diff --git a/.gitmodules b/.gitmodules
index b43020e1..e69de29b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
-[submodule "rules"]
- path = rules
- url = git@github.com:Yamato-Security/hayabusa-rules.git
diff --git a/rules b/rules
deleted file mode 160000
index 631db512..00000000
--- a/rules
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 631db51204d801fa75bfef48c31c389929fbb9be
diff --git a/rules/README.md b/rules/README.md
new file mode 100644
index 00000000..0b94ffac
--- /dev/null
+++ b/rules/README.md
@@ -0,0 +1,2 @@
+# hayabusa-rules
+Detection rules for hayabusa
diff --git a/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml b/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml
new file mode 100644
index 00000000..283c5b99
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml
@@ -0,0 +1,29 @@
+author: Eric Conrad, Yamato Security
+date: 2020/11/08
+modified: 2021/11/25
+
+title: Security log was cleared
+title_jp: セキュリティログがクリアされた
+output: "User: %LogFileClearedSubjectUserName%"
+output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
+description: Somebody has cleared the Security event log.
+description_jp: 誰かがセキュリティログをクリアした。
+
+id: c2f690ac-53f8-4745-8cfe-7127dda28c74
+level: high
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 1102
+ condition: selection
+falsepositives:
+ - system administrator
+tags:
+ - attack.defense_evasion
+ - attack.t1070.001
+references:
+ - https://attack.mitre.org/techniques/T1070/001/
+sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml
new file mode 100644
index 00000000..a9afd5da
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml
@@ -0,0 +1,29 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Failure - Unknown Reason
+title_jp: ログオンに失敗 - 不明な理由
+output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
+output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: a85096da-be85-48d7-8ad5-2f957cd74daa
+level: low
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4625
+ filter:
+ - SubStatus: "0xc0000064" #Non-existent user
+ - SubStatus: "0xc000006a" #Wrong password
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
new file mode 100644
index 00000000..1378efb0
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Failure - Wrong Password
+title_jp: ログオンに失敗 - パスワードが間違っている
+output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
+output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: e87bd730-df45-4ae9-85de-6c75369c5d29
+level: low
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4625
+ SubStatus: "0xc000006a"
+ condition: selection
+falsepositives:
+ - user mistypes password
+tags:
+references:
+sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
new file mode 100644
index 00000000..b4b6eb43
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Failure - Username does not exist
+title_jp: ログオンに失敗 - ユーザ名は存在しない
+output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
+output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
+description: Prints failed logons
+description_jp: ログオンに失敗したイベントを出力する
+
+id: 8afa97ce-a217-4f7c-aced-3e320a57756d
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4625
+ SubStatus: "0xc0000064"
+ condition: selection
+falsepositives:
+ - user mistypes username
+tags:
+references:
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml b/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml
new file mode 100644
index 00000000..aa0a9a71
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml
@@ -0,0 +1,45 @@
+author: Zach Mathis
+date: 2021/12/17
+modified: 2021/12/17
+
+title: "Explicit Logon: Suspicious Process"
+title_jp: "不審なプロセスからの明示的なログオン"
+output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
+output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
+description: Alter on explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike.
+description_jp:
+
+id: 7616e857-8e41-4976-bc21-811d122b9fc9
+level: medium
+status: stable
+detection:
+ selection_basic_info:
+ Channel: Security
+ EventID: 4648
+ selection_TargetUserIsComputerAccount:
+ TargetUserName|endswith: "$"
+ IpAddress: "-"
+ filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
+ SubjectUserName|endswith: "$"
+ TargetUserName|endswith: "$"
+ TargetInfo|endswith: "$"
+ filter_SubjectUserIsComputerAccount:
+ SubjectUserName|endswith: "$"
+ filter_SystemAccounts:
+ TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
+ IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
+ selection_SuspiciousProcess:
+ - ProcessName|endswith: "powershell.exe"
+ - ProcessName|endswith: "WMIC.exe"
+ condition: selection_basic_info and selection_SuspiciousProcess and not (selection_TargetUserIsComputerAccount
+ and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts and not filter_UsersAndTargetServerAreComputerAccounts
+falsepositives:
+ - normal system usage
+tags:
+ - attack.privilege_escalation
+ - attack.lateral_movement
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
+sample-evtx: ./EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml b/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml
new file mode 100644
index 00000000..b2c7aa1d
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml
@@ -0,0 +1,49 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Unknown process used a high privilege
+title_jp: 不明なプロセスが高い権限を使った
+output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
+output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
+description: |
+ Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
+ For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
+ Disk wipers like bcwipe will also generate this.
+ More legitimate filepaths may have to be added to the filter.
+ This is marked as a medium alert as there is a high possibility for false positives.
+description_jp:
+
+id: 5b6e58ee-c231-4a54-9eee-af2577802e08
+level: medium
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4673
+ filter:
+ - ProcessName: C:\Windows\System32\net.exe
+ - ProcessName: C:\Windows\System32\lsass.exe
+ - ProcessName: C:\Windows\System32\audiodg.exe
+ - ProcessName: C:\Windows\System32\svchost.exe
+ - ProcessName: C:\Windows\System32\mmc.exe
+ - ProcessName: C:\Windows\System32\net.exe
+ - ProcessName: C:\Windows\explorer.exe
+ - ProcessName: C:\Windows\System32\SettingSyncHost.exe
+ - ProcessName: C:\Windows\System32\sdiagnhost.exe
+ - ProcessName|startswith: C:\Program Files
+ - SubjectUserName: LOCAL SERVICE
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1561
+ - attack.impact
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
+sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
new file mode 100644
index 00000000..9d91cf16
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
@@ -0,0 +1,30 @@
+author: Zach Mathis
+creation_date: 2020/11/08
+uodated_date: 2021/11/26
+
+title: Hidden user account created! (Possible Backdoor)
+title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
+output: 'User: %TargetUserName% : SID:%TargetSid%'
+output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
+description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
+description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
+
+id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
+level: high
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4720
+ TargetUserName|endswith: "$" #Any user account that ends with a $ will be treated as a machine account and be hidden by default.
+ condition: selection
+falsepositives:
+ - machine/computer accounts being created
+tags:
+ - attack.persistence
+ - attack.11136.001
+references:
+ - https://attack.mitre.org/techniques/T1136/001/
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
new file mode 100644
index 00000000..0c579ce5
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
@@ -0,0 +1,31 @@
+author: Eric Conrad, Yamato Security
+creation_date: 2020/11/08
+uodated_date: 2021/11/26
+
+title: Local user account created
+title_jp: ローカルユーザアカウントが作成された
+output: 'User: %TargetUserName% : SID:%TargetSid%'
+output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
+description: A local user account was created.
+description_jp: ローカルユーザアカウントが作成された.
+
+id: 13edce80-2b02-4469-8de4-a3e37271dcdb
+level: medium
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4720
+ filter:
+ TargetUserName|endswith: "$" #Filter out machine/computer accounts
+ condition: selection and not filter
+falsepositives:
+ - system administrator
+tags:
+ - attack.persistence
+ - attack.11136.001
+references:
+ - https://attack.mitre.org/techniques/T1136/001/
+sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
new file mode 100644
index 00000000..e296c779
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
@@ -0,0 +1,32 @@
+author: Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/26
+
+title: User added to the global Domain Admins group
+title_jp: ユーザがグローバルドメイン管理者グループに追加された
+output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
+output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
+description: A user was added to the Domain Admins group.
+description_jp: ユーザがドメイン管理者グループに追加された。
+
+id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
+level: high
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4728
+ TargetUserName: Domain Admins
+ filter:
+ SubjectUserName|endswith: $
+ condition: selection and not filter
+falsepositives:
+ - system administrator
+tags:
+ - attack.persistence
+ - attack.t1098
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
new file mode 100644
index 00000000..5dd85f39
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
@@ -0,0 +1,31 @@
+author: Eric Conrad, Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/22
+
+title: User added to global security group
+title_jp: ユーザがグローバルセキュリティグループに追加された
+output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
+output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
+description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
+description_jp: ユーザがグローバルのセキュリティグループに追加された。
+
+id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
+level: medium
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4728
+ filter:
+ SubjectUserName|endswith: $
+ condition: selection and not filter
+falsepositives:
+ - system administrator
+tags:
+ - attack.persistence
+ - attack.t1098
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
new file mode 100644
index 00000000..4cb71352
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
@@ -0,0 +1,30 @@
+author: Eric Conrad, Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/26
+
+title: User added to local Administrators group
+title_jp: ユーザがローカル管理者グループに追加された
+output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
+output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
+description: A user was added to the local Administrators group.
+description_jp: ユーザがローカル管理者グループに追加された。
+
+id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
+level: high
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4732
+ TargetUserName: Administrators
+ condition: selection
+falsepositives:
+ - system administrator
+tags:
+ - attack.persistence
+ - attack.t1098
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
new file mode 100644
index 00000000..9f80bb1b
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
@@ -0,0 +1,30 @@
+author: Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/26
+
+title: User added to local Domain Admins group
+title_jp: ユーザがローカルドメイン管理者グループに追加された
+output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
+output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
+description: A user was added to the local Domain Admins group.
+description_jp: ユーザがドメイン管理者グループに追加された。
+
+id: bc58e432-959f-464d-812e-d60ce5d46fa1
+level: high
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4728
+ TargetUserName: Domain Admins
+ condition: selection
+falsepositives:
+ - system administrator
+tags:
+ - attack.persistence
+ - attack.t1098
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
new file mode 100644
index 00000000..bfdea4bd
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
@@ -0,0 +1,33 @@
+author: Eric Conrad, Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/26
+
+title: User added to local security group
+title_jp: ユーザがローカルセキュリティグループに追加された
+output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
+output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
+description: A user was added to a security-enabled local group.
+description_jp: ユーザがローカルセキュリティグループに追加された。
+
+id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
+level: low
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4728
+ filter:
+ - TargetUserName: Administrators
+ - TargetUserName: None
+ - TargetUserName: Domain Admins
+ condition: selection and not filter
+falsepositives:
+ - system administrator
+tags:
+ - attack.persistence
+ - attack.t1098
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
+sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
new file mode 100644
index 00000000..60a2dffe
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
@@ -0,0 +1,30 @@
+author: Yusuke Matsui, Yamato Security
+creation_date: 2020/11/08
+updated_date: 2021/11/26
+
+title: Possible AS-REP Roasting
+title_jp: AS-REPロースティングの可能性
+output: 'Possible AS-REP Roasting'
+output_jp: 'AS-REPロースティングのリスクがある'
+description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+
+id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
+level: medium
+status: test
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ TicketEncryptionType: '0x17' #RC4-HMAC
+ PreAuthType: 0 #Logon without pre-authentication
+ condition: selection
+falsepositives:
+ - legacy application
+tags:
+ - attack.credential_access
+ - attack.t1558.004
+references:
+ - https://attack.mitre.org/techniques/T1558/004/
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
new file mode 100644
index 00000000..d281507f
--- /dev/null
+++ b/rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
@@ -0,0 +1,30 @@
+author: Yusuke Matsui, Yamato Security
+creation_date: 2020/11/08
+updated_date: 2021/11/22
+
+title: Kerberoasting
+title_jp: Kerberoast攻撃
+output: 'Possible Kerberoasting Risk Activity.'
+output_jp: 'Kerberoast攻撃のリスクがある'
+description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+
+id: f19849e7-b5ba-404b-a731-9b624d7f6d19
+level: medium
+status: test
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ TicketEncryptionType: '0x17' #RC4-HMAC
+ PreAuthType: 2 #Standard password authentication
+ condition: selection
+falsepositives:
+ - legacy application
+tags:
+ - attack.credential_access
+ - attack.t1558.003
+references:
+ - https://attack.mitre.org/techniques/T1558/003/
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
new file mode 100644
index 00000000..18d718e6
--- /dev/null
+++ b/rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
@@ -0,0 +1,28 @@
+author: Eric Conrad, Yamato Security
+date: 2020/11/08
+modified: 2021/11/25
+
+title: System log file was cleared
+title_jp: システムログがクリアされた
+output: "User: %LogFileClearedSubjectUserName%"
+output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
+description: Somebody has cleared the System event log.
+description_jp: 誰かがシステムログをクリアした。
+
+id: f481a1f3-969e-4187-b3a5-b47c272bfebd
+level: high
+status: stable
+detection:
+ selection:
+ Channel: System
+ EventID: 104
+ condition: selection
+falsepositives:
+ - system administrator
+tags:
+ - attack.defense_evasion
+ - attack.t1070.001
+references:
+ - https://attack.mitre.org/techniques/T1070/001/
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml b/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
new file mode 100644
index 00000000..8ce77f93
--- /dev/null
+++ b/rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
@@ -0,0 +1,28 @@
+author: Eric Conrad, Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/22
+
+title: Event log service startup type changed to disabled
+title_jp: イベントログサービスのスタートアップの種類が無効に変更された
+output: 'Old setting: %param2% : New setting: %param3%'
+output: '設定前: %param2% : 設定後: %param3%'
+
+id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
+level: medium
+status: test
+detection:
+ selection:
+ Channel: System
+ EventID: 7040
+ param1: 'Windows Event Log'
+ param3: "disabled"
+ condition: selection
+falsepositives:
+ - system administrator
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+references:
+ - https://attack.mitre.org/techniques/T1562/002/
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
new file mode 100644
index 00000000..df9c4809
--- /dev/null
+++ b/rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
@@ -0,0 +1,33 @@
+author: Eric Conrad, Zach Mathis
+creation_date: 2020/11/08
+updated_date: 2021/11/23
+
+title: Malicious service installed
+title_jp: 悪意のあるサービスがインストールされた
+output: 'Service: %ServiceName% : Path: %ImagePath%'
+output_jp: 'サービス名: %ServiceName% : パス: %ImagePath%'
+description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
+description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
+
+id: dbbfd9f3-9508-478b-887e-03ddb9236909
+level: high
+status: test
+detection:
+ selection:
+ Channel: System
+ EventID: 7045
+ ServiceName:
+ regexes: ./config/regex/detectlist_suspicous_services.txt
+ ImagePath:
+ min_length: 1000
+ allowlist: ./config/regex/allowlist_legitimate_services.txt
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+ - attack.persistence
+ - attack.t1543.003
+references:
+ - https://attack.mitre.org/techniques/T1543/003/
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml b/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml
new file mode 100644
index 00000000..dd46e4e9
--- /dev/null
+++ b/rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2021/12/01
+modified: 2021/12/01
+
+title: Windows Defender Alert
+title_jp: Windows Defenderアラート
+output: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
+output_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
+description: Windows defender malware detection
+description_jp: Windows defenderのマルウェア検知
+
+id: 810bfd3a-9fb3-44e0-9016-8cdf785fddbf
+level: high
+status: test
+detection:
+ selection:
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ EventID: 1116
+falsepositives:
+ - bad signature
+tags:
+ - malware
+references:
+ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
new file mode 100644
index 00000000..b6de520f
--- /dev/null
+++ b/rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
@@ -0,0 +1,31 @@
+author: Yamato Security
+date: 2020/11/08
+modified: 2021/11/22
+
+title: Bits Job Creation
+title_jp: Bits Jobの作成
+output: 'Job Title: %JobTitle% : URL: %Url%'
+output_jp: 'Job名: %JobTitle% : URL: %Url%'
+description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+
+id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ EventID: 59
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+ - lolbas
+references:
+ - https://attack.mitre.org/techniques/T1197/
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml
new file mode 100644
index 00000000..80ee0645
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 0 - System
+title_jp: ログオンタイプ 0 - System
+output: 'Bootup'
+output_jp: 'システム起動'
+description: Prints logon information
+description_jp: Prints logon information
+
+id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 0
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
new file mode 100644
index 00000000..0a15bf4a
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 10 - RDP (Remote Interactive)
+title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 10
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
new file mode 100644
index 00000000..7e4695fd
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 11 - CachedInteractive
+title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 11
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
new file mode 100644
index 00000000..6acade5c
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 12 - CachedRemoteInteractive
+title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 12
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
new file mode 100644
index 00000000..70f5c615
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 13 - CachedUnlock
+title_jp: ログオンタイプ 13 - キャッシュされたアンロック
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: e50e3952-06d9-44a8-ab07-7a41c9801d78
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 13
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml
new file mode 100644
index 00000000..edb654fa
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 2 - Interactive
+title_jp: ログオンタイプ 2 - インタラクティブ
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+description: Prints logon information
+description_jp: Prints logon information
+
+id: 7beb4832-f357-47a4-afd8-803d69a5c85c
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 2
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml
new file mode 100644
index 00000000..448263d6
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml
@@ -0,0 +1,31 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 3 - Network
+title_jp: ログオンタイプ 3 - ネットワーク
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+description: Prints logon information
+description_jp: Prints logon information
+
+id: c7b22878-e5d8-4c30-b245-e51fd354359e
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 3
+ filter:
+ - IpAddress: "-"
+ - IpAddress: "127.0.0.1"
+ - IpAddress: "::1"
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml
new file mode 100644
index 00000000..61f61657
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 4 - Batch
+title_jp: ログオンタイプ 4 - バッチ
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+description: Prints logon information
+description_jp: Prints logon information
+
+id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 4
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml
new file mode 100644
index 00000000..c5ce9fc2
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml
@@ -0,0 +1,31 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 5 - Service
+title_jp: ログオンタイプ 5 - サービス
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+description: Prints logon information
+description_jp: Prints logon information
+
+id: 408e1304-51d7-4d3e-ab31-afd07192400b
+level: low
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 5
+ filter:
+ - TargetUserName: "SYSTEM"
+ - TargetUserName: "NETWORK SERVICE"
+ - TargetUserName: "LOCAL SERVICE"
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml
new file mode 100644
index 00000000..b1db53f0
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 7 - Unlock
+title_jp: ログオンタイプ 7 - アンロック
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+description: Prints logon information
+description_jp: Prints logon information
+
+id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 7
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
new file mode 100644
index 00000000..6736f33b
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 8 - NetworkCleartext
+title_jp: ログオンタイプ 8 - ネットワーク平文
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
+description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
+description_jp: Prints logon information
+
+id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 8
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml
new file mode 100644
index 00000000..15106c68
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml
@@ -0,0 +1,27 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logon Type 9 - NewCredentials
+title_jp: ログオンタイプ 9 - 新しい資格情報
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: d80facaa-ca97-47bb-aed2-66362416eb49
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4624
+ LogonType: 9
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml b/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml
new file mode 100644
index 00000000..030e7d69
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml
@@ -0,0 +1,28 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logoff
+title_jp: ログオフ
+output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4634
+ filter:
+ TargetUserName|endswith: "$" #filter out computer/machine accounts
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml
new file mode 100644
index 00000000..5d01ff2c
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Logoff - User Initiated
+title_jp: ログオフ - ユーザが行った
+output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
+output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: 6bad16f1-02c4-4075-b414-3cd16944bc65
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4647
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml b/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml
new file mode 100644
index 00000000..12d3bfb5
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml
@@ -0,0 +1,54 @@
+author: Zach Mathis
+date: 2021/12/17
+modified: 2021/12/17
+
+title: Explicit Logon
+title_jp: 明示的なログオン
+output: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
+output_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
+description: |
+ (From ultimatewindowsecurity.com)
+ This log is generated when
+ 1. A user connects to a server or runs a program locally using alternate credentials.
+ For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,
+ selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.
+ 2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.
+ 3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.
+ Unfortunately the Subject does not identify the end user.
+ 4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)
+description_jp:
+
+id: 8c1899fe-493d-4faf-aae1-0853a33a3278
+level: informational
+status: stable
+detection:
+ selection_basic_info:
+ Channel: Security
+ EventID: 4648
+ selection_TargetUserIsComputerAccount:
+ TargetUserName|endswith: "$"
+ IpAddress: "-"
+ filter_SuspiciousProcess:
+ - ProcessName|endswith: "powershell.exe"
+ - ProcessName|endswith: "WMIC.exe"
+ filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
+ SubjectUserName|endswith: "$"
+ TargetUserName|endswith: "$"
+ TargetInfo|endswith: "$"
+ filter_SubjectUserIsComputerAccount:
+ SubjectUserName|endswith: "$"
+ filter_SystemAccounts:
+ TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
+ IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
+ condition: selection_basic_info and not (selection_TargetUserIsComputerAccount and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts
+ and not filter_UsersAndTargetServerAreComputerAccounts and not filter_SuspiciousProcess
+falsepositives:
+ - normal system usage
+tags:
+ - attack.privilege_escalation
+ - attack.lateral_movement
+references:
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
+sample-evtx: ./EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml
new file mode 100644
index 00000000..94b0e120
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml
@@ -0,0 +1,31 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Admin Logon
+title_jp: 管理者ログオン
+output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
+output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4672
+ filter:
+ - SubjectUserName: "SYSTEM"
+ - SubjectUserName: "LOCAL SERVICE"
+ - SubjectUserName: "NETWORK SERVICE"
+ - SubjectUserName|endswith: "$"
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml
new file mode 100644
index 00000000..ca2d3524
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Kerberos TGT was requested
+title_jp: Kerberos TGTが要求された
+output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
+output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4768
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml b/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml
new file mode 100644
index 00000000..8e1e19c2
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Kerberos Service Ticket Requested
+title_jp: Kerberosサービスチケットが要求された
+output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
+output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: da6257f3-cf49-464a-96fc-c84a7ce20636
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4769
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
new file mode 100644
index 00000000..5ca62068
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: NTLM Logon to Local Account
+title_jp: ローカルアカウントへのNTLMログオン
+output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
+output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
+description: Prints logon information.
+description_jp: Prints logon information.
+
+id: 4fbe94b0-577a-4f77-9b13-250e27d440fa
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 4776
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml b/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml
new file mode 100644
index 00000000..df59377a
--- /dev/null
+++ b/rules/hayabusa/default/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml
@@ -0,0 +1,26 @@
+author: Zach Mathis
+date: 2020/11/08
+modified: 2021/11/26
+
+title: Connection to wireless access point
+title_jp: ローカルアカウントへのNTLMログオン
+output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
+output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
+description: Prints connection info to wireless access points.
+description_jp: Prints connection info to wireless access points.
+
+id: 90dd0797-f481-453d-a97e-dd78436893f9
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Microsoft-Windows-WLAN-AutoConfig
+ EventID: 8001
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml b/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml
new file mode 100644
index 00000000..d7f55fa8
--- /dev/null
+++ b/rules/hayabusa/non-default/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml
@@ -0,0 +1,31 @@
+author: Yusuke Matsui, Yamato Security
+date: 2020/11/08
+modified: 2021/11/22
+
+title: Powershell 2.0 Downgrade Attack
+title_jp: Powershell 2.0へのダウングレード攻撃
+output: 'Powershell 2.0 downgrade attack detected!'
+output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
+description: An attacker may have started Powershell 2.0 to evade detection.
+description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
+
+id: bc082394-73e6-4d00-a9af-e7b524ef5085
+level: medium
+status: testing
+detection:
+ selection:
+ Channel: Microsoft-Windows-PowerShell/Operational
+ EventID: 400
+ EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
+ condition: selection
+falsepositives:
+ - legacy application
+tags:
+ - attack.defense_evasion
+ - attack.t1562.010
+ - lolbas
+references:
+ - https://attack.mitre.org/techniques/T1562/010/
+ - https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/
+logsource: non-default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
new file mode 100644
index 00000000..02cdde3c
--- /dev/null
+++ b/rules/hayabusa/non-default/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
@@ -0,0 +1,31 @@
+author: Eric Conrad, Yamato Security
+date: 2020/11/08
+modified: 2021/11/22
+
+title: PowerShell Execution Pipeline
+title_jp: PowerShellパイプライン実行
+output: 'Command: %CommandLine%'
+output_jp: 'コマンド: %CommandLine%'
+description: Displays powershell execution
+description_jp: Powershellの実行を出力する。
+
+id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Microsoft-Windows-PowerShell/Operational
+ EventID: 4103
+ ContextInfo:
+ - Host Application
+ - ホスト アプリケーション
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+ - attack.defense_evasion
+ - attack.t1059.001
+ - lolbas
+references:
+logsource: non-default
+ruletype: Hayabusa
diff --git a/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml b/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml
new file mode 100644
index 00000000..c7a49f62
--- /dev/null
+++ b/rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml
@@ -0,0 +1,28 @@
+author: Zach Mathis
+date: 2021/12/16
+modified: 2021/12/16
+
+title: Network Share Access
+title_jp: ネットワーク共有へのアクセス
+output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress%'
+output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress%'
+description:
+description_jp:
+
+id: 15d042c1-07c6-4e16-ae7d-e0e556ccd9a8
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 5140
+ condition: selection
+falsepositives:
+ - normal system usage
+tags:
+ - attack.t1039 # Data from network shared drive
+ - attack.collection
+references:
+sample-evtx: ./EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
+logsource: non-default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml b/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml
new file mode 100644
index 00000000..06b5eaff
--- /dev/null
+++ b/rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml
@@ -0,0 +1,33 @@
+author: Zach Mathis
+date: 2021/12/16
+modified: 2021/12/16
+
+title: Network Share File Access
+title_jp: ネットワーク共有へのアクセス
+output: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress%'
+output_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress%'
+description:
+description_jp:
+
+id: 8c6ec2b2-8dad-4996-9aba-d659afc1b919
+level: informational
+status: stable
+detection:
+ selection:
+ Channel: Security
+ EventID: 5145
+ filter:
+ - ShareLocalPath: ""
+ - ShareLocalPath: "null"
+ - ShareName: "\\\\*\\IPC$"
+ - RelativeTargetName: "\\"
+ condition: selection and not filter
+falsepositives:
+ - normal system usage
+tags:
+ - attack.t1039 # Data from network shared drive
+ - attack.collection
+references:
+sample-evtx: ./EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
+logsource: non-default
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml b/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml
new file mode 100644
index 00000000..486191e7
--- /dev/null
+++ b/rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml
@@ -0,0 +1,29 @@
+author: Zach Mathis
+date: 2021/12/11
+modified: 2021/12/11
+
+title: Process Creation Sysmon Rule Alert
+title_jp: プロセス起動 - Sysmonルールアラート
+output: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
+output_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
+description: Sysmon process creation
+description_jp: Sysmonログによるプロセス起動のログ
+
+id: d5e4fb89-b027-43bf-bd3a-2e7f74f105ac
+level: high
+status: stable
+detection:
+ selection:
+ Channel: Microsoft-Windows-Sysmon/Operational
+ EventID: 1
+ filter:
+ - RuleName: ""
+ - RuleName: "-"
+ condition: selection and not filter
+falsepositives:
+ - bad sysmon rule
+tags:
+references:
+sample-evtx:
+logsource: sysmon
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/sysmon/events/1_ProcessCreation.yml b/rules/hayabusa/sysmon/events/1_ProcessCreation.yml
new file mode 100644
index 00000000..3c10e2a1
--- /dev/null
+++ b/rules/hayabusa/sysmon/events/1_ProcessCreation.yml
@@ -0,0 +1,29 @@
+author: Zach Mathis
+date: 2021/12/11
+modified: 2021/12/11
+
+title: Process Creation
+title_jp: プロセス起動
+output: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
+output_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
+description: Sysmon process creation. Displays only commands that have not been flagged with a sysmon detection rule.
+description_jp: Sysmonログによるプロセス起動のログ
+
+id: 85790e3e-e270-499f-a6ad-f8afe85c35f1
+level: informational
+status: stable
+detection:
+ selection_1:
+ Channel: Microsoft-Windows-Sysmon/Operational
+ EventID: 1
+ selection_2:
+ - RuleName: ""
+ - RuleName: "-"
+ condition: selection_1 and selection_2
+falsepositives:
+ - normal system usage
+tags:
+references:
+sample-evtx:
+logsource: sysmon
+ruletype: Hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/testing/.gitkeep b/rules/hayabusa/testing/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/rules/sigma/builtin/application/win_audit_cve.yml b/rules/sigma/builtin/application/win_audit_cve.yml
new file mode 100644
index 00000000..403811e7
--- /dev/null
+++ b/rules/sigma/builtin/application/win_audit_cve.yml
@@ -0,0 +1,39 @@
+
+title: Audit CVE Event
+ruletype: Sigma
+author: Florian Roth
+date: 2020/01/15
+description: Detects events generated by Windows to indicate the exploitation of a
+ known vulnerability (e.g. CVE-2020-0601)
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Audit-CVE
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
+level: critical
+logsource:
+ product: windows
+ service: application
+modified: 2021/10/13
+references:
+- https://twitter.com/mattifestation/status/1217179698008068096
+- https://twitter.com/VM_vivisector/status/1217190929330655232
+- https://twitter.com/davisrichardg/status/1217517547576348673
+- https://twitter.com/DidierStevens/status/1217533958096924676
+- https://twitter.com/FlemmingRiis/status/1217147415482060800
+status: experimental
+tags:
+- attack.execution
+- attack.t1203
+- attack.privilege_escalation
+- attack.t1068
+- attack.defense_evasion
+- attack.t1211
+- attack.credential_access
+- attack.t1212
+- attack.lateral_movement
+- attack.t1210
+- attack.impact
+- attack.t1499.004
diff --git a/rules/sigma/builtin/application/win_av_relevant_match.yml b/rules/sigma/builtin/application/win_av_relevant_match.yml
new file mode 100644
index 00000000..15490ad7
--- /dev/null
+++ b/rules/sigma/builtin/application/win_av_relevant_match.yml
@@ -0,0 +1,44 @@
+
+title: Relevant Anti-Virus Event
+ruletype: Sigma
+author: Florian Roth
+date: 2017/02/19
+description: This detection method points out highly relevant Antivirus events
+detection:
+ SELECTION_1:
+ - HTool-
+ - Hacktool
+ - ASP/Backdoor
+ - JSP/Backdoor
+ - PHP/Backdoor
+ - Backdoor.ASP
+ - Backdoor.JSP
+ - Backdoor.PHP
+ - Webshell
+ - Portscan
+ - Mimikatz
+ - .WinCred.
+ - PlugX
+ - Korplug
+ - Pwdump
+ - Chopper
+ - WmiExec
+ - Xscan
+ - Clearlog
+ - ASPXSpy
+ SELECTION_2:
+ - Keygen
+ - Crack
+ condition: ((SELECTION_1) and not (SELECTION_2))
+falsepositives:
+- Some software piracy tools (key generators, cracks) are classified as hack tools
+id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
+level: high
+logsource:
+ product: windows
+ service: application
+modified: 2021/11/20
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588
diff --git a/rules/sigma/builtin/application/win_software_atera_rmm_agent_install.yml b/rules/sigma/builtin/application/win_software_atera_rmm_agent_install.yml
new file mode 100644
index 00000000..726066d9
--- /dev/null
+++ b/rules/sigma/builtin/application/win_software_atera_rmm_agent_install.yml
@@ -0,0 +1,28 @@
+
+title: Atera Agent Installation
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/09/01
+description: Detects successful installation of Atera Remote Monitoring & Management
+ (RMM) agent as recently found to be used by Conti operators
+detection:
+ SELECTION_1:
+ EventID: 1033
+ SELECTION_2:
+ Provider_Name: MsiInstaller
+ SELECTION_3:
+ Message: '*AteraAgent*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Atera agent installation
+id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
+level: high
+logsource:
+ product: windows
+ service: application
+modified: 2021/10/13
+references:
+- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
+status: experimental
+tags:
+- attack.t1219
diff --git a/rules/sigma/builtin/application/win_susp_backup_delete.yml b/rules/sigma/builtin/application/win_susp_backup_delete.yml
new file mode 100644
index 00000000..8d864dfd
--- /dev/null
+++ b/rules/sigma/builtin/application/win_susp_backup_delete.yml
@@ -0,0 +1,28 @@
+
+title: Backup Catalog Deleted
+ruletype: Sigma
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+date: 2017/05/12
+description: Detects backup catalog deletions
+detection:
+ SELECTION_1:
+ EventID: 524
+ SELECTION_2:
+ Provider_Name: Microsoft-Windows-Backup
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9703792d-fd9a-456d-a672-ff92efe4806a
+level: medium
+logsource:
+ product: windows
+ service: application
+modified: 2021/10/13
+references:
+- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
+- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1107
+- attack.t1070.004
diff --git a/rules/sigma/builtin/application/win_susp_msmpeng_crash.yml b/rules/sigma/builtin/application/win_susp_msmpeng_crash.yml
new file mode 100644
index 00000000..7f94ca0f
--- /dev/null
+++ b/rules/sigma/builtin/application/win_susp_msmpeng_crash.yml
@@ -0,0 +1,39 @@
+
+title: Microsoft Malware Protection Engine Crash
+ruletype: Sigma
+author: Florian Roth
+date: 2017/05/09
+description: This rule detects a suspicious crash of the Microsoft Malware Protection
+ Engine
+detection:
+ SELECTION_1:
+ Provider_Name: Application Error
+ SELECTION_2:
+ EventID: 1000
+ SELECTION_3:
+ Provider_Name: Windows Error Reporting
+ SELECTION_4:
+ EventID: 1001
+ SELECTION_5:
+ - MsMpEng.exe
+ SELECTION_6:
+ - mpengine.dll
+ condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- MsMpEng.exe can crash when C:\ is full
+id: 6c82cf5c-090d-4d57-9188-533577631108
+level: high
+logsource:
+ product: windows
+ service: application
+modified: 2021/10/13
+references:
+- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
+- https://technet.microsoft.com/en-us/library/security/4022344
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1211
+- attack.t1562.001
diff --git a/rules/sigma/builtin/application/win_vul_cve_2020_0688.yml b/rules/sigma/builtin/application/win_vul_cve_2020_0688.yml
new file mode 100644
index 00000000..4eacc7af
--- /dev/null
+++ b/rules/sigma/builtin/application/win_vul_cve_2020_0688.yml
@@ -0,0 +1,32 @@
+
+title: CVE-2020-0688 Exploitation via Eventlog
+ruletype: Sigma
+author: Florian Roth, wagga
+date: 2020/02/29
+description: Detects the exploitation of Microsoft Exchange vulnerability as described
+ in CVE-2020-0688
+detection:
+ SELECTION_1:
+ EventID: 4
+ SELECTION_2:
+ Provider_Name: MSExchange Control Panel
+ SELECTION_3:
+ Level: Error
+ SELECTION_4:
+ - '&__VIEWSTATE='
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: d6266bf5-935e-4661-b477-78772735a7cb
+level: high
+logsource:
+ product: windows
+ service: application
+modified: 2021/10/13
+references:
+- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1190
diff --git a/rules/sigma/builtin/application/win_vul_cve_2021_41379.yml b/rules/sigma/builtin/application/win_vul_cve_2021_41379.yml
new file mode 100644
index 00000000..5b1c801a
--- /dev/null
+++ b/rules/sigma/builtin/application/win_vul_cve_2021_41379.yml
@@ -0,0 +1,27 @@
+
+title: LPE InstallerFileTakeOver PoC CVE-2021-41379
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/22
+description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
+detection:
+ SELECTION_1:
+ EventID: 1033
+ SELECTION_2:
+ Provider_Name: MsiInstaller
+ SELECTION_3:
+ - test pkg
+ condition: ((SELECTION_1 and SELECTION_2) and SELECTION_3)
+falsepositives:
+- Other MSI packages for which your admins have used that name
+id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
+level: high
+logsource:
+ product: windows
+ service: application
+references:
+- https://github.com/klinix5/InstallerFileTakeOver
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1190
diff --git a/rules/sigma/builtin/security/win_aadhealth_mon_agent_regkey_access.yml b/rules/sigma/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
new file mode 100644
index 00000000..b51c6f58
--- /dev/null
+++ b/rules/sigma/builtin/security/win_aadhealth_mon_agent_regkey_access.yml
@@ -0,0 +1,40 @@
+
+title: Azure AD Health Monitoring Agent Registry Keys Access
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+description: |
+ This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
+ This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ ObjectType: Key
+ SELECTION_4:
+ ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
+ SELECTION_5:
+ ProcessName:
+ - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
+ - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
+ - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
+ - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
+ - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://o365blog.com/post/hybridhealthagent/
+- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
diff --git a/rules/sigma/builtin/security/win_aadhealth_svc_agent_regkey_access.yml b/rules/sigma/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
new file mode 100644
index 00000000..10e94b0d
--- /dev/null
+++ b/rules/sigma/builtin/security/win_aadhealth_svc_agent_regkey_access.yml
@@ -0,0 +1,42 @@
+
+title: Azure AD Health Service Agents Registry Keys Access
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+description: |
+ This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
+ Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+ This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+ Make sure you set the SACL to propagate to its sub-keys.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ ObjectType: Key
+ SELECTION_4:
+ ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
+ SELECTION_5:
+ ProcessName:
+ - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
+ - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
+ - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
+ - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
+ - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://o365blog.com/post/hybridhealthagent/
+- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
diff --git a/rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml b/rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml
new file mode 100644
index 00000000..08327fd4
--- /dev/null
+++ b/rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml
@@ -0,0 +1,35 @@
+
+title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
+ruletype: Sigma
+author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
+date: 2019/04/03
+description: backdooring domain object to grant the rights associated with DCSync
+ to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
+ Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+detection:
+ SELECTION_1:
+ EventID: 5136
+ SELECTION_2:
+ AttributeLDAPDisplayName: ntSecurityDescriptor
+ SELECTION_3:
+ AttributeValue:
+ - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*89e95b76-444d-4c62-991a-0facbeda640c*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- New Domain Controller computer account, check user SIDs within the value attribute
+ of event 5136 and verify if it's a regular user or DC computer account.
