Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
@@ -0,0 +1,39 @@
+
+title: Audit CVE Event
+ruletype: Sigma
+author: Florian Roth
+date: 2020/01/15
+description: Detects events generated by Windows to indicate the exploitation of a
+  known vulnerability (e.g. CVE-2020-0601)
+detection:
+  SELECTION_1:
+    Provider_Name: Microsoft-Windows-Audit-CVE
+  condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
+level: critical
+logsource:
+  product: windows
+  service: application
+modified: 2021/10/13
+references:
+- https://twitter.com/mattifestation/status/1217179698008068096
+- https://twitter.com/VM_vivisector/status/1217190929330655232
+- https://twitter.com/davisrichardg/status/1217517547576348673
+- https://twitter.com/DidierStevens/status/1217533958096924676
+- https://twitter.com/FlemmingRiis/status/1217147415482060800
+status: experimental
+tags:
+- attack.execution
+- attack.t1203
+- attack.privilege_escalation
+- attack.t1068
+- attack.defense_evasion
+- attack.t1211
+- attack.credential_access
+- attack.t1212
+- attack.lateral_movement
+- attack.t1210
+- attack.impact
+- attack.t1499.004
@@ -0,0 +1,44 @@
+
+title: Relevant Anti-Virus Event
+ruletype: Sigma
+author: Florian Roth
+date: 2017/02/19
+description: This detection method points out highly relevant Antivirus events
+detection:
+  SELECTION_1:
+  - HTool-
+  - Hacktool
+  - ASP/Backdoor
+  - JSP/Backdoor
+  - PHP/Backdoor
+  - Backdoor.ASP
+  - Backdoor.JSP
+  - Backdoor.PHP
+  - Webshell
+  - Portscan
+  - Mimikatz
+  - .WinCred.
+  - PlugX
+  - Korplug
+  - Pwdump
+  - Chopper
+  - WmiExec
+  - Xscan
+  - Clearlog
+  - ASPXSpy
+  SELECTION_2:
+  - Keygen
+  - Crack
+  condition: ((SELECTION_1) and  not (SELECTION_2))
+falsepositives:
+- Some software piracy tools (key generators, cracks) are classified as hack tools
+id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
+level: high
+logsource:
+  product: windows
+  service: application
+modified: 2021/11/20
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588
@@ -0,0 +1,28 @@
+
+title: Atera Agent Installation
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/09/01
+description: Detects successful installation of Atera Remote Monitoring & Management
+  (RMM) agent as recently found to be used by Conti operators
+detection:
+  SELECTION_1:
+    EventID: 1033
+  SELECTION_2:
+    Provider_Name: MsiInstaller
+  SELECTION_3:
+    Message: '*AteraAgent*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Atera agent installation
+id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
+level: high
+logsource:
+  product: windows
+  service: application
+modified: 2021/10/13
+references:
+- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
+status: experimental
+tags:
+- attack.t1219
@@ -0,0 +1,28 @@
+
+title: Backup Catalog Deleted
+ruletype: Sigma
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+date: 2017/05/12
+description: Detects backup catalog deletions
+detection:
+  SELECTION_1:
+    EventID: 524
+  SELECTION_2:
+    Provider_Name: Microsoft-Windows-Backup
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9703792d-fd9a-456d-a672-ff92efe4806a
+level: medium
+logsource:
+  product: windows
+  service: application
+modified: 2021/10/13
+references:
+- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
+- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1107
+- attack.t1070.004
@@ -0,0 +1,39 @@
+
+title: Microsoft Malware Protection Engine Crash
+ruletype: Sigma
+author: Florian Roth
+date: 2017/05/09
+description: This rule detects a suspicious crash of the Microsoft Malware Protection
+  Engine
+detection:
+  SELECTION_1:
+    Provider_Name: Application Error
+  SELECTION_2:
+    EventID: 1000
+  SELECTION_3:
+    Provider_Name: Windows Error Reporting
+  SELECTION_4:
+    EventID: 1001
+  SELECTION_5:
+  - MsMpEng.exe
+  SELECTION_6:
+  - mpengine.dll
+  condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and
+    (SELECTION_5 and SELECTION_6))
+falsepositives:
+- MsMpEng.exe can crash when C:\ is full
+id: 6c82cf5c-090d-4d57-9188-533577631108
+level: high
+logsource:
+  product: windows
+  service: application
+modified: 2021/10/13
+references:
+- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
+- https://technet.microsoft.com/en-us/library/security/4022344
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1211
+- attack.t1562.001
@@ -0,0 +1,32 @@
+
+title: CVE-2020-0688 Exploitation via Eventlog
+ruletype: Sigma
+author: Florian Roth, wagga
+date: 2020/02/29
+description: Detects the exploitation of Microsoft Exchange vulnerability as described
+  in CVE-2020-0688
+detection:
+  SELECTION_1:
+    EventID: 4
+  SELECTION_2:
+    Provider_Name: MSExchange Control Panel
+  SELECTION_3:
+    Level: Error
+  SELECTION_4:
+  - '&__VIEWSTATE='
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: d6266bf5-935e-4661-b477-78772735a7cb
+level: high
+logsource:
+  product: windows
+  service: application
+modified: 2021/10/13
+references:
+- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1190
@@ -0,0 +1,27 @@
+
+title: LPE InstallerFileTakeOver PoC CVE-2021-41379
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/22
+description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
+detection:
+  SELECTION_1:
+    EventID: 1033
+  SELECTION_2:
+    Provider_Name: MsiInstaller
+  SELECTION_3:
+  - test pkg
+  condition: ((SELECTION_1 and SELECTION_2) and SELECTION_3)
