b-a821-c05875b8925a
level: high
logsource:
product: windows
service: security
modified: 2021/12/02
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