+id: 2c99737c-585d-4431-b61a-c911d86ff32f
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/09
+references:
+- https://twitter.com/menasec1/status/1111556090137903104
+- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+status: experimental
+tags:
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/builtin/security/win_account_discovery.yml b/rules/sigma/builtin/security/win_account_discovery.yml
new file mode 100644
index 00000000..636f3e22
--- /dev/null
+++ b/rules/sigma/builtin/security/win_account_discovery.yml
@@ -0,0 +1,44 @@
+
+title: AD Privileged Users or Groups Reconnaissance
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detect priv users or groups recon based on 4661 eventid and known privileged
+ users or groups SIDs
+detection:
+ SELECTION_1:
+ EventID: 4661
+ SELECTION_2:
+ ObjectType:
+ - SAM_USER
+ - SAM_GROUP
+ SELECTION_3:
+ ObjectName:
+ - '*-512'
+ - '*-502'
+ - '*-500'
+ - '*-505'
+ - '*-519'
+ - '*-520'
+ - '*-544'
+ - '*-551'
+ - '*-555'
+ SELECTION_4:
+ ObjectName: '*admin*'
+ condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- if source account name is not an admin then its super suspicious
+id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
+level: high
+logsource:
+ definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
+ product: windows
+ service: security
+modified: 2021/09/08
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
diff --git a/rules/sigma/builtin/security/win_ad_object_writedac_access.yml b/rules/sigma/builtin/security/win_ad_object_writedac_access.yml
new file mode 100644
index 00000000..9b8d710e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_ad_object_writedac_access.yml
@@ -0,0 +1,33 @@
+
+title: AD Object WriteDAC Access
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects WRITE_DAC access to a domain object
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectServer: DS
+ SELECTION_3:
+ AccessMask: '0x40000'
+ SELECTION_4:
+ ObjectType:
+ - 19195a5b-6da0-11d0-afd3-00c04fd930c9
+ - domainDNS
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1222
+- attack.t1222.001
diff --git a/rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml b/rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml
new file mode 100644
index 00000000..2ddd0ae3
--- /dev/null
+++ b/rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml
@@ -0,0 +1,42 @@
+
+title: Active Directory Replication from Non Machine Account
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/07/26
+description: Detects potential abuse of Active Directory Replication Service (ADRS)
+ from a non machine account to request credentials.
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ AccessMask: '0x100'
+ SELECTION_3:
+ Properties:
+ - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*89e95b76-444d-4c62-991a-0facbeda640c*'
+ SELECTION_4:
+ SubjectUserName: '*$'
+ SELECTION_5:
+ SubjectUserName: MSOL_*
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
+ or SELECTION_5))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 17d619c1-e020-4347-957e-1d1207455c93
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.006
diff --git a/rules/sigma/builtin/security/win_ad_user_enumeration.yml b/rules/sigma/builtin/security/win_ad_user_enumeration.yml
new file mode 100644
index 00000000..b85dee62
--- /dev/null
+++ b/rules/sigma/builtin/security/win_ad_user_enumeration.yml
@@ -0,0 +1,35 @@
+
+title: AD User Enumeration
+ruletype: Sigma
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/30
+description: Detects access to a domain user from a non-machine account
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
+ SELECTION_3:
+ SubjectUserName: '*$'
+ SELECTION_4:
+ SubjectUserName: MSOL_*
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Administrators configuring new users.
+id: ab6bffca-beff-4baa-af11-6733f296d57a
+level: medium
+logsource:
+ definition: Requires the "Read all properties" permission on the user object to
+ be audited for the "Everyone" principal
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
+- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
diff --git a/rules/sigma/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/sigma/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
new file mode 100644
index 00000000..92d236ac
--- /dev/null
+++ b/rules/sigma/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml
@@ -0,0 +1,35 @@
+
+title: ADCS Certificate Template Configuration Vulnerability
+ruletype: Sigma
+author: Orlinum , BlueDefenZer
+date: 2021/11/17
+description: Detects certificate creation with template allowing risk permission subject
+detection:
+ SELECTION_1:
+ EventID: 4898
+ SELECTION_2:
+ TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+ SELECTION_3:
+ EventID: 4899
+ SELECTION_4:
+ NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+ condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
+falsepositives:
+- Administrator activity
+- Penetration tests
+- Proxy SSL certificate with subject modification
+- Smart card enrollement
+id: 5ee3a654-372f-11ec-8d3d-0242ac130003
+level: low
+logsource:
+ definition: Certificate services loaded a template would trigger event ID 4898 and
+ certificate Services template was updated would trigger event ID 4899. A risk
+ permission seems to be comming if template contain specific flag.
+ product: windows
+ service: security
+references:
+- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access
diff --git a/rules/sigma/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/sigma/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
new file mode 100644
index 00000000..2a7b2d8d
--- /dev/null
+++ b/rules/sigma/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml
@@ -0,0 +1,49 @@
+
+title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
+ruletype: Sigma
+author: Orlinum , BlueDefenZer
+date: 2021/11/17
+description: Detects certificate creation with template allowing risk permission subject
+ and risky EKU
+detection:
+ SELECTION_1:
+ EventID: 4898
+ SELECTION_2:
+ TemplateContent:
+ - '*1.3.6.1.5.5.7.3.2*'
+ - '*1.3.6.1.5.2.3.4*'
+ - '*1.3.6.1.4.1.311.20.2.2*'
+ - '*2.5.29.37.0*'
+ SELECTION_3:
+ TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+ SELECTION_4:
+ EventID: 4899
+ SELECTION_5:
+ NewTemplateContent:
+ - '*1.3.6.1.5.5.7.3.2*'
+ - '*1.3.6.1.5.2.3.4*'
+ - '*1.3.6.1.4.1.311.20.2.2*'
+ - '*2.5.29.37.0*'
+ SELECTION_6:
+ NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6))
+falsepositives:
+- Administrator activity
+- Penetration tests
+- Proxy SSL certificate with subject modification
+- Smart card enrollement
+id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
+level: high
+logsource:
+ definition: Certificate services loaded a template would trigger event ID 4898 and
+ certificate Services template was updated would trigger event ID 4899. A risk
+ permission seems to be comming if template contain specific flag with risky EKU.
+ product: windows
+ service: security
+references:
+- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access
diff --git a/rules/sigma/builtin/security/win_admin_rdp_login.yml b/rules/sigma/builtin/security/win_admin_rdp_login.yml
new file mode 100644
index 00000000..c411cac4
--- /dev/null
+++ b/rules/sigma/builtin/security/win_admin_rdp_login.yml
@@ -0,0 +1,37 @@
+
+title: Admin User Remote Logon
+ruletype: Sigma
+author: juju4
+date: 2017/10/29
+description: Detect remote login by Administrator user (depending on internal pattern).
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 10
+ SELECTION_3:
+ AuthenticationPackageName: Negotiate
+ SELECTION_4:
+ TargetUserName: Admin*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate administrative activity.
+id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
+level: low
+logsource:
+ definition: 'Requirements: Identifiable administrators usernames (pattern or special
+ unique character. ex: "Admin-*"), internal policy mandating use only as secondary
+ account'
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://car.mitre.org/wiki/CAR-2016-04-005
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1078
+- attack.t1078.001
+- attack.t1078.002
+- attack.t1078.003
+- car.2016-04-005
diff --git a/rules/sigma/builtin/security/win_admin_share_access.yml b/rules/sigma/builtin/security/win_admin_share_access.yml
new file mode 100644
index 00000000..cebdbb90
--- /dev/null
+++ b/rules/sigma/builtin/security/win_admin_share_access.yml
@@ -0,0 +1,29 @@
+
+title: Access to ADMIN$ Share
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/04
+description: Detects access to $ADMIN share
+detection:
+ SELECTION_1:
+ EventID: 5140
+ SELECTION_2:
+ ShareName: Admin$
+ SELECTION_3:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Legitimate administrative activity
+id: 098d7118-55bc-4912-a836-dc6483a8d150
+level: low
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit File Share"
+ must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_alert_active_directory_user_control.yml b/rules/sigma/builtin/security/win_alert_active_directory_user_control.yml
new file mode 100644
index 00000000..2708da57
--- /dev/null
+++ b/rules/sigma/builtin/security/win_alert_active_directory_user_control.yml
@@ -0,0 +1,32 @@
+
+title: Enabled User Right in AD to Control User Objects
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/07/30
+description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
+ right in Active Directory it would allow control of other AD user objects.
+detection:
+ SELECTION_1:
+ EventID: 4704
+ SELECTION_2:
+ PrivilegeList:
+ - '*SeEnableDelegationPrivilege*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
+ Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
+ Change'
+ product: windows
+ service: security
+modified: 2021/12/02
+references:
+- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+status: test
+tags:
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml b/rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml
new file mode 100644
index 00000000..197a353e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml
@@ -0,0 +1,48 @@
+
+title: Active Directory User Backdoors
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/04/13
+description: Detects scenarios where one can control another users or computers account
+ without having to use their credentials.
+detection:
+ SELECTION_1:
+ EventID: 4738
+ SELECTION_2:
+ AllowedToDelegateTo: '-'
+ SELECTION_3:
+ AllowedToDelegateTo|re: ^$
+ SELECTION_4:
+ EventID: 5136
+ SELECTION_5:
+ AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
+ SELECTION_6:
+ ObjectClass: user
+ SELECTION_7:
+ AttributeLDAPDisplayName: servicePrincipalName
+ SELECTION_8:
+ AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
+ condition: ((SELECTION_1 and not (SELECTION_2 or SELECTION_3)) or (SELECTION_4
+ and (SELECTION_5 or (SELECTION_6 and SELECTION_7) or SELECTION_8)))
+falsepositives:
+- Unknown
+id: 300bac00-e041-4ee2-9c36-e262656a6ecc
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account
+ Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
+ Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
+ Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
+ Policies\DS Access\Audit Directory Service Changes'
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://msdn.microsoft.com/en-us/library/cc220234.aspx
+- https://adsecurity.org/?p=3466
+- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+status: test
+tags:
+- attack.t1098
+- attack.persistence
diff --git a/rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml b/rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml
new file mode 100644
index 00000000..071511b3
--- /dev/null
+++ b/rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml
@@ -0,0 +1,92 @@
+
+title: Weak Encryption Enabled and Kerberoast
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/07/30
+description: Detects scenario where weak encryption is enabled for a user profile
+ which could be used for hash/password cracking.
+detection:
+ SELECTION_1:
+ EventID: 4738
+ SELECTION_2:
+ NewUacValue:
+ - '*8???'
+ - '*9???'
+ - '*A???'
+ - '*B???'
+ - '*C???'
+ - '*D???'
+ - '*E???'
+ - '*F???'
+ SELECTION_3:
+ OldUacValue:
+ - '*8???'
+ - '*9???'
+ - '*A???'
+ - '*B???'
+ - '*C???'
+ - '*D???'
+ - '*E???'
+ - '*F???'
+ SELECTION_4:
+ NewUacValue:
+ - '*1????'
+ - '*3????'
+ - '*5????'
+ - '*7????'
+ - '*9????'
+ - '*B????'
+ - '*D????'
+ - '*F????'
+ SELECTION_5:
+ OldUacValue:
+ - '*1????'
+ - '*3????'
+ - '*5????'
+ - '*7????'
+ - '*9????'
+ - '*B????'
+ - '*D????'
+ - '*F????'
+ SELECTION_6:
+ NewUacValue:
+ - '*8??'
+ - '*9??'
+ - '*A??'
+ - '*B??'
+ - '*C??'
+ - '*D??'
+ - '*E??'
+ - '*F??'
+ SELECTION_7:
+ OldUacValue:
+ - '*8??'
+ - '*9??'
+ - '*A??'
+ - '*B??'
+ - '*C??'
+ - '*D??'
+ - '*E??'
+ - '*F??'
+ condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
+ and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
+falsepositives:
+- Unknown
+id: f6de9536-0441-4b3f-a646-f4e00f300ffd
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account
+ Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
+ Management'
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://adsecurity.org/?p=2053
+- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
diff --git a/rules/sigma/builtin/security/win_alert_ruler.yml b/rules/sigma/builtin/security/win_alert_ruler.yml
new file mode 100644
index 00000000..2c586128
--- /dev/null
+++ b/rules/sigma/builtin/security/win_alert_ruler.yml
@@ -0,0 +1,41 @@
+
+title: Hacktool Ruler
+ruletype: Sigma
+author: Florian Roth
+date: 2017/05/31
+description: This events that are generated when using the hacktool Ruler by Sensepost
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ Workstation: RULER
+ SELECTION_3:
+ EventID: 4624
+ SELECTION_4:
+ EventID: 4625
+ SELECTION_5:
+ WorkstationName: RULER
+ condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
+falsepositives:
+- Go utilities that use staaldraad awesome NTLM library
+id: 24549159-ac1b-479c-8175-d42aea947cae
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://github.com/sensepost/ruler
+- https://github.com/sensepost/ruler/issues/47
+- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
+status: experimental
+tags:
+- attack.discovery
+- attack.execution
+- attack.t1087
+- attack.t1075
+- attack.t1114
+- attack.t1059
+- attack.t1550.002
diff --git a/rules/sigma/builtin/security/win_apt_chafer_mar18_security.yml b/rules/sigma/builtin/security/win_apt_chafer_mar18_security.yml
new file mode 100644
index 00000000..8a1f1c4b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_apt_chafer_mar18_security.yml
@@ -0,0 +1,42 @@
+
+title: Chafer Activity
+ruletype: Sigma
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 4698
+ SELECTION_2:
+ TaskName:
+ - SC Scheduled Scan
+ - UpdatMachine
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c0580559-a6bd-4ef6-b9b7-83703d98b561
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
diff --git a/rules/sigma/builtin/security/win_apt_slingshot.yml b/rules/sigma/builtin/security/win_apt_slingshot.yml
new file mode 100644
index 00000000..3a6f37d6
--- /dev/null
+++ b/rules/sigma/builtin/security/win_apt_slingshot.yml
@@ -0,0 +1,32 @@
+
+title: Defrag Deactivation
+ruletype: Sigma
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+description: Detects the deactivation and disabling of the Scheduled defragmentation
+ task as seen by Slingshot APT group
+detection:
+ SELECTION_1:
+ EventID: 4701
+ SELECTION_2:
+ TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
+level: medium
+logsource:
+ definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://securelist.com/apt-slingshot/84312/
+related:
+- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.t1053
+- attack.s0111
diff --git a/rules/sigma/builtin/security/win_apt_wocao.yml b/rules/sigma/builtin/security/win_apt_wocao.yml
new file mode 100644
index 00000000..083c0d73
--- /dev/null
+++ b/rules/sigma/builtin/security/win_apt_wocao.yml
@@ -0,0 +1,38 @@
+
+title: Operation Wocao Activity
+ruletype: Sigma
+author: Florian Roth, frack113
+date: 2019/12/20
+description: Detects activity mentioned in Operation Wocao report
+detection:
+ SELECTION_1:
+ EventID: 4799
+ SELECTION_2:
+ TargetUserName: Administr*
+ SELECTION_3:
+ CallerProcessName: '*\checkadmin.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrators that use checkadmin.exe tool to enumerate local administrators
+id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+- https://twitter.com/SBousseaden/status/1207671369963646976
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1036.004
+- attack.t1036
+- attack.t1027
+- attack.execution
+- attack.t1053.005
+- attack.t1053
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/sigma/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
new file mode 100644
index 00000000..94bfb175
--- /dev/null
+++ b/rules/sigma/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -0,0 +1,35 @@
+
+title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+ruletype: Sigma
+author: Sreeman
+date: 2020/03/13
+description: The .SettingContent-ms file type was introduced in Windows 10 and allows
+ a user to create "shortcuts" to various Windows 10 setting pages. These files are
+ simply XML and contain paths to various Windows 10 settings binaries.
+detection:
+ SELECTION_1:
+ CommandLine: '*.SettingContent-ms*'
+ SELECTION_2:
+ FilePath: '*immersivecontrolpanel*'
+ condition: (SELECTION_1 and not (SELECTION_2))
+falsepositives:
+- unknown
+fields:
+- ParentProcess
+- CommandLine
+- ParentCommandLine
+id: 24de4f3b-804c-4165-b442-5a06a2302c7e
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+status: experimental
+tags:
+- attack.t1204
+- attack.t1193
+- attack.t1566.001
+- attack.execution
+- attack.initial_access
diff --git a/rules/sigma/builtin/security/win_asr_bypass_via_appvlp_re.yml b/rules/sigma/builtin/security/win_asr_bypass_via_appvlp_re.yml
new file mode 100644
index 00000000..075cfacb
--- /dev/null
+++ b/rules/sigma/builtin/security/win_asr_bypass_via_appvlp_re.yml
@@ -0,0 +1,30 @@
+
+title: Using AppVLP To Circumvent ASR File Path Rule
+ruletype: Sigma
+author: Sreeman
+date: 2020/03/13
+description: Application Virtualization Utility is included with Microsoft Office.We
+ are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
+ for Application Virtualization, but we can use it as an abuse binary to circumvent
+ the ASR file path rule folder or to mark a file as a system file
+detection:
+ SELECTION_1:
+ CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
+ condition: SELECTION_1
+falsepositives:
+- unknown
+fields:
+- ParentProcess
+- CommandLine
+- ParentCommandLine
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/06/11
+status: experimental
+tags:
+- attack.t1218
+- attack.defense_evasion
+- attack.execution
diff --git a/rules/sigma/builtin/security/win_atsvc_task.yml b/rules/sigma/builtin/security/win_atsvc_task.yml
new file mode 100644
index 00000000..7a7f0142
--- /dev/null
+++ b/rules/sigma/builtin/security/win_atsvc_task.yml
@@ -0,0 +1,37 @@
+
+title: Remote Task Creation via ATSVC Named Pipe
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects remote task creation via at.exe or API interacting with ATSVC
+ namedpipe
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: atsvc
+ SELECTION_4:
+ Accesses: '*WriteData*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: f6de6525-4509-495a-8a82-1f8b0ed73a00
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.persistence
+- attack.t1053
+- car.2013-05-004
+- car.2015-04-001
+- attack.t1053.002
diff --git a/rules/sigma/builtin/security/win_camera_microphone_access.yml b/rules/sigma/builtin/security/win_camera_microphone_access.yml
new file mode 100644
index 00000000..03f32a5e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_camera_microphone_access.yml
@@ -0,0 +1,33 @@
+
+title: Processes Accessing the Microphone and Webcam
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/07
+description: Potential adversaries accessing the microphone and webcam in an endpoint.
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ EventID: 4663
+ SELECTION_4:
+ ObjectName:
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/duzvik/status/1269671601852813320
+- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+status: test
+tags:
+- attack.collection
+- attack.t1123
diff --git a/rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 00000000..5ca7f28e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,32 @@
+
+title: DCERPC SMB Spoolss Named Pipe
+ruletype: Sigma
+author: OTR (Open Threat Research)
+date: 2018/11/28
+description: Detects the use of the spoolss named pipe over SMB. This can be used
+ to trigger the authentication via NTLM of any machine that has the spoolservice
+ enabled.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: spoolss
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Domain Controllers acting as printer servers too? :)
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+- https://twitter.com/_dirkjan/status/1309214379003588608
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_dcom_iertutil_dll_hijack.yml b/rules/sigma/builtin/security/win_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 00000000..2cf27f2f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,31 @@
+
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
+ Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
+ DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName: '*\Internet Explorer\iertutil.dll'
+ SELECTION_3:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Unknown
+id: c39f0c81-7348-4965-ab27-2fde35a1b641
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1021.003
diff --git a/rules/sigma/builtin/security/win_dcsync.yml b/rules/sigma/builtin/security/win_dcsync.yml
new file mode 100644
index 00000000..ed0e0711
--- /dev/null
+++ b/rules/sigma/builtin/security/win_dcsync.yml
@@ -0,0 +1,41 @@
+
+title: Mimikatz DC Sync
+ruletype: Sigma
+author: Benjamin Delpy, Florian Roth, Scott Dermott
+date: 2018/06/03
+description: Detects Mimikatz DC sync security events
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ Properties:
+ - '*Replicating Directory Changes All*'
+ - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ SELECTION_3:
+ SubjectDomainName: Window Manager
+ SELECTION_4:
+ SubjectUserName:
+ - NT AUTHORITY*
+ - MSOL_*
+ SELECTION_5:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not ((SELECTION_3) or (SELECTION_4)
+ or (SELECTION_5)))
+falsepositives:
+- Valid DC Sync that is not covered by the filters; please report
+- Local Domain Admin account used for Azure AD Connect
+id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+status: experimental
+tags:
+- attack.credential_access
+- attack.s0002
+- attack.t1003
+- attack.t1003.006
diff --git a/rules/sigma/builtin/security/win_defender_bypass.yml b/rules/sigma/builtin/security/win_defender_bypass.yml
new file mode 100644
index 00000000..36465b15
--- /dev/null
+++ b/rules/sigma/builtin/security/win_defender_bypass.yml
@@ -0,0 +1,36 @@
+
+title: Windows Defender Exclusion Set
+ruletype: Sigma
+author: '@BarryShooshooga'
+date: 2019/10/26
+description: Detects scenarios where an windows defender exclusion was added in registry
+ where an entity would want to bypass antivirus scanning from windows defender
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ EventID: 4660
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Intended inclusions by administrator
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
+ Policy, Registry System Access Control (SACL): Auditing/User'
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
diff --git a/rules/sigma/builtin/security/win_disable_event_logging.yml b/rules/sigma/builtin/security/win_disable_event_logging.yml
new file mode 100644
index 00000000..6a2a67ac
--- /dev/null
+++ b/rules/sigma/builtin/security/win_disable_event_logging.yml
@@ -0,0 +1,41 @@
+
+title: Disabling Windows Event Auditing
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/11/19
+description: 'Detects scenarios where system auditing (ie: windows event log auditing)
+ is disabled. This may be used in a scenario where an entity would want to bypass
+ local logging to evade detection when windows event logging is enabled and reviewed.
+ Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO,
+ which will make sure that Active Directory GPOs take precedence over local/edited
+ computer policies via something such as "gpedit.msc". Please note, that disabling
+ "Local Group Policy Object Processing" may cause an issue in scenarios of one off
+ specific GPO modifications -- however it is recommended to perform these modifications
+ in Active Directory anyways.'
+detection:
+ SELECTION_1:
+ EventID: 4719
+ SELECTION_2:
+ AuditPolicyChanges:
+ - '*%%8448*'
+ - '*%%8450*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
+ Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
+ Change'
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://bit.ly/WinLogsZero2Hero
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1054
+- attack.t1562.002
diff --git a/rules/sigma/builtin/security/win_dpapi_domain_backupkey_extraction.yml b/rules/sigma/builtin/security/win_dpapi_domain_backupkey_extraction.yml
new file mode 100644
index 00000000..7145b945
--- /dev/null
+++ b/rules/sigma/builtin/security/win_dpapi_domain_backupkey_extraction.yml
@@ -0,0 +1,32 @@
+
+title: DPAPI Domain Backup Key Extraction
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
+ Controllers
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: SecretObject
+ SELECTION_3:
+ AccessMask: '0x2'
+ SELECTION_4:
+ ObjectName: BCKUPKEY
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4ac1f50b-3bd0-4968-902d-868b4647937e
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
diff --git a/rules/sigma/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/sigma/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
new file mode 100644
index 00000000..d7ab2519
--- /dev/null
+++ b/rules/sigma/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -0,0 +1,30 @@
+
+title: DPAPI Domain Master Key Backup Attempt
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects anyone attempting a backup for the DPAPI Master Key. This events
+ gets generated at the source and not the Domain Controller.
+detection:
+ SELECTION_1:
+ EventID: 4692
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
diff --git a/rules/sigma/builtin/security/win_etw_modification.yml b/rules/sigma/builtin/security/win_etw_modification.yml
new file mode 100644
index 00000000..cda0fe78
--- /dev/null
+++ b/rules/sigma/builtin/security/win_etw_modification.yml
@@ -0,0 +1,38 @@
+
+title: COMPlus_ETWEnabled Registry Modification
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
+ SELECTION_3:
+ ObjectValueName: ETWEnabled
+ SELECTION_4:
+ NewValue: '0'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/_xpn_/status/1268712093928378368
+- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+- https://bunnyinside.com/?term=f71e8cb9c76a
+- http://managed670.rssing.com/chan-5590147/all_p1.html
+- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1112
diff --git a/rules/sigma/builtin/security/win_event_log_cleared.yml b/rules/sigma/builtin/security/win_event_log_cleared.yml
new file mode 100644
index 00000000..fccfe425
--- /dev/null
+++ b/rules/sigma/builtin/security/win_event_log_cleared.yml
@@ -0,0 +1,31 @@
+
+title: Security Event Log Cleared
+ruletype: Sigma
+author: Saw Winn Naung
+date: 2021/08/15
+description: Checks for event id 1102 which indicates the security event log was cleared.
+detection:
+ SELECTION_1:
+ EventID: 1102
+ SELECTION_2:
+ Provider_Name: Microsoft-Windows-Eventlog
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative activity
+fields:
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SubjectDomainName
+id: a122ac13-daf8-4175-83a2-72c387be339d
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/10/13
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+status: experimental
+tags:
+- attack.t1107
+- attack.t1070.001
diff --git a/rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
new file mode 100644
index 00000000..dee612ff
--- /dev/null
+++ b/rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -0,0 +1,35 @@
+
+title: CVE-2021-1675 Print Spooler Exploitation IPC Access
+ruletype: Sigma
+author: INIT_6
+date: 2021/07/02
+description: Detects remote printer driver load from Detailed File Share in Security
+ logs that are a sign of successful exploitation attempts against print spooler vulnerability
+ CVE-2021-1675 and CVE-2021-34527
+detection:
+ SELECTION_1:
+ EventID: '5145'
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: spoolss
+ SELECTION_4:
+ AccessMask: '0x3'
+ SELECTION_5:
+ ObjectType: File
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- nothing observed so far
+id: 8fe1c584-ee61-444b-be21-e9054b229694
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/INIT_3/status/1410662463641731075
+status: experimental
+tags:
+- attack.execution
+- attack.t1569
+- cve.2021.1675
+- cve.2021.34527
diff --git a/rules/sigma/builtin/security/win_external_device.yml b/rules/sigma/builtin/security/win_external_device.yml
new file mode 100644
index 00000000..e5fc7ea2
--- /dev/null
+++ b/rules/sigma/builtin/security/win_external_device.yml
@@ -0,0 +1,29 @@
+
+title: External Disk Drive Or USB Storage Device
+ruletype: Sigma
+author: Keith Wright
+date: 2019/11/20
+description: Detects external diskdrives or plugged in USB devices , EventID 6416
+ on windows 10 or later
+detection:
+ SELECTION_1:
+ EventID: 6416
+ SELECTION_2:
+ ClassName: DiskDrive
+ SELECTION_3:
+ DeviceDescription: USB Mass Storage Device
+ condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
+falsepositives:
+- Legitimate administrative activity
+id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+status: experimental
+tags:
+- attack.t1091
+- attack.t1200
+- attack.lateral_movement
+- attack.initial_access
diff --git a/rules/sigma/builtin/security/win_global_catalog_enumeration.yml b/rules/sigma/builtin/security/win_global_catalog_enumeration.yml
new file mode 100644
index 00000000..44b1bf8b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_global_catalog_enumeration.yml
@@ -0,0 +1,35 @@
+
+title: Enumeration via the Global Catalog
+ruletype: Sigma
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/11
+description: Detects enumeration of the global catalog (that can be performed using
+ BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
+ width.
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ DestinationPort: 3268
+ SELECTION_3:
+ DestinationPort: 3269
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress
+ > 2000
+ timeframe: 1h
+falsepositives:
+- Exclude known DCs.
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
+ Platform Connection" must be configured for Success
+ product: windows
+ service: security
+modified: 2021/06/01
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
diff --git a/rules/sigma/builtin/security/win_gpo_scheduledtasks.yml b/rules/sigma/builtin/security/win_gpo_scheduledtasks.yml
new file mode 100644
index 00000000..c39e722e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_gpo_scheduledtasks.yml
@@ -0,0 +1,39 @@
+
+title: Persistence and Execution at Scale via GPO Scheduled Task
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detect lateral movement using GPO scheduled task, usually used to deploy
+ ransomware at scale
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\SYSVOL
+ SELECTION_3:
+ RelativeTargetName: '*ScheduledTasks.xml'
+ SELECTION_4:
+ Accesses:
+ - '*WriteData*'
+ - '*%%4417*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- if the source IP is not localhost then it's super suspicious, better to monitor
+ both local and remote changes to GPO scheduledtasks
+id: a8f29a7b-b137-4446-80a0-b804272f3da2
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/menasec1/status/1106899890377052160
+- https://www.secureworks.com/blog/ransomware-as-a-distraction
+status: test
+tags:
+- attack.persistence
+- attack.lateral_movement
+- attack.t1053
+- attack.t1053.005
diff --git a/rules/sigma/builtin/security/win_hidden_user_creation.yml b/rules/sigma/builtin/security/win_hidden_user_creation.yml
new file mode 100644
index 00000000..418773db
--- /dev/null
+++ b/rules/sigma/builtin/security/win_hidden_user_creation.yml
@@ -0,0 +1,29 @@
+
+title: Hidden Local User Creation
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/05/03
+description: Detects the creation of a local hidden user account which should not
+ happen for event ID 4720.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ SELECTION_2:
+ TargetUserName: '*$'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventCode
+- AccountName
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/SBousseaden/status/1387743867663958021
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136.001
diff --git a/rules/sigma/builtin/security/win_hybridconnectionmgr_svc_installation.yml b/rules/sigma/builtin/security/win_hybridconnectionmgr_svc_installation.yml
new file mode 100644
index 00000000..056159e1
--- /dev/null
+++ b/rules/sigma/builtin/security/win_hybridconnectionmgr_svc_installation.yml
@@ -0,0 +1,28 @@
+
+title: HybridConnectionManager Service Installation
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Rule to detect the Hybrid Connection Manager service installation.
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceName: HybridConnectionManager
+ SELECTION_3:
+ ServiceFileName: '*HybridConnectionManager*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of Hybrid Connection Manager via Azure function apps.
+id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
+- attack.t1554
diff --git a/rules/sigma/builtin/security/win_impacket_psexec.yml b/rules/sigma/builtin/security/win_impacket_psexec.yml
new file mode 100644
index 00000000..8bdf7255
--- /dev/null
+++ b/rules/sigma/builtin/security/win_impacket_psexec.yml
@@ -0,0 +1,32 @@
+
+title: Impacket PsExec Execution
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2020/12/14
+description: Detects execution of Impacket's psexec.py.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName:
+ - '*RemCom_stdint*'
+ - '*RemCom_stdoutt*'
+ - '*RemCom_stderrt*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- nothing observed so far
+id: 32d56ea1-417f-44ff-822b-882873f5f43b
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_impacket_secretdump.yml b/rules/sigma/builtin/security/win_impacket_secretdump.yml
new file mode 100644
index 00000000..368afad1
--- /dev/null
+++ b/rules/sigma/builtin/security/win_impacket_secretdump.yml
@@ -0,0 +1,35 @@
+
+title: Possible Impacket SecretDump Remote Activity
+ruletype: Sigma
+author: Samir Bousseaden, wagga
+date: 2019/04/03
+description: Detect AD credential dumping using impacket secretdump HKTL
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\ADMIN$
+ SELECTION_3:
+ RelativeTargetName: '*SYSTEM32\\*'
+ SELECTION_4:
+ RelativeTargetName: '*.tmp*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/06/27
+references:
+- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.003
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_clip_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_clip_services_security.yml
new file mode 100644
index 00000000..6064cbd0
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_clip_services_security.yml
@@ -0,0 +1,33 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 4697
+ SELECTION_3:
+ ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
new file mode 100644
index 00000000..4459571f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -0,0 +1,43 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+ruletype: Sigma
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+ by Invoke-Obfuscation framework from the code block linked in the references
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_3:
+ ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_4:
+ ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_5:
+ ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_6:
+ ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
+ SELECTION_7:
+ ServiceFileName|re: \$VerbosePreference\.ToString\(
+ SELECTION_8:
+ ServiceFileName|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: fd0f5778-d3cb-4c9a-9695-66759d04702a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/16
+references:
+- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+related:
+- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_stdin_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
new file mode 100644
index 00000000..78eb22be
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_stdin_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/17
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_var_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_var_services_security.yml
new file mode 100644
index 00000000..f5df8b62
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_var_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: dcf2db1f-f091-425b-a821-c05875b8925a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/12/02
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
new file mode 100644
index 00000000..313776cb
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 175997c5-803c-4b08-8bb0-70b099f47595
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
new file mode 100644
index 00000000..0f99f48c
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
new file mode 100644
index 00000000..606811cd
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Stdin
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 487c7524-f892-4054-b263-8a0ace63fc25
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
new file mode 100644
index 00000000..39d317e2
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use Clip
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
new file mode 100644
index 00000000..e7d33d48
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
new file mode 100644
index 00000000..46b3056c
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_invoke_obfuscation_via_var_services_security.yml b/rules/sigma/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
new file mode 100644
index 00000000..50578fd7
--- /dev/null
+++ b/rules/sigma/builtin/security/win_invoke_obfuscation_via_var_services_security.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_iso_mount.yml b/rules/sigma/builtin/security/win_iso_mount.yml
new file mode 100644
index 00000000..5ad6f89e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_iso_mount.yml
@@ -0,0 +1,37 @@
+
+title: ISO Image Mount
+ruletype: Sigma
+author: Syed Hasan (@syedhasan009)
+date: 2021/05/29
+description: Detects the mount of ISO images on an endpoint
+detection:
+ SELECTION_1:
+ EventID: 4663
+ SELECTION_2:
+ ObjectServer: Security
+ SELECTION_3:
+ ObjectType: File
+ SELECTION_4:
+ ObjectName: \Device\CdRom*
+ SELECTION_5:
+ ObjectName: \Device\CdRom0\setup.exe
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Software installation ISO files
+id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Removable Storage"
+ must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/11/20
+references:
+- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
+- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
+- https://twitter.com/MsftSecIntel/status/1257324139515269121
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1566.001
diff --git a/rules/sigma/builtin/security/win_lateral_movement_condrv.yml b/rules/sigma/builtin/security/win_lateral_movement_condrv.yml
new file mode 100644
index 00000000..b7b3c90b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_lateral_movement_condrv.yml
@@ -0,0 +1,38 @@
+
+title: Lateral Movement Indicator ConDrv
+ruletype: Sigma
+author: Janantha Marasinghe
+date: 2021/04/27
+description: This event was observed on the target host during lateral movement. The
+ process name within the event contains the process spawned post compromise. Account
+ Name within the event contains the compromised user account name. This event should
+ to be correlated with 4624 and 4688 for further intrusion context.
+detection:
+ SELECTION_1:
+ EventID: 4674
+ SELECTION_2:
+ ObjectServer: Security
+ SELECTION_3:
+ ObjectType: File
+ SELECTION_4:
+ ObjectName: \Device\ConDrv
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- legal admin action
+- Penetration tests where lateral movement has occurred. This event will be created
+ on the target host.
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2021/12/09
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+status: deprecated
+tags:
+- attack.lateral_movement
+- attack.execution
+- attack.t1021
+- attack.t1059
diff --git a/rules/sigma/builtin/security/win_lm_namedpipe.yml b/rules/sigma/builtin/security/win_lm_namedpipe.yml
new file mode 100644
index 00000000..3ae1b55e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_lm_namedpipe.yml
@@ -0,0 +1,52 @@
+
+title: First Time Seen Remote Named Pipe
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: This detection excludes known namped pipes accessible remotely and notify
+ on newly observed ones, may help to detect lateral movement and remote exec using
+ named pipes
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName:
+ - atsvc
+ - samr
+ - lsarpc
+ - lsass
+ - winreg
+ - netlogon
+ - srvsvc
+ - protected_storage
+ - wkssvc
+ - browser
+ - netdfs
+ - svcctl
+ - spoolss
+ - ntsvcs
+ - LSM_API_service
+ - HydraLsPipe
+ - TermSrv_API_service
+ - MsFteWds
+ - sql\query
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- update the excluded named pipe to filter out any newly observed legit named pipe
+id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/12/06
+references:
+- https://twitter.com/menasec1/status/1104489274387451904
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_lolbas_execution_of_nltest.yml b/rules/sigma/builtin/security/win_lolbas_execution_of_nltest.yml
new file mode 100644
index 00000000..812b05b6
--- /dev/null
+++ b/rules/sigma/builtin/security/win_lolbas_execution_of_nltest.yml
@@ -0,0 +1,35 @@
+
+title: Correct Execution of Nltest.exe
+ruletype: Sigma
+author: Arun Chauhan
+date: 2021/10/04
+description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers,
+ domain trusts, parent domain and the current user permissions.