+falsepositives:
+- Other MSI packages for which your admins have used that name
+id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
+level: high
+logsource:
+  product: windows
+  service: application
+references:
+- https://github.com/klinix5/InstallerFileTakeOver
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1190
@@ -0,0 +1,40 @@
+
+title: Azure AD Health Monitoring Agent Registry Keys Access
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+description: |
+  This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
+  This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+detection:
+  SELECTION_1:
+    EventID: 4656
+  SELECTION_2:
+    EventID: 4663
+  SELECTION_3:
+    ObjectType: Key
+  SELECTION_4:
+    ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
+  SELECTION_5:
+    ProcessName:
+    - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
+    - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
+    - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
+    - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
+    - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
+  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+  product: windows
+  service: security
+references:
+- https://o365blog.com/post/hybridhealthagent/
+- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
@@ -0,0 +1,42 @@
+
+title: Azure AD Health Service Agents Registry Keys Access
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+description: |
+  This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
+  Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+  This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+  Make sure you set the SACL to propagate to its sub-keys.
+detection:
+  SELECTION_1:
+    EventID: 4656
+  SELECTION_2:
+    EventID: 4663
+  SELECTION_3:
+    ObjectType: Key
+  SELECTION_4:
+    ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
+  SELECTION_5:
+    ProcessName:
+    - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
+    - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
+    - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
+    - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
+    - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
+  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5))
+falsepositives:
+- Unknown
+id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
+level: medium
+logsource:
+  product: windows
+  service: security
+references:
+- https://o365blog.com/post/hybridhealthagent/
+- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
@@ -0,0 +1,35 @@
+
+title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
+ruletype: Sigma
+author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
+date: 2019/04/03
+description: backdooring domain object to grant the rights associated with DCSync
+  to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
+  Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+detection:
+  SELECTION_1:
+    EventID: 5136
+  SELECTION_2:
+    AttributeLDAPDisplayName: ntSecurityDescriptor
+  SELECTION_3:
+    AttributeValue:
+    - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+    - '*89e95b76-444d-4c62-991a-0facbeda640c*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- New Domain Controller computer account, check user SIDs within the value attribute
+  of event 5136 and verify if it's a regular user or DC computer account.
+id: 2c99737c-585d-4431-b61a-c911d86ff32f
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/09
+references:
+- https://twitter.com/menasec1/status/1111556090137903104
+- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+status: experimental
+tags:
+- attack.persistence
+- attack.t1098
@@ -0,0 +1,44 @@
+
+title: AD Privileged Users or Groups Reconnaissance
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detect priv users or groups recon based on 4661 eventid and known privileged
+  users or groups SIDs
+detection:
+  SELECTION_1:
+    EventID: 4661
+  SELECTION_2:
+    ObjectType:
+    - SAM_USER
+    - SAM_GROUP
+  SELECTION_3:
+    ObjectName:
+    - '*-512'
+    - '*-502'
+    - '*-500'
+    - '*-505'
+    - '*-519'
+    - '*-520'
+    - '*-544'
+    - '*-551'
+    - '*-555'
+  SELECTION_4:
+    ObjectName: '*admin*'
+  condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- if source account name is not an admin then its super suspicious
+id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
+level: high
+logsource:
+  definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
+  product: windows
+  service: security
+modified: 2021/09/08
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
@@ -0,0 +1,33 @@
+
+title: AD Object WriteDAC Access
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects WRITE_DAC access to a domain object
+detection:
+  SELECTION_1:
+    EventID: 4662
+  SELECTION_2:
+    ObjectServer: DS
+  SELECTION_3:
+    AccessMask: '0x40000'
+  SELECTION_4:
+    ObjectType:
+    - 19195a5b-6da0-11d0-afd3-00c04fd930c9
+    - domainDNS
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1222
+- attack.t1222.001
@@ -0,0 +1,42 @@
+
+title: Active Directory Replication from Non Machine Account
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/07/26
+description: Detects potential abuse of Active Directory Replication Service (ADRS)
+  from a non machine account to request credentials.