+detection:
+ SELECTION_1:
+ EventID: 4689
+ SELECTION_2:
+ ProcessName: '*nltest.exe'
+ SELECTION_3:
+ Status: '0x0'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Red team activity
+- rare legitimate use by an administrator
+fields:
+- SubjectUserName
+- SubjectDomainName
+id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
+- https://attack.mitre.org/software/S0359/
+status: experimental
+tags:
+- attack.discovery
+- attack.t1482
+- attack.t1018
+- attack.t1016
diff --git a/rules/sigma/builtin/security/win_lsass_access_non_system_account.yml b/rules/sigma/builtin/security/win_lsass_access_non_system_account.yml
new file mode 100644
index 00000000..ad6da252
--- /dev/null
+++ b/rules/sigma/builtin/security/win_lsass_access_non_system_account.yml
@@ -0,0 +1,69 @@
+
+title: LSASS Access from Non System Account
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects potential mimikatz-like tools accessing LSASS from non system
+ account
+detection:
+ SELECTION_1:
+ EventID: 4663
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ AccessMask:
+ - '0x40'
+ - '0x1400'
+ - '0x100000'
+ - '0x1410'
+ - '0x1010'
+ - '0x1438'
+ - '0x143a'
+ - '0x1418'
+ - '0x1f0fff'
+ - '0x1f1fff'
+ - '0x1f2fff'
+ - '0x1f3fff'
+ - '40'
+ - '1400'
+ - '1000'
+ - '100000'
+ - '1410'
+ - '1010'
+ - '1438'
+ - 143a
+ - '1418'
+ - 1f0fff
+ - 1f1fff
+ - 1f2fff
+ - 1f3fff
+ SELECTION_4:
+ ObjectType: Process
+ SELECTION_5:
+ ObjectName: '*\lsass.exe'
+ SELECTION_6:
+ SubjectUserName: '*$'
+ SELECTION_7:
+ ProcessName: C:\Program Files*
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ and not ((SELECTION_6) or (SELECTION_7)))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- ObjectName
+- SubjectUserName
+- ProcessName
+id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/22
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/builtin/security/win_mal_wceaux_dll.yml b/rules/sigma/builtin/security/win_mal_wceaux_dll.yml
new file mode 100644
index 00000000..f7f788ee
--- /dev/null
+++ b/rules/sigma/builtin/security/win_mal_wceaux_dll.yml
@@ -0,0 +1,35 @@
+
+title: WCE wceaux.dll Access
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/06/14
+description: Detects wceaux.dll access while WCE pass-the-hash remote command execution
+ on source host
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4658
+ SELECTION_3:
+ EventID: 4660
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ ObjectName: '*\wceaux.dll'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Penetration testing
+id: 1de68c67-af5c-4097-9c85-fe5578e09e67
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.s0005
diff --git a/rules/sigma/builtin/security/win_metasploit_authentication.yml b/rules/sigma/builtin/security/win_metasploit_authentication.yml
new file mode 100644
index 00000000..abf79297
--- /dev/null
+++ b/rules/sigma/builtin/security/win_metasploit_authentication.yml
@@ -0,0 +1,40 @@
+
+title: Metasploit SMB Authentication
+ruletype: Sigma
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+description: Alerts on Metasploit host's authentications on the domain.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ EventID: 4624
+ SELECTION_3:
+ LogonType: 3
+ SELECTION_4:
+ AuthenticationPackageName: NTLM
+ SELECTION_5:
+ WorkstationName|re: ^[A-Za-z0-9]{16}$
+ SELECTION_6:
+ ProcessName|re: ^$
+ SELECTION_7:
+ EventID: 4776
+ SELECTION_8:
+ Workstation|re: ^[A-Za-z0-9]{16}$
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8))
+falsepositives:
+- Linux hostnames composed of 16 characters.
+id: 72124974-a68b-4366-b990-d30e0b2a190d
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_net_ntlm_downgrade.yml b/rules/sigma/builtin/security/win_net_ntlm_downgrade.yml
new file mode 100644
index 00000000..9505c48a
--- /dev/null
+++ b/rules/sigma/builtin/security/win_net_ntlm_downgrade.yml
@@ -0,0 +1,41 @@
+
+title: NetNTLM Downgrade Attack
+ruletype: Sigma
+author: Florian Roth, wagga
+date: 2018/03/20
+description: Detects NetNTLM downgrade attack
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ ObjectName: '*\REGISTRY\MACHINE\SYSTEM*'
+ SELECTION_3:
+ ObjectName: '*ControlSet*'
+ SELECTION_4:
+ ObjectName: '*\Control\Lsa*'
+ SELECTION_5:
+ ObjectValueName:
+ - LmCompatibilityLevel
+ - NtlmMinClientSec
+ - RestrictSendingNTLMTraffic
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
+level: critical
+logsource:
+ definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+ product: windows
+ service: security
+modified: 2021/06/27
+references:
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+related:
+- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+- attack.t1112
diff --git a/rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
new file mode 100644
index 00000000..862433da
--- /dev/null
+++ b/rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -0,0 +1,30 @@
+
+title: New or Renamed User Account with '$' in Attribute 'SamAccountName'.
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ SELECTION_2:
+ EventID: 4781
+ SELECTION_3:
+ SamAccountName: '*$*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- EventID
+- SamAccountName
+- SubjectUserName
+id: cfeed607-6aa4-4bbd-9627-b637deb723c8
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
diff --git a/rules/sigma/builtin/security/win_not_allowed_rdp_access.yml b/rules/sigma/builtin/security/win_not_allowed_rdp_access.yml
new file mode 100644
index 00000000..59ee8465
--- /dev/null
+++ b/rules/sigma/builtin/security/win_not_allowed_rdp_access.yml
@@ -0,0 +1,32 @@
+
+title: Denied Access To Remote Desktop
+ruletype: Sigma
+author: Pushkarev Dmitry
+date: 2020/06/27
+description: This event is generated when an authenticated user who is not allowed
+ to log on remotely attempts to connect to this computer through Remote Desktop.
+ Often, this event can be generated by attackers when searching for available windows
+ servers in the network.
+detection:
+ SELECTION_1:
+ EventID: 4825
+ condition: SELECTION_1
+falsepositives:
+- Valid user was not added to RDP group
+fields:
+- EventCode
+- AccountName
+- ClientAddress
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1076
+- attack.t1021.001
diff --git a/rules/sigma/builtin/security/win_overpass_the_hash.yml b/rules/sigma/builtin/security/win_overpass_the_hash.yml
new file mode 100644
index 00000000..64be24e9
--- /dev/null
+++ b/rules/sigma/builtin/security/win_overpass_the_hash.yml
@@ -0,0 +1,33 @@
+
+title: Successful Overpass the Hash Attempt
+ruletype: Sigma
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+description: Detects successful logon with logon type 9 (NewCredentials) which matches
+ the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 9
+ SELECTION_3:
+ LogonProcessName: seclogo
+ SELECTION_4:
+ AuthenticationPackageName: Negotiate
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Runas command-line tool using /netonly parameter
+id: 192a0330-c20b-4356-90b6-7b7049ae0b87
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.s0002
+- attack.t1550.002
diff --git a/rules/sigma/builtin/security/win_pass_the_hash.yml b/rules/sigma/builtin/security/win_pass_the_hash.yml
new file mode 100644
index 00000000..8a26ade8
--- /dev/null
+++ b/rules/sigma/builtin/security/win_pass_the_hash.yml
@@ -0,0 +1,44 @@
+
+title: Pass the Hash Activity
+ruletype: Sigma
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017/03/08
+description: Detects the attack technique pass the hash which is used to move laterally
+ inside the network
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ EventID: 4625
+ SELECTION_3:
+ LogonType: '3'
+ SELECTION_4:
+ LogonProcessName: NtLmSsp
+ SELECTION_5:
+ WorkstationName: '%Workstations%'
+ SELECTION_6:
+ ComputerName: '%Workstations%'
+ SELECTION_7:
+ TargetUserName: ANONYMOUS LOGON
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6) and not (SELECTION_7))
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
+level: medium
+logsource:
+ definition: The successful use of PtH for lateral movement between workstations
+ would trigger event ID 4624, a failed logon attempt would trigger an event ID
+ 4625
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1075
+- car.2016-04-004
+- attack.t1550.002
diff --git a/rules/sigma/builtin/security/win_pass_the_hash_2.yml b/rules/sigma/builtin/security/win_pass_the_hash_2.yml
new file mode 100644
index 00000000..709052b0
--- /dev/null
+++ b/rules/sigma/builtin/security/win_pass_the_hash_2.yml
@@ -0,0 +1,45 @@
+
+title: Pass the Hash Activity 2
+ruletype: Sigma
+author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
+date: 2019/06/14
+description: Detects the attack technique pass the hash which is used to move laterally
+ inside the network
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ SubjectUserSid: S-1-0-0
+ SELECTION_3:
+ LogonType: '3'
+ SELECTION_4:
+ LogonProcessName: NtLmSsp
+ SELECTION_5:
+ KeyLength: '0'
+ SELECTION_6:
+ LogonType: '9'
+ SELECTION_7:
+ LogonProcessName: seclogo
+ SELECTION_8:
+ TargetUserName: ANONYMOUS LOGON
+ condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7))) and not (SELECTION_8))
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
+level: medium
+logsource:
+ definition: The successful use of PtH for lateral movement between workstations
+ would trigger event ID 4624
+ product: windows
+ service: security
+references:
+- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
+status: stable
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.t1550.002
diff --git a/rules/sigma/builtin/security/win_petitpotam_network_share.yml b/rules/sigma/builtin/security/win_petitpotam_network_share.yml
new file mode 100644
index 00000000..364debae
--- /dev/null
+++ b/rules/sigma/builtin/security/win_petitpotam_network_share.yml
@@ -0,0 +1,34 @@
+
+title: Possible PetitPotam Coerce Authentication Attempt
+ruletype: Sigma
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+description: Detect PetitPotam coerced authentication activity.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*
+ SELECTION_3:
+ ShareName: '*\IPC$'
+ SELECTION_4:
+ RelativeTargetName: lsarpc
+ SELECTION_5:
+ SubjectUserName: ANONYMOUS LOGON
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown. Feedback welcomed.
+id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Detailed File Share"
+ must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://github.com/topotam/PetitPotam
+- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1187
diff --git a/rules/sigma/builtin/security/win_petitpotam_susp_tgt_request.yml b/rules/sigma/builtin/security/win_petitpotam_susp_tgt_request.yml
new file mode 100644
index 00000000..ec053441
--- /dev/null
+++ b/rules/sigma/builtin/security/win_petitpotam_susp_tgt_request.yml
@@ -0,0 +1,44 @@
+
+title: PetitPotam Suspicious Kerberos TGT Request
+ruletype: Sigma
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
+ certificate by abusing Active Directory Certificate Services in combination with
+ PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+ One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
+ like Rubeus. This request will generate a 4768 event with some unusual fields depending
+ on the environment. This analytic will require tuning, we recommend filtering Account_Name
+ to the Domain Controller computer accounts.
+detection:
+ SELECTION_1:
+ EventID: 4768
+ SELECTION_2:
+ TargetUserName: '*$'
+ SELECTION_3:
+ CertThumbprint: '*'
+ SELECTION_4:
+ IpAddress: ::1
+ SELECTION_5:
+ CertThumbprint: ''
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not ((SELECTION_4)
+ or (SELECTION_5)))
+falsepositives:
+- False positives are possible if the environment is using certificates for authentication.
+ We recommend filtering Account_Name to the Domain Controller computer accounts.
+id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
+level: high
+logsource:
+ definition: The advanced audit policy setting "Account Logon > Kerberos Authentication
+ Service" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/09/07
+references:
+- https://github.com/topotam/PetitPotam
+- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
+- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1187
diff --git a/rules/sigma/builtin/security/win_possible_dc_shadow.yml b/rules/sigma/builtin/security/win_possible_dc_shadow.yml
new file mode 100644
index 00000000..7dbe1f0a
--- /dev/null
+++ b/rules/sigma/builtin/security/win_possible_dc_shadow.yml
@@ -0,0 +1,35 @@
+
+title: Possible DC Shadow
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2019/10/25
+description: Detects DCShadow via create new SPN
+detection:
+ SELECTION_1:
+ EventID: 4742
+ SELECTION_2:
+ ServicePrincipalNames: '*GC/*'
+ SELECTION_3:
+ EventID: 5136
+ SELECTION_4:
+ AttributeLDAPDisplayName: servicePrincipalName
+ SELECTION_5:
+ AttributeValue: GC/*
+ condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
+falsepositives:
+- Exclude known DCs
+id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1207
diff --git a/rules/sigma/builtin/security/win_privesc_cve_2020_1472.yml b/rules/sigma/builtin/security/win_privesc_cve_2020_1472.yml
new file mode 100644
index 00000000..81b1eaf0
--- /dev/null
+++ b/rules/sigma/builtin/security/win_privesc_cve_2020_1472.yml
@@ -0,0 +1,32 @@
+
+title: Possible Zerologon (CVE-2020-1472) Exploitation
+ruletype: Sigma
+author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
+date: 2020/10/15
+description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+detection:
+ SELECTION_1:
+ EventID: 4742
+ SELECTION_2:
+ SubjectUserName: ANONYMOUS LOGON
+ SELECTION_3:
+ TargetUserName: '%DC-MACHINE-NAME%'
+ SELECTION_4:
+ PasswordLastSet: '-'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- automatic DC computer account password change
+- legitimate DC computer account password change
+id: dd7876d8-0f09-11eb-adc1-0242ac120002
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+status: experimental
+tags:
+- attack.t1068
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_protected_storage_service_access.yml b/rules/sigma/builtin/security/win_protected_storage_service_access.yml
new file mode 100644
index 00000000..d650a0f8
--- /dev/null
+++ b/rules/sigma/builtin/security/win_protected_storage_service_access.yml
@@ -0,0 +1,30 @@
+
+title: Protected Storage Service Access
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects access to a protected_storage service over the network. Potential
+ abuse of DPAPI to extract domain backup keys from Domain Controllers
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: '*IPC*'
+ SELECTION_3:
+ RelativeTargetName: protected_storage
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 45545954-4016-43c6-855e-eae8f1c369dc
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_rare_schtasks_creations.yml b/rules/sigma/builtin/security/win_rare_schtasks_creations.yml
new file mode 100644
index 00000000..b196e64d
--- /dev/null
+++ b/rules/sigma/builtin/security/win_rare_schtasks_creations.yml
@@ -0,0 +1,34 @@
+
+title: Rare Schtasks Creations
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/23
+description: Detects rare scheduled tasks creations that only appear a few times per
+ time frame and could reveal password dumpers, backdoor installs or other types of
+ malicious code
+detection:
+ SELECTION_1:
+ EventID: 4698
+ condition: SELECTION_1 | count() by TaskName < 5
+ timeframe: 7d
+falsepositives:
+- Software installation
+- Software updates
+id: b0d77106-7bb0-41fe-bd94-d1752164d066
+level: low
+logsource:
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+ Access Events has to be configured to allow this detection (not in the baseline
+ recommendations by Microsoft). We also recommend extracting the Command field
+ from the embedded XML in the event data.
+ product: windows
+ service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
diff --git a/rules/sigma/builtin/security/win_rdp_bluekeep_poc_scanner.yml b/rules/sigma/builtin/security/win_rdp_bluekeep_poc_scanner.yml
new file mode 100644
index 00000000..0aa49f51
--- /dev/null
+++ b/rules/sigma/builtin/security/win_rdp_bluekeep_poc_scanner.yml
@@ -0,0 +1,29 @@
+
+title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
+ruletype: Sigma
+author: Florian Roth (rule), Adam Bradbury (idea)
+date: 2019/06/02
+description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable
+ to CVE-2019-0708 RDP RCE aka BlueKeep
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ TargetUserName: AAAAAAA
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 8400629e-79a9-4737-b387-5db940ab2367
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/12
+references:
+- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
+- https://github.com/zerosum0x0/CVE-2019-0708
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1210
+- car.2013-07-002
diff --git a/rules/sigma/builtin/security/win_rdp_localhost_login.yml b/rules/sigma/builtin/security/win_rdp_localhost_login.yml
new file mode 100644
index 00000000..70f837db
--- /dev/null
+++ b/rules/sigma/builtin/security/win_rdp_localhost_login.yml
@@ -0,0 +1,32 @@
+
+title: RDP Login from Localhost
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/01/28
+description: RDP login with localhost source address may be a tunnelled login
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 10
+ SELECTION_3:
+ IpAddress:
+ - ::1
+ - 127.0.0.1
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 51e33403-2a37-4d66-a574-1fda1782cc31
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1076
+- car.2013-07-002
+- attack.t1021.001
diff --git a/rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml b/rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml
new file mode 100644
index 00000000..afe66a0e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml
@@ -0,0 +1,45 @@
+
+title: RDP over Reverse SSH Tunnel WFP
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/02/16
+description: Detects svchost hosting RDP termsvcs communicating with the loopback
+ address
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ SourcePort: 3389
+ SELECTION_3:
+ DestAddress:
+ - 127.*
+ - ::1
+ SELECTION_4:
+ DestPort: 3389
+ SELECTION_5:
+ SourceAddress:
+ - 127.*
+ - ::1
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- unknown
+id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://twitter.com/SBousseaden/status/1096148422984384514
+- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.command_and_control
+- attack.lateral_movement
+- attack.t1076
+- attack.t1090
+- attack.t1090.001
+- attack.t1090.002
+- attack.t1021.001
+- car.2013-07-002
diff --git a/rules/sigma/builtin/security/win_register_new_logon_process_by_rubeus.yml b/rules/sigma/builtin/security/win_register_new_logon_process_by_rubeus.yml
new file mode 100644
index 00000000..2c970f82
--- /dev/null
+++ b/rules/sigma/builtin/security/win_register_new_logon_process_by_rubeus.yml
@@ -0,0 +1,28 @@
+
+title: Register new Logon Process by Rubeus
+ruletype: Sigma
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+description: Detects potential use of Rubeus via registered new trusted logon process
+detection:
+ SELECTION_1:
+ EventID: 4611
+ SELECTION_2:
+ LogonProcessName: User32LogonProcesss
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 12e6d621-194f-4f59-90cc-1959e21e69f7
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/14
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.t1208
+- attack.t1558.003
diff --git a/rules/sigma/builtin/security/win_remote_powershell_session.yml b/rules/sigma/builtin/security/win_remote_powershell_session.yml
new file mode 100644
index 00000000..2ad3c1f7
--- /dev/null
+++ b/rules/sigma/builtin/security/win_remote_powershell_session.yml
@@ -0,0 +1,32 @@
+
+title: Remote PowerShell Sessions Network Connections (WinRM)
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound
+ connections to ports 5985 OR 5986
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ DestPort: 5985
+ SELECTION_3:
+ DestPort: 5986
+ SELECTION_4:
+ LayerRTID: 44
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate use of remote PowerShell execution
+id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/05/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/builtin/security/win_remote_registry_management_using_reg_utility.yml b/rules/sigma/builtin/security/win_remote_registry_management_using_reg_utility.yml
new file mode 100644
index 00000000..493de4df
--- /dev/null
+++ b/rules/sigma/builtin/security/win_remote_registry_management_using_reg_utility.yml
@@ -0,0 +1,33 @@
+
+title: Remote Registry Management Using Reg Utility
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Remote registry management using REG utility from non-admin workstation
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName: '*\winreg*'
+ SELECTION_3:
+ IpAddress: '%Admins_Workstations%'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Legitimate usage of remote registry management by administrator
+id: 68fcba0d-73a5-475e-a915-e8b4c576827e
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1112
+- attack.discovery
+- attack.t1012
+- attack.credential_access
+- attack.t1552.002
+- attack.s0075
diff --git a/rules/sigma/builtin/security/win_sam_registry_hive_handle_request.yml b/rules/sigma/builtin/security/win_sam_registry_hive_handle_request.yml
new file mode 100644
index 00000000..482ea76d
--- /dev/null
+++ b/rules/sigma/builtin/security/win_sam_registry_hive_handle_request.yml
@@ -0,0 +1,36 @@
+
+title: SAM Registry Hive Handle Request
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects handles requested to SAM registry hive
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ ObjectType: Key
+ SELECTION_3:
+ ObjectName: '*\SAM'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ProcessName
+- ObjectName
+id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
+status: test
+tags:
+- attack.discovery
+- attack.t1012
+- attack.credential_access
+- attack.t1552.002
diff --git a/rules/sigma/builtin/security/win_scheduled_task_deletion.yml b/rules/sigma/builtin/security/win_scheduled_task_deletion.yml
new file mode 100644
index 00000000..bbed9911
--- /dev/null
+++ b/rules/sigma/builtin/security/win_scheduled_task_deletion.yml
@@ -0,0 +1,32 @@
+
+title: Scheduled Task Deletion
+ruletype: Sigma
+author: David Strassegger
+date: 2021/01/22
+description: Detects scheduled task deletion events. Scheduled tasks are likely to
+ be deleted if not used for persistence. Malicious Software often creates tasks directly
+ under the root node e.g. \TASKNAME
+detection:
+ SELECTION_1:
+ EventID: 4699
+ condition: SELECTION_1
+falsepositives:
+- Software installation
+id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
+level: medium
+logsource:
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+ Access Events has to be configured to allow this detection. We also recommend
+ extracting the Command field from the embedded XML in the event data.
+ product: windows
+ service: security
+references:
+- https://twitter.com/matthewdunwoody/status/1352356685982146562
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
diff --git a/rules/sigma/builtin/security/win_scm_database_handle_failure.yml b/rules/sigma/builtin/security/win_scm_database_handle_failure.yml
new file mode 100644
index 00000000..2a22ecbe
--- /dev/null
+++ b/rules/sigma/builtin/security/win_scm_database_handle_failure.yml
@@ -0,0 +1,30 @@
+
+title: SCM Database Handle Failure
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects non-system users failing to get a handle of the SCM database.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ ObjectType: SC_MANAGER OBJECT
+ SELECTION_3:
+ ObjectName: ServicesActive
+ SELECTION_4:
+ SubjectLogonId: '0x3e4'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unknown
+id: 13addce7-47b2-4ca0-a98f-1de964d1d669
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/12
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1010
diff --git a/rules/sigma/builtin/security/win_scm_database_privileged_operation.yml b/rules/sigma/builtin/security/win_scm_database_privileged_operation.yml
new file mode 100644
index 00000000..ea39de1b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_scm_database_privileged_operation.yml
@@ -0,0 +1,33 @@
+
+title: SCM Database Privileged Operation
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/15
+description: Detects non-system users performing privileged operation os the SCM database
+detection:
+ SELECTION_1:
+ EventID: 4674
+ SELECTION_2:
+ ObjectType: SC_MANAGER OBJECT
+ SELECTION_3:
+ ObjectName: servicesactive
+ SELECTION_4:
+ PrivilegeList: SeTakeOwnershipPrivilege
+ SELECTION_5:
+ SubjectLogonId: '0x3e4'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: dae8171c-5ec6-4396-b210-8466585b53e9
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
+status: test
+tags:
+- attack.privilege_escalation
+- attack.t1548
diff --git a/rules/sigma/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/sigma/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000..7241ed31
--- /dev/null
+++ b/rules/sigma/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml
@@ -0,0 +1,33 @@
+
+title: Remote WMI ActiveScriptEventConsumers
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers
+ remotely to move laterally in a network
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 3
+ SELECTION_3:
+ ProcessName: '*scrcons.exe'
+ SELECTION_4:
+ TargetLogonId: '0x3e7'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- SCCM
+id: 9599c180-e3a8-4743-8f92-7fb96d3be648
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
diff --git a/rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000..8b3f9357
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -0,0 +1,52 @@
+
+title: CobaltStrike Service Installations
+ruletype: Sigma
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/26
+description: Detects known malicious service installs that appear in cases in which
+ a Cobalt Strike beacon elevates privileges or lateral movement
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName: '*ADMIN$*'
+ SELECTION_3:
+ ServiceFileName: '*.exe*'
+ SELECTION_4:
+ ServiceFileName: '*%COMSPEC%*'
+ SELECTION_5:
+ ServiceFileName: '*start*'
+ SELECTION_6:
+ ServiceFileName: '*powershell*'
+ SELECTION_7:
+ ServiceFileName: '*powershell -nop -w hidden -encodedcommand*'
+ SELECTION_8:
+ ServiceFileName:
+ - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
+ - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
+ - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6) or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://www.sans.org/webcasts/119395
+- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+related:
+- id: 5a105d34-05fc-401e-8553-272b45c1522d
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1543.003
+- attack.t1569.002
diff --git a/rules/sigma/builtin/security/win_security_mal_creddumper.yml b/rules/sigma/builtin/security/win_security_mal_creddumper.yml
new file mode 100644
index 00000000..5342f87f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_mal_creddumper.yml
@@ -0,0 +1,46 @@
+
+title: Credential Dumping Tools Service Execution
+ruletype: Sigma
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+ events
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName:
+ - '*fgexec*'
+ - '*dumpsvc*'
+ - '*cachedump*'
+ - '*mimidrv*'
+ - '*gsecdump*'
+ - '*servpw*'
+ - '*pwdump*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+related:
+- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
diff --git a/rules/sigma/builtin/security/win_security_mal_service_installs.yml b/rules/sigma/builtin/security/win_security_mal_service_installs.yml
new file mode 100644
index 00000000..93ca7395
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_mal_service_installs.yml
@@ -0,0 +1,38 @@
+
+title: Malicious Service Installations
+ruletype: Sigma
+author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+date: 2017/03/27
+description: Detects known malicious service installs that only appear in cases of
+ lateral movement, credential dumping, and other suspicious activities.
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceName: javamtsup
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration testing
+id: cb062102-587e-4414-8efa-dbe3c7bf19c6
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://awakesecurity.com/blog/threat-hunting-for-paexec/
+- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
+- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
+related:
+- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1003
+- attack.t1035
+- attack.t1050
+- car.2013-09-005
+- attack.t1543.003
+- attack.t1569.002
diff --git a/rules/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
new file mode 100644
index 00000000..a0c5d001
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -0,0 +1,49 @@
+
+title: Metasploit Or Impacket Service Installation Via SMB PsExec
+ruletype: Sigma
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/21
+description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and
+ Impacket psexec.py by triggering on specific service installation
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$
+ SELECTION_3:
+ ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)
+ SELECTION_4:
+ ServiceStartType: '3'
+ SELECTION_5:
+ ServiceType: '0x10'
+ SELECTION_6:
+ ServiceName: PSEXESVC
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ and not (SELECTION_6))
+falsepositives:
+- Possible, different agents with a 8 character binary and a 4, 8 or 16 character
+ service name
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ServiceName
+- ServiceFileName
+id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/23
+references:
+- https://bczyz1.github.io/2021/01/30/psexec.html
+related:
+- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
+ type: derived
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1570
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
new file mode 100644
index 00000000..eb800446
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -0,0 +1,69 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+ruletype: Sigma
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+ a specific service installation
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_10:
+ ServiceFileName: '*cmd.exe*'
+ SELECTION_11:
+ ServiceFileName: '*/c*'
+ SELECTION_12:
+ ServiceFileName: '*echo*'
+ SELECTION_13:
+ ServiceFileName: '*\pipe\\*'
+ SELECTION_14:
+ ServiceFileName: '*rundll32*'
+ SELECTION_15:
+ ServiceFileName: '*.dll,a*'
+ SELECTION_16:
+ ServiceFileName: '*/p:*'
+ SELECTION_2:
+ ServiceFileName: '*cmd*'
+ SELECTION_3:
+ ServiceFileName: '*/c*'
+ SELECTION_4:
+ ServiceFileName: '*echo*'
+ SELECTION_5:
+ ServiceFileName: '*\pipe\\*'
+ SELECTION_6:
+ ServiceFileName: '*%COMSPEC%*'
+ SELECTION_7:
+ ServiceFileName: '*/c*'
+ SELECTION_8:
+ ServiceFileName: '*echo*'
+ SELECTION_9:
+ ServiceFileName: '*\pipe\\*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
+ and SELECTION_16)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ServiceFileName
+id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+related:
+- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+ type: derived
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
diff --git a/rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000..acb6725f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -0,0 +1,31 @@
+
+title: PowerShell Scripts Installed as Services
+ruletype: Sigma
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName:
+ - '*powershell*'
+ - '*pwsh*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+related:
+- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/builtin/security/win_security_tap_driver_installation.yml b/rules/sigma/builtin/security/win_security_tap_driver_installation.yml
new file mode 100644
index 00000000..b30ccd9b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_tap_driver_installation.yml
@@ -0,0 +1,28 @@
+
+title: Tap Driver Installation
+ruletype: Sigma
+author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+date: 2019/10/24
+description: Well-known TAP software installation. Possible preparation for data exfiltration
+ using tunnelling techniques
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName: '*tap0901*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate OpenVPN TAP insntallation
+id: 9c8afa4d-0022-48f0-9456-3712466f9701
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+related:
+- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
+ type: derived
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
diff --git a/rules/sigma/builtin/security/win_security_wmi_persistence.yml b/rules/sigma/builtin/security/win_security_wmi_persistence.yml
new file mode 100644
index 00000000..f173a0f3
--- /dev/null
+++ b/rules/sigma/builtin/security/win_security_wmi_persistence.yml
@@ -0,0 +1,35 @@
+
+title: WMI Persistence
+ruletype: Sigma
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+date: 2017/08/22
+description: Detects suspicious WMI event filter and command line event consumer based
+ on WMI and Security Logs.
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: WMI Namespace
+ SELECTION_3:
+ ObjectName: '*subscription*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: f033f3f3-fd24-4995-97d8-a3bb17550a88
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://twitter.com/mattifestation/status/899646620148539397
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+related:
+- id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1084
+- attack.t1546.003
diff --git a/rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml b/rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml
new file mode 100644
index 00000000..f8c2606a
--- /dev/null
+++ b/rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml
@@ -0,0 +1,32 @@
+
+title: SMB Create Remote File Admin Share
+ruletype: Sigma
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+date: 2020/08/06
+description: Look for non-system accounts SMB accessing a file with write (0x2) access
+ mask via administrative share (i.e C$).
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: '*C$'
+ SELECTION_3:
+ AccessMask: '0x2'
+ SELECTION_4:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unknown
+id: b210394c-ba12-4f89-9117-44a2464b9511
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
+- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_susp_add_domain_trust.yml b/rules/sigma/builtin/security/win_susp_add_domain_trust.yml
new file mode 100644
index 00000000..0f40be09
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_add_domain_trust.yml
@@ -0,0 +1,21 @@
+
+title: Addition of Domain Trusts
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/12/03
+description: Addition of domains is seldom and should be verified for legitimacy.
+detection:
+ SELECTION_1:
+ EventID: 4706
+ condition: SELECTION_1
+falsepositives:
+- Legitimate extension of domain structure
+id: 0255a820-e564-4e40-af2b-6ac61160335c
+level: medium
+logsource:
+ product: windows
+ service: security
+status: stable
+tags:
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/builtin/security/win_susp_add_sid_history.yml b/rules/sigma/builtin/security/win_susp_add_sid_history.yml
new file mode 100644
index 00000000..e5bec11e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_add_sid_history.yml
@@ -0,0 +1,36 @@
+
+title: Addition of SID History to Active Directory Object
+ruletype: Sigma
+author: Thomas Patzke, @atc_project (improvements)
+date: 2017/02/19
+description: An attacker can use the SID history attribute to gain additional privileges.
+detection:
+ SELECTION_1:
+ EventID: 4765
+ SELECTION_2:
+ EventID: 4766
+ SELECTION_3:
+ EventID: 4738
+ SELECTION_4:
+ SidHistory:
+ - '-'
+ - '%%1793'
+ SELECTION_5:
+ SidHistory|re: ^$
+ condition: ((SELECTION_1 or SELECTION_2) or ((SELECTION_3 and not (SELECTION_4))
+ and not (SELECTION_5)))
+falsepositives:
+- Migration of an account into a new domain
+id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://adsecurity.org/?p=1772
+status: stable
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1178
+- attack.t1134.005
diff --git a/rules/sigma/builtin/security/win_susp_codeintegrity_check_failure.yml b/rules/sigma/builtin/security/win_susp_codeintegrity_check_failure.yml
new file mode 100644
index 00000000..2c0f393b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_codeintegrity_check_failure.yml
@@ -0,0 +1,25 @@
+
+title: Failed Code Integrity Checks
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/12/03
+description: Code integrity failures may indicate tampered executables.
+detection:
+ SELECTION_1:
+ EventID: 5038
+ SELECTION_2:
+ EventID: 6281
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Disk device errors
+id: 470ec5fa-7b4e-4071-b200-4c753100f49b
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1009
+- attack.t1027.001
diff --git a/rules/sigma/builtin/security/win_susp_dsrm_password_change.yml b/rules/sigma/builtin/security/win_susp_dsrm_password_change.yml
new file mode 100644
index 00000000..20246dd2
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_dsrm_password_change.yml
@@ -0,0 +1,25 @@
+
+title: Password Change on Directory Service Restore Mode (DSRM) Account
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/02/19
+description: The Directory Service Restore Mode (DSRM) account is a local administrator
+ account on Domain Controllers. Attackers may change the password to gain persistence.
+detection:
+ SELECTION_1:
+ EventID: 4794
+ condition: SELECTION_1
+falsepositives:
+- Initial installation of a domain controller
+id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://adsecurity.org/?p=1714
+status: stable
+tags:
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/builtin/security/win_susp_eventlog_cleared.yml b/rules/sigma/builtin/security/win_susp_eventlog_cleared.yml
new file mode 100644
index 00000000..4e881719
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_eventlog_cleared.yml
@@ -0,0 +1,37 @@
+
+title: Eventlog Cleared
+ruletype: Sigma
+author: Florian Roth
+date: 2017/01/10
+description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil
+ cl" command execution
+detection:
+ SELECTION_1:
+ EventID: 517
+ SELECTION_2:
+ EventID: 1102
+ SELECTION_3:
+ Provider_Name: Microsoft-Windows-Eventlog
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Rollout of log collection agents (the setup routine often includes a reset of the
+ local Eventlog)
+- System provisioning (system reset before the golden image creation)
+id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/10/13
+references:
+- https://twitter.com/deviouspolack/status/832535435960209408
+- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+related:
+- id: f2f01843-e7b8-4f95-a35a-d23584476423
+ type: obsoletes
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1070.001
+- car.2016-04-002
diff --git a/rules/sigma/builtin/security/win_susp_failed_logon_reasons.yml b/rules/sigma/builtin/security/win_susp_failed_logon_reasons.yml
new file mode 100644
index 00000000..058712e9
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logon_reasons.yml
@@ -0,0 +1,41 @@
+
+title: Account Tampering - Suspicious Failed Logon Reasons
+ruletype: Sigma
+author: Florian Roth
+date: 2017/02/19
+description: This method uses uncommon error codes on failed logons to determine suspicious
+ activity and tampering with accounts that have been disabled or somehow restricted.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ EventID: 4776
+ SELECTION_3:
+ Status:
+ - '0xC0000072'
+ - '0xC000006F'
+ - '0xC0000070'
+ - '0xC0000413'
+ - '0xC000018C'
+ - '0xC000015B'
+ SELECTION_4:
+ SubjectUserSid: S-1-0-0
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- User using a disabled account
+id: 9eb99343-d336-4020-a3cd-67f3819e68ee
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/10/29
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+- https://twitter.com/SBousseaden/status/1101431884540710913
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.initial_access
+- attack.t1078
diff --git a/rules/sigma/builtin/security/win_susp_failed_logon_source.yml b/rules/sigma/builtin/security/win_susp_failed_logon_source.yml
new file mode 100644
index 00000000..4dd27de8
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logon_source.yml
@@ -0,0 +1,58 @@
+
+title: Failed Logon From Public IP
+ruletype: Sigma
+author: NVISO
+date: 2020/05/06
+description: A login from a public IP can indicate a misconfigured firewall or network
+ boundary.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ IpAddress: '*-*'
+ SELECTION_3:
+ IpAddress:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ - 169.254.*
+ SELECTION_4:
+ IpAddress: ::1
+ SELECTION_5:
+ IpAddress:
+ - fe80::*
+ - fc00::*
+ condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3) or (SELECTION_4
+ or SELECTION_5)))
+falsepositives:
+- Legitimate logon attempts over the internet
+- IPv4-to-IPv6 mapped IPs
+id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.initial_access
+- attack.persistence
+- attack.t1078
+- attack.t1190
+- attack.t1133
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml b/rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
new file mode 100644
index 00000000..34bf0a12
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
@@ -0,0 +1,30 @@
+
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+ruletype: Sigma
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects a source user failing to authenticate with multiple users using
+ explicit credentials on a host.
+detection:
+ SELECTION_1:
+ EventID: 4648
+ condition: SELECTION_1 | count(Account_Name) by ComputerName > 10
+ timeframe: 24h
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_process.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_process.yml
new file mode 100644
index 00000000..1cbd1015
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_process.yml
@@ -0,0 +1,36 @@
+
+title: Multiple Users Failing to Authenticate from Single Process
+ruletype: Sigma
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects failed logins with multiple accounts from a single process on
+ the system.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ LogonType: 2
+ SELECTION_3:
+ ProcessName: '-'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by ProcessName > 10
+ timeframe: 24h
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+- https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
new file mode 100644
index 00000000..2c36b3ab
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
@@ -0,0 +1,34 @@
+
+title: Failed Logins with Different Accounts from Single Source System
+ruletype: Sigma
+author: Florian Roth
+date: 2017/01/10
+description: Detects suspicious failed logins with different user accounts from a
+ single source system
+detection:
+ SELECTION_1:
+ EventID: 529
+ SELECTION_2:
+ EventID: 4625
+ SELECTION_3:
+ TargetUserName: '*'
+ SELECTION_4:
+ WorkstationName: '*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName)
+ by WorkstationName > 3
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1078
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
new file mode 100644
index 00000000..b88d9eae
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
@@ -0,0 +1,36 @@
+
+title: Failed Logins with Different Accounts from Single Source System
+ruletype: Sigma
+author: Florian Roth
+date: 2017/01/10
+description: Detects suspicious failed logins with different user accounts from a
+ single source system
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ TargetUserName: '*'
+ SELECTION_3:
+ Workstation: '*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName)
+ by Workstation > 3
+ timeframe: 24h
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+related:
+- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1078
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
new file mode 100644
index 00000000..990504b1
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml
@@ -0,0 +1,36 @@
+
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
+ruletype: Sigma
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+description: Detects multiple failed logins with multiple valid domain accounts from
+ a single source system using the Kerberos protocol.
+detection:
+ SELECTION_1:
+ EventID: 4771
+ SELECTION_2:
+ Status: '0x18'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+ timeframe: 24h
+falsepositives:
+- Vulnerability scanners
+- Misconfigured systems
+- Remote administration tools
+- VPN terminators
+- Multiuser systems like Citrix server farms
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
new file mode 100644
index 00000000..649e0480
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml
@@ -0,0 +1,36 @@
+
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
+ruletype: Sigma
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+description: Detects failed logins with multiple disabled domain accounts from a single
+ source system using the Kerberos protocol.
+detection:
+ SELECTION_1:
+ EventID: 4768
+ SELECTION_2:
+ Status: '0x12'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+ timeframe: 24h
+falsepositives:
+- Vulnerability scanners
+- Misconfigured systems
+- Remote administration tools
+- VPN terminators
+- Multiuser systems like Citrix server farms
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
new file mode 100644
index 00000000..dac2f177
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml
@@ -0,0 +1,36 @@
+
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
+ruletype: Sigma
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+description: Detects failed logins with multiple invalid domain accounts from a single
+ source system using the Kerberos protocol.
+detection:
+ SELECTION_1:
+ EventID: 4768
+ SELECTION_2:
+ Status: '0x6'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+ timeframe: 24h
+falsepositives:
+- Vulnerability scanners
+- Misconfigured systems
+- Remote administration tools
+- VPN terminators
+- Multiuser systems like Citrix server farms
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source_ntlm.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
new file mode 100644
index 00000000..883691c6
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_ntlm.yml
@@ -0,0 +1,35 @@
+
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
+ruletype: Sigma
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects failed logins with multiple valid domain accounts from a single
+ source system using the NTLM protocol.
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ Status: '*0xC000006A'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by Workstation > 10
+ timeframe: 24h
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
new file mode 100644
index 00000000..9e48d352
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml
@@ -0,0 +1,35 @@
+
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
+ruletype: Sigma
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects failed logins with multiple invalid domain accounts from a single
+ source system using the NTLM protocol.
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ Status: '*0xC0000064'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by Workstation > 10
+ timeframe: 24h
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml b/rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
new file mode 100644
index 00000000..1f6b011b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
@@ -0,0 +1,35 @@
+
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+ruletype: Sigma
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects a source system failing to authenticate against a remote host
+ with multiple users.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ LogonType: 3
+ SELECTION_3:
+ IpAddress: '-'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+ timeframe: 24h
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/09
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+status: experimental
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/builtin/security/win_susp_interactive_logons.yml b/rules/sigma/builtin/security/win_susp_interactive_logons.yml
new file mode 100644
index 00000000..d90af17b
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_interactive_logons.yml
@@ -0,0 +1,39 @@
+
+title: Interactive Logon to Server Systems
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/17
+description: Detects interactive console logons to Server Systems
+detection:
+ SELECTION_1:
+ EventID: 528
+ SELECTION_2:
+ EventID: 529
+ SELECTION_3:
+ EventID: 4624
+ SELECTION_4:
+ EventID: 4625
+ SELECTION_5:
+ LogonType: 2
+ SELECTION_6:
+ ComputerName:
+ - '%ServerSystems%'
+ - '%DomainControllers%'
+ SELECTION_7:
+ LogonProcessName: Advapi
+ SELECTION_8:
+ ComputerName: '%Workstations%'
+ condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5
+ and SELECTION_6) and not (SELECTION_7 and SELECTION_8))
+falsepositives:
+- Administrative activity via KVM or ILO board
+id: 3ff152b2-1388-4984-9cd9-a323323fdadf
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1078
diff --git a/rules/sigma/builtin/security/win_susp_kerberos_manipulation.yml b/rules/sigma/builtin/security/win_susp_kerberos_manipulation.yml
new file mode 100644
index 00000000..34786ccf
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_kerberos_manipulation.yml
@@ -0,0 +1,61 @@
+
+title: Kerberos Manipulation
+ruletype: Sigma
+author: Florian Roth
+date: 2017/02/10
+description: This method triggers on rare Kerberos Failure Codes caused by manipulations
+ of Kerberos messages
+detection:
+ SELECTION_1:
+ EventID: 675
+ SELECTION_2:
+ EventID: 4768
+ SELECTION_3:
+ EventID: 4769
+ SELECTION_4:
+ EventID: 4771
+ SELECTION_5:
+ FailureCode:
+ - '0x9'
+ - '0xA'
+ - '0xB'
+ - '0xF'
+ - '0x10'
+ - '0x11'
+ - '0x13'
+ - '0x14'
+ - '0x1A'
+ - '0x1F'
+ - '0x21'
+ - '0x22'
+ - '0x23'
+ - '0x24'
+ - '0x26'
+ - '0x27'
+ - '0x28'
+ - '0x29'
+ - '0x2C'
+ - '0x2D'
+ - '0x2E'
+ - '0x2F'
+ - '0x31'
+ - '0x32'
+ - '0x3E'
+ - '0x3F'
+ - '0x40'
+ - '0x41'
+ - '0x43'
+ - '0x44'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Faulty legacy applications
+id: f7644214-0eb0-4ace-9455-331ec4c09253
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.credential_access
+- attack.t1212
diff --git a/rules/sigma/builtin/security/win_susp_ldap_dataexchange.yml b/rules/sigma/builtin/security/win_susp_ldap_dataexchange.yml
new file mode 100644
index 00000000..56277216
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_ldap_dataexchange.yml
@@ -0,0 +1,36 @@
+
+title: Suspicious LDAP-Attributes Used
+ruletype: Sigma
+author: xknow @xknow_infosec
+date: 2019/03/24
+description: Detects the usage of particular AttributeLDAPDisplayNames, which are
+ known for data exchange via LDAP by the tool LDAPFragger and are additionally not
+ commonly used in companies.
+detection:
+ SELECTION_1:
+ EventID: 5136
+ SELECTION_2:
+ AttributeValue: '*'
+ SELECTION_3:
+ AttributeLDAPDisplayName:
+ - primaryInternationalISDNNumber
+ - otherFacsimileTelephoneNumber
+ - primaryTelexNumber
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Companies, who may use these default LDAP-Attributes for personal information
+id: d00a9a72-2c09-4459-ad03-5e0a23351e36
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+- https://github.com/fox-it/LDAPFragger
+status: test
+tags:
+- attack.t1071
+- attack.t1001.003
+- attack.command_and_control
diff --git a/rules/sigma/builtin/security/win_susp_local_anon_logon_created.yml b/rules/sigma/builtin/security/win_susp_local_anon_logon_created.yml
new file mode 100644
index 00000000..665c159f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_local_anon_logon_created.yml
@@ -0,0 +1,32 @@
+
+title: Suspicious Windows ANONYMOUS LOGON Local Account Created
+ruletype: Sigma
+author: James Pemberton / @4A616D6573
+date: 2019/10/31
+description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON,
+ such as using additional spaces. Created as an covering detection for exclusion
+ of Logon Type 3 from ANONYMOUS LOGON accounts.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ SELECTION_2:
+ SamAccountName: '*ANONYMOUS*'
+ SELECTION_3:
+ SamAccountName: '*LOGON*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 1bbf25b9-8038-4154-a50b-118f2a32be27
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://twitter.com/SBousseaden/status/1189469425482829824
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136
+- attack.t1136.001
+- attack.t1136.002
diff --git a/rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml b/rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml
new file mode 100644
index 00000000..a54bce0f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml
@@ -0,0 +1,36 @@
+
+title: Suspicious Remote Logon with Explicit Credentials
+ruletype: Sigma
+author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st
+date: 2020/10/05
+description: Detects suspicious processes logging on with explicit credentials
+detection:
+ SELECTION_1:
+ EventID: 4648
+ SELECTION_2:
+ ProcessName:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\pwsh.exe'
+ - '*\winrs.exe'
+ - '*\wmic.exe'
+ - '*\net.exe'
+ - '*\net1.exe'
+ - '*\reg.exe'
+ SELECTION_3:
+ TargetServerName: localhost
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Administrators that use the RunAS command or scheduled tasks
+id: 941e5c45-cda7-4864-8cea-bbb7458d194a
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/12
+references:
+- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+status: experimental
+tags:
+- attack.t1078
+- attack.lateral_movement
diff --git a/rules/sigma/builtin/security/win_susp_lsass_dump.yml b/rules/sigma/builtin/security/win_susp_lsass_dump.yml
new file mode 100644
index 00000000..e4d5f691
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_lsass_dump.yml
@@ -0,0 +1,32 @@
+
+title: Password Dumper Activity on LSASS
+ruletype: Sigma
+author: sigma
+date: 2017/02/12
+description: Detects process handle on LSASS process with certain access mask and
+ object type SAM_DOMAIN
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ ProcessName: '*\lsass.exe'
+ SELECTION_3:
+ AccessMask: '0x705'
+ SELECTION_4:
+ ObjectType: SAM_DOMAIN
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/06/21
+references:
+- https://twitter.com/jackcr/status/807385668833968128
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml b/rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml
new file mode 100644
index 00000000..b5769d76
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml
@@ -0,0 +1,86 @@
+
+title: Generic Password Dumper Activity on LSASS
+ruletype: Sigma
+author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich,
+ Aleksey Potapov, oscd.community (update)
+date: 2019/11/01
+description: Detects process handle on LSASS process with certain access mask
+detection:
+ SELECTION_1:
+ ObjectName: '*\lsass.exe'
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ AccessMask:
+ - '*0x40*'
+ - '*0x1400*'
+ - '*0x100000*'
+ - '*0x1410*'
+ - '*0x1010*'
+ - '*0x1438*'
+ - '*0x143a*'
+ - '*0x1418*'
+ - '*0x1f0fff*'
+ - '*0x1f1fff*'
+ - '*0x1f2fff*'
+ - '*0x1f3fff*'
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ AccessList:
+ - '*4484*'
+ - '*4416*'
+ SELECTION_6:
+ ProcessName:
+ - '*\wmiprvse.exe'
+ - '*\taskmgr.exe'
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\lsm.exe'
+ - '*\csrss.exe'
+ - '*\wininit.exe'
+ - '*\vmtoolsd.exe'
+ - '*\minionhost.exe'
+ - '*\VsTskMgr.exe'
+ - '*\thor64.exe'
+ - '*\MicrosoftEdgeUpdate.exe'
+ - '*\GamingServices.exe'
+ - '*\svchost.exe'
+ - '*\MsMpEng.exe'
+ SELECTION_7:
+ ProcessName:
+ - C:\Windows\System32\\*
+ - C:\Windows\SysWow64\\*
+ - C:\Windows\SysNative\\*
+ - C:\Program Files\\*
+ - C:\Windows\Temp\asgard2-agent\\*
+ - C:\ProgramData\Microsoft\Windows Defender\Platform\\*
+ SELECTION_8:
+ ProcessName:
+ - C:\Program Files*
+ condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5))) and not ((SELECTION_6 and SELECTION_7) or (SELECTION_8)))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+ with it
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ProcessName
+- ProcessID
+id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/22
+references:
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- car.2019-04-004
+- attack.t1003.001
diff --git a/rules/sigma/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml b/rules/sigma/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml
new file mode 100644
index 00000000..3148ea5a
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml
@@ -0,0 +1,37 @@
+
+title: Suspicious Multiple File Rename Or Delete Occurred
+ruletype: Sigma
+author: Vasiliy Burov, oscd.community
+date: 2020/10/16
+description: Detects multiple file rename or delete events occurrence within a specified
+ period of time by a same user (these events may signalize about ransomware activity).
+detection:
+ SELECTION_1:
+ EventID: 4663
+ SELECTION_2:
+ ObjectType: File
+ SELECTION_3:
+ AccessList: '%%1537'
+ SELECTION_4:
+ Keywords: '0x8020000000000000'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) | count()
+ by SubjectLogonId > 10
+ timeframe: 30s
+falsepositives:
+- Software uninstallation
+- Files restore activities
+id: 97919310-06a7-482c-9639-92b67ed63cf8
+level: medium
+logsource:
+ definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local
+ Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security
+ Settings/Advanced Audit Policy Configuration/Object Access'
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
+status: test
+tags:
+- attack.impact
+- attack.t1486
diff --git a/rules/sigma/builtin/security/win_susp_net_recon_activity.yml b/rules/sigma/builtin/security/win_susp_net_recon_activity.yml
new file mode 100644
index 00000000..42ad9d67
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_net_recon_activity.yml
@@ -0,0 +1,46 @@
+
+title: Reconnaissance Activity
+ruletype: Sigma
+author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements),
+ oscd.community
+date: 2017/03/07
+description: Detects activity as "net user administrator /domain" and "net group domain
+ admins /domain"
+detection:
+ SELECTION_1:
+ EventID: 4661
+ SELECTION_2:
+ ObjectType:
+ - SAM_USER
+ - SAM_GROUP
+ SELECTION_3:
+ ObjectName: S-1-5-21-*
+ SELECTION_4:
+ AccessMask: '0x2d'
+ SELECTION_5:
+ ObjectName:
+ - '*-500'
+ - '*-512'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: 968eef52-9cff-4454-8992-1e74b9cbad6c
+level: high
+logsource:
+ definition: The volume of Event ID 4661 is high on Domain Controllers and therefore
+ "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured
+ in the recommendations for server systems
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+status: test
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
+- attack.t1069
+- attack.t1069.002
+- attack.s0039
diff --git a/rules/sigma/builtin/security/win_susp_psexec.yml b/rules/sigma/builtin/security/win_susp_psexec.yml
new file mode 100644
index 00000000..1cde6ee1
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_psexec.yml
@@ -0,0 +1,38 @@
+
+title: Suspicious PsExec Execution
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: detects execution of psexec or paexec with renamed service name, this
+ rule helps to filter out the noise if psexec is used for legit purposes or if attacker
+ uses a different psexec client other than sysinternal one
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName:
+ - '*-stdin'
+ - '*-stdout'
+ - '*-stderr'
+ SELECTION_4:
+ RelativeTargetName: PSEXESVC*
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- nothing observed so far
+id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/12/08
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml b/rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml
new file mode 100644
index 00000000..4066af73
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml
@@ -0,0 +1,43 @@
+
+title: Suspicious Access to Sensitive File Extensions
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects known sensitive file extensions accessed on a network share
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName:
+ - '*.pst'
+ - '*.ost'
+ - '*.msg'
+ - '*.nst'
+ - '*.oab'
+ - '*.edb'
+ - '*.nsf'
+ - '*.bak'
+ - '*.dmp'
+ - '*.kirbi'
+ - '*\groups.xml'
+ - '*.rdp'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Help Desk operator doing backup or re-imaging end user machine or pentest or backup
+ software
+- Users working with these data types or exchanging message files
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- RelativeTargetName
+id: 91c945bc-2ad1-4799-a591-4d00198a1215
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+status: experimental
+tags:
+- attack.collection
+- attack.t1039
diff --git a/rules/sigma/builtin/security/win_susp_rc4_kerberos.yml b/rules/sigma/builtin/security/win_susp_rc4_kerberos.yml
new file mode 100644
index 00000000..b8828cac
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_rc4_kerberos.yml
@@ -0,0 +1,33 @@
+
+title: Suspicious Kerberos RC4 Ticket Encryption
+ruletype: Sigma
+author: Florian Roth
+date: 2017/02/06
+description: Detects service ticket requests using RC4 encryption type
+detection:
+ SELECTION_1:
+ EventID: 4769
+ SELECTION_2:
+ TicketOptions: '0x40810000'
+ SELECTION_3:
+ TicketEncryptionType: '0x17'
+ SELECTION_4:
+ ServiceName: $*
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Service accounts used on legacy systems (e.g. NetApp)
+- Windows Domains with DFL 2003 and legacy systems
+id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/14
+references:
+- https://adsecurity.org/?p=3458
+- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1208
+- attack.t1558.003
diff --git a/rules/sigma/builtin/security/win_susp_rottenpotato.yml b/rules/sigma/builtin/security/win_susp_rottenpotato.yml
new file mode 100644
index 00000000..8b37045e
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_rottenpotato.yml
@@ -0,0 +1,35 @@
+
+title: RottenPotato Like Attack Pattern
+ruletype: Sigma
+author: '@SBousseaden, Florian Roth'
+date: 2019/11/15
+description: Detects logon events that have characteristics of events generated during
+ an attack with RottenPotato and the like
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 3
+ SELECTION_3:
+ TargetUserName: ANONYMOUS_LOGON
+ SELECTION_4:
+ WorkstationName: '-'
+ SELECTION_5:
+ IpAddress: 127.0.0.1
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://twitter.com/SBousseaden/status/1195284233729777665
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access
+- attack.t1171
+- attack.t1557.001
diff --git a/rules/sigma/builtin/security/win_susp_sdelete.yml b/rules/sigma/builtin/security/win_susp_sdelete.yml
new file mode 100644
index 00000000..e00aafcb
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_sdelete.yml
@@ -0,0 +1,41 @@
+
+title: Secure Deletion with SDelete
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/06/14
+description: Detects renaming of file while deletion with SDelete tool.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ EventID: 4658
+ SELECTION_4:
+ ObjectName:
+ - '*.AAA'
+ - '*.ZZZ'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate usage of SDelete
+id: 39a80702-d7ca-4a83-b776-525b1f86a36d
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete
+status: test
+tags:
+- attack.impact
+- attack.defense_evasion
+- attack.t1107
+- attack.t1070.004
+- attack.t1066
+- attack.t1027.005
+- attack.t1485
+- attack.t1553.002
+- attack.s0195
diff --git a/rules/sigma/builtin/security/win_susp_time_modification.yml b/rules/sigma/builtin/security/win_susp_time_modification.yml
new file mode 100644
index 00000000..a5049586
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_time_modification.yml
@@ -0,0 +1,40 @@
+
+title: Unauthorized System Time Modification
+ruletype: Sigma
+author: '@neu5ron'
+date: 2019/02/05
+description: Detect scenarios where a potentially unauthorized application or user
+ is modifying the system time.
+detection:
+ SELECTION_1:
+ EventID: 4616
+ SELECTION_2:
+ ProcessName:
+ - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
+ - C:\Windows\System32\VBoxService.exe
+ SELECTION_3:
+ ProcessName: C:\Windows\System32\svchost.exe
+ SELECTION_4:
+ SubjectUserSid: S-1-5-19
+ condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- HyperV or other virtualization technologies with binary not listed in filter portion
+ of detection
+id: faa031b5-21ed-4e02-8881-2591f98d82ed
+level: medium
+logsource:
+ definition: 'Requirements: Audit Policy : System > Audit Security State Change,
+ Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
+- Live environment caused by malware
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1099
+- attack.t1070.006
diff --git a/rules/sigma/builtin/security/win_susp_wmi_login.yml b/rules/sigma/builtin/security/win_susp_wmi_login.yml
new file mode 100644
index 00000000..1cda7b8f
--- /dev/null
+++ b/rules/sigma/builtin/security/win_susp_wmi_login.yml
@@ -0,0 +1,24 @@
+
+title: Login with WMI
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/12/04
+description: Detection of logins performed with WMI
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ ProcessName: '*\WmiPrvSE.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Monitoring tools
+- Legitimate system administration
+id: 5af54681-df95-4c26-854f-2565e13cfab0
+level: low
+logsource:
+ product: windows
+ service: security
+status: stable
+tags:
+- attack.execution
+- attack.t1047
diff --git a/rules/sigma/builtin/security/win_suspicious_outbound_kerberos_connection.yml b/rules/sigma/builtin/security/win_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 00000000..3f63fce1
--- /dev/null
+++ b/rules/sigma/builtin/security/win_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,34 @@
+
+title: Suspicious Outbound Kerberos Connection
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+description: Detects suspicious outbound network activity via kerberos default port
+ indicating possible lateral movement or first stage PrivEsc via delegation.
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ DestinationPort: 88
+ SELECTION_3:
+ Image:
+ - '*\lsass.exe'
+ - '*\opera.exe'
+ - '*\chrome.exe'
+ - '*\firefox.exe'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Other browsers
+id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://github.com/GhostPack/Rubeus
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1208
+- attack.t1558.003
diff --git a/rules/sigma/builtin/security/win_svcctl_remote_service.yml b/rules/sigma/builtin/security/win_svcctl_remote_service.yml
new file mode 100644
index 00000000..5ff57b04
--- /dev/null
+++ b/rules/sigma/builtin/security/win_svcctl_remote_service.yml
@@ -0,0 +1,35 @@
+
+title: Remote Service Activity via SVCCTL Named Pipe
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects remote service activity via remote access to the svcctl named
+ pipe
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: svcctl
+ SELECTION_4:
+ Accesses: '*WriteData*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.persistence
+- attack.t1077
+- attack.t1021.002
diff --git a/rules/sigma/builtin/security/win_syskey_registry_access.yml b/rules/sigma/builtin/security/win_syskey_registry_access.yml
new file mode 100644
index 00000000..f2d157de
--- /dev/null
+++ b/rules/sigma/builtin/security/win_syskey_registry_access.yml
@@ -0,0 +1,35 @@
+
+title: SysKey Registry Keys Access
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects handle requests and access operations to specific registry keys
+ to calculate the SysKey
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ ObjectType: key
+ SELECTION_4:
+ ObjectName:
+ - '*lsa\JD'
+ - '*lsa\GBG'
+ - '*lsa\Skew1'
+ - '*lsa\Data'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html
+status: test
+tags:
+- attack.discovery
+- attack.t1012
diff --git a/rules/sigma/builtin/security/win_sysmon_channel_reference_deletion.yml b/rules/sigma/builtin/security/win_sysmon_channel_reference_deletion.yml
new file mode 100644
index 00000000..cf6b74bd
--- /dev/null
+++ b/rules/sigma/builtin/security/win_sysmon_channel_reference_deletion.yml
@@ -0,0 +1,41 @@
+
+title: Sysmon Channel Reference Deletion
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/07/14
+description: Potential threat actor tampering with Sysmon manifest and eventually
+ disabling it
+detection:
+ SELECTION_1:
+ ObjectName:
+ - '*WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*'
+ - '*WINEVT\Channels\Microsoft-Windows-Sysmon/Operational*'
+ SELECTION_2:
+ EventID: 4657
+ SELECTION_3:
+ ObjectValueName: Enabled
+ SELECTION_4:
+ NewValue: '0'
+ SELECTION_5:
+ EventID: 4663
+ SELECTION_6:
+ AccessMask: 65536
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- unknown
+id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/Flangvik/status/1283054508084473861
+- https://twitter.com/SecurityJosh/status/1283027365770276866
+- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
+- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1112
diff --git a/rules/sigma/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/sigma/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
new file mode 100644
index 00000000..34d83155
--- /dev/null
+++ b/rules/sigma/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -0,0 +1,40 @@
+
+title: Transferring Files with Credential Data via Network Shares
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Transferring files with well-known filenames (sensitive files with credential
+ data) using network shares
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Security-Auditing
+ SELECTION_2:
+ EventID: 5145
+ SELECTION_3:
+ RelativeTargetName:
+ - '*\mimidrv*'
+ - '*\lsass*'
+ - '*\windows\minidump\\*'
+ - '*\hiberfil*'
+ - '*\sqldmpr*'
+ - '*\sam*'
+ - '*\ntds.dit*'
+ - '*\security*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Transferring sensitive files for legitimate administration work by legitimate administrator
+id: 910ab938-668b-401b-b08c-b596e80fdca5
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
+- attack.t1003.001
+- attack.t1003.003
diff --git a/rules/sigma/builtin/security/win_user_added_to_local_administrators.yml b/rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
new file mode 100644
index 00000000..991d51d6
--- /dev/null
+++ b/rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
@@ -0,0 +1,34 @@
+
+title: User Added to Local Administrators
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/14
+description: This rule triggers on user accounts that are added to the local Administrators
+ group, which could be legitimate activity or a sign of privilege escalation activity
+detection:
+ SELECTION_1:
+ provider_Name: Microsoft-Windows-Security-Auditing
+ SELECTION_2:
+ EventID: 4732
+ SELECTION_3:
+ TargetUserName: Administr*
+ SELECTION_4:
+ TargetSid: S-1-5-32-544
+ SELECTION_5:
+ SubjectUserName: '*$'
+ condition: (((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4)) and not
+ (SELECTION_5))
+falsepositives:
+- Legitimate administrative activity
+id: c265cf08-3f99-46c1-8d59-328247057d57
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1078
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/sigma/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
new file mode 100644
index 00000000..31d9c6d7
--- /dev/null
+++ b/rules/sigma/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -0,0 +1,34 @@
+
+title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
+ruletype: Sigma
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+description: The 'LsaRegisterLogonProcess' function verifies that the application
+ making the function call is a logon process by checking that it has the SeTcbPrivilege
+ privilege set. Possible Rubeus tries to get a handle to LSA.
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Security-Auditing
+ SELECTION_2:
+ EventID: 4673
+ SELECTION_3:
+ Service: LsaRegisterLogonProcess()
+ SELECTION_4:
+ Keywords: '0x8010000000000000'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.t1208
+- attack.t1558.003
diff --git a/rules/sigma/builtin/security/win_user_creation.yml b/rules/sigma/builtin/security/win_user_creation.yml
new file mode 100644
index 00000000..b87e5694
--- /dev/null
+++ b/rules/sigma/builtin/security/win_user_creation.yml
@@ -0,0 +1,34 @@
+
+title: Local User Creation
+ruletype: Sigma
+author: Patrick Bareiss
+date: 2019/04/18
+description: Detects local user creation on windows servers, which shouldn't happen
+ in an Active Directory environment. Apply this Sigma Use Case on your windows server
+ logs and not on your DC logs.
+detection:
+ SELECTION_1:
+ provider_Name: Microsoft-Windows-Security-Auditing
+ SELECTION_2:
+ EventID: 4720
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Domain Controller Logs
+- Local accounts managed by privileged account management tools
+fields:
+- EventCode
+- AccountName
+- AccountDomain
+id: 66b6be3d-55d0-4f47-9855-d69df21740ea
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
+status: test
+tags:
+- attack.persistence
+- attack.t1136
+- attack.t1136.001
diff --git a/rules/sigma/builtin/security/win_user_driver_loaded.yml b/rules/sigma/builtin/security/win_user_driver_loaded.yml
new file mode 100644
index 00000000..3dec1266
--- /dev/null
+++ b/rules/sigma/builtin/security/win_user_driver_loaded.yml
@@ -0,0 +1,56 @@
+
+title: Suspicious Driver Loaded By User
+ruletype: Sigma
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+date: 2019/04/08
+description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to
+ load or unload a device driver. With this privilege, the user can dynamically load
+ and unload device drivers or other code in to kernel mode. This user right does
+ not apply to Plug and Play device drivers. If you exclude privileged users/admins
+ and processes, which are allowed to do so, you are maybe left with bad programs
+ trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs)
+ and the usage of Sysinternals and various other tools. So you have to work with
+ a whitelist to find the bad stuff.
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Security-Auditing
+ SELECTION_2:
+ EventID: 4673
+ SELECTION_3:
+ PrivilegeList: SeLoadDriverPrivilege
+ SELECTION_4:
+ Service: '-'
+ SELECTION_5:
+ ProcessName:
+ - '*\Windows\System32\Dism.exe'
+ - '*\Windows\System32\rundll32.exe'
+ - '*\Windows\System32\fltMC.exe'
+ - '*\Windows\HelpPane.exe'
+ - '*\Windows\System32\mmc.exe'
+ - '*\Windows\System32\svchost.exe'
+ - '*\Windows\System32\wimserv.exe'
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\procmon64.exe'
+ - '*\procmon.exe'
+ - '*\Google\Chrome\Application\chrome.exe'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs
+ etc. - but not much. You have to baseline this according to your used products and
+ allowed tools. Also try to exclude users, which are allowed to load drivers.'
+id: f63508a0-c809-4435-b3be-ed819394d612
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
+status: test
+tags:
+- attack.t1089
+- attack.defense_evasion
+- attack.t1562.001
diff --git a/rules/sigma/builtin/security/win_vssaudit_secevent_source_registration.yml b/rules/sigma/builtin/security/win_vssaudit_secevent_source_registration.yml
new file mode 100644
index 00000000..eaee906a
--- /dev/null
+++ b/rules/sigma/builtin/security/win_vssaudit_secevent_source_registration.yml
@@ -0,0 +1,31 @@
+
+title: VSSAudit Security Event Source Registration
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/20
+description: Detects the registration of the security event source VSSAudit. It would
+ usually trigger when volume shadow copy operations happen.
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Security-Auditing
+ SELECTION_2:
+ AuditSourceName: VSSAudit
+ SELECTION_3:
+ EventID: 4904
+ SELECTION_4:
+ EventID: 4905
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
+id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.002
diff --git a/rules/sigma/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..b3655fcb
--- /dev/null
+++ b/rules/sigma/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,33 @@
+
+title: T1047 Wmiprvse Wbemcomn DLL Hijack
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Eventlog
+ SELECTION_2:
+ EventID: 5145
+ SELECTION_3:
+ RelativeTargetName: '*\wbem\wbemcomn.dll'
+ SELECTION_4:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unknown
+id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/30
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: test
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/builtin/system/win_apt_carbonpaper_turla.yml b/rules/sigma/builtin/system/win_apt_carbonpaper_turla.yml
new file mode 100644
index 00000000..68b01e39
--- /dev/null
+++ b/rules/sigma/builtin/system/win_apt_carbonpaper_turla.yml
@@ -0,0 +1,34 @@
+
+title: Turla Service Install
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/31
+description: This method detects a service install of malicious services mentioned
+ in Carbon Paper - Turla report by ESET
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName:
+ - srservice
+ - ipvpn
+ - hkmsvc
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+status: test
+tags:
+- attack.persistence
+- attack.g0010
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/builtin/system/win_apt_chafer_mar18_system.yml b/rules/sigma/builtin/system/win_apt_chafer_mar18_system.yml
new file mode 100644
index 00000000..dd73a21e
--- /dev/null
+++ b/rules/sigma/builtin/system/win_apt_chafer_mar18_system.yml
@@ -0,0 +1,41 @@
+
+title: Chafer Activity
+ruletype: Sigma
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName:
+ - SC Scheduled Scan
+ - UpdatMachine
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+status: experimental
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
diff --git a/rules/sigma/builtin/system/win_apt_stonedrill.yml b/rules/sigma/builtin/system/win_apt_stonedrill.yml
new file mode 100644
index 00000000..a3a1e644
--- /dev/null
+++ b/rules/sigma/builtin/system/win_apt_stonedrill.yml
@@ -0,0 +1,33 @@
+
+title: StoneDrill Service Install
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/07
+description: This method detects a service install of the malicious Microsoft Network
+ Realtime Inspection Service service described in StoneDrill report by Kaspersky
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName: NtsSrv
+ SELECTION_4:
+ ServiceFileName: '* LocalService'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+status: test
+tags:
+- attack.persistence
+- attack.g0064
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/builtin/system/win_apt_turla_service_png.yml b/rules/sigma/builtin/system/win_apt_turla_service_png.yml
new file mode 100644
index 00000000..82bd70bb
--- /dev/null
+++ b/rules/sigma/builtin/system/win_apt_turla_service_png.yml
@@ -0,0 +1,31 @@
+
+title: Turla PNG Dropper Service
+ruletype: Sigma
+author: Florian Roth
+date: 2018/11/23
+description: This method detects malicious services mentioned in Turla PNG dropper
+ report by NCC Group in November 2018
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName: WerFaultSvc
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unlikely
+id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+status: test
+tags:
+- attack.persistence
+- attack.g0010
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/builtin/system/win_cobaltstrike_service_installs.yml b/rules/sigma/builtin/system/win_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000..20b85d60
--- /dev/null
+++ b/rules/sigma/builtin/system/win_cobaltstrike_service_installs.yml
@@ -0,0 +1,51 @@
+
+title: CobaltStrike Service Installations
+ruletype: Sigma
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/26
+description: Detects known malicious service installs that appear in cases in which
+ a Cobalt Strike beacon elevates privileges or lateral movement
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath: '*ADMIN$*'
+ SELECTION_4:
+ ImagePath: '*.exe*'
+ SELECTION_5:
+ ImagePath: '*%COMSPEC%*'
+ SELECTION_6:
+ ImagePath: '*start*'
+ SELECTION_7:
+ ImagePath: '*powershell*'
+ SELECTION_8:
+ ImagePath: '*powershell -nop -w hidden -encodedcommand*'
+ SELECTION_9:
+ ImagePath:
+ - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
+ - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
+ - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
+ condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 and SELECTION_4) or
+ (SELECTION_5 and SELECTION_6 and SELECTION_7) or SELECTION_8 or SELECTION_9))
+falsepositives:
+- Unknown
+id: 5a105d34-05fc-401e-8553-272b45c1522d
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/30
+references:
+- https://www.sans.org/webcasts/119395
+- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1543.003
+- attack.t1569.002
diff --git a/rules/sigma/builtin/system/win_hack_smbexec.yml b/rules/sigma/builtin/system/win_hack_smbexec.yml
new file mode 100644
index 00000000..8a522cad
--- /dev/null
+++ b/rules/sigma/builtin/system/win_hack_smbexec.yml
@@ -0,0 +1,38 @@
+
+title: smbexec.py Service Installation
+ruletype: Sigma
+author: Omer Faruk Celik
+date: 2018/03/20
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName: BTOBTO
+ SELECTION_4:
+ ServiceFileName: '*\execute.bat'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Penetration Test
+- Unknown
+fields:
+- ServiceName
+- ServiceFileName
+id: 52a85084-6989-40c3-8f32-091e12e13f09
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+status: test
+tags:
+- attack.lateral_movement
+- attack.execution
+- attack.t1077
+- attack.t1021.002
+- attack.t1035
+- attack.t1569.002
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_clip_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_clip_services.yml
new file mode 100644
index 00000000..6b190d78
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_clip_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
new file mode 100644
index 00000000..70fa8718
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -0,0 +1,38 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+ruletype: Sigma
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+ by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_3:
+ ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_4:
+ ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_5:
+ ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_6:
+ ImagePath|re: \\*mdr\*\W\s*\)\.Name
+ SELECTION_7:
+ ImagePath|re: \$VerbosePreference\.ToString\(
+ SELECTION_8:
+ ImagePath|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/16
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_stdin_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_stdin_services.yml
new file mode 100644
index 00000000..110696e2
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_stdin_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_var_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_var_services.yml
new file mode 100644
index 00000000..19df5df8
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_var_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_compress_services.yml
new file mode 100644
index 00000000..be6535b4
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 175997c5-803c-4b08-8bb0-70b099f47595
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_rundll_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
new file mode 100644
index 00000000..80119e37
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_rundll_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_stdin_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
new file mode 100644
index 00000000..b45b8b13
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_stdin_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Stdin
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 487c7524-f892-4054-b263-8a0ace63fc25
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
new file mode 100644
index 00000000..c8e6b267
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use Clip
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
new file mode 100644
index 00000000..38000dbf
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
new file mode 100644
index 00000000..6790a8fe
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_invoke_obfuscation_via_var_services.yml b/rules/sigma/builtin/system/win_invoke_obfuscation_via_var_services.yml
new file mode 100644
index 00000000..e6d59ff7
--- /dev/null
+++ b/rules/sigma/builtin/system/win_invoke_obfuscation_via_var_services.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/builtin/system/win_mal_creddumper.yml b/rules/sigma/builtin/system/win_mal_creddumper.yml
new file mode 100644
index 00000000..bf15ec8f
--- /dev/null
+++ b/rules/sigma/builtin/system/win_mal_creddumper.yml
@@ -0,0 +1,45 @@
+
+title: Credential Dumping Tools Service Execution
+ruletype: Sigma
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+ events
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath:
+ - '*fgexec*'
+ - '*dumpsvc*'
+ - '*cachedump*'
+ - '*mimidrv*'
+ - '*gsecdump*'
+ - '*servpw*'
+ - '*pwdump*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
diff --git a/rules/sigma/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
new file mode 100644
index 00000000..449fa624
--- /dev/null
+++ b/rules/sigma/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -0,0 +1,68 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+ruletype: Sigma
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+ a specific service installation
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_10:
+ ImagePath: '*\pipe\\*'
+ SELECTION_11:
+ ImagePath: '*cmd.exe*'
+ SELECTION_12:
+ ImagePath: '*/c*'
+ SELECTION_13:
+ ImagePath: '*echo*'
+ SELECTION_14:
+ ImagePath: '*\pipe\\*'
+ SELECTION_15:
+ ImagePath: '*rundll32*'
+ SELECTION_16:
+ ImagePath: '*.dll,a*'
+ SELECTION_17:
+ ImagePath: '*/p:*'
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath: '*cmd*'
+ SELECTION_4:
+ ImagePath: '*/c*'
+ SELECTION_5:
+ ImagePath: '*echo*'
+ SELECTION_6:
+ ImagePath: '*\pipe\\*'
+ SELECTION_7:
+ ImagePath: '*%COMSPEC%*'
+ SELECTION_8:
+ ImagePath: '*/c*'
+ SELECTION_9:
+ ImagePath: '*echo*'
+ condition: ((SELECTION_1 and SELECTION_2) and ((SELECTION_3 and SELECTION_4 and
+ SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9 and
+ SELECTION_10) or (SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14)
+ or (SELECTION_15 and SELECTION_16 and SELECTION_17)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ImagePath
+id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
diff --git a/rules/sigma/builtin/system/win_moriya_rootkit.yml b/rules/sigma/builtin/system/win_moriya_rootkit.yml
new file mode 100644
index 00000000..85ae98ba
--- /dev/null
+++ b/rules/sigma/builtin/system/win_moriya_rootkit.yml
@@ -0,0 +1,30 @@
+
+title: Moriya Rootkit
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/05/06
+description: Detects the use of Moriya rootkit as described in the securelist's Operation
+ TunnelSnake report
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName: ZzNetSvc
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- None
+id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1543.003
diff --git a/rules/sigma/builtin/system/win_ntfs_vuln_exploit.yml b/rules/sigma/builtin/system/win_ntfs_vuln_exploit.yml
new file mode 100644
index 00000000..5c628e4a
--- /dev/null
+++ b/rules/sigma/builtin/system/win_ntfs_vuln_exploit.yml
@@ -0,0 +1,34 @@
+
+title: NTFS Vulnerability Exploitation
+ruletype: Sigma
+author: Florian Roth
+date: 2021/01/11
+description: This the exploitation of a NTFS vulnerability as reported without many
+ details via Twitter
+detection:
+ SELECTION_1:
+ Provider_Name: Ntfs
+ SELECTION_2:
+ EventID: 55
+ SELECTION_3:
+ Origin: File System Driver
+ SELECTION_4:
+ Description: '*contains a corrupted file record*'
+ SELECTION_5:
+ Description: '*The name of the file is "\"*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unlikely
+id: f14719ce-d3ab-4e25-9ce6-2899092260b0
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/17
+references:
+- https://twitter.com/jonasLyk/status/1347900440000811010
+- https://twitter.com/wdormann/status/1347958161609809921
+status: experimental
+tags:
+- attack.impact
+- attack.t1499.001
diff --git a/rules/sigma/builtin/system/win_pcap_drivers.yml b/rules/sigma/builtin/system/win_pcap_drivers.yml
new file mode 100644
index 00000000..b703a1c9
--- /dev/null
+++ b/rules/sigma/builtin/system/win_pcap_drivers.yml
@@ -0,0 +1,44 @@
+
+title: Windows Pcap Drivers
+ruletype: Sigma
+author: Cian Heasley
+date: 2020/06/10
+description: Detects Windows Pcap driver installation based on a list of associated
+ .sys files.
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName:
+ - '*pcap*'
+ - '*npcap*'
+ - '*npf*'
+ - '*nm3*'
+ - '*ndiscap*'
+ - '*nmnt*'
+ - '*windivert*'
+ - '*USBPcap*'
+ - '*pktmon*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- ServiceFileName
+- Account_Name
+- Computer_Name
+- Originating_Computer
+- ServiceName
+id: 7b687634-ab20-11ea-bb37-0242ac130002
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/11/27
+references:
+- https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+status: test
+tags:
+- attack.discovery
+- attack.credential_access
+- attack.t1040
diff --git a/rules/sigma/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/sigma/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
new file mode 100644
index 00000000..bc44f5e1
--- /dev/null
+++ b/rules/sigma/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -0,0 +1,30 @@
+
+title: Zerologon Exploitation Using Well-known Tools
+ruletype: Sigma
+author: Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community
+date: 2020/10/13
+description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472)
+ vulnerability using mimikatz zerologon module or other exploits from machine with
+ "kali" hostname.
+detection:
+ SELECTION_1:
+ EventID:
+ - '5805'
+ - '5723'
+ SELECTION_2:
+ - kali
+ - mimikatz
+ condition: (SELECTION_1 and (SELECTION_2))
+id: 18f37338-b9bd-4117-a039-280c81f7a596
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/05/30
+references:
+- https://www.secura.com/blog/zero-logon
+- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
+status: stable
+tags:
+- attack.t1210
+- attack.lateral_movement
diff --git a/rules/sigma/builtin/system/win_powershell_script_installed_as_service.yml b/rules/sigma/builtin/system/win_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000..e410a55a
--- /dev/null
+++ b/rules/sigma/builtin/system/win_powershell_script_installed_as_service.yml
@@ -0,0 +1,30 @@
+
+title: PowerShell Scripts Installed as Services
+ruletype: Sigma
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath:
+ - '*powershell*'
+ - '*pwsh*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml b/rules/sigma/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
new file mode 100644
index 00000000..89f1bb01
--- /dev/null
+++ b/rules/sigma/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml
@@ -0,0 +1,27 @@
+
+title: QuarksPwDump Clearing Access History
+ruletype: Sigma
+author: Florian Roth
+date: 2017/05/15
+description: Detects QuarksPwDump clearing access history in hive
+detection:
+ SELECTION_1:
+ EventID: 16
+ SELECTION_2:
+ HiveName: '*\AppData\Local\Temp\SAM*'
+ SELECTION_3:
+ HiveName: '*.dmp'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/27
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
diff --git a/rules/sigma/builtin/system/win_rare_service_installs.yml b/rules/sigma/builtin/system/win_rare_service_installs.yml
new file mode 100644
index 00000000..82adf2e8
--- /dev/null
+++ b/rules/sigma/builtin/system/win_rare_service_installs.yml
@@ -0,0 +1,31 @@
+
+title: Rare Service Installs
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/08
+description: Detects rare service installs that only appear a few times per time frame
+ and could reveal password dumpers, backdoor installs or other types of malicious
+ services
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2) | count() by ServiceName < 5
+ timeframe: 7d
+falsepositives:
+- Software installation
+- Software updates
+id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
+level: low
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+status: test
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1050
+- car.2013-09-005
+- attack.t1543.003
diff --git a/rules/sigma/builtin/system/win_rdp_potential_cve_2019_0708.yml b/rules/sigma/builtin/system/win_rdp_potential_cve_2019_0708.yml
new file mode 100644
index 00000000..4d49fa8c
--- /dev/null
+++ b/rules/sigma/builtin/system/win_rdp_potential_cve_2019_0708.yml
@@ -0,0 +1,30 @@
+
+title: Potential RDP Exploit CVE-2019-0708
+ruletype: Sigma
+author: Lionel PRAT, Christophe BROCAS, @atc_project (improvements)
+date: 2019/05/24
+description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
+detection:
+ SELECTION_1:
+ EventID: 56
+ SELECTION_2:
+ EventID: 50
+ SELECTION_3:
+ Provider_Name: TermDD
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Bad connections or network interruptions
+id: aaa5b30d-f418-420b-83a0-299cb6024885
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/10/13
+references:
+- https://github.com/zerosum0x0/CVE-2019-0708
+- https://github.com/Ekultek/BlueKeep
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1210
+- car.2013-07-002
diff --git a/rules/sigma/builtin/system/win_susp_dhcp_config.yml b/rules/sigma/builtin/system/win_susp_dhcp_config.yml
new file mode 100644
index 00000000..6e1e53f0
--- /dev/null
+++ b/rules/sigma/builtin/system/win_susp_dhcp_config.yml
@@ -0,0 +1,30 @@
+
+title: DHCP Server Loaded the CallOut DLL
+ruletype: Sigma
+author: Dimitrios Slamaris
+date: 2017/05/15
+description: This rule detects a DHCP server in which a specified Callout DLL (in
+ registry) was loaded
+detection:
+ SELECTION_1:
+ EventID: 1033
+ SELECTION_2:
+ Provider_Name: Microsoft-Windows-DHCP-Server
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/10/13
+references:
+- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
+- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/builtin/system/win_susp_dhcp_config_failed.yml b/rules/sigma/builtin/system/win_susp_dhcp_config_failed.yml
new file mode 100644
index 00000000..b3fc3d9c
--- /dev/null
+++ b/rules/sigma/builtin/system/win_susp_dhcp_config_failed.yml
@@ -0,0 +1,34 @@
+
+title: DHCP Server Error Failed Loading the CallOut DLL
+ruletype: Sigma
+author: Dimitrios Slamaris, @atc_project (fix)
+date: 2017/05/15
+description: This rule detects a DHCP server error in which a specified Callout DLL
+ (in registry) could not be loaded
+detection:
+ SELECTION_1:
+ EventID: 1031
+ SELECTION_2:
+ EventID: 1032
+ SELECTION_3:
+ EventID: 1034
+ SELECTION_4:
+ Provider_Name: Microsoft-Windows-DHCP-Server
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: 75edd3fd-7146-48e5-9848-3013d7f0282c
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/10/13
+references:
+- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
+- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/builtin/system/win_susp_proceshacker.yml b/rules/sigma/builtin/system/win_susp_proceshacker.yml
new file mode 100644
index 00000000..e611f628
--- /dev/null
+++ b/rules/sigma/builtin/system/win_susp_proceshacker.yml
@@ -0,0 +1,33 @@
+
+title: ProcessHacker Privilege Elevation
+ruletype: Sigma
+author: Florian Roth
+date: 2021/05/27
+description: Detects a ProcessHacker tool that elevated privileges to a very high
+ level
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceName: ProcessHacker*
+ SELECTION_4:
+ AccountName: LocalSystem
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://twitter.com/1kwpeter/status/1397816101455765504
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1543.003
+- attack.t1569.002
diff --git a/rules/sigma/builtin/system/win_susp_sam_dump.yml b/rules/sigma/builtin/system/win_susp_sam_dump.yml
new file mode 100644
index 00000000..c2ff043e
--- /dev/null
+++ b/rules/sigma/builtin/system/win_susp_sam_dump.yml
@@ -0,0 +1,29 @@
+
+title: SAM Dump to AppData
+ruletype: Sigma
+author: Florian Roth
+date: 2018/01/27
+description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other
+ password dumpers
+detection:
+ SELECTION_1:
+ EventID: 16
+ SELECTION_2:
+ - \AppData\Local\Temp\SAM-
+ SELECTION_3:
+ - .dmp
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Penetration testing
+id: 839dd1e8-eda8-4834-8145-01beeee33acd
+level: high
+logsource:
+ definition: The source of this type of event is Kernel-General
+ product: windows
+ service: system
+modified: 2021/11/27
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
diff --git a/rules/sigma/builtin/system/win_susp_system_update_error.yml b/rules/sigma/builtin/system/win_susp_system_update_error.yml
new file mode 100644
index 00000000..54d62d1d
--- /dev/null
+++ b/rules/sigma/builtin/system/win_susp_system_update_error.yml
@@ -0,0 +1,34 @@
+
+title: Windows Update Error
+ruletype: Sigma
+author: frack113
+date: 2021/12/04
+description: Windows Update get some error Check if need a 0-days KB
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-WindowsUpdateClient
+ SELECTION_2:
+ EventID: 16
+ SELECTION_3:
+ EventID: 20
+ SELECTION_4:
+ EventID: 24
+ SELECTION_5:
+ EventID: 213
+ SELECTION_6:
+ EventID: 217
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- unknown
+id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
+level: low
+logsource:
+ definition: Other error are in Microsoft-Windows-WindowsUpdateClient/Operational
+ product: windows
+ service: system
+status: experimental
+tags:
+- attack.impact
+- attack.resource_development
+- attack.t1584
diff --git a/rules/sigma/builtin/system/win_system_defender_disabled.yml b/rules/sigma/builtin/system/win_system_defender_disabled.yml
new file mode 100644
index 00000000..6b65734b
--- /dev/null
+++ b/rules/sigma/builtin/system/win_system_defender_disabled.yml
@@ -0,0 +1,37 @@
+
+title: Windows Defender Threat Detection Disabled
+ruletype: Sigma
+author: Ján Trenčanský, frack113
+date: 2020/07/28
+description: Detects disabling Windows Defender threat protection
+detection:
+ SELECTION_1:
+ EventID: 7036
+ SELECTION_2:
+ Provider_Name: Service Control Manager
+ SELECTION_3:
+ param1:
+ - Windows Defender Antivirus Service
+ - Service antivirus Microsoft Defender
+ SELECTION_4:
+ param2: stopped
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Administrator actions
+id: 6c0a7755-6d31-44fa-80e1-133e57752680
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/22
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+related:
+- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+ type: derived
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
diff --git a/rules/sigma/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/sigma/builtin/system/win_system_susp_eventlog_cleared.yml
new file mode 100644
index 00000000..99aa7cf0
--- /dev/null
+++ b/rules/sigma/builtin/system/win_system_susp_eventlog_cleared.yml
@@ -0,0 +1,37 @@
+
+title: Eventlog Cleared
+ruletype: Sigma
+author: Florian Roth
+date: 2017/01/10
+description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil
+ cl" command execution
+detection:
+ SELECTION_1:
+ EventID: 104
+ SELECTION_2:
+ Provider_Name: Microsoft-Windows-Eventlog
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Rollout of log collection agents (the setup routine often includes a reset of the
+ local Eventlog)
+- System provisioning (system reset before the golden image creation)
+id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/10/13
+references:
+- https://twitter.com/deviouspolack/status/832535435960209408
+- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+related:
+- id: f2f01843-e7b8-4f95-a35a-d23584476423
+ type: obsoletes
+- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1070.001
+- car.2016-04-002
diff --git a/rules/sigma/builtin/system/win_tap_driver_installation.yml b/rules/sigma/builtin/system/win_tap_driver_installation.yml
new file mode 100644
index 00000000..ebc88f04
--- /dev/null
+++ b/rules/sigma/builtin/system/win_tap_driver_installation.yml
@@ -0,0 +1,27 @@
+
+title: Tap Driver Installation
+ruletype: Sigma
+author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+date: 2019/10/24
+description: Well-known TAP software installation. Possible preparation for data exfiltration
+ using tunnelling techniques
+detection:
+ SELECTION_1:
+ Provider_Name: Service Control Manager
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ImagePath: '*tap0901*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate OpenVPN TAP insntallation
+id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
diff --git a/rules/sigma/builtin/system/win_tool_psexec.yml b/rules/sigma/builtin/system/win_tool_psexec.yml
new file mode 100644
index 00000000..4023ff3b
--- /dev/null
+++ b/rules/sigma/builtin/system/win_tool_psexec.yml
@@ -0,0 +1,42 @@
+
+title: PsExec Tool Execution
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ ServiceName: PSEXESVC
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceFileName: '*\PSEXESVC.exe'
+ SELECTION_4:
+ EventID: 7036
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+level: low
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
diff --git a/rules/sigma/builtin/system/win_volume_shadow_copy_mount.yml b/rules/sigma/builtin/system/win_volume_shadow_copy_mount.yml
new file mode 100644
index 00000000..8156fb8f
--- /dev/null
+++ b/rules/sigma/builtin/system/win_volume_shadow_copy_mount.yml
@@ -0,0 +1,28 @@
+
+title: Volume Shadow Copy Mount
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/20
+description: Detects volume shadow copy mount
+detection:
+ SELECTION_1:
+ Provider_Name: Microsoft-Windows-Ntfs
+ SELECTION_2:
+ EventID: 98
+ SELECTION_3:
+ DeviceName: '*HarddiskVolumeShadowCopy*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of volume shadow copy mounts (backups maybe).
+id: f512acbf-e662-4903-843e-97ce4652b740
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/10/13
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.002
diff --git a/rules/sigma/builtin/system/win_vul_cve_2020_1472.yml b/rules/sigma/builtin/system/win_vul_cve_2020_1472.yml
new file mode 100644
index 00000000..ee254256
--- /dev/null
+++ b/rules/sigma/builtin/system/win_vul_cve_2020_1472.yml
@@ -0,0 +1,29 @@
+
+title: Vulnerable Netlogon Secure Channel Connection Allowed
+ruletype: Sigma
+author: NVISO
+date: 2020/09/15
+description: Detects that a vulnerable Netlogon secure channel connection was allowed,
+ which could be an indicator of CVE-2020-1472.
+detection:
+ SELECTION_1:
+ Provider_Name: NetLogon
+ SELECTION_2:
+ EventID: 5829
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- SAMAccountName
+id: a0cb7110-edf0-47a4-9177-541a4083128a
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/11/30
+references:
+- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548
diff --git a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml
new file mode 100644
index 00000000..4828a2c2
--- /dev/null
+++ b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml
@@ -0,0 +1,48 @@
+
+title: Mimikatz Use
+ruletype: Sigma
+author: Florian Roth
+date: 2017/01/10
+description: This method detects mimikatz keywords in different Eventlogs (some of
+ them only appear in older Mimikatz version that are however still used by different
+ threat groups)
+detection:
+ SELECTION_1:
+ - \mimikatz
+ - mimikatz.exe
+ - \mimilib.dll
+ - <3 eo.oe
+ - eo.oe.kiwi
+ - privilege::debug
+ - sekurlsa::logonpasswords
+ - lsadump::sam
+ - mimidrv.sys
+ - ' p::d '
+ - ' s::l '
+ - gentilkiwi.com
+ - Kiwi Legit Printer
+ SELECTION_2:
+ EventID: 15
+ condition: ((SELECTION_1) and not (SELECTION_2))
+falsepositives:
+- Naughty administrators
+- Penetration test
+- AV Signature updates
+- Files with Mimikatz in their filename
+id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
+level: critical
+logsource:
+ product: windows
+modified: 2021/12/01
+status: experimental
+tags:
+- attack.s0002
+- attack.t1003
+- attack.lateral_movement
+- attack.credential_access
+- car.2013-07-001
+- car.2019-04-004
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.001
+- attack.t1003.006
diff --git a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml
new file mode 100644
index 00000000..933fb247
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml
@@ -0,0 +1,42 @@
+
+title: CACTUSTORCH Remote Thread Creation
+ruletype: Sigma
+author: '@SBousseaden (detection), Thomas Patzke (rule)'
+date: 2019/02/01
+description: Detects remote thread creation from CACTUSTORCH as described in references.
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage:
+ - '*\System32\cscript.exe'
+ - '*\System32\wscript.exe'
+ - '*\System32\mshta.exe'
+ - '*\winword.exe'
+ - '*\excel.exe'
+ SELECTION_3:
+ TargetImage: '*\SysWOW64\\*'
+ SELECTION_4:
+ StartModule|re: ^$
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 2e4e488a-6164-4811-9ea1-f960c7359c40
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/11/12
+references:
+- https://twitter.com/SBousseaden/status/1090588499517079552
+- https://github.com/mdsecactivebreach/CACTUSTORCH
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1093
+- attack.t1055.012
+- attack.execution
+- attack.t1064
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1218.005
diff --git a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
new file mode 100644
index 00000000..780818b5
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -0,0 +1,32 @@
+
+title: CobaltStrike Process Injection
+ruletype: Sigma
+author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+date: 2018/11/30
+description: Detects a possible remote threat creation with certain characteristics
+ which are typical for Cobalt Strike beacons
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ StartAddress:
+ - '*0B80'
+ - '*0C7C'
+ - '*0C88'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/11/20
+references:
+- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
diff --git a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
new file mode 100644
index 00000000..6c891bea
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -0,0 +1,30 @@
+
+title: CreateRemoteThread API and LoadLibrary
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects potential use of CreateRemoteThread api and LoadLibrary function
+ to inject DLL into a process
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ StartModule: '*\kernel32.dll'
+ SELECTION_3:
+ StartFunction: LoadLibraryA
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 052ec6f6-1adc-41e6-907a-f1c813478bee
+level: critical
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
diff --git a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
new file mode 100644
index 00000000..af1ed3a9
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -0,0 +1,33 @@
+
+title: Password Dumper Remote Thread in LSASS
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/02/19
+description: Detects password dumper activity by monitoring remote thread creation
+ EventID 8 in combination with the lsass.exe process as TargetImage. The process
+ in field Process is the malicious program. A single execution can lead to hundreds
+ of events.
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ StartModule: ''
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Antivirus products
+id: f239b326-2f41-4d6b-9dfa-c846a60ef505
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/06/21
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.s0005
+- attack.t1003.001
diff --git a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml
new file mode 100644
index 00000000..a8c965d0
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml
@@ -0,0 +1,28 @@
+
+title: Accessing WinAPI in PowerShell. Code Injection.
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+description: Detecting Code injection with PowerShell in another process
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage: '*\powershell.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+level: high
+logsource:
+ category: create_remote_thread
+ definition: Note that you have to configure logging for CreateRemoteThread in Symson
+ config
+ product: windows
+modified: 2021/11/27
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml
new file mode 100644
index 00000000..4f519073
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -0,0 +1,32 @@
+
+title: PowerShell Rundll32 Remote Thread Creation
+ruletype: Sigma
+author: Florian Roth
+date: 2018/06/25
+description: Detects PowerShell remote thread creation in Rundll32.exe
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage: '*\powershell.exe'
+ SELECTION_3:
+ TargetImage: '*\rundll32.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 99b97608-3e21-4bfe-8217-2a127c396a0e
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/11/12
+references:
+- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1085
+- attack.t1218.011
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml
new file mode 100644
index 00000000..32ca5703
--- /dev/null
+++ b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml
@@ -0,0 +1,89 @@
+
+title: Suspicious Remote Thread Created
+ruletype: Sigma
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
+ however, this is still largely observed in the wild. This rule aims to detect suspicious
+ processes (those we would not expect to behave in this way like word.exe or outlook.exe)
+ creating remote threads on other processes. It is a generalistic rule, but it should
+ have a low FP ratio due to the selected range of processes.
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage:
+ - '*\bash.exe'
+ - '*\cvtres.exe'
+ - '*\defrag.exe'
+ - '*\dnx.exe'
+ - '*\esentutl.exe'
+ - '*\excel.exe'
+ - '*\expand.exe'
+ - '*\explorer.exe'
+ - '*\find.exe'
+ - '*\findstr.exe'
+ - '*\forfiles.exe'
+ - '*\git.exe'
+ - '*\gpupdate.exe'
+ - '*\hh.exe'
+ - '*\iexplore.exe'
+ - '*\installutil.exe'
+ - '*\lync.exe'
+ - '*\makecab.exe'
+ - '*\mDNSResponder.exe'
+ - '*\monitoringhost.exe'
+ - '*\msbuild.exe'
+ - '*\mshta.exe'
+ - '*\msiexec.exe'
+ - '*\mspaint.exe'
+ - '*\outlook.exe'
+ - '*\ping.exe'
+ - '*\powerpnt.exe'
+ - '*\powershell.exe'
+ - '*\provtool.exe'
+ - '*\python.exe'
+ - '*\regsvr32.exe'
+ - '*\robocopy.exe'
+ - '*\runonce.exe'
+ - '*\sapcimc.exe'
+ - '*\schtasks.exe'
+ - '*\smartscreen.exe'
+ - '*\spoolsv.exe'
+ - '*\tstheme.exe'
+ - '*\userinit.exe'
+ - '*\vssadmin.exe'
+ - '*\vssvc.exe'
+ - '*\w3wp.exe'
+ - '*\winlogon.exe'
+ - '*\winscp.exe'
+ - '*\wmic.exe'
+ - '*\word.exe'
+ - '*\wscript.exe'
+ SELECTION_3:
+ SourceImage: '*Visual Studio*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+id: 66d31e5f-52d6-40a4-9615-002d3789a119
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/06/27
+notes:
+- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite
+ for process injection for .NET in-memory offensive tools.
+references:
+- Personal research, statistical analysis
+- https://lolbas-project.github.io
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055
diff --git a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml
new file mode 100644
index 00000000..fcfb7db7
--- /dev/null
+++ b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml
@@ -0,0 +1,35 @@
+
+title: Executable in ADS
+ruletype: Sigma
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+description: Detects the creation of an ADS data stream that contains an executable
+ (non-empty imphash)
+detection:
+ SELECTION_1:
+ EventID: 15
+ SELECTION_2:
+ Hashes: '*IMPHASH=*'
+ SELECTION_3:
+ Hashes: '*IMPHASH=00000000000000000000000000000000*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+- Image
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
+level: critical
+logsource:
+ category: create_stream_hash
+ definition: 'Requirements: Sysmon config with Imphash logging activated'
+ product: windows
+modified: 2021/12/08
+references:
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.s0139
+- attack.t1564.004
diff --git a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml
new file mode 100644
index 00000000..ed5d0f3b
--- /dev/null
+++ b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml
@@ -0,0 +1,30 @@
+
+title: Exports Registry Key To an Alternate Data Stream
+ruletype: Sigma
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+description: Exports the target Registry key and hides it in the specified alternate
+ data stream.
+detection:
+ SELECTION_1:
+ EventID: 15
+ SELECTION_2:
+ Image: '*\regedit.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- TargetFilename
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+level: high
+logsource:
+ category: create_stream_hash
+ product: windows
+modified: 2021/11/27
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1564.004
diff --git a/rules/sigma/deprecated/powershell_suspicious_download.yml b/rules/sigma/deprecated/powershell_suspicious_download.yml
new file mode 100644
index 00000000..586b83cf
--- /dev/null
+++ b/rules/sigma/deprecated/powershell_suspicious_download.yml
@@ -0,0 +1,26 @@
+
+title: Suspicious PowerShell Download
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+ SELECTION_1:
+ - System.Net.WebClient
+ SELECTION_2:
+ - .DownloadFile(
+ - .DownloadString(
+ condition: (SELECTION_1 and (SELECTION_2))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/21
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml b/rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml
new file mode 100644
index 00000000..76db79e5
--- /dev/null
+++ b/rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml
@@ -0,0 +1,32 @@
+
+title: Suspicious PowerShell Invocations - Generic
+ruletype: Sigma
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ - ' -enc '
+ - ' -EncodedCommand '
+ SELECTION_2:
+ - ' -w hidden '
+ - ' -window hidden '
+ - ' -windowstyle hidden '
+ SELECTION_3:
+ - ' -noni '
+ - ' -noninteractive '
+ condition: ((SELECTION_1) and (SELECTION_2) and (SELECTION_3))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: 3d304fda-78aa-43ed-975c-d740798a49c1
+level: high
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/12/02
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml b/rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml
new file mode 100644
index 00000000..47f9fe6a
--- /dev/null
+++ b/rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml
@@ -0,0 +1,79 @@
+
+title: Suspicious PowerShell Invocations - Specific
+ruletype: Sigma
+author: Florian Roth (rule), Jonhnathan Ribeiro
+date: 2017/03/05
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ - ' -w '
+ SELECTION_10:
+ - bypass
+ SELECTION_11:
+ - -Enc
+ SELECTION_12:
+ - powershell
+ SELECTION_13:
+ - reg
+ SELECTION_14:
+ - add
+ SELECTION_15:
+ - HKCU\software\microsoft\windows\currentversion\run
+ SELECTION_16:
+ - bypass
+ SELECTION_17:
+ - -noprofile
+ SELECTION_18:
+ - -windowstyle
+ SELECTION_19:
+ - hidden
+ SELECTION_2:
+ - hidden
+ SELECTION_20:
+ - new-object
+ SELECTION_21:
+ - system.net.webclient
+ SELECTION_22:
+ - .download
+ SELECTION_23:
+ - iex
+ SELECTION_24:
+ - New-Object
+ SELECTION_25:
+ - Net.WebClient
+ SELECTION_26:
+ - .Download
+ SELECTION_3:
+ - -nop
+ SELECTION_4:
+ - ' -c '
+ SELECTION_5:
+ - '[Convert]::FromBase64String'
+ SELECTION_6:
+ - -noni
+ SELECTION_7:
+ - iex
+ SELECTION_8:
+ - New-Object
+ SELECTION_9:
+ - -ep
+ condition: ((((SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
+ ((SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_5)) or (SELECTION_9
+ and SELECTION_10 and SELECTION_11))) or (SELECTION_12 and SELECTION_13 and SELECTION_14
+ and SELECTION_15)) or (SELECTION_16 and SELECTION_17 and SELECTION_18 and SELECTION_19
+ and SELECTION_20 and SELECTION_21 and SELECTION_22)) or (SELECTION_23 and SELECTION_24
+ and SELECTION_25 and SELECTION_26))
+falsepositives:
+- Penetration tests
+id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+level: high
+logsource:
+ definition: Script block logging must be enabled for 4104, Module Logging must be
+ enabled for 4103
+ product: windows
+ service: powershell
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml b/rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000..a0ef8a13
--- /dev/null
+++ b/rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
@@ -0,0 +1,26 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ condition: SyncAppvPublishingServer.exe
+falsepositives:
+- App-V clients
+id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: derived
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218
diff --git a/rules/sigma/deprecated/process_creation_syncappvpublishingserver_exe.yml b/rules/sigma/deprecated/process_creation_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000..ae8dc230
--- /dev/null
+++ b/rules/sigma/deprecated/process_creation_syncappvpublishingserver_exe.yml
@@ -0,0 +1,27 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\SyncAppvPublishingServer.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- App-V clients
+id: fde7929d-8beb-4a4c-b922-be9974671667
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218
diff --git a/rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml
new file mode 100644
index 00000000..1ac5ab81
--- /dev/null
+++ b/rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -0,0 +1,45 @@
+
+title: Mimikatz Detection LSASS Access
+ruletype: Sigma
+author: Sherif Eldeeb
+date: 2017/10/18
+description: Detects process access to LSASS which is typical for Mimikatz (0x1000
+ PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
+ versions", 0x0010 PROCESS_VM_READ)
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ GrantedAccess:
+ - '0x1410'
+ - '0x1010'
+ - '0x410'
+ SELECTION_4:
+ SourceImage: C:\Program Files\WindowsApps\\*
+ SELECTION_5:
+ SourceImage: '*\GamingServices.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4
+ and SELECTION_5))
+falsepositives:
+- Some security products access LSASS in this way.
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/11/30
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+status: deprecated
+tags:
+- attack.t1003
+- attack.s0002
+- attack.credential_access
+- car.2019-04-004
diff --git a/rules/sigma/deprecated/sysmon_rclone_execution.yml b/rules/sigma/deprecated/sysmon_rclone_execution.yml
new file mode 100644
index 00000000..50b5c4ff
--- /dev/null
+++ b/rules/sigma/deprecated/sysmon_rclone_execution.yml
@@ -0,0 +1,54 @@
+
+title: RClone Execution
+ruletype: Sigma
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+description: Detects execution of RClone utility for exfiltration as used by various
+ ransomwares strains like REvil, Conti, FiveHands, etc
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Description: Rsync for cloud storage
+ SELECTION_3:
+ CommandLine: '*--config *'
+ SELECTION_4:
+ CommandLine: '*--no-check-certificate *'
+ SELECTION_5:
+ CommandLine: '* copy *'
+ SELECTION_6:
+ Image:
+ - '*\rclone.exe'
+ SELECTION_7:
+ CommandLine:
+ - '*mega*'
+ - '*pcloud*'
+ - '*ftp*'
+ - '*--progress*'
+ - '*--ignore-existing*'
+ - '*--auto-confirm*'
+ - '*--transfers*'
+ - '*--multi-thread-streams*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Legitimate RClone use
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/29
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+status: deprecated
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/deprecated/win_susp_esentutl_activity.yml b/rules/sigma/deprecated/win_susp_esentutl_activity.yml
new file mode 100644
index 00000000..a8c38b90
--- /dev/null
+++ b/rules/sigma/deprecated/win_susp_esentutl_activity.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious Esentutl Use
+ruletype: Sigma
+author: Florian Roth
+date: 2020/05/23
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity.
+ It could be used in rare cases by administrators to access locked files or during
+ maintenance.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '* /vss *'
+ SELECTION_3:
+ CommandLine: '* /y *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrative activity
+fields:
+- CommandLine
+- ParentCommandLine
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://lolbas-project.github.io/
+- https://twitter.com/chadtilbury/status/1264226341408452610
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.s0404
+- attack.t1218
diff --git a/rules/sigma/deprecated/win_susp_rclone_exec.yml b/rules/sigma/deprecated/win_susp_rclone_exec.yml
new file mode 100644
index 00000000..58b6d4e7
--- /dev/null
+++ b/rules/sigma/deprecated/win_susp_rclone_exec.yml
@@ -0,0 +1,42 @@
+
+title: Rclone Execution via Command Line or PowerShell
+ruletype: Sigma
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects Rclone which is commonly used by ransomware groups for exfiltration
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '* pass *'
+ - '* user *'
+ - '* copy *'
+ - '* mega *'
+ - '* sync *'
+ - '* config *'
+ - '* lsd *'
+ - '* remote *'
+ - '* ls *'
+ SELECTION_3:
+ Description: Rsync for cloud storage
+ SELECTION_4:
+ Image: '*\rclone.exe'
+ SELECTION_5:
+ ParentImage:
+ - '*\PowerShell.exe'
+ - '*\cmd.exe'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Legitimate Rclone usage (rare)
+id: cb7286ba-f207-44ab-b9e6-760d82b84253
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: deprecated
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/deprecated/win_susp_vssadmin_ntds_activity.yml b/rules/sigma/deprecated/win_susp_vssadmin_ntds_activity.yml
new file mode 100644
index 00000000..16d968cb
--- /dev/null
+++ b/rules/sigma/deprecated/win_susp_vssadmin_ntds_activity.yml
@@ -0,0 +1,42 @@
+
+title: Activity Related to NTDS.dit Domain Hash Retrieval
+ruletype: Sigma
+author: Florian Roth, Michael Haag
+date: 2019/01/16
+description: Detects suspicious commands that could be related to activity that uses
+ volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - vssadmin.exe Delete Shadows
+ - 'vssadmin create shadow /for=C:'
+ - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
+ - copy \\?\GLOBALROOT\Device\\*\config\SAM
+ - 'vssadmin delete shadows /for=C:'
+ - 'reg SAVE HKLM\SYSTEM '
+ - esentutl.exe /y /vss *\ntds.dit*
+ - esentutl.exe /y /vss *\SAM
+ - esentutl.exe /y /vss *\SYSTEM
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrative activity
+fields:
+- CommandLine
+- ParentCommandLine
+id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
+- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
+- https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
+- https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
+- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+status: deprecated
+tags:
+- attack.credential_access
+- attack.t1003
diff --git a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml
new file mode 100644
index 00000000..67bce96f
--- /dev/null
+++ b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious Cobalt Strike DNS Beaconing
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/09
+description: Detects a program that invoked suspicious DNS queries known from Cobalt
+ Strike beacons
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName:
+ - aaa.stage.*
+ - post.1*
+ SELECTION_3:
+ QueryName: '*.stage.123456.*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- Image
+- CommandLine
+id: f356a9c4-effd-4608-bbf8-408afd5cd006
+level: critical
+logsource:
+ category: dns_query
+ product: windows
+references:
+- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
diff --git a/rules/sigma/dns_query/dns_net_susp_ipify.yml b/rules/sigma/dns_query/dns_net_susp_ipify.yml
new file mode 100644
index 00000000..83f889fa
--- /dev/null
+++ b/rules/sigma/dns_query/dns_net_susp_ipify.yml
@@ -0,0 +1,52 @@
+
+title: Suspicious DNS Query for IP Lookup Service APIs
+ruletype: Sigma
+author: Brandon George (blog post), Thomas Patzke (rule)
+date: 2021/07/08
+description: Detects DNS queries for ip lookup services such as api.ipify.org not
+ originating from a browser process.
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName:
+ - canireachthe.net
+ - ipv4.icanhazip.com
+ - ip.anysrc.net
+ - edns.ip-api.com
+ - wtfismyip.com
+ - checkip.dyndns.org
+ - api.2ip.ua
+ - icanhazip.com
+ - api.ipify.org
+ - ip-api.com
+ - checkip.amazonaws.com
+ - ipecho.net
+ - ipinfo.io
+ - ipv4bot.whatismyipaddress.com
+ - freegeoip.app
+ SELECTION_3:
+ Image:
+ - '*\chrome.exe'
+ - '*\iexplore.exe'
+ - '*\firefox.exe'
+ - '*\brave.exe'
+ - '*\opera.exe'
+ - '*\msedge.exe'
+ - '*\vivaldi.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Legitimate usage of ip lookup services such as ipify API
+id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
+level: medium
+logsource:
+ category: dns_query
+ product: windows
+modified: 2021/09/10
+references:
+- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
+- https://twitter.com/neonprimetime/status/1436376497980428318
+status: experimental
+tags:
+- attack.reconnaissance
+- attack.t1590
diff --git a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
new file mode 100644
index 00000000..eaa5d87c
--- /dev/null
+++ b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
@@ -0,0 +1,29 @@
+
+title: DNS HybridConnectionManager Service Bus
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Detects Azure Hybrid Connection Manager services querying the Azure service
+ bus service
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName: '*servicebus.windows.net*'
+ SELECTION_3:
+ Image: '*HybridConnectionManager*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
+id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
+level: high
+logsource:
+ category: dns_query
+ product: windows
+modified: 2021/06/10
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
+- attack.t1554
diff --git a/rules/sigma/dns_query/dns_query_mega_nz.yml b/rules/sigma/dns_query/dns_query_mega_nz.yml
new file mode 100644
index 00000000..2ba08e54
--- /dev/null
+++ b/rules/sigma/dns_query/dns_query_mega_nz.yml
@@ -0,0 +1,25 @@
+
+title: DNS Query for MEGA.io Upload Domain
+ruletype: Sigma
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects DNS queries for subdomains used for upload to MEGA.io
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName: '*userstorage.mega.co.nz*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Mega upload
+id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+level: high
+logsource:
+ category: dns_query
+ product: windows
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml
new file mode 100644
index 00000000..2ce9cff0
--- /dev/null
+++ b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml
@@ -0,0 +1,77 @@
+
+title: Possible DNS Rebinding
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+description: Detects several different DNS-answers by one domain with IPs from internal
+ and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved
+ in host cache for a while TTL).
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName: '*'
+ SELECTION_3:
+ QueryStatus: '0'
+ SELECTION_4:
+ QueryResults:
+ - (::ffff:)?10.*
+ - (::ffff:)?192.168.*
+ - (::ffff:)?172.16.*
+ - (::ffff:)?172.17.*
+ - (::ffff:)?172.18.*
+ - (::ffff:)?172.19.*
+ - (::ffff:)?172.20.*
+ - (::ffff:)?172.21.*
+ - (::ffff:)?172.22.*
+ - (::ffff:)?172.23.*
+ - (::ffff:)?172.24.*
+ - (::ffff:)?172.25.*
+ - (::ffff:)?172.26.*
+ - (::ffff:)?172.27.*
+ - (::ffff:)?172.28.*
+ - (::ffff:)?172.29.*
+ - (::ffff:)?172.30.*
+ - (::ffff:)?172.31.*
+ - (::ffff:)?127.*
+ SELECTION_5:
+ QueryName: '*'
+ SELECTION_6:
+ QueryStatus: '0'
+ SELECTION_7:
+ QueryResults:
+ - (::ffff:)?10.*
+ - (::ffff:)?192.168.*
+ - (::ffff:)?172.16.*
+ - (::ffff:)?172.17.*
+ - (::ffff:)?172.18.*
+ - (::ffff:)?172.19.*
+ - (::ffff:)?172.20.*
+ - (::ffff:)?172.21.*
+ - (::ffff:)?172.22.*
+ - (::ffff:)?172.23.*
+ - (::ffff:)?172.24.*
+ - (::ffff:)?172.25.*
+ - (::ffff:)?172.26.*
+ - (::ffff:)?172.27.*
+ - (::ffff:)?172.28.*
+ - (::ffff:)?172.29.*
+ - (::ffff:)?172.30.*
+ - (::ffff:)?172.31.*
+ - (::ffff:)?127.*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5
+ and SELECTION_6) and not (SELECTION_7)) | count(QueryName) by ComputerName >
+ 3
+ timeframe: 30s
+id: eb07e747-2552-44cd-af36-b659ae0958e4
+level: medium
+logsource:
+ category: dns_query
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+status: test
+tags:
+- attack.initial_access
+- attack.t1189
diff --git a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml
new file mode 100644
index 00000000..45b83253
--- /dev/null
+++ b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml
@@ -0,0 +1,41 @@
+
+title: Regsvr32 Network Activity
+ruletype: Sigma
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ Image: '*\regsvr32.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: 36e037c4-c228-4866-b6a3-48eb292b9955
+level: high
+logsource:
+ category: dns_query
+ product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+related:
+- id: c7e91a02-d771-4a6d-a700-42587e0b1095
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
diff --git a/rules/sigma/dns_query/win_dq_lobas_appinstaller.yml b/rules/sigma/dns_query/win_dq_lobas_appinstaller.yml
new file mode 100644
index 00000000..f8385b6e
--- /dev/null
+++ b/rules/sigma/dns_query/win_dq_lobas_appinstaller.yml
@@ -0,0 +1,29 @@
+
+title: AppInstaller Attempts From URL by DNS
+ruletype: Sigma
+author: frack113
+date: 2021/11/24
+description: AppInstaller.exe is spawned by the default handler for the URI, it attempts
+ to load/install a package from the URL
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ Image: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*
+ SELECTION_3:
+ Image: '*\AppInstaller.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
+level: medium
+logsource:
+ category: dns_query
+ product: windows
+references:
+- https://twitter.com/notwhickey/status/1333900137232523264
+- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1105
diff --git a/rules/sigma/driver_load/driver_load_mal_creddumper.yml b/rules/sigma/driver_load/driver_load_mal_creddumper.yml
new file mode 100644
index 00000000..0f7b7dd3
--- /dev/null
+++ b/rules/sigma/driver_load/driver_load_mal_creddumper.yml
@@ -0,0 +1,46 @@
+
+title: Credential Dumping Tools Service Execution
+ruletype: Sigma
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+ events
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded:
+ - '*fgexec*'
+ - '*dumpsvc*'
+ - '*cachedump*'
+ - '*mimidrv*'
+ - '*gsecdump*'
+ - '*servpw*'
+ - '*pwdump*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
+level: critical
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/11/10
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+related:
+- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
diff --git a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
new file mode 100644
index 00000000..c39a0fd5
--- /dev/null
+++ b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -0,0 +1,69 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+ruletype: Sigma
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+ a specific service installation
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_10:
+ ImagePath: '*cmd.exe*'
+ SELECTION_11:
+ ImagePath: '*/c*'
+ SELECTION_12:
+ ImagePath: '*echo*'
+ SELECTION_13:
+ ImagePath: '*\pipe\\*'
+ SELECTION_14:
+ ImagePath: '*rundll32*'
+ SELECTION_15:
+ ImagePath: '*.dll,a*'
+ SELECTION_16:
+ ImagePath: '*/p:*'
+ SELECTION_2:
+ ImagePath: '*cmd*'
+ SELECTION_3:
+ ImagePath: '*/c*'
+ SELECTION_4:
+ ImagePath: '*echo*'
+ SELECTION_5:
+ ImagePath: '*\pipe\\*'
+ SELECTION_6:
+ ImagePath: '*%COMSPEC%*'
+ SELECTION_7:
+ ImagePath: '*/c*'
+ SELECTION_8:
+ ImagePath: '*echo*'
+ SELECTION_9:
+ ImagePath: '*\pipe\\*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
+ and SELECTION_16)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ImagePath
+id: d585ab5a-6a69-49a8-96e8-4a726a54de46
+level: critical
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+related:
+- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+ type: derived
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
diff --git a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000..55e41d08
--- /dev/null
+++ b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml
@@ -0,0 +1,31 @@
+
+title: PowerShell Scripts Run by a Services
+ruletype: Sigma
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded:
+ - '*powershell*'
+ - '*pwsh*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
+level: high
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+related:
+- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/driver_load/driver_load_susp_temp_use.yml b/rules/sigma/driver_load/driver_load_susp_temp_use.yml
new file mode 100644
index 00000000..6f0a514b
--- /dev/null
+++ b/rules/sigma/driver_load/driver_load_susp_temp_use.yml
@@ -0,0 +1,26 @@
+
+title: Suspicious Driver Load from Temp
+ruletype: Sigma
+author: Florian Roth
+date: 2017/02/12
+description: Detects a driver load from a temporary directory
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded: '*\Temp\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- there is a relevant set of false positives depending on applications in the environment
+id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
+level: high
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/11/27
+status: test
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml
new file mode 100644
index 00000000..b93f3dec
--- /dev/null
+++ b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml
@@ -0,0 +1,35 @@
+
+title: Vulnerable Dell BIOS Update Driver Load
+ruletype: Sigma
+author: Florian Roth
+date: 2021/05/05
+description: Detects the load of the vulnerable Dell BIOS update driver as reported
+ in CVE-2021-21551
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded: '*\DBUtil_2_3.Sys*'
+ SELECTION_3:
+ Hashes:
+ - '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*'
+ - '*c948ae14761095e4d76b55d9de86412258be7afd*'
+ - '*c996d7971c49252c582171d9380360f2*'
+ - '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*'
+ - '*10b30bdee43b3a2ec4aa63375577ade650269d25*'
+ - '*d2fd132ab7bbc6bbb87a84f026fa0244*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- legitimate BIOS driver updates (should be rare)
+id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
+level: high
+logsource:
+ category: driver_load
+ product: windows
+references:
+- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
+status: experimental
+tags:
+- attack.privilege_escalation
+- cve.2021.21551
+- attack.t1543
diff --git a/rules/sigma/driver_load/driver_load_windivert.yml b/rules/sigma/driver_load/driver_load_windivert.yml
new file mode 100644
index 00000000..ba31fa4e
--- /dev/null
+++ b/rules/sigma/driver_load/driver_load_windivert.yml
@@ -0,0 +1,31 @@
+
+title: WinDivert Driver Load
+ruletype: Sigma
+author: Florian Roth
+date: 2021/07/30
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
+ package for Windows
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded:
+ - '*\WinDivert.sys*'
+ - '*\WinDivert64.sys*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitimate WinDivert driver usage
+id: 679085d5-f427-4484-9f58-1dc30a7c426d
+level: high
+logsource:
+ category: driver_load
+ product: windows
+references:
+- https://reqrypt.org/windivert-doc.html
+- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+status: experimental
+tags:
+- attack.collection
+- attack.defense_evasion
+- attack.t1599.001
+- attack.t1557.001
diff --git a/rules/sigma/edr/edr_command_execution_by_office_applications.yml b/rules/sigma/edr/edr_command_execution_by_office_applications.yml
new file mode 100644
index 00000000..582c1483
--- /dev/null
+++ b/rules/sigma/edr/edr_command_execution_by_office_applications.yml
@@ -0,0 +1,37 @@
+title: EDR WMI Command Execution by Office Applications
+ruletype: Sigma
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic Win32_Process::Create
+ to execute the file with regsvr32
+detection:
+ SELECTION_1:
+ EventLog: EDR
+ SELECTION_2:
+ EventType: WMIExecution
+ SELECTION_3:
+ WMIcommand: '*Win32_Process\:\:Create*'
+ SELECTION_4:
+ Image:
+ - '*\winword.exe'
+ - '*\excel.exe'
+ - '*\powerpnt.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
+level: high
+logsource:
+ category: edr
+ product: windows
+modified: 2021/11/09
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
diff --git a/rules/sigma/file_delete/sysmon_delete_prefetch.yml b/rules/sigma/file_delete/sysmon_delete_prefetch.yml
new file mode 100644
index 00000000..5ce6b88a
--- /dev/null
+++ b/rules/sigma/file_delete/sysmon_delete_prefetch.yml
@@ -0,0 +1,32 @@
+
+title: Prefetch File Deletion
+ruletype: Sigma
+author: Cedric MAURUGEON
+date: 2021/09/29
+description: Detects the deletion of a prefetch file (AntiForensic)
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ TargetFilename: C:\Windows\Prefetch\\*
+ SELECTION_4:
+ TargetFilename: '*.pf'
+ SELECTION_5:
+ Image: C:\windows\system32\svchost.exe
+ SELECTION_6:
+ User: NT AUTHORITY\SYSTEM
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- Unknown
+id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
+level: high
+logsource:
+ category: file_delete
+ product: windows
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
diff --git a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
new file mode 100644
index 00000000..258d06b6
--- /dev/null
+++ b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
@@ -0,0 +1,32 @@
+
+title: Sysinternals SDelete File Deletion
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection to trigger for the deletion of files by Sysinternals
+ SDelete. It looks for the common name pattern used to rename files.
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ TargetFilename:
+ - '*.AAA'
+ - '*.ZZZ'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Legitime usage of SDelete
+id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
+level: medium
+logsource:
+ category: file_delete
+ product: windows
+modified: 2021/11/27
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/9
+- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1070.004
diff --git a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml
new file mode 100644
index 00000000..7285084e
--- /dev/null
+++ b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml
@@ -0,0 +1,34 @@
+
+title: Windows Spooler Service Suspicious File Deletion
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/07/01
+description: Detect DLL deletions from Spooler Service driver folder
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ Image: '*spoolsv.exe'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
+level: high
+logsource:
+ category: file_delete
+ product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/cube0x0/CVE-2021-1675
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
+- cve.2021.1675
diff --git a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml
new file mode 100644
index 00000000..f2637068
--- /dev/null
+++ b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml
@@ -0,0 +1,34 @@
+
+title: Advanced IP Scanner
+ruletype: Sigma
+author: '@ROxPinTeddy'
+date: 2020/05/12
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
+ ransomware groups.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative use
+id: fed85bf9-e075-4280-9159-fbe8a023d6fa
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/11
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+related:
+- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1046
diff --git a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml
new file mode 100644
index 00000000..f12ba537
--- /dev/null
+++ b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml
@@ -0,0 +1,30 @@
+
+title: Unidentified Attacker November 2018
+ruletype: Sigma
+author: '@41thexplorer, Microsoft Defender ATP'
+date: 2018/11/20
+description: A sigma rule detecting an unidetefied attacker who used phishing emails
+ to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29
+ campaign in 2016.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*ds7002.lnk*'
+ condition: (SELECTION_1 and SELECTION_2)
+id: 3a3f81ca-652c-482b-adeb-b1c804727f74
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://twitter.com/DrunkBinary/status/1063075530180886529
+related:
+- id: 7453575c-a747-40b9-839b-125a0aae324b
+ type: derived
+status: stable
+tags:
+- attack.execution
+- attack.t1218.011
+- attack.t1085
diff --git a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
new file mode 100644
index 00000000..5889ee4b
--- /dev/null
+++ b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -0,0 +1,41 @@
+
+title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+ruletype: Sigma
+author: Sittikorn S
+date: 2021/07/16
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
+ CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*C:\Windows\system32\physmem.sys*'
+ - '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*'
+ - '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*'
+ - '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*'
+ - '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*'
+ - '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*'
+ - '*C:\Windows\system32\config\config\startwus.dat*'
+ - '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
+ - '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
+ - '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1566
+- attack.t1203
+- cve.2021.33771
+- cve.2021.31979
diff --git a/rules/sigma/file_event/file_event_cve_2021_41379_msi_lpe.yml b/rules/sigma/file_event/file_event_cve_2021_41379_msi_lpe.yml
new file mode 100644
index 00000000..c4487c06
--- /dev/null
+++ b/rules/sigma/file_event/file_event_cve_2021_41379_msi_lpe.yml
@@ -0,0 +1,35 @@
+
+title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/22
+description: Detects signs of the exploitation of LPE CVE-2021-41379 that include
+ an msiexec process that creates an elevation_service.exe file
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\msiexec.exe'
+ SELECTION_3:
+ TargetFilename: C:\Program Files (x86)\Microsoft\Edge\Application*
+ SELECTION_4:
+ TargetFilename: '*\elevation_service.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+- Possibly some Microsoft Edge upgrades
+fields:
+- ComputerName
+- TargetFilename
+id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
+level: critical
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/klinix5/InstallerFileTakeOver
+- https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1068
diff --git a/rules/sigma/file_event/file_event_hack_dumpert.yml b/rules/sigma/file_event/file_event_hack_dumpert.yml
new file mode 100644
index 00000000..88dcc5e0
--- /dev/null
+++ b/rules/sigma/file_event/file_event_hack_dumpert.yml
@@ -0,0 +1,32 @@
+
+title: Dumpert Process Dumper
+ruletype: Sigma
+author: Florian Roth
+date: 2020/02/04
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
+ process memory
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\Temp\dumpert.dmp
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Very unlikely
+id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/outflanknl/Dumpert
+- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+related:
+- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/file_event/file_event_hktl_createminidump.yml b/rules/sigma/file_event/file_event_hktl_createminidump.yml
new file mode 100644
index 00000000..35b27510
--- /dev/null
+++ b/rules/sigma/file_event/file_event_hktl_createminidump.yml
@@ -0,0 +1,31 @@
+
+title: CreateMiniDump Hacktool
+ruletype: Sigma
+author: Florian Roth
+date: 2019/12/22
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
+ memory for credential extraction on the attacker's machine
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\lsass.dmp'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: db2110f3-479d-42a6-94fb-d35bc1e46492
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+related:
+- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+ type: derived
+status: deprecated
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
diff --git a/rules/sigma/file_event/file_event_hktl_nppspy.yml b/rules/sigma/file_event/file_event_hktl_nppspy.yml
new file mode 100644
index 00000000..bcb38f5f
--- /dev/null
+++ b/rules/sigma/file_event/file_event_hktl_nppspy.yml
@@ -0,0 +1,28 @@
+
+title: NPPSpy Hacktool Usage
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/29
+description: Detects the use of NPPSpy hacktool that stores cleartext passwords of
+ users that logged in to a local file
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\NPPSpy.txt'
+ - '*\NPPSpy.dll'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: cad1fe90-2406-44dc-bd03-59d0b58fe722
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
+- https://twitter.com/0gtweet/status/1465282548494487554
+status: experimental
+tags:
+- attack.credential_access
diff --git a/rules/sigma/file_event/file_event_lsass_dump.yml b/rules/sigma/file_event/file_event_lsass_dump.yml
new file mode 100644
index 00000000..3dc51d9a
--- /dev/null
+++ b/rules/sigma/file_event/file_event_lsass_dump.yml
@@ -0,0 +1,40 @@
+
+title: LSASS Process Memory Dump Files
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/15
+description: Detects file names used by different memory dumping tools to create a
+ memory dump of the LSASS process memory, which contains user credentials
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\lsass.dmp'
+ - '*\lsass.zip'
+ - '*\lsass.rar'
+ - '*\Temp\dumpert.dmp'
+ SELECTION_3:
+ TargetFilename:
+ - '*\lsass_2*'
+ - '*\lsassdump*'
+ - '*\lsassdmp*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: a5a2d357-1ab8-4675-a967-ef9990a59391
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://www.google.com/search?q=procdump+lsass
+- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
+related:
+- id: db2110f3-479d-42a6-94fb-d35bc1e46492
+ type: obsoletes
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
diff --git a/rules/sigma/file_event/file_event_mal_adwind.yml b/rules/sigma/file_event/file_event_mal_adwind.yml
new file mode 100644
index 00000000..8ec26e87
--- /dev/null
+++ b/rules/sigma/file_event/file_event_mal_adwind.yml
@@ -0,0 +1,36 @@
+
+title: Adwind RAT / JRAT
+ruletype: Sigma
+author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+date: 2017/11/10
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Roaming\Oracle\bin\java*'
+ SELECTION_3:
+ TargetFilename: '*.exe*'
+ SELECTION_4:
+ TargetFilename: '*\Retrive*'
+ SELECTION_5:
+ TargetFilename: '*.vbs*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+related:
+- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1064
diff --git a/rules/sigma/file_event/file_event_mal_vhd_download.yml b/rules/sigma/file_event/file_event_mal_vhd_download.yml
new file mode 100644
index 00000000..6bc45b4d
--- /dev/null
+++ b/rules/sigma/file_event/file_event_mal_vhd_download.yml
@@ -0,0 +1,41 @@
+
+title: Suspicious VHD Image Download From Browser
+ruletype: Sigma
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2021/10/25
+description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate
+ payloads and evade security controls
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image:
+ - '*chrome.exe'
+ - '*firefox.exe'
+ - '*microsoftedge.exe'
+ - '*microsoftedgecp.exe'
+ - '*msedge.exe'
+ - '*iexplorer.exe'
+ - '*brave.exe'
+ - '*opera.exe'
+ SELECTION_3:
+ TargetFilename: '*.vhd*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate user creation
+id: 8468111a-ef07-4654-903b-b863a80bbc95
+level: medium
+logsource:
+ category: file_event
+ definition: in sysmon add ".vhd
+ "
+ product: windows
+modified: 2021/10/29
+references:
+- https://redcanary.com/blog/intelligence-insights-october-2021/
+- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
+- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
+status: test
+tags:
+- attack.resource_development
+- attack.t1587.001
diff --git a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml
new file mode 100644
index 00000000..1f8cce28
--- /dev/null
+++ b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml
@@ -0,0 +1,26 @@
+
+title: Mimikatz Kirbi File Creation
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/08
+description: Detects the creation of files that contain Kerberos tickets based on
+ an extension used by the popular tool Mimikatz
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*.kirbi'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
+level: critical
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://cobalt.io/blog/kerberoast-attack-techniques
+status: test
+tags:
+- attack.credential_access
+- attack.t1558
diff --git a/rules/sigma/file_event/file_event_moriya_rootkit.yml b/rules/sigma/file_event/file_event_moriya_rootkit.yml
new file mode 100644
index 00000000..b0967a2b
--- /dev/null
+++ b/rules/sigma/file_event/file_event_moriya_rootkit.yml
@@ -0,0 +1,31 @@
+
+title: Moriya Rootkit
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/05/06
+description: Detects the use of Moriya rootkit as described in the securelist's Operation
+ TunnelSnake report
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- None
+id: a1507d71-0b60-44f6-b17c-bf53220fdd88
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+related:
+- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1543.003
diff --git a/rules/sigma/file_event/file_event_pingback_backdoor.yml b/rules/sigma/file_event/file_event_pingback_backdoor.yml
new file mode 100644
index 00000000..0c0ec5c1
--- /dev/null
+++ b/rules/sigma/file_event/file_event_pingback_backdoor.yml
@@ -0,0 +1,30 @@
+
+title: Pingback Backdoor
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*updata.exe'
+ SELECTION_3:
+ TargetFilename: C:\Windows\oci.dll
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
diff --git a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml
new file mode 100644
index 00000000..52041907
--- /dev/null
+++ b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml
@@ -0,0 +1,47 @@
+
+title: Created Files by Office Applications
+ruletype: Sigma
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor executable and script file creation by office
+ applications. Please add more file extensions or magic bytes to the logic of your
+ choice.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ SELECTION_3:
+ TargetFilename:
+ - '*.exe'
+ - '*.dll'
+ - '*.ocx'
+ - '*.com'
+ - '*.ps1'
+ - '*.vbs'
+ - '*.sys'
+ - '*.bat'
+ - '*.scr'
+ - '*.proj'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/10
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
diff --git a/rules/sigma/file_event/file_event_susp_system_interactive_powershell.yml b/rules/sigma/file_event/file_event_susp_system_interactive_powershell.yml
new file mode 100644
index 00000000..3ac992b2
--- /dev/null
+++ b/rules/sigma/file_event/file_event_susp_system_interactive_powershell.yml
@@ -0,0 +1,26 @@
+
+title: Suspicious Interactive PowerShell as SYSTEM
+ruletype: Sigma
+author: Florian Roth
+date: 2021/12/07
+description: Detects the creation of files that indicator an interactive use of PowerShell
+ in the SYSTEM user context
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
+ - C:\Windows\System32\config\systemprofile\AppData\\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrative activity
+- PowerShell scripts running as SYSTEM user
+id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
+status: experimental
diff --git a/rules/sigma/file_event/file_event_susp_task_write.yml b/rules/sigma/file_event/file_event_susp_task_write.yml
new file mode 100644
index 00000000..416a63a9
--- /dev/null
+++ b/rules/sigma/file_event/file_event_susp_task_write.yml
@@ -0,0 +1,31 @@
+
+title: Suspicious Scheduled Task Writ to System32 Tasks
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/16
+description:
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Windows\System32\Tasks*'
+ SELECTION_3:
+ Image:
+ - '*\AppData\\*'
+ - '*C:\PerfLogs*'
+ - '*\Windows\System32\config\systemprofile*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 80e1f67a-4596-4351-98f5-a9c3efabac95
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+status: experimental
+tags:
+- attack.persistence
+- attack.execution
+- attack.t1053
diff --git a/rules/sigma/file_event/file_event_tool_psexec.yml b/rules/sigma/file_event/file_event_tool_psexec.yml
new file mode 100644
index 00000000..fbcf6ff0
--- /dev/null
+++ b/rules/sigma/file_event/file_event_tool_psexec.yml
@@ -0,0 +1,41 @@
+
+title: PsExec Tool Execution
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\PSEXESVC.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
+level: low
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
diff --git a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml
new file mode 100644
index 00000000..a2a13cef
--- /dev/null
+++ b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml
@@ -0,0 +1,31 @@
+
+title: UAC Bypass Abusing Winsat Path Parsing - File
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
+ (UACMe 52)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename:
+ - '*\AppData\Local\Temp\system32\winsat.exe'
+ - '*\AppData\Local\Temp\system32\winmm.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml
new file mode 100644
index 00000000..9063d90d
--- /dev/null
+++ b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml
@@ -0,0 +1,33 @@
+
+title: UAC Bypass Using Windows Media Player - File
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
+ (UACMe 32)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\OskSupport.dll'
+ SELECTION_4:
+ Image: C:\Windows\system32\DllHost.exe
+ SELECTION_5:
+ TargetFilename: C:\Program Files\Windows Media Player\osk.exe
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Unknown
+id: 68578b43-65df-4f81-9a9b-92f32711a951
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml
new file mode 100644
index 00000000..664041fb
--- /dev/null
+++ b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml
@@ -0,0 +1,52 @@
+
+title: Windows Shell File Write to Suspicious Folder
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/20
+description: Detects a Windows executable that writes files to suspicious folders
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\msbuild.exe'
+ - '*\certutil.exe'
+ SELECTION_3:
+ TargetFilename:
+ - '*C:\Users\Public*'
+ - '*C:\PerfLogs*'
+ SELECTION_4:
+ Image:
+ - '*\schtasks.exe'
+ - '*\wmic.exe'
+ - '*\mshta.exe'
+ - '*\forfiles.exe'
+ - '*\scriptrunner.exe'
+ - '*\certutil.exe'
+ SELECTION_5:
+ TargetFilename:
+ - '*C:\Users\Public*'
+ - '*C:\PerfLogs*'
+ - '*\AppData\\*'
+ - '*C:\Windows\Temp*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/24
+references:
+- No references
+status: experimental
diff --git a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml
new file mode 100644
index 00000000..22ed7033
--- /dev/null
+++ b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml
@@ -0,0 +1,36 @@
+
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+ruletype: Sigma
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
+ winrm.vbs and copied cscript.exe (can be renamed)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*WsmPty.xsl'
+ - '*WsmTxt.xsl'
+ SELECTION_3:
+ TargetFilename:
+ - C:\Windows\System32\\*
+ - C:\Windows\SysWOW64\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unlikely
+id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+related:
+- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
diff --git a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..4354ebe7
--- /dev/null
+++ b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,31 @@
+
+title: Wmiprvse Wbemcomn DLL Hijack
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: System
+ SELECTION_3:
+ TargetFilename: '*\wbem\wbemcomn.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/file_event/sysmon_creation_system_file.yml b/rules/sigma/file_event/sysmon_creation_system_file.yml
new file mode 100644
index 00000000..031f68e2
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_creation_system_file.yml
@@ -0,0 +1,68 @@
+
+title: File Created with System Process Name
+ruletype: Sigma
+author: Sander Wiebing
+date: 2020/05/26
+description: Detects the creation of an executable with a system process name in a
+ suspicious folder
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\svchost.exe'
+ - '*\rundll32.exe'
+ - '*\services.exe'
+ - '*\powershell.exe'
+ - '*\regsvr32.exe'
+ - '*\spoolsv.exe'
+ - '*\lsass.exe'
+ - '*\smss.exe'
+ - '*\csrss.exe'
+ - '*\conhost.exe'
+ - '*\wininit.exe'
+ - '*\lsm.exe'
+ - '*\winlogon.exe'
+ - '*\explorer.exe'
+ - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\runtimebroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
+ SELECTION_3:
+ TargetFilename:
+ - C:\Windows\System32\\*
+ - C:\Windows\system32\\*
+ - C:\Windows\SysWow64\\*
+ - C:\Windows\SysWOW64\\*
+ - C:\Windows\winsxs\\*
+ - C:\Windows\WinSxS\\*
+ - \SystemRoot\System32\\*
+ SELECTION_4:
+ Image: '*\Windows\System32\dism.exe'
+ SELECTION_5:
+ TargetFilename: C:\$WINDOWS.~BT\\*
+ SELECTION_6:
+ Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe
+ condition: (SELECTION_1 and (SELECTION_2 and not (SELECTION_3 and SELECTION_4))
+ and not (SELECTION_5 and SELECTION_6))
+falsepositives:
+- System processes copied outside the default folder
+fields:
+- Image
+id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/10/28
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.005
diff --git a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml
new file mode 100644
index 00000000..0e4ca9cb
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -0,0 +1,58 @@
+
+title: Cred Dump Tools Dropped Files
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+description: Files with well-known filenames (parts of credential dump software or
+ files produced by them) creation
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\pwdump*'
+ - '*\kirbi*'
+ - '*\pwhashes*'
+ - '*\wce_ccache*'
+ - '*\wce_krbtkts*'
+ - '*\fgdump-log*'
+ SELECTION_3:
+ TargetFilename:
+ - '*\test.pwd'
+ - '*\lsremora64.dll'
+ - '*\lsremora.dll'
+ - '*\fgexec.exe'
+ - '*\wceaux.dll'
+ - '*\SAM.out'
+ - '*\SECURITY.out'
+ - '*\SYSTEM.out'
+ - '*\NTDS.out'
+ - '*\DumpExt.dll'
+ - '*\DumpSvc.exe'
+ - '*\cachedump64.exe'
+ - '*\cachedump.exe'
+ - '*\pstgdump.exe'
+ - '*\servpw.exe'
+ - '*\servpw64.exe'
+ - '*\pwdump.exe'
+ - '*\procdump64.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Administrator using tool for password recovery
+id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.003
+- attack.t1003.004
+- attack.t1003.005
diff --git a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml
new file mode 100644
index 00000000..97a52b96
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml
@@ -0,0 +1,39 @@
+
+title: CVE-2021-26858 Exchange Exploitation
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/03/03
+description: Detects possible successful exploitation for vulnerability described
+ in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange
+ Server’s Unified Messaging service | which could indicate dropping web shells or
+ other malicious content
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*UMWorkerProcess.exe'
+ SELECTION_3:
+ TargetFilename:
+ - '*CacheCleanup.bin'
+ - '*.txt'
+ - '*.LOG'
+ - '*.cfg'
+ - '*cleanup.bin'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- TargetFilename
+id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
+level: critical
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+status: experimental
+tags:
+- attack.t1203
+- attack.execution
+- cve.2021.26858
diff --git a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml
new file mode 100644
index 00000000..93a25e35
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -0,0 +1,33 @@
+
+title: Powerup Write Hijack DLL
+ruletype: Sigma
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/21
+description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege
+ escalation. In it's default mode, it builds a self deleting .bat file which executes
+ malicious command. The detection rule relies on creation of the malicious bat file
+ (debug.bat by default).
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ TargetFilename: '*.bat'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Pentest
+- Any powershell script that creates bat files
+id: 602a1f13-c640-4d73-b053-be9a2fa58b96
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1574.001
diff --git a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml
new file mode 100644
index 00000000..bb8dfdb5
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml
@@ -0,0 +1,27 @@
+
+title: Detection of SafetyKatz
+ruletype: Sigma
+author: Markus Neis
+date: 2018/07/24
+description: Detects possible SafetyKatz Behaviour
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Temp\debug.bin'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: e074832a-eada-4fd7-94a1-10642b130e16
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://github.com/GhostPack/SafetyKatz
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml
new file mode 100644
index 00000000..913b24a5
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -0,0 +1,35 @@
+
+title: LSASS Memory Dump File Creation
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: LSASS memory dump creation using operating systems utilities. Procdump
+ will use process name in output file if no name is specified
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*lsass*'
+ SELECTION_3:
+ TargetFilename: '*dmp'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Dumping lsass memory for forensic investigation purposes by legitimate incident
+ responder or forensic invetigator
+- Dumps of another process that contains lsass in its process name (substring)
+fields:
+- ComputerName
+- TargetFilename
+id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/08/16
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/file_event/sysmon_office_persistence.yml b/rules/sigma/file_event/sysmon_office_persistence.yml
new file mode 100644
index 00000000..db267032
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_office_persistence.yml
@@ -0,0 +1,41 @@
+
+title: Microsoft Office Add-In Loading
+ruletype: Sigma
+author: NVISO
+date: 2020/05/11
+description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll
+ are simply .dll fit for Word or Excel).
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Microsoft\Word\Startup\\*'
+ SELECTION_3:
+ TargetFilename: '*.wll'
+ SELECTION_4:
+ TargetFilename: '*\Microsoft\Excel\Startup\\*'
+ SELECTION_5:
+ TargetFilename: '*.xll'
+ SELECTION_6:
+ TargetFilename: '*\Microsoft\Addins\\*'
+ SELECTION_7:
+ TargetFilename:
+ - '*.xlam'
+ - '*.xla'
+ condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5)) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Legitimate add-ins
+id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- Internal Research
+status: test
+tags:
+- attack.persistence
+- attack.t1137
+- attack.t1137.006
diff --git a/rules/sigma/file_event/sysmon_outlook_newform.yml b/rules/sigma/file_event/sysmon_outlook_newform.yml
new file mode 100644
index 00000000..e5d9cb33
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_outlook_newform.yml
@@ -0,0 +1,30 @@
+
+title: Outlook Form Installation
+ruletype: Sigma
+author: Tobias Michalski
+date: 2021/06/10
+description: Detects the creation of new Outlook form which can contain malicious
+ code
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: \outlook.exe
+ SELECTION_3:
+ TargetFilename: '*\appdata\local\microsoft\FORMS\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+id: c3edc6a5-d9d4-48d8-930e-aab518390917
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+status: experimental
+tags:
+- attack.persistence
+- attack.t1137.003
diff --git a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml
new file mode 100644
index 00000000..ceccad04
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml
@@ -0,0 +1,27 @@
+
+title: PCRE.NET Package Temp Files
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+description: Detects processes creating temp files related to PCRE.NET package
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/08/14
+references:
+- https://twitter.com/rbmaslen/status/1321859647091970051
+- https://twitter.com/tifkin_/status/1321916444557365248
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
diff --git a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml
new file mode 100644
index 00000000..1e75ba4a
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml
@@ -0,0 +1,122 @@
+
+title: Malicious PowerShell Commandlet Names
+ruletype: Sigma
+author: Markus Neis
+date: 2018/04/07
+description: Detects the creation of known powershell scripts for exploitation
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\Invoke-DllInjection.ps1'
+ - '*\Invoke-WmiCommand.ps1'
+ - '*\Get-GPPPassword.ps1'
+ - '*\Get-Keystrokes.ps1'
+ - '*\Get-VaultCredential.ps1'
+ - '*\Invoke-CredentialInjection.ps1'
+ - '*\Invoke-Mimikatz.ps1'
+ - '*\Invoke-NinjaCopy.ps1'
+ - '*\Invoke-TokenManipulation.ps1'
+ - '*\Out-Minidump.ps1'
+ - '*\VolumeShadowCopyTools.ps1'
+ - '*\Invoke-ReflectivePEInjection.ps1'
+ - '*\Get-TimedScreenshot.ps1'
+ - '*\Invoke-UserHunter.ps1'
+ - '*\Find-GPOLocation.ps1'
+ - '*\Invoke-ACLScanner.ps1'
+ - '*\Invoke-DowngradeAccount.ps1'
+ - '*\Get-ServiceUnquoted.ps1'
+ - '*\Get-ServiceFilePermission.ps1'
+ - '*\Get-ServicePermission.ps1'
+ - '*\Invoke-ServiceAbuse.ps1'
+ - '*\Install-ServiceBinary.ps1'
+ - '*\Get-RegAutoLogon.ps1'
+ - '*\Get-VulnAutoRun.ps1'
+ - '*\Get-VulnSchTask.ps1'
+ - '*\Get-UnattendedInstallFile.ps1'
+ - '*\Get-WebConfig.ps1'
+ - '*\Get-ApplicationHost.ps1'
+ - '*\Get-RegAlwaysInstallElevated.ps1'
+ - '*\Get-Unconstrained.ps1'
+ - '*\Add-RegBackdoor.ps1'
+ - '*\Add-ScrnSaveBackdoor.ps1'
+ - '*\Gupt-Backdoor.ps1'
+ - '*\Invoke-ADSBackdoor.ps1'
+ - '*\Enabled-DuplicateToken.ps1'
+ - '*\Invoke-PsUaCme.ps1'
+ - '*\Remove-Update.ps1'
+ - '*\Check-VM.ps1'
+ - '*\Get-LSASecret.ps1'
+ - '*\Get-PassHashes.ps1'
+ - '*\Show-TargetScreen.ps1'
+ - '*\Port-Scan.ps1'
+ - '*\Invoke-PoshRatHttp.ps1'
+ - '*\Invoke-PowerShellTCP.ps1'
+ - '*\Invoke-PowerShellWMI.ps1'
+ - '*\Add-Exfiltration.ps1'
+ - '*\Add-Persistence.ps1'
+ - '*\Do-Exfiltration.ps1'
+ - '*\Start-CaptureServer.ps1'
+ - '*\Invoke-ShellCode.ps1'
+ - '*\Get-ChromeDump.ps1'
+ - '*\Get-ClipboardContents.ps1'
+ - '*\Get-FoxDump.ps1'
+ - '*\Get-IndexedItem.ps1'
+ - '*\Get-Screenshot.ps1'
+ - '*\Invoke-Inveigh.ps1'
+ - '*\Invoke-NetRipper.ps1'
+ - '*\Invoke-EgressCheck.ps1'
+ - '*\Invoke-PostExfil.ps1'
+ - '*\Invoke-PSInject.ps1'
+ - '*\Invoke-RunAs.ps1'
+ - '*\MailRaider.ps1'
+ - '*\New-HoneyHash.ps1'
+ - '*\Set-MacAttribute.ps1'
+ - '*\Invoke-DCSync.ps1'
+ - '*\Invoke-PowerDump.ps1'
+ - '*\Exploit-Jboss.ps1'
+ - '*\Invoke-ThunderStruck.ps1'
+ - '*\Invoke-VoiceTroll.ps1'
+ - '*\Set-Wallpaper.ps1'
+ - '*\Invoke-InveighRelay.ps1'
+ - '*\Invoke-PsExec.ps1'
+ - '*\Invoke-SSHCommand.ps1'
+ - '*\Get-SecurityPackages.ps1'
+ - '*\Install-SSP.ps1'
+ - '*\Invoke-BackdoorLNK.ps1'
+ - '*\PowerBreach.ps1'
+ - '*\Get-SiteListPassword.ps1'
+ - '*\Get-System.ps1'
+ - '*\Invoke-BypassUAC.ps1'
+ - '*\Invoke-Tater.ps1'
+ - '*\Invoke-WScriptBypassUAC.ps1'
+ - '*\PowerUp.ps1'
+ - '*\PowerView.ps1'
+ - '*\Get-RickAstley.ps1'
+ - '*\Find-Fruit.ps1'
+ - '*\HTTP-Login.ps1'
+ - '*\Find-TrustedDocuments.ps1'
+ - '*\Invoke-Paranoia.ps1'
+ - '*\Invoke-WinEnum.ps1'
+ - '*\Invoke-ARPScan.ps1'
+ - '*\Invoke-PortScan.ps1'
+ - '*\Invoke-ReverseDNSLookup.ps1'
+ - '*\Invoke-SMBScanner.ps1'
+ - '*\Invoke-Mimikittenz.ps1'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration Tests
+id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
+status: test
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml
new file mode 100644
index 00000000..ab727758
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -0,0 +1,38 @@
+
+title: PowerShell Writing Startup Shortcuts
+ruletype: Sigma
+author: Christopher Peacock '@securepeacock', SCYTHE
+date: 2021/10/24
+description: Attempts to detect PowerShell writing startup shortcuts. This procedure
+ was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries
+ using PowerShell to write malicious .lnk files into the startup directory to establish
+ persistence. Accordingly, this detection opportunity is likely to identify persistence
+ mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence
+ mechanism eventually launches the command-line script that leads to the installation
+ of a malicious DLL"
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ TargetFilename: '*\start menu\programs\startup\\*'
+ SELECTION_4:
+ TargetFilename: '*.lnk'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+- Depending on your environment accepted applications may leverage this at times.
+ It is recomended to search for anomolies inidicative of malware.
+id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://redcanary.com/blog/intelligence-insights-october-2021/
+- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+status: experimental
+tags:
+- attack.registry_run_keys_/_startup_folder
+- attack.t1547.001
diff --git a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml
new file mode 100644
index 00000000..b4c90518
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml
@@ -0,0 +1,29 @@
+
+title: QuarksPwDump Dump File
+ruletype: Sigma
+author: Florian Roth
+date: 2018/02/10
+description: Detects a dump file written by QuarksPwDump password dumper
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\SAM-*'
+ SELECTION_3:
+ TargetFilename: '*.dmp*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 847def9e-924d-4e90-b7c4-5f581395a2b4
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
diff --git a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml
new file mode 100644
index 00000000..a88b81dd
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml
@@ -0,0 +1,29 @@
+
+title: RedMimicry Winnti Playbook Dropped File
+ruletype: Sigma
+author: Alexander Rausch
+date: 2020/06/24
+description: Detects actions caused by the RedMimicry Winnti playbook
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*gthread-3.6.dll*'
+ - '*sigcmm-2.4.dll*'
+ - '*\Windows\Temp\tmp.bat*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://redmimicry.com
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1027
diff --git a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml
new file mode 100644
index 00000000..61e0a3a3
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml
@@ -0,0 +1,28 @@
+
+title: Startup Folder File Write
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for files being created in the Windows startup directory.
+ This could be an indicator of persistence.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+level: low
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/12
+- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+status: test
+tags:
+- attack.persistence
+- attack.t1547.001
diff --git a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml
new file mode 100644
index 00000000..1f7fa090
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -0,0 +1,40 @@
+
+title: Suspicious ADSI-Cache Usage By Unknown Tool
+ruletype: Sigma
+author: xknow @xknow_infosec
+date: 2019/03/24
+description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect
+ tools like LDAPFragger.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*'
+ SELECTION_3:
+ TargetFilename: '*.sch'
+ SELECTION_4:
+ Image:
+ - C:\windows\system32\svchost.exe
+ - C:\windows\system32\dllhost.exe
+ - C:\windows\system32\mmc.exe
+ - C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
+ - C:\Windows\CCM\CcmExec.exe
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity
+ by MMC, Powershell, Windows etc.
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+- https://github.com/fox-it/LDAPFragger
+status: test
+tags:
+- attack.t1071
+- attack.t1001.003
+- attack.command_and_control
diff --git a/rules/sigma/file_event/sysmon_susp_clr_logs.yml b/rules/sigma/file_event/sysmon_susp_clr_logs.yml
new file mode 100644
index 00000000..0ad5e0a5
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_susp_clr_logs.yml
@@ -0,0 +1,45 @@
+
+title: Suspcious CLR Logs Creation
+ruletype: Sigma
+author: omkar72, oscd.community, Wojciech Lesicki
+date: 2020/10/12
+description: Detects suspicious .NET assembly executions. Could detect using Cobalt
+ Strike's command execute-assembly.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Microsoft\CLR*'
+ SELECTION_3:
+ TargetFilename: '*\UsageLogs\\*'
+ SELECTION_4:
+ TargetFilename:
+ - '*mshta*'
+ - '*cscript*'
+ - '*wscript*'
+ - '*regsvr32*'
+ - '*wmic*'
+ - '*rundll32*'
+ - '*svchost*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc
+ in command line and msiexec.exe as parent process
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+level: high
+logsource:
+ category: file_event
+ definition: Check your sysmon configuration for monitoring UsageLogs folder. In
+ SwiftOnSecurity configuration we have that thanks @SBousseaden
+ product: windows
+modified: 2021/11/17
+references:
+- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
+- https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml
+status: experimental
+tags:
+- attack.execution
+- attack.defense_evasion
+- attack.t1059.001
+- attack.t1218
diff --git a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml
new file mode 100644
index 00000000..39153c05
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious desktop.ini Action
+ruletype: Sigma
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
+date: 2020/03/19
+description: Detects unusual processes accessing desktop.ini, which can be leveraged
+ to alter how Explorer displays a folder's content (i.e. renaming files) without
+ changing them on disk.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\desktop.ini'
+ SELECTION_3:
+ Image:
+ - C:\Windows\\*
+ - C:\Program Files\\*
+ - C:\Program Files (x86)\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Operations performed through Windows SCCM or equivalent
+- read only access list authority
+id: 81315b50-6b60-4d8f-9928-3466e1022515
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/12/03
+references:
+- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+status: test
+tags:
+- attack.persistence
+- attack.t1023
+- attack.t1547.009
diff --git a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml
new file mode 100644
index 00000000..c0e22da9
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml
@@ -0,0 +1,28 @@
+
+title: Suspicious PFX File Creation
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A general detection for processes creating PFX files. This could be an
+ indicator of an adversary exporting a local certificate to a PFX file.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*.pfx'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- System administrators managing certififcates.
+id: dca1b3e8-e043-4ec8-85d7-867f334b5724
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/14
+- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1552.004
diff --git a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
new file mode 100644
index 00000000..f62548b4
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -0,0 +1,40 @@
+
+title: Suspicious PROCEXP152.sys File Created In TMP
+ruletype: Sigma
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+date: 2019/04/08
+description: Detects the creation of the PROCEXP152.sys file in the application-data
+ local temporary folder. This driver is used by Sysinternals Process Explorer but
+ also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),
+ which uses KDU.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\\*'
+ SELECTION_3:
+ TargetFilename: '*PROCEXP152.sys'
+ SELECTION_4:
+ Image:
+ - '*\procexp64.exe*'
+ - '*\procexp.exe*'
+ - '*\procmon64.exe*'
+ - '*\procmon.exe*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other legimate tools using this driver and filename (like Sysinternals). Note -
+ Clever attackers may easily bypass this detection by just renaming the driver filename.
+ Therefore just Medium-level and don't rely on it.
+id: 3da70954-0f2c-4103-adff-b7440368f50e
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+status: test
+tags:
+- attack.t1089
+- attack.t1562.001
+- attack.defense_evasion
diff --git a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml
new file mode 100644
index 00000000..623fe9ac
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml
@@ -0,0 +1,31 @@
+
+title: Powershell Profile.ps1 Modification
+ruletype: Sigma
+author: HieuTT35
+date: 2019/10/24
+description: Detects a change in profile.ps1 of the Powershell profile
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\profile.ps1*'
+ SELECTION_3:
+ TargetFilename: '*\My Documents\PowerShell\\*'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- System administrator create Powershell profile manually
+id: b5b78988-486d-4a80-b991-930eff3ff8bf
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
+status: test
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1546.013
diff --git a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml
new file mode 100644
index 00000000..5a4d0b16
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -0,0 +1,27 @@
+
+title: Hijack Legit RDP Session to Move Laterally
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/02/21
+description: Detects the usage of tsclient share to place a backdoor on the RDP source
+ machine's startup folder
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\mstsc.exe'
+ SELECTION_3:
+ TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 52753ea4-b3a0-4365-910d-36cff487b789
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+status: test
+tags:
+- attack.command_and_control
+- attack.t1219
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml
new file mode 100644
index 00000000..ae94d924
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml
@@ -0,0 +1,29 @@
+
+title: UAC Bypass Using Consent and Comctl32 - File
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
+ (UACMe 22)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\System32\consent.exe.@*
+ SELECTION_3:
+ TargetFilename: '*\comctl32.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml
new file mode 100644
index 00000000..770eb059
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@@ -0,0 +1,29 @@
+
+title: UAC Bypass Using .NET Code Profiler on MMC
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe
+ DLL hijacking (UACMe 39)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\pe386.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 93a19907-d4f9-4deb-9f91-aac4692776a6
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml
new file mode 100644
index 00000000..2abf1d6d
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml
@@ -0,0 +1,32 @@
+
+title: UAC Bypass Using IEInstal - File
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: C:\Program Files\Internet Explorer\IEInstal.exe
+ SELECTION_3:
+ TargetFilename: C:\Users\\*
+ SELECTION_4:
+ TargetFilename: '*\AppData\Local\Temp\\*'
+ SELECTION_5:
+ TargetFilename: '*consent.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml
new file mode 100644
index 00000000..cc979709
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml
@@ -0,0 +1,28 @@
+
+title: UAC Bypass Using MSConfig Token Modification - File
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 41bb431f-56d8-4691-bb56-ed34e390906f
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
new file mode 100644
index 00000000..06556a65
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
@@ -0,0 +1,29 @@
+
+title: UAC Bypass Using NTFS Reparse Point - File
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
+ DLL hijacking (UACMe 36)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml
new file mode 100644
index 00000000..25cb8b97
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml
@@ -0,0 +1,60 @@
+
+title: Windows Webshell Creation
+ruletype: Sigma
+author: Beyu Denis, oscd.community
+date: 2019/10/22
+description: Possible webshell file creation on a static web site
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*.pl*'
+ SELECTION_11:
+ TargetFilename:
+ - '*\AppData\Local\Temp\\*'
+ - '*\Windows\Temp\\*'
+ SELECTION_2:
+ TargetFilename: '*\inetpub\wwwroot\\*'
+ SELECTION_3:
+ TargetFilename:
+ - '*.asp*'
+ - '*.ashx*'
+ - '*.ph*'
+ SELECTION_4:
+ TargetFilename:
+ - '*\AppData\Local\Temp\\*'
+ - '*\Windows\Temp\\*'
+ SELECTION_5:
+ TargetFilename:
+ - '*\www\\*'
+ - '*\htdocs\\*'
+ - '*\html\\*'
+ SELECTION_6:
+ TargetFilename: '*.ph*'
+ SELECTION_7:
+ TargetFilename:
+ - '*\AppData\Local\Temp\\*'
+ - '*\Windows\Temp\\*'
+ SELECTION_8:
+ TargetFilename: '*.jsp'
+ SELECTION_9:
+ TargetFilename: '*\cgi-bin\\*'
+ condition: (SELECTION_1 and ((((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+ or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7))) or ((SELECTION_8 or
+ (SELECTION_9 and SELECTION_10)) and not (SELECTION_11))))
+falsepositives:
+- Legitimate administrator or developer creating legitimate executable files in a
+ web application folder
+id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- PT ESC rule and personal experience
+status: test
+tags:
+- attack.persistence
+- attack.t1100
+- attack.t1505.003
diff --git a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
new file mode 100644
index 00000000..c7dd86ac
--- /dev/null
+++ b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -0,0 +1,27 @@
+
+title: WMI Persistence - Script Event Consumer File Write
+ruletype: Sigma
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects file writes of WMI script event consumer
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: C:\WINDOWS\system32\wbem\scrcons.exe
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: test
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
diff --git a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 00000000..cdec5a20
--- /dev/null
+++ b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml
@@ -0,0 +1,36 @@
+
+title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+ruletype: Sigma
+author: Florian Roth
+date: 2021/06/29
+description: Detects the default filename used in PoC code against print spooler vulnerability
+ CVE-2021-1675
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- TargetFilename
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/12/01
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/afwu/PrintNightmare
+- https://github.com/cube0x0/CVE-2021-1675
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.resource_development
+- attack.t1587
+- cve.2021.1675
diff --git a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml
new file mode 100644
index 00000000..08a9b1c3
--- /dev/null
+++ b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml
@@ -0,0 +1,39 @@
+
+title: Suspicious Word Cab File Write CVE-2021-40444
+ruletype: Sigma
+author: Florian Roth, Sittikorn S
+date: 2021/09/10
+description: Detects file creation patterns noticeable during the exploitation of
+ CVE-2021-40444
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: \winword.exe
+ SELECTION_3:
+ TargetFilename: '*.cab'
+ SELECTION_4:
+ TargetFilename: '*\Windows\INetCache*'
+ SELECTION_5:
+ TargetFilename: '*\AppData\Local\Temp\\*'
+ SELECTION_6:
+ TargetFilename: '*.inf*'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/13
+references:
+- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
+- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1587
diff --git a/rules/sigma/file_event/win_hivenightmare_file_exports.yml b/rules/sigma/file_event/win_hivenightmare_file_exports.yml
new file mode 100644
index 00000000..26faf65c
--- /dev/null
+++ b/rules/sigma/file_event/win_hivenightmare_file_exports.yml
@@ -0,0 +1,40 @@
+
+title: Typical HiveNightmare SAM File Export
+ruletype: Sigma
+author: Florian Roth
+date: 2021/07/23
+description: Detects files written by the different tools that exploit HiveNightmare
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\hive_sam_*'
+ - '*\SAM-2021-*'
+ - '*\SAM-2022-*'
+ - '*\SAM-haxx*'
+ - '*\Sam.save*'
+ SELECTION_3:
+ TargetFilename:
+ - C:\windows\temp\sam
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Files that accidentally contain these strings
+fields:
+- CommandLine
+- ParentCommandLine
+id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/GossiTheDog/HiveNightmare
+- https://github.com/FireFart/hivenightmare/
+- https://github.com/WiredPulse/Invoke-HiveNightmare
+- https://twitter.com/cube0x0/status/1418920190759378944
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.001
+- cve.2021.36934
diff --git a/rules/sigma/file_event/win_net_share_obj_susp_desktop_ini.yml b/rules/sigma/file_event/win_net_share_obj_susp_desktop_ini.yml
new file mode 100644
index 00000000..f2d592d0
--- /dev/null
+++ b/rules/sigma/file_event/win_net_share_obj_susp_desktop_ini.yml
@@ -0,0 +1,38 @@
+
+title: Windows Network Access Suspicious desktop.ini Action
+ruletype: Sigma
+author: Tim Shelton (HAWK.IO)
+date: 2021/12/06
+description: Detects unusual processes accessing desktop.ini remotely over network
+ share, which can be leveraged to alter how Explorer displays a folder's content
+ (i.e. renaming files) without changing them on disk.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ObjectType: File
+ SELECTION_3:
+ RelativeTargetName: '*\desktop.ini'
+ SELECTION_4:
+ AccessList:
+ - '*WriteData*'
+ - '*DELETE*'
+ - '*WriteDAC*'
+ - '*AppendData*'
+ - '*AddSubdirectory*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Read only access list authority
+id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e
+level: medium
+logsource:
+ category: security
+ product: windows
+modified: 2021/12/06
+references:
+- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+status: test
+tags:
+- attack.persistence
+- attack.t1023
+- attack.t1547.009
diff --git a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml
new file mode 100644
index 00000000..a8782c6b
--- /dev/null
+++ b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml
@@ -0,0 +1,30 @@
+
+title: Outlook C2 Macro Creation
+ruletype: Sigma
+author: '@ScoubiMtl'
+date: 2021/04/05
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key.
+ VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both
+ events Registry & File Creation happens at the same time.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Microsoft\Outlook\VbaProject.OTM'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- User genuinly creates a VB Macro for their email
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+level: medium
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+status: experimental
+tags:
+- attack.persistence
+- attack.command_and_control
+- attack.t1137
+- attack.t1008
+- attack.t1546
diff --git a/rules/sigma/file_event/win_rclone_exec_file.yml b/rules/sigma/file_event/win_rclone_exec_file.yml
new file mode 100644
index 00000000..f5ea0650
--- /dev/null
+++ b/rules/sigma/file_event/win_rclone_exec_file.yml
@@ -0,0 +1,28 @@
+
+title: Rclone Config File Creation
+ruletype: Sigma
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects Rclone config file being created
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*:\Users\\*'
+ SELECTION_3:
+ TargetFilename: '*\.config\rclone\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Rclone usage (rare)
+id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/10/04
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml
new file mode 100644
index 00000000..167968bf
--- /dev/null
+++ b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml
@@ -0,0 +1,42 @@
+
+title: Suspicious Desktopimgdownldr Target File
+ruletype: Sigma
+author: Florian Roth
+date: 2020/07/03
+description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores
+ a file to a suspicious location or contains a file with a suspicious extension
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*svchost.exe'
+ SELECTION_3:
+ TargetFilename: '*\Personalization\LockScreenImage\\*'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\\*'
+ SELECTION_5:
+ TargetFilename:
+ - '*.jpg*'
+ - '*.jpeg*'
+ - '*.png*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+ and not (SELECTION_5))
+falsepositives:
+- False positives depend on scripts and administrative tools used in the monitored
+ environment
+fields:
+- CommandLine
+- ParentCommandLine
+id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+- https://twitter.com/SBousseaden/status/1278977301745741825
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1105
diff --git a/rules/sigma/image_load/image_load_pingback_backdoor.yml b/rules/sigma/image_load/image_load_pingback_backdoor.yml
new file mode 100644
index 00000000..9bba2f6b
--- /dev/null
+++ b/rules/sigma/image_load/image_load_pingback_backdoor.yml
@@ -0,0 +1,30 @@
+
+title: Pingback Backdoor
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*msdtc.exe'
+ SELECTION_3:
+ ImageLoaded: C:\Windows\oci.dll
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
diff --git a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml
new file mode 100644
index 00000000..4e16bcd1
--- /dev/null
+++ b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml
@@ -0,0 +1,29 @@
+
+title: SILENTTRINITY Stager Execution
+ruletype: Sigma
+author: Aleksey Potapov, oscd.community
+date: 2019/10/22
+description: Detects SILENTTRINITY stager use
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: '*st2stager*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/10/04
+references:
+- https://github.com/byt3bl33d3r/SILENTTRINITY
+related:
+- id: 03552375-cc2c-4883-bbe4-7958d5a980be
+ type: derived
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
diff --git a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..cf122def
--- /dev/null
+++ b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,31 @@
+
+title: Wmiprvse Wbemcomn DLL Hijack
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\wmiprvse.exe'
+ SELECTION_3:
+ ImageLoaded: '*\wbem\wbemcomn.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7707a579-e0d8-4886-a853-ce47e4575aaa
+level: critical
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/image_load/image_load_wsman_provider_image_load.yml b/rules/sigma/image_load/image_load_wsman_provider_image_load.yml
new file mode 100644
index 00000000..75a35e6c
--- /dev/null
+++ b/rules/sigma/image_load/image_load_wsman_provider_image_load.yml
@@ -0,0 +1,57 @@
+
+title: Suspicious WSMAN Provider Image Loads
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+description: Detects signs of potential use of the WSMAN provider from uncommon processes
+ locally and remote execution.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\WsmSvc.dll'
+ - '*\WsmAuto.dll'
+ - '*\Microsoft.WSMan.Management.ni.dll'
+ SELECTION_3:
+ OriginalFileName:
+ - WsmSvc.dll
+ - WSMANAUTOMATION.DLL
+ - Microsoft.WSMan.Management.dll
+ SELECTION_4:
+ Image: '*\svchost.exe'
+ SELECTION_5:
+ OriginalFileName: WsmWmiPl.dll
+ SELECTION_6:
+ Image:
+ - '*\powershell.exe'
+ - '*C:\Windows\System32\sdiagnhost.exe'
+ SELECTION_7:
+ CommandLine:
+ - '*svchost.exe -k netsvcs -p -s BITS*'
+ - '*svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc*'
+ SELECTION_8:
+ Image: C:\Windows\Microsoft.NET\Framework64\\*
+ SELECTION_9:
+ Image: '*\mscorsvw.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5))
+ and not ((SELECTION_6) or (SELECTION_7) or (SELECTION_8 and SELECTION_9)))
+falsepositives:
+- Unknown
+id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/03
+references:
+- https://twitter.com/chadtilbury/status/1275851297770610688
+- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+- https://github.com/bohops/WSMan-WinRM
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.lateral_movement
+- attack.t1021.003
diff --git a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml
new file mode 100644
index 00000000..1f9c4029
--- /dev/null
+++ b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml
@@ -0,0 +1,34 @@
+
+title: Time Travel Debugging Utility Usage
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+ malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\tttracer.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+related:
+- id: e76c8240-d68f-4773-8880-5c6f63595aaf
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
diff --git a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml
new file mode 100644
index 00000000..0c8020bc
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml
@@ -0,0 +1,40 @@
+
+title: Abusing Azure Browser SSO
+ruletype: Sigma
+author: Den Iuzvyk
+date: 2020/07/15
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens
+ for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure
+ AD and a user logs in with their Azure AD account) wanting to perform SSO authentication
+ in the browser. An attacker can use this to authenticate to Azure AD in a browser
+ as that user.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*MicrosoftAccountTokenProvider.dll'
+ SELECTION_3:
+ Image:
+ - '*\BackgroundTaskHost.exe'
+ - '*\devenv.exe'
+ - '*\iexplore.exe'
+ - '*\MicrosoftEdge.exe'
+ - '*\Microsoft\Edge\Application\msedge.exe'
+ - '*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 50f852e6-af22-4c78-9ede-42ef36aa3453
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/08
+references:
+- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+status: test
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
new file mode 100644
index 00000000..9bf932a1
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -0,0 +1,39 @@
+
+title: Alternate PowerShell Hosts
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: System.Management.Automation
+ SELECTION_3:
+ ImageLoaded: '*System.Management.Automation*'
+ SELECTION_4:
+ Image:
+ - '*\powershell.exe'
+ - '*\mscorsvw.exe'
+ SELECTION_5:
+ Image:
+ - C:\Program Files (x86)\Microsoft Visual Studio\\*
+ - C:\Program Files\Microsoft Visual Studio\\*
+ - C:\Windows\System32\\*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4
+ or SELECTION_5))
+falsepositives:
+- Unknown
+id: fe6e002f-f244-4278-9263-20e4b593827f
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/07
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml
new file mode 100644
index 00000000..22af91c4
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml
@@ -0,0 +1,25 @@
+
+title: FoggyWeb Backdoor DLL Loading
+ruletype: Sigma
+author: Florian Roth
+date: 2021/09/27
+description: Detects DLL image load activity as used by FoggyWeb backdoor loader
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: C:\Windows\ADFS\version.dll
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
+level: critical
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1587
diff --git a/rules/sigma/image_load/sysmon_in_memory_powershell.yml b/rules/sigma/image_load/sysmon_in_memory_powershell.yml
new file mode 100644
index 00000000..3580ef3e
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_in_memory_powershell.yml
@@ -0,0 +1,60 @@
+
+title: In-memory PowerShell
+ruletype: Sigma
+author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
+date: 2019/11/14
+description: Detects loading of essential DLL used by PowerShell, but not by the process
+ powershell.exe. Detects meterpreter's "load powershell" extension.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\System.Management.Automation.Dll'
+ - '*\System.Management.Automation.ni.Dll'
+ SELECTION_3:
+ Image:
+ - '*\powershell.exe'
+ - '*\powershell_ise.exe'
+ - '*\WINDOWS\System32\sdiagnhost.exe'
+ - '*\mscorsvw.exe'
+ - '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
+ - '*\sqlps.exe'
+ - '*\wsmprovhost.exe'
+ - '*\winrshost.exe'
+ - '*\syncappvpublishingserver.exe'
+ - '*\runscripthelper.exe'
+ - '*\ServerManager.exe'
+ - '*\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
+ - '*\IDE\devenv.exe'
+ - '*\ServiceHub.VSDetouredHost.exe'
+ - '*\ServiceHub.SettingsHost.exe'
+ - '*\ServiceHub.Host.CLR.x86.exe'
+ SELECTION_4:
+ Image:
+ - C:\Program Files (x86)\Microsoft Visual Studio\\*
+ - C:\Program Files\Microsoft Visual Studio\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 or SELECTION_4))
+enrichment:
+- EN_0001_cache_sysmon_event_id_1_info
+- EN_0003_enrich_other_sysmon_events_with_event_id_1_data
+falsepositives:
+- Used by some .NET binaries, minimal on user workstation.
+- Used by Microsoft SQL Server Management Studio
+id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://adsecurity.org/?p=2921
+- https://github.com/p3nt4/PowerShdll
+related:
+- id: 867613fb-fa60-4497-a017-a82df74a172c
+ type: obsoletes
+status: experimental
+tags:
+- attack.t1086
+- attack.t1059.001
+- attack.execution
diff --git a/rules/sigma/image_load/sysmon_pcre_net_load.yml b/rules/sigma/image_load/sysmon_pcre_net_load.yml
new file mode 100644
index 00000000..58299b83
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_pcre_net_load.yml
@@ -0,0 +1,27 @@
+
+title: PCRE.NET Package Image Load
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+description: Detects processes loading modules related to PCRE.NET package
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 84b0a8f3-680b-4096-a45b-e9a89221727c
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/08/14
+references:
+- https://twitter.com/rbmaslen/status/1321859647091970051
+- https://twitter.com/tifkin_/status/1321916444557365248
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
diff --git a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000..4c3252c0
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
@@ -0,0 +1,37 @@
+
+title: WMI Script Host Process Image Loaded
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe
+ functionality being used via images being loaded by a process.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\scrcons.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\vbscript.dll'
+ - '*\wbemdisp.dll'
+ - '*\wshom.ocx'
+ - '*\scrrun.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/HunterPlaybook/status/1301207718355759107
+- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
diff --git a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml
new file mode 100644
index 00000000..298a3e94
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml
@@ -0,0 +1,34 @@
+
+title: Windows Spooler Service Suspicious Binary Load
+ruletype: Sigma
+author: FPT.EagleEye, Thomas Patzke (improvements)
+date: 2021/06/29
+description: Detect DLL Load from Spooler Service backup folder
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*spoolsv.exe'
+ SELECTION_3:
+ ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*'
+ SELECTION_4:
+ ImageLoaded: '*.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Loading of legitimate driver
+id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
+level: informational
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
+- cve.2021.1675
+- cve.2021.34527
diff --git a/rules/sigma/image_load/sysmon_susp_fax_dll.yml b/rules/sigma/image_load/sysmon_susp_fax_dll.yml
new file mode 100644
index 00000000..3d4f1404
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_fax_dll.yml
@@ -0,0 +1,38 @@
+
+title: Fax Service DLL Search Order Hijack
+ruletype: Sigma
+author: NVISO
+date: 2020/05/04
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An
+ attacker can then (side)load their own malicious DLL using this service.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*fxssvc.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*ualapi.dll'
+ SELECTION_4:
+ ImageLoaded:
+ - C:\Windows\WinSxS\\*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unlikely
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://windows-internals.com/faxing-your-way-to-system/
+status: test
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1038
+- attack.t1574.001
+- attack.t1574.002
diff --git a/rules/sigma/image_load/sysmon_susp_image_load.yml b/rules/sigma/image_load/sysmon_susp_image_load.yml
new file mode 100644
index 00000000..20117bbd
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_image_load.yml
@@ -0,0 +1,33 @@
+
+title: Possible Process Hollowing Image Loading
+ruletype: Sigma
+author: Markus Neis
+date: 2018/01/07
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.
+ through process hollowing by Mimikatz
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\notepad.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\samlib.dll'
+ - '*\WinSCard.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very likely, needs more tuning
+id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
new file mode 100644
index 00000000..d164a5c7
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -0,0 +1,34 @@
+
+title: dotNET DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects any assembly DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - C:\Windows\assembly\\*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
new file mode 100644
index 00000000..9854363c
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -0,0 +1,34 @@
+
+title: CLR DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects CLR DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\clr.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
new file mode 100644
index 00000000..fa696ee2
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -0,0 +1,34 @@
+
+title: GAC DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects any GAC DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - C:\Windows\Microsoft.NET\assembly\GAC_MSIL*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml
new file mode 100644
index 00000000..a118584d
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -0,0 +1,34 @@
+
+title: Active Directory Parsing DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DSParse DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\dsparse.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml
new file mode 100644
index 00000000..00f4e7bb
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -0,0 +1,34 @@
+
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects Kerberos DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\kerberos.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/image_load/sysmon_susp_python_image_load.yml b/rules/sigma/image_load/sysmon_susp_python_image_load.yml
new file mode 100644
index 00000000..acc9d410
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_python_image_load.yml
@@ -0,0 +1,37 @@
+
+title: Python Py2Exe Image Load
+ruletype: Sigma
+author: Patrick St. John, OTR (Open Threat Research)
+date: 2020/05/03
+description: Detects the image load of Python Core indicative of a Python script bundled
+ with Py2Exe.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: Python Core
+ SELECTION_3:
+ Image:
+ - '*Python*'
+ SELECTION_4:
+ Image:
+ - C:\Program Files\\*
+ - C:\Program Files (x86)\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Legit Py2Exe Binaries
+fields:
+- Description
+id: cbb56d62-4060-40f7-9466-d8aaf3123f83
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/05
+references:
+- https://www.py2exe.org/
+- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027.002
diff --git a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
new file mode 100644
index 00000000..44790096
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
@@ -0,0 +1,37 @@
+
+title: CLR DLL Loaded Via Scripting Applications
+ruletype: Sigma
+author: omkar72, oscd.community
+date: 2020/10/14
+description: Detects CLR DLL being loaded by an scripting applications
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\mshta.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\clr.dll'
+ - '*\mscoree.dll'
+ - '*\mscorlib.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 4508a70e-97ef-4300-b62b-ff27992990ea
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://github.com/tyranid/DotNetToJScript
+- https://thewover.github.io/Introducing-Donut/
+- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+status: test
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1055
diff --git a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml
new file mode 100644
index 00000000..8fa0bf15
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml
@@ -0,0 +1,40 @@
+
+title: Suspicious System.Drawing Load
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for processes loading System.Drawing.ni.dll. This
+ could be an indicator of potential Screen Capture.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*\System.Drawing.ni.dll'
+ SELECTION_3:
+ Image:
+ - C:\Program Files\\*
+ - C:\Program Files (x86)\\*
+ - C:\Windows\System32\\*
+ - C:\Windows\Microsoft.NET\\*
+ - C:\Windows\ImmersiveControlPanel\\*
+ SELECTION_4:
+ Image:
+ - C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe
+ - C:\Users\\*\GitHubDesktop\Update.exe
+ - C:\Windows\System32\NhNotifSys.exe
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3) or (SELECTION_4)))
+falsepositives:
+- unknown
+id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
+level: low
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/05
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/16
+- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+status: experimental
+tags:
+- attack.collection
+- attack.t1113
diff --git a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml
new file mode 100644
index 00000000..15405864
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -0,0 +1,36 @@
+
+title: VBA DLL Loaded Via Microsoft Word
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\VBE7.DLL'
+ - '*\VBEUI.DLL'
+ - '*\VBE7INTL.DLL'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml
new file mode 100644
index 00000000..2c0af7fe
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -0,0 +1,38 @@
+
+title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
+ruletype: Sigma
+author: Michael R. (@nahamike01)
+date: 2019/12/26
+description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\wmiutils.dll'
+ - '*\wbemcomn.dll'
+ - '*\wbemprox.dll'
+ - '*\wbemdisp.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Possible. Requires further testing.
+id: a457f232-7df9-491d-898f-b5aabd2cbe2f
+level: informational
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/22
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
+- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
+status: deprecated
+tags:
+- attack.execution
+- attack.t1047
diff --git a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
new file mode 100644
index 00000000..44ecf3fd
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -0,0 +1,72 @@
+
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+ruletype: Sigma
+author: Perez Diego (@darkquassar), oscd.community, Ecco
+date: 2019/10/27
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by
+ suspicious processes. Tools like ProcessHacker and some attacker tradecract use
+ MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity
+ C2 Framework has a module that leverages this API to dump the contents of Lsass.exe
+ and transfer it over the network back to the attacker's machine.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\dbghelp.dll'
+ - '*\dbgcore.dll'
+ SELECTION_3:
+ Image:
+ - '*\msbuild.exe'
+ - '*\cmd.exe'
+ - '*\svchost.exe'
+ - '*\rundll32.exe'
+ - '*\powershell.exe'
+ - '*\word.exe'
+ - '*\excel.exe'
+ - '*\powerpnt.exe'
+ - '*\outlook.exe'
+ - '*\monitoringhost.exe'
+ - '*\wmic.exe'
+ - '*\bash.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\mshta.exe'
+ - '*\regsvr32.exe'
+ - '*\schtasks.exe'
+ - '*\dnx.exe'
+ - '*\regsvcs.exe'
+ - '*\sc.exe'
+ - '*\scriptrunner.exe'
+ SELECTION_4:
+ Signed: 'FALSE'
+ SELECTION_5:
+ Image: '*Visual Studio*'
+ SELECTION_6:
+ CommandLine: '*-k LocalSystemNetworkRestricted*'
+ SELECTION_7:
+ CommandLine: C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding
+ condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4)) and not
+ (SELECTION_5 or SELECTION_6)) and not (SELECTION_7))
+falsepositives:
+- Penetration tests
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/05
+references:
+- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml
new file mode 100644
index 00000000..3ada014d
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -0,0 +1,43 @@
+
+title: Svchost DLL Search Order Hijack
+ruletype: Sigma
+author: SBousseaden
+date: 2019/10/28
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that
+ do not exist within C:\Windows\System32\ by default. An attacker can place their
+ malicious logic within the PROCESS_ATTACH block of their library and restart the
+ aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote
+ machine.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\svchost.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\tsmsisrv.dll'
+ - '*\tsvipsrv.dll'
+ - '*\wlbsctrl.dll'
+ SELECTION_4:
+ ImageLoaded:
+ - C:\Windows\WinSxS\\*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Pentest
+id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+status: test
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1038
+- attack.t1574.001
diff --git a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 00000000..94f8f5d7
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,34 @@
+
+title: Time Travel Debugging Utility Usage
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+ malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\ttdrecord.dll'
+ - '*\ttdwriter.dll'
+ - '*\ttdloader.dll'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
diff --git a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml
new file mode 100644
index 00000000..4f16760c
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml
@@ -0,0 +1,37 @@
+
+title: UAC Bypass With Fake DLL
+ruletype: Sigma
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+description: Attempts to load dismcore.dll after dropping it
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\dism.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\dismcore.dll'
+ SELECTION_4:
+ ImageLoaded:
+ - C:\Windows\System32\Dism\dismcore.dll
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Pentests
+- Actions of a legitimate telnet client
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/23
+references:
+- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+- attack.t1574.002
diff --git a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml
new file mode 100644
index 00000000..0e7b1fde
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml
@@ -0,0 +1,48 @@
+
+title: UIPromptForCredentials DLLs
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects potential use of UIPromptForCredentials functions by looking
+ for some of the DLLs needed for it.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\credui.dll'
+ - '*\wincredui.dll'
+ SELECTION_3:
+ OriginalFileName:
+ - credui.dll
+ - wincredui.dll
+ SELECTION_4:
+ Image:
+ - C:\Windows\System32\\*
+ - C:\Windows\explorer.exe*
+ - C:\Program Files\\*
+ - C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe*
+ - C:\Program Files (x86)\\*
+ - C:\Windows\ImmersiveControlPanel\SystemSettings.exe*
+ - C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe*
+ SELECTION_5:
+ Image: '*\opera_autoupdate.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4 or
+ SELECTION_5))
+falsepositives:
+- other legitimate processes loading those DLLs in your environment.
+id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/12/03
+references:
+- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
+- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+status: experimental
+tags:
+- attack.credential_access
+- attack.collection
+- attack.t1056.002
diff --git a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
new file mode 100644
index 00000000..ffae006c
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -0,0 +1,29 @@
+
+title: Unsigned Image Loaded Into LSASS Process
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Loading unsigned image (DLL, EXE) into LSASS process
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\lsass.exe'
+ SELECTION_3:
+ Signed: 'false'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Valid user connecting using RDP
+id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/image_load/sysmon_wmi_module_load.yml b/rules/sigma/image_load/sysmon_wmi_module_load.yml
new file mode 100644
index 00000000..cf9fe8a9
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_wmi_module_load.yml
@@ -0,0 +1,67 @@
+
+title: WMI Modules Loaded
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects non wmiprvse loading WMI modules
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\wmiclnt.dll'
+ - '*\WmiApRpl.dll'
+ - '*\wmiprov.dll'
+ - '*\wmiutils.dll'
+ - '*\wbemcomn.dll'
+ - '*\wbemprox.dll'
+ - '*\WMINet_Utils.dll'
+ - '*\wbemsvc.dll'
+ - '*\fastprox.dll'
+ SELECTION_3:
+ Image:
+ - '*\WmiPrvSE.exe'
+ - '*\WmiApSrv.exe'
+ - '*\svchost.exe'
+ - '*\DeviceCensus.exe'
+ - '*\CompatTelRunner.exe'
+ - '*\sdiagnhost.exe'
+ - '*\SIHClient.exe'
+ - '*\ngentask.exe'
+ - '*\windows\system32\taskhostw.exe'
+ - '*\windows\system32\MoUsoCoreWorker.exe'
+ - '*\windows\system32\wbem\WMIADAP.exe'
+ - '*C:\Windows\Sysmon64.exe'
+ - '*C:\Windows\Sysmon.exe'
+ - '*C:\Windows\System32\wbem\unsecapp.exe'
+ - '*\logman.exe'
+ - '*\systeminfo.exe'
+ - '*\nvcontainer.exe'
+ - '*C:\Windows\System32\wbem\WMIC.exe'
+ - '*\explorer.exe'
+ - '*\opera_autoupdate.exe'
+ - '*\MsMpEng.exe'
+ SELECTION_4:
+ Image:
+ - C:\Program Files\\*
+ - C:\Program Files (x86)\\*
+ condition: (SELECTION_1 and (SELECTION_2 and not (SELECTION_3)) and not (SELECTION_4))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
+level: informational
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/25
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
diff --git a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
new file mode 100644
index 00000000..28a6f9d5
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -0,0 +1,29 @@
+
+title: WMI Persistence - Command Line Event Consumer
+ruletype: Sigma
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects WMI command line event consumers
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: C:\Windows\System32\wbem\WmiPrvSE.exe
+ SELECTION_3:
+ ImageLoaded: '*\wbemcons.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: test
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
diff --git a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
new file mode 100644
index 00000000..7d8ef803
--- /dev/null
+++ b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
@@ -0,0 +1,34 @@
+
+title: WMIC Loading Scripting Libraries
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/17
+description: Detects threat actors proxy executing code and bypassing application
+ controls by leveraging wmic and the `/FORMAT` argument switch to download and execute
+ an XSL file (i.e js, vbs, etc).
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\wmic.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\jscript.dll'
+ - '*\vbscript.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Apparently, wmic os get lastboottuptime loads vbscript.dll
+id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/27
+references:
+- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+- https://twitter.com/dez_/status/986614411711442944
+- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1220
diff --git a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml
new file mode 100644
index 00000000..e1887e4b
--- /dev/null
+++ b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml
@@ -0,0 +1,29 @@
+
+title: APT PRIVATELOG Image Load Pattern
+ruletype: Sigma
+author: Florian Roth
+date: 2021/09/07
+description: Detects an image load pattern as seen when a tool named PRIVATELOG is
+ used and rarely observed under legitimate circumstances
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\svchost.exe'
+ SELECTION_3:
+ ImageLoaded: '*\clfsw32.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Rarely observed
+id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
diff --git a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml
new file mode 100644
index 00000000..b39b51ac
--- /dev/null
+++ b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml
@@ -0,0 +1,43 @@
+
+title: Image Load of VSS_PS.dll by Uncommon Executable
+ruletype: Sigma
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName
+ datapoint
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\vss_ps.dll'
+ SELECTION_3:
+ Image:
+ - '*\svchost.exe'
+ - '*\msiexec.exe'
+ - '*\vssvc.exe'
+ - '*\srtasks.exe'
+ - '*\tiworker.exe'
+ - '*\dllhost.exe'
+ - '*\searchindexer.exe'
+ - '*dismhost.exe'
+ - '*taskhostw.exe'
+ - '*\clussvc.exe'
+ SELECTION_4:
+ Image: '*c:\windows\\*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 and SELECTION_4))
+falsepositives:
+- unknown
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- 1bd85e1caa1415ebdc8852c91e37bbb7
+- https://twitter.com/am0nsec/status/1412232114980982787
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.impact
+- attack.t1490
diff --git a/rules/sigma/malware/av_exploiting.yml b/rules/sigma/malware/av_exploiting.yml
new file mode 100644
index 00000000..001c5af6
--- /dev/null
+++ b/rules/sigma/malware/av_exploiting.yml
@@ -0,0 +1,42 @@
+
+title: Antivirus Exploitation Framework Detection
+ruletype: Sigma
+author: Florian Roth
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports an exploitation
+ framework
+detection:
+ SELECTION_1:
+ Signature:
+ - '*MeteTool*'
+ - '*MPreter*'
+ - '*Meterpreter*'
+ - '*Metasploit*'
+ - '*PowerSploit*'
+ - '*CobaltSrike*'
+ - '*Swrort*'
+ - '*Rozena*'
+ - '*Backdoor.Cobalt*'
+ - '*CobaltStr*'
+ - '*COBEACON*'
+ - '*Cometer*'
+ - '*Razy*'
+ condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
+level: critical
+logsource:
+ product: antivirus
+modified: 2021/11/27
+references:
+- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+status: test
+tags:
+- attack.execution
+- attack.t1203
+- attack.command_and_control
+- attack.t1219
diff --git a/rules/sigma/malware/av_hacktool.yml b/rules/sigma/malware/av_hacktool.yml
new file mode 100644
index 00000000..c577031d
--- /dev/null
+++ b/rules/sigma/malware/av_hacktool.yml
@@ -0,0 +1,33 @@
+
+title: Antivirus Hacktool Detection
+ruletype: Sigma
+author: Florian Roth
+date: 2021/08/16
+description: Detects a highly relevant Antivirus alert that reports a hack tool or
+ other attack tool
+detection:
+ SELECTION_1:
+ Signature:
+ - HTOOL*
+ - HKTL*
+ - SecurityTool*
+ - ATK/*
+ SELECTION_2:
+ Signature:
+ - '*Hacktool*'
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
+level: high
+logsource:
+ product: antivirus
+references:
+- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
diff --git a/rules/sigma/malware/av_password_dumper.yml b/rules/sigma/malware/av_password_dumper.yml
new file mode 100644
index 00000000..8c2af18e
--- /dev/null
+++ b/rules/sigma/malware/av_password_dumper.yml
@@ -0,0 +1,42 @@
+
+title: Antivirus Password Dumper Detection
+ruletype: Sigma
+author: Florian Roth
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports a password dumper
+detection:
+ SELECTION_1:
+ Signature:
+ - '*DumpCreds*'
+ - '*Mimikatz*'
+ - '*PWCrack*'
+ - '*HTool/WCE*'
+ - '*PSWtool*'
+ - '*PWDump*'
+ - '*SecurityTool*'
+ - '*PShlSpy*'
+ - '*Rubeus*'
+ - '*Kekeo*'
+ - '*LsassDump*'
+ - '*Outflank*'
+ condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
+level: critical
+logsource:
+ product: antivirus
+modified: 2021/11/27
+references:
+- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1558
+- attack.t1003.001
+- attack.t1003.002
diff --git a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml
new file mode 100644
index 00000000..f08f4f69
--- /dev/null
+++ b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml
@@ -0,0 +1,31 @@
+
+title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
+ruletype: Sigma
+author: Sittikorn S, Nuttakorn T
+date: 2021/07/01
+description: Detects the suspicious file that is created from PoC code against Windows
+ Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
+ CVE-2021-1675 .
+detection:
+ SELECTION_1:
+ Filename: '*C:\Windows\System32\spool\drivers\x64\\*'
+ condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- Signature
+- Filename
+- ComputerName
+id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
+level: critical
+logsource:
+ product: antivirus
+modified: 2021/11/23
+references:
+- https://twitter.com/mvelazco/status/1410291741241102338
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1055
diff --git a/rules/sigma/malware/av_relevant_files.yml b/rules/sigma/malware/av_relevant_files.yml
new file mode 100644
index 00000000..e926aa22
--- /dev/null
+++ b/rules/sigma/malware/av_relevant_files.yml
@@ -0,0 +1,82 @@
+
+title: Antivirus Relevant File Paths Alerts
+ruletype: Sigma
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+description: Detects an Antivirus alert in a highly relevant file path or with a relevant
+ file name
+detection:
+ SELECTION_1:
+ Filename:
+ - C:\Windows\\*
+ - C:\Temp\\*
+ - C:\PerfLogs\\*
+ - C:\Users\Public\\*
+ - C:\Users\Default\\*
+ SELECTION_2:
+ Filename:
+ - '*\Client\\*'
+ - '*\tsclient\\*'
+ - '*\inetpub\\*'
+ - '*/www/*'
+ - '*apache*'
+ - '*tomcat*'
+ - '*nginx*'
+ - '*weblogic*'
+ SELECTION_3:
+ Filename:
+ - '*.ps1'
+ - '*.psm1'
+ - '*.vbs'
+ - '*.bat'
+ - '*.cmd'
+ - '*.sh'
+ - '*.chm'
+ - '*.xml'
+ - '*.txt'
+ - '*.jsp'
+ - '*.jspx'
+ - '*.asp'
+ - '*.aspx'
+ - '*.ashx'
+ - '*.asax'
+ - '*.asmx'
+ - '*.php'
+ - '*.cfm'
+ - '*.py'
+ - '*.pyc'
+ - '*.pl'
+ - '*.rb'
+ - '*.cgi'
+ - '*.war'
+ - '*.ear'
+ - '*.hta'
+ - '*.lnk'
+ - '*.scf'
+ - '*.sct'
+ - '*.vbe'
+ - '*.wsf'
+ - '*.wsh'
+ - '*.gif'
+ - '*.png'
+ - '*.jpg'
+ - '*.jpeg'
+ - '*.svg'
+ - '*.dat'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- Unlikely
+fields:
+- Signature
+- User
+id: c9a88268-0047-4824-ba6e-4d81ce0b907c
+level: high
+logsource:
+ product: antivirus
+modified: 2021/11/23
+references:
+- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588
diff --git a/rules/sigma/malware/av_webshell.yml b/rules/sigma/malware/av_webshell.yml
new file mode 100644
index 00000000..816ae0e1
--- /dev/null
+++ b/rules/sigma/malware/av_webshell.yml
@@ -0,0 +1,80 @@
+
+title: Antivirus Web Shell Detection
+ruletype: Sigma
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports a web shell. It's
+ highly recommended to tune this rule to the specific strings used by your anti virus
+ solution by downloading a big webshell repo from e.g. github and checking the matches.
+detection:
+ SELECTION_1:
+ Signature:
+ - PHP/*
+ - JSP/*
+ - ASP/*
+ - Perl/*
+ - PHP.*
+ - JSP.*
+ - ASP.*
+ - Perl.*
+ - VBS/Uxor*
+ - IIS/BackDoor*
+ - JAVA/Backdoor*
+ - Troj/ASP*
+ - Troj/PHP*
+ - Troj/JSP*
+ SELECTION_2:
+ Signature:
+ - '*Webshell*'
+ - '*Chopper*'
+ - '*SinoChoper*'
+ - '*ASPXSpy*'
+ - '*Aspdoor*'
+ - '*filebrowser*'
+ - '*PHP_*'
+ - '*JSP_*'
+ - '*ASP_*'
+ - '*PHP:*'
+ - '*JSP:*'
+ - '*ASP:*'
+ - '*Perl:*'
+ - '*PHPShell*'
+ - '*Trojan.PHP*'
+ - '*Trojan.ASP*'
+ - '*Trojan.JSP*'
+ - '*Trojan.VBS*'
+ - '*PHP?Agent*'
+ - '*ASP?Agent*'
+ - '*JSP?Agent*'
+ - '*VBS?Agent*'
+ - '*Backdoor?PHP*'
+ - '*Backdoor?JSP*'
+ - '*Backdoor?ASP*'
+ - '*Backdoor?VBS*'
+ - '*Backdoor?Java*'
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: fdf135a2-9241-4f96-a114-bb404948f736
+level: critical
+logsource:
+ product: antivirus
+modified: 2021/05/08
+references:
+- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+- https://github.com/tennc/webshell
+- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
+- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
+- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
+- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
+- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
+- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
+- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
+status: experimental
+tags:
+- attack.persistence
+- attack.t1100
+- attack.t1505.003
diff --git a/rules/sigma/malware/file_event_mal_octopus_scanner.yml b/rules/sigma/malware/file_event_mal_octopus_scanner.yml
new file mode 100644
index 00000000..149d5e6e
--- /dev/null
+++ b/rules/sigma/malware/file_event_mal_octopus_scanner.yml
@@ -0,0 +1,28 @@
+
+title: Octopus Scanner Malware
+ruletype: Sigma
+author: NVISO
+date: 2020/06/09
+description: Detects Octopus Scanner Malware.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\AppData\Local\Microsoft\Cache134.dat'
+ - '*\AppData\Local\Microsoft\ExplorerSync.db'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+status: test
+tags:
+- attack.t1195
+- attack.t1195.001
diff --git a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..9dca8abf
--- /dev/null
+++ b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml
@@ -0,0 +1,39 @@
+
+title: Blue Mockingbird
+ruletype: Sigma
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\cmd.exe'
+ SELECTION_3:
+ CommandLine: '*sc config*'
+ SELECTION_4:
+ CommandLine: '*wercplsupporte.dll*'
+ SELECTION_5:
+ Image: '*\wmic.exe'
+ SELECTION_6:
+ CommandLine: '*COR_PROFILER'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- unknown
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: ce239692-aa94-41b3-b32f-9cab259c96ea
+ type: merged
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047
diff --git a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml
new file mode 100644
index 00000000..87b4adda
--- /dev/null
+++ b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml
@@ -0,0 +1,36 @@
+
+title: DarkSide Ransomware Pattern
+ruletype: Sigma
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - "*=[char][byte]('0x'+*"
+ - '* -work worker0 -path *'
+ SELECTION_3:
+ ParentCommandLine:
+ - '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
+ SELECTION_4:
+ Image:
+ - '*\AppData\Local\Temp\\*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- Unknown
+- UAC bypass method used by other malware
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
diff --git a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml
new file mode 100644
index 00000000..e47205be
--- /dev/null
+++ b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml
@@ -0,0 +1,28 @@
+
+title: LockerGoga Ransomware
+ruletype: Sigma
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-i SM-tgytutrc -s*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 74db3488-fd28-480a-95aa-b7af626de068
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+status: test
+tags:
+- attack.impact
+- attack.t1486
diff --git a/rules/sigma/malware/process_creation_mal_ryuk.yml b/rules/sigma/malware/process_creation_mal_ryuk.yml
new file mode 100644
index 00000000..b87be930
--- /dev/null
+++ b/rules/sigma/malware/process_creation_mal_ryuk.yml
@@ -0,0 +1,35 @@
+
+title: Ryuk Ransomware
+ruletype: Sigma
+author: Vasiliy Burov
+date: 2019/08/06
+description: Detects Ryuk Ransomware command lines
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\net.exe'
+ - '*\net1.exe'
+ SELECTION_3:
+ CommandLine: '*stop*'
+ SELECTION_4:
+ CommandLine:
+ - '*samss*'
+ - '*audioendpointbuilder*'
+ - '*unistoresvc_?????*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: 0acaad27-9f02-4136-a243-c357202edd74
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/11/27
+references:
+- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
+status: test
+tags:
+- attack.execution
+- attack.t1204
diff --git a/rules/sigma/malware/registry_event_mal_azorult.yml b/rules/sigma/malware/registry_event_mal_azorult.yml
new file mode 100644
index 00000000..046003b1
--- /dev/null
+++ b/rules/sigma/malware/registry_event_mal_azorult.yml
@@ -0,0 +1,41 @@
+
+title: Registry Entries For Azorult Malware
+ruletype: Sigma
+author: Trent Liffick
+date: 2020/05/08
+description: Detects the presence of a registry key created during Azorult execution
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventID: 12
+ SELECTION_5:
+ EventID: 13
+ SELECTION_6:
+ TargetObject: '*SYSTEM\\*'
+ SELECTION_7:
+ TargetObject: '*\services\localNETService'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- unknown
+fields:
+- Image
+- TargetObject
+- TargetDetails
+id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+status: test
+tags:
+- attack.execution
+- attack.t1112
diff --git a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..d886e1c2
--- /dev/null
+++ b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml
@@ -0,0 +1,34 @@
+
+title: Blue Mockingbird
+ruletype: Sigma
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+id: 92b0b372-a939-44ed-a11b-5136cf680e27
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: c3198a27-23a0-4c2c-af19-e5328d49680e
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047
diff --git a/rules/sigma/malware/registry_event_mal_flowcloud.yml b/rules/sigma/malware/registry_event_mal_flowcloud.yml
new file mode 100644
index 00000000..4c22c718
--- /dev/null
+++ b/rules/sigma/malware/registry_event_mal_flowcloud.yml
@@ -0,0 +1,36 @@
+
+title: FlowCloud Malware
+ruletype: Sigma
+author: NVISO
+date: 2020/06/09
+description: Detects FlowCloud malware from threat group TA410.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject:
+ - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
+ - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
+ - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
+ SELECTION_5:
+ TargetObject:
+ - HKLM\SYSTEM\Setup\PrintResponsor\\*
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/07/22
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+status: experimental
+tags:
+- attack.persistence
+- attack.t1112
diff --git a/rules/sigma/malware/registry_event_mal_netwire.yml b/rules/sigma/malware/registry_event_mal_netwire.yml
new file mode 100644
index 00000000..a5c56e82
--- /dev/null
+++ b/rules/sigma/malware/registry_event_mal_netwire.yml
@@ -0,0 +1,38 @@
+
+title: NetWire RAT Registry Key
+ruletype: Sigma
+Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity
+ "Because Sysmon runs as a service, it has no filtering ability for, or concept of,
+ HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation"
+ Therefore I set netwire in my
+ configuration.
+author: Christopher Peacock
+date: 2021/10/07
+description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\software\NetWire*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- No known false positives
+id: 1d218616-71b0-4c40-855b-9dbe75510f7f
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
+- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
+- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
+- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
+- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
diff --git a/rules/sigma/malware/registry_event_mal_ursnif.yml b/rules/sigma/malware/registry_event_mal_ursnif.yml
new file mode 100644
index 00000000..e6107092
--- /dev/null
+++ b/rules/sigma/malware/registry_event_mal_ursnif.yml
@@ -0,0 +1,38 @@
+
+title: Ursnif
+ruletype: Sigma
+author: megan201296
+date: 2019/02/13
+description: Detects new registry key created by Ursnif malware.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
+ SELECTION_5:
+ TargetObject:
+ - '*\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\\*'
+ - '*\SOFTWARE\AppDataLow\Software\Microsoft\RepService\\*'
+ - '*\SOFTWARE\AppDataLow\Software\Microsoft\IME\\*'
+ - '*\SOFTWARE\AppDataLow\Software\Microsoft\Edge\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: 21f17060-b282-4249-ade0-589ea3591558
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/11/15
+references:
+- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
+- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
diff --git a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml
new file mode 100644
index 00000000..19216504
--- /dev/null
+++ b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -0,0 +1,32 @@
+
+title: Silenttrinity Stager Msbuild Activity
+ruletype: Sigma
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+description: Detects a possible remote connections to Silenttrinity c2
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\msbuild.exe'
+ SELECTION_3:
+ DestinationPort:
+ - '80'
+ - '443'
+ SELECTION_4:
+ Initiated: 'true'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+status: test
+tags:
+- attack.execution
+- attack.t1127.001
diff --git a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml
new file mode 100644
index 00000000..224f7e20
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml
@@ -0,0 +1,56 @@
+
+title: Dllhost Internet Connection
+ruletype: Sigma
+author: bartblaze
+date: 2020/07/13
+description: Detects Dllhost that communicates with public IP addresses
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\dllhost.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ SELECTION_5:
+ DestinationIp:
+ - 0:0:0:0:0:0:0:1
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4)
+ or (SELECTION_5)))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+ spaces
+id: cfed2f44-16df-4bf3-833a-79405198b277
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/12/07
+references:
+- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1218
+- attack.execution
+- attack.t1559.001
+- attack.t1175
diff --git a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml
new file mode 100644
index 00000000..03ee6414
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml
@@ -0,0 +1,61 @@
+
+title: Excel Network Connections
+ruletype: Sigma
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0"
+date: 2021/11/10
+description: Detects an Excel process that opens suspicious network connections to
+ non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely
+ have to tune this rule for your organization, but it is certainly something you
+ should look for and could have applications for malicious activity beyond CVE-2021-42292.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\excel.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIsIpv6: 'false'
+ SELECTION_5:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.0.0.1*
+ SELECTION_6:
+ DestinationIsIpv6: 'false'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- You may have to tune certain domains out that Excel may call out to, such as microsoft
+ or other business use case domains.
+- Office documents commonly have templates that refer to external addresses, like
+ sharepoint.ourcompany.com may have to be tuned.
+- It is highly recomended to baseline your activity and tune out common business use
+ cases.
+id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://corelight.com/blog/detecting-cve-2021-42292
+status: experimental
+tags:
+- attack.execution
+- attack.t1203
diff --git a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml
new file mode 100644
index 00000000..01557365
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml
@@ -0,0 +1,109 @@
+
+title: Suspicious Typical Malware Back Connect Ports
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs that connect to typical malware back connect ports based
+ on statistical analysis from two different sandbox system databases
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationPort:
+ - '4443'
+ - '2448'
+ - '8143'
+ - '1777'
+ - '1443'
+ - '243'
+ - '65535'
+ - '13506'
+ - '3360'
+ - '200'
+ - '198'
+ - '49180'
+ - '13507'
+ - '6625'
+ - '4444'
+ - '4438'
+ - '1904'
+ - '13505'
+ - '13504'
+ - '12102'
+ - '9631'
+ - '5445'
+ - '2443'
+ - '777'
+ - '13394'
+ - '13145'
+ - '12103'
+ - '5552'
+ - '3939'
+ - '3675'
+ - '666'
+ - '473'
+ - '5649'
+ - '4455'
+ - '4433'
+ - '1817'
+ - '100'
+ - '65520'
+ - '1960'
+ - '1515'
+ - '743'
+ - '700'
+ - '14154'
+ - '14103'
+ - '14102'
+ - '12322'
+ - '10101'
+ - '7210'
+ - '4040'
+ - '9943'
+ SELECTION_4:
+ Image: '*\Program Files*'
+ SELECTION_5:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ SELECTION_6:
+ DestinationIsIpv6: 'false'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+ or (SELECTION_5 and SELECTION_6))))
+falsepositives:
+- unknown
+id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
+level: medium
+logsource:
+ category: network_connection
+ definition: 'Use the following config to generate the necessary Event ID 10 Process
+ Access events: VBE7.DLLUNKNOWN'
+ product: windows
+modified: 2021/11/27
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: test
+tags:
+- attack.command_and_control
+- attack.t1571
+- attack.t1043
diff --git a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml
new file mode 100644
index 00000000..aa2d7042
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml
@@ -0,0 +1,31 @@
+
+title: Notepad Making Network Connection
+ruletype: Sigma
+author: EagleEye Team
+date: 2020/05/14
+description: Detects suspicious network connection by Notepad
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\notepad.exe'
+ SELECTION_3:
+ DestinationPort: '9100'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- None observed so far
+id: e81528db-fc02-45e8-8e98-4e84aba1f10b
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+status: test
+tags:
+- attack.command_and_control
+- attack.execution
+- attack.defense_evasion
+- attack.t1055
diff --git a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml
new file mode 100644
index 00000000..26259ef4
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml
@@ -0,0 +1,61 @@
+
+title: PowerShell Network Connections
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/13
+description: Detects a Powershell process that opens network connections - check for
+ suspicious target ports and target systems - adjust to your environment (e.g. extend
+ filters with company's ip range')
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIsIpv6: 'false'
+ SELECTION_5:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.0.0.1*
+ SELECTION_6:
+ User: NT AUTHORITY\SYSTEM
+ SELECTION_7:
+ User: '*AUT*'
+ SELECTION_8:
+ User: '* NT*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8))
+falsepositives:
+- Administrative scripts
+id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
+level: low
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/12/01
+references:
+- https://www.youtube.com/watch?v=DLtJTxMWZ2o
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml
new file mode 100644
index 00000000..61b781a9
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -0,0 +1,42 @@
+
+title: RDP Over Reverse SSH Tunnel
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/02/16
+description: Detects svchost hosting RDP termsvcs communicating with the loopback
+ address and on TCP port 3389
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\svchost.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ SourcePort: 3389
+ SELECTION_5:
+ DestinationIp:
+ - 127.*
+ SELECTION_6:
+ DestinationIp:
+ - ::1
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- unknown
+id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/05/11
+references:
+- https://twitter.com/SBousseaden/status/1096148422984384514
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1572
+- attack.lateral_movement
+- attack.t1021.001
+- attack.t1076
+- car.2013-07-002
diff --git a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml
new file mode 100644
index 00000000..d922d938
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml
@@ -0,0 +1,38 @@
+
+title: Regsvr32 Network Activity
+ruletype: Sigma
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\regsvr32.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: c7e91a02-d771-4a6d-a700-42587e0b1095
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
diff --git a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml
new file mode 100644
index 00000000..65e664f9
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml
@@ -0,0 +1,35 @@
+
+title: Remote PowerShell Session
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects remote PowerShell connections by monitoring network outbound
+ connections to ports 5985 or 5986 from a non-network service account.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 5985
+ SELECTION_3:
+ DestinationPort: 5986
+ SELECTION_4:
+ User: NT AUTHORITY\NETWORK SERVICE
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+id: c539afac-c12a-46ed-b1bd-5a5567c9f045
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
diff --git a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml
new file mode 100644
index 00000000..13a47533
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml
@@ -0,0 +1,52 @@
+
+title: Rundll32 Internet Connection
+ruletype: Sigma
+author: Florian Roth
+date: 2017/11/04
+description: Detects a rundll32 that communicates with public IP addresses
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\rundll32.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+ spaces
+id: cdc8da7d-c303-42f8-b08c-b4ab47230263
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
+- attack.execution
diff --git a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml
new file mode 100644
index 00000000..13e687d2
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -0,0 +1,44 @@
+
+title: Suspicious Program Location with Network Connections
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs with network connections running in suspicious files
+ system locations
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image:
+ - '*\Users\All Users\\*'
+ - '*\Users\Default\\*'
+ - '*\Users\Public\\*'
+ - '*\Users\Contacts\\*'
+ - '*\Users\Searches\\*'
+ - '*\config\systemprofile\\*'
+ - '*\Windows\Fonts\\*'
+ - '*\Windows\IME\\*'
+ - '*\Windows\addins\\*'
+ SELECTION_3:
+ Image:
+ - '*\$Recycle.bin'
+ SELECTION_4:
+ Image:
+ - C:\Perflogs\\*
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
+level: high
+logsource:
+ category: network_connection
+ definition: Use the following config to generate the necessary Event ID 3 Network
+ Connection events
+ product: windows
+modified: 2021/11/27
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: test
+tags:
+- attack.command_and_control
+- attack.t1105
diff --git a/rules/sigma/network_connection/sysmon_susp_rdp.yml b/rules/sigma/network_connection/sysmon_susp_rdp.yml
new file mode 100644
index 00000000..54737167
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_susp_rdp.yml
@@ -0,0 +1,54 @@
+
+title: Suspicious Outbound RDP Connections
+ruletype: Sigma
+author: Markus Neis - Swisscom
+date: 2019/05/15
+description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
+ lateral movement
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 3389
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ Image:
+ - '*\mstsc.exe'
+ - '*\RTSApp.exe'
+ - '*\RTS2App.exe'
+ - '*\RDCMan.exe'
+ - '*\ws_TunnelService.exe'
+ - '*\RSSensor.exe'
+ - '*\RemoteDesktopManagerFree.exe'
+ - '*\RemoteDesktopManager.exe'
+ - '*\RemoteDesktopManager64.exe'
+ - '*\mRemoteNG.exe'
+ - '*\mRemote.exe'
+ - '*\Terminals.exe'
+ - '*\spiceworks-finder.exe'
+ - '*\FSDiscovery.exe'
+ - '*\FSAssessment.exe'
+ - '*\MobaRTE.exe'
+ - '*\chrome.exe'
+ - '*\System32\dns.exe'
+ - '*\thor.exe'
+ - '*\thor64.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other Remote Desktop RDP tools
+- domain controller using dns.exe
+id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.001
+- attack.t1076
+- car.2013-07-002
diff --git a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 00000000..b4e2697c
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,40 @@
+
+title: Suspicious Outbound Kerberos Connection
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+description: Detects suspicious outbound network activity via kerberos default port
+ indicating possible lateral movement or first stage PrivEsc via delegation.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 88
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ Image:
+ - '*\lsass.exe'
+ - '*\opera.exe'
+ - '*\chrome.exe'
+ - '*\firefox.exe'
+ - '*\tomcat\bin\tomcat8.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other browsers
+id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/12/02
+references:
+- https://github.com/GhostPack/Rubeus
+status: test
+tags:
+- attack.credential_access
+- attack.t1558
+- attack.t1208
+- attack.lateral_movement
+- attack.t1550.003
+- attack.t1097
diff --git a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml
new file mode 100644
index 00000000..d7289961
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml
@@ -0,0 +1,38 @@
+
+title: Microsoft Binary Github Communication
+ruletype: Sigma
+author: Michael Haag (idea), Florian Roth (rule)
+date: 2017/08/24
+description: Detects an executable in the Windows folder accessing github.com
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationHostname:
+ - '*.github.com'
+ - '*.githubusercontent.com'
+ SELECTION_4:
+ Image: C:\Windows\\*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+- '@subTee in your network'
+id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1105
+- attack.exfiltration
+- attack.t1567.001
+- attack.t1048
diff --git a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml
new file mode 100644
index 00000000..03e0c5df
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml
@@ -0,0 +1,34 @@
+
+title: Microsoft Binary Suspicious Communication Endpoint
+ruletype: Sigma
+author: Florian Roth
+date: 2018/08/30
+description: Detects an executable in the Windows folder accessing suspicious domains
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationHostname:
+ - '*dl.dropboxusercontent.com'
+ - '*.pastebin.com'
+ - '*.githubusercontent.com'
+ SELECTION_4:
+ Image: C:\Windows\\*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1105
diff --git a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml
new file mode 100644
index 00000000..8b08f247
--- /dev/null
+++ b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml
@@ -0,0 +1,29 @@
+
+title: Wuauclt Network Connection
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
+ proxy execute code and making a network connections. One could easily make the DLL
+ spawn a new process and inject to it to proxy the network connection and bypass
+ this rule.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*wuauclt*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of wuauclt.exe over the network.
+id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/11/27
+references:
+- https://dtm.uk/wuauclt/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1218
diff --git a/rules/sigma/network_connection/win_net_crypto_mining.yml b/rules/sigma/network_connection/win_net_crypto_mining.yml
new file mode 100644
index 00000000..12862266
--- /dev/null
+++ b/rules/sigma/network_connection/win_net_crypto_mining.yml
@@ -0,0 +1,47 @@
+
+title: Windows Crypto Mining Pool Connections
+ruletype: Sigma
+author: Florian Roth
+date: 2021/10/26
+description: Detects process connections to a Monero crypto mining pool
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationHostname:
+ - pool.minexmr.com
+ - fr.minexmr.com
+ - de.minexmr.com
+ - sg.minexmr.com
+ - ca.minexmr.com
+ - us-west.minexmr.com
+ - pool.supportxmr.com
+ - mine.c3pool.com
+ - xmr-eu1.nanopool.org
+ - xmr-eu2.nanopool.org
+ - xmr-us-east1.nanopool.org
+ - xmr-us-west1.nanopool.org
+ - xmr-asia1.nanopool.org
+ - xmr-jp1.nanopool.org
+ - xmr-au1.nanopool.org
+ - xmr.2miners.com
+ - xmr.hashcity.org
+ - xmr.f2pool.com
+ - xmrpool.eu
+ - pool.hashvault.pro
+ - moneroocean.stream
+ - monerocean.stream
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of crypto miners
+id: fa5b1358-b040-4403-9868-15f7d9ab6329
+level: high
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://www.poolwatch.io/coin/monero
+status: stable
+tags:
+- attack.impact
+- attack.t1496
diff --git a/rules/sigma/network_connection/win_net_mega_nz.yml b/rules/sigma/network_connection/win_net_mega_nz.yml
new file mode 100644
index 00000000..0415712d
--- /dev/null
+++ b/rules/sigma/network_connection/win_net_mega_nz.yml
@@ -0,0 +1,29 @@
+
+title: Communication To Mega.nz
+ruletype: Sigma
+author: Florian Roth
+date: 2021/12/06
+description: Detects an executable accessing mega.co.nz, which could be a sign of
+ forbidden file sharing use of data exfiltration by malicious actors
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationHostname: '*api.mega.co.nz'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of mega.nz uploaders and tools
+id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
+level: high
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://megatools.megous.com/
+- https://www.mandiant.com/resources/russian-targeting-gov-business
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.001
diff --git a/rules/sigma/other/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/sigma/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
new file mode 100644
index 00000000..00948225
--- /dev/null
+++ b/rules/sigma/other/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -0,0 +1,48 @@
+
+title: File Was Not Allowed To Run
+ruletype: Sigma
+author: Pushkarev Dmitry
+date: 2020/06/28
+description: Detect run not allowed files. Applocker is a very useful tool, especially
+ on servers where unprivileged users have access. For example terminal servers. You
+ need configure applocker and log collect to receive these events.
+detection:
+ SELECTION_1:
+ EventID: 8004
+ SELECTION_2:
+ EventID: 8007
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- need tuning applocker or add exceptions in SIEM
+fields:
+- PolicyName
+- RuleId
+- RuleName
+- TargetUser
+- TargetProcessId
+- FilePath
+- FileHash
+- Fqbn
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+level: medium
+logsource:
+ product: windows
+ service: applocker
+modified: 2021/11/27
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+status: test
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1064
+- attack.t1204
+- attack.t1035
+- attack.t1204.002
+- attack.t1059.001
+- attack.t1059.003
+- attack.t1059.005
+- attack.t1059.006
+- attack.t1059.007
diff --git a/rules/sigma/other/dns_server/win_apt_gallium.yml b/rules/sigma/other/dns_server/win_apt_gallium.yml
new file mode 100644
index 00000000..2bd5241f
--- /dev/null
+++ b/rules/sigma/other/dns_server/win_apt_gallium.yml
@@ -0,0 +1,39 @@
+
+title: GALLIUM Artefacts
+ruletype: Sigma
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 257
+ SELECTION_2:
+ QNAME:
+ - asyspy256.ddns.net
+ - hotkillmail9sddcc.ddns.net
+ - rosaf112.ddns.net
+ - cvdfhjh1231.myftp.biz
+ - sz2016rose.ddns.net
+ - dffwescwer4325.myftp.biz
+ - cvdfhjh1231.ddns.net
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3db10f25-2527-4b79-8d4b-471eb900ee29
+level: high
+logsource:
+ product: windows
+ service: dns-server
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+related:
+- id: 440a56bf-7873-4439-940a-1c8a671073c2
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
+- attack.t1071
diff --git a/rules/sigma/other/dns_server/win_susp_dns_config.yml b/rules/sigma/other/dns_server/win_susp_dns_config.yml
new file mode 100644
index 00000000..0c69978b
--- /dev/null
+++ b/rules/sigma/other/dns_server/win_susp_dns_config.yml
@@ -0,0 +1,30 @@
+
+title: DNS Server Error Failed Loading the ServerLevelPluginDLL
+ruletype: Sigma
+author: Florian Roth
+date: 2017/05/08
+description: This rule detects a DNS server error in which a specified plugin DLL
+ (in registry) could not be loaded
+detection:
+ SELECTION_1:
+ EventID: 150
+ SELECTION_2:
+ EventID: 770
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unknown
+id: cbe51394-cd93-4473-b555-edf0144952d9
+level: critical
+logsource:
+ product: windows
+ service: dns-server
+modified: 2021/11/27
+references:
+- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
+- https://twitter.com/gentilkiwi/status/861641945944391680
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/other/driverframeworks/win_usb_device_plugged.yml b/rules/sigma/other/driverframeworks/win_usb_device_plugged.yml
new file mode 100644
index 00000000..6d206473
--- /dev/null
+++ b/rules/sigma/other/driverframeworks/win_usb_device_plugged.yml
@@ -0,0 +1,30 @@
+
+title: USB Device Plugged
+ruletype: Sigma
+author: Florian Roth
+date: 2017/11/09
+description: Detects plugged USB devices
+detection:
+ SELECTION_1:
+ EventID: 2003
+ SELECTION_2:
+ EventID: 2100
+ SELECTION_3:
+ EventID: 2102
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- Legitimate administrative activity
+id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
+level: low
+logsource:
+ definition: mapping Provider_Name 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ product: windows
+ service: driver-framework
+modified: 2021/11/30
+references:
+- https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
+- https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
+status: test
+tags:
+- attack.initial_access
+- attack.t1200
diff --git a/rules/sigma/other/ldap/win_ldap_recon.yml b/rules/sigma/other/ldap/win_ldap_recon.yml
new file mode 100644
index 00000000..1ae92ed1
--- /dev/null
+++ b/rules/sigma/other/ldap/win_ldap_recon.yml
@@ -0,0 +1,82 @@
+
+title: LDAP Reconnaissance / Active Directory Enumeration
+ruletype: Sigma
+author: Adeem Mawani
+date: 2021/06/22
+description: Detects possible Active Directory enumeration via LDAP
+detection:
+ SELECTION_1:
+ EventID: 30
+ SELECTION_2:
+ SearchFilter:
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483648)*'
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483656)*'
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483652)*'
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483650)*'
+ - '*(sAMAccountType=805306369)*'
+ - '*(sAMAccountType=805306368)*'
+ - '*(sAMAccountType=536870913)*'
+ - '*(sAMAccountType=536870912)*'
+ - '*(sAMAccountType=268435457)*'
+ - '*(sAMAccountType=268435456)*'
+ - '*(objectCategory=groupPolicyContainer)*'
+ - '*(objectCategory=organizationalUnit)*'
+ - '*(objectCategory=Computer)*'
+ - '*(objectCategory=nTDSDSA)*'
+ - '*(objectCategory=server)*'
+ - '*(objectCategory=domain)*'
+ - '*(objectCategory=person)*'
+ - '*(objectCategory=group)*'
+ - '*(objectCategory=user)*'
+ - '*(objectClass=trustedDomain)*'
+ - '*(objectClass=computer)*'
+ - '*(objectClass=server)*'
+ - '*(objectClass=group)*'
+ - '*(objectClass=user)*'
+ - '*(primaryGroupID=521)*'
+ - '*(primaryGroupID=516)*'
+ - '*(primaryGroupID=515)*'
+ - '*(primaryGroupID=512)*'
+ - '*Domain Admins*'
+ SELECTION_3:
+ EventID: 30
+ SELECTION_4:
+ SearchFilter:
+ - '*(domainSid=*)*'
+ - '*(objectSid=*)*'
+ SELECTION_5:
+ EventID: 30
+ SELECTION_6:
+ SearchFilter:
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=4194304)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=2097152)*'
+ - '*!(userAccountControl:1.2.840.113556.1.4.803:=1048574)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=524288)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=65536)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=8192)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=544)*'
+ - '*!(UserAccountControl:1.2.840.113556.1.4.803:=2)*'
+ - '*msDS-AllowedToActOnBehalfOfOtherIdentity*'
+ - '*msDS-AllowedToDelegateTo*'
+ - '*(accountExpires=9223372036854775807)*'
+ - '*(accountExpires=0)*'
+ - '*(adminCount=1)*'
+ - '*ms-MCS-AdmPwd*'
+ condition: (((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4))
+ or (SELECTION_5 and SELECTION_6))
+id: 31d68132-4038-47c7-8f8e-635a39a7c174
+level: medium
+logsource:
+ definition: Requires Microsoft-Windows-LDAP-Client/Debug ETW logging
+ product: windows
+ service: ldap_debug
+references:
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
+- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+- https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
+status: experimental
+tags:
+- attack.discovery
+- attack.t1069.002
+- attack.t1087.002
+- attack.t1482
diff --git a/rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml b/rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
new file mode 100644
index 00000000..a3440532
--- /dev/null
+++ b/rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
@@ -0,0 +1,29 @@
+
+title: Possible Exploitation of Exchange RCE CVE-2021-42321
+ruletype: Sigma
+author: Florian Roth, @testanull
+date: 2021/11/18
+description: Detects log entries that appear in exploitation attempts against MS Exchange
+ RCE CVE-2021-42321
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ EventID: 8
+ SELECTION_3:
+ - 'Cmdlet failed. Cmdlet Get-App, '
+ - 'Task Get-App throwing unhandled exception: System.InvalidCastException:'
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3))
+falsepositives:
+- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
+id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
+level: critical
+logsource:
+ product: windows
+ service: msexchange-management
+references:
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1210
diff --git a/rules/sigma/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/sigma/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
new file mode 100644
index 00000000..a6c8be23
--- /dev/null
+++ b/rules/sigma/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -0,0 +1,31 @@
+
+title: ProxyLogon MSExchange OabVirtualDirectory
+ruletype: Sigma
+author: Florian Roth
+date: 2021/08/09
+description: Detects specific patterns found after a successful ProxyLogon exploitation
+ in relation to a Commandlet invocation of Set-OabVirtualDirectory
+detection:
+ SELECTION_1:
+ - OabVirtualDirectory
+ SELECTION_2:
+ - ' -ExternalUrl '
+ SELECTION_3:
+ - eval(request
+ - http://f/