+detection:
+  SELECTION_1:
+    EventID: 4662
+  SELECTION_2:
+    AccessMask: '0x100'
+  SELECTION_3:
+    Properties:
+    - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+    - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    - '*89e95b76-444d-4c62-991a-0facbeda640c*'
+  SELECTION_4:
+    SubjectUserName: '*$'
+  SELECTION_5:
+    SubjectUserName: MSOL_*
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4
+    or SELECTION_5))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 17d619c1-e020-4347-957e-1d1207455c93
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.006
@@ -0,0 +1,35 @@
+
+title: AD User Enumeration
+ruletype: Sigma
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/30
+description: Detects access to a domain user from a non-machine account
+detection:
+  SELECTION_1:
+    EventID: 4662
+  SELECTION_2:
+    ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
+  SELECTION_3:
+    SubjectUserName: '*$'
+  SELECTION_4:
+    SubjectUserName: MSOL_*
+  condition: ((SELECTION_1 and SELECTION_2) and  not (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Administrators configuring new users.
+id: ab6bffca-beff-4baa-af11-6733f296d57a
+level: medium
+logsource:
+  definition: Requires the "Read all properties" permission on the user object to
+    be audited for the "Everyone" principal
+  product: windows
+  service: security
+modified: 2021/08/09
+references:
+- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
+- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
@@ -0,0 +1,35 @@
+
+title: ADCS Certificate Template Configuration Vulnerability
+ruletype: Sigma
+author: Orlinum , BlueDefenZer
+date: 2021/11/17
+description: Detects certificate creation with template allowing risk permission subject
+detection:
+  SELECTION_1:
+    EventID: 4898
+  SELECTION_2:
+    TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  SELECTION_3:
+    EventID: 4899
+  SELECTION_4:
+    NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
+falsepositives:
+- Administrator activity
+- Penetration tests
+- Proxy SSL certificate with subject modification
+- Smart card enrollement
+id: 5ee3a654-372f-11ec-8d3d-0242ac130003
+level: low
+logsource:
+  definition: Certificate services loaded a template would trigger event ID 4898 and
+    certificate Services template was updated would trigger event ID 4899. A risk
+    permission seems to be comming if template contain specific flag.
+  product: windows
+  service: security
+references:
+- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access
@@ -0,0 +1,49 @@
+
+title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
+ruletype: Sigma
+author: Orlinum , BlueDefenZer
+date: 2021/11/17
+description: Detects certificate creation with template allowing risk permission subject
+  and risky EKU
+detection:
+  SELECTION_1:
+    EventID: 4898
+  SELECTION_2:
+    TemplateContent:
+    - '*1.3.6.1.5.5.7.3.2*'
+    - '*1.3.6.1.5.2.3.4*'
+    - '*1.3.6.1.4.1.311.20.2.2*'
+    - '*2.5.29.37.0*'
+  SELECTION_3:
+    TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  SELECTION_4:
+    EventID: 4899
+  SELECTION_5:
+    NewTemplateContent:
+    - '*1.3.6.1.5.5.7.3.2*'
+    - '*1.3.6.1.5.2.3.4*'
+    - '*1.3.6.1.4.1.311.20.2.2*'
+    - '*2.5.29.37.0*'
+  SELECTION_6:
+    NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+    and SELECTION_6))
+falsepositives:
+- Administrator activity
+- Penetration tests
+- Proxy SSL certificate with subject modification
+- Smart card enrollement
+id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
+level: high
+logsource:
+  definition: Certificate services loaded a template would trigger event ID 4898 and
+    certificate Services template was updated would trigger event ID 4899. A risk
+    permission seems to be comming if template contain specific flag with risky EKU.
+  product: windows
+  service: security
+references:
+- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access
@@ -0,0 +1,37 @@
+
+title: Admin User Remote Logon
+ruletype: Sigma
+author: juju4
+date: 2017/10/29
+description: Detect remote login by Administrator user (depending on internal pattern).
+detection:
+  SELECTION_1:
+    EventID: 4624
+  SELECTION_2:
+    LogonType: 10
+  SELECTION_3:
+    AuthenticationPackageName: Negotiate
+  SELECTION_4:
+    TargetUserName: Admin*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate administrative activity.
+id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
+level: low
+logsource:
+  definition: 'Requirements: Identifiable administrators usernames (pattern or special
+    unique character. ex: "Admin-*"), internal policy mandating use only as secondary
+    account'
+  product: windows
+  service: security
+modified: 2021/07/07
+references:
+- https://car.mitre.org/wiki/CAR-2016-04-005
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1078
+- attack.t1078.001
+- attack.t1078.002
+- attack.t1078.003
+- car.2016-04-005
@@ -0,0 +1,29 @@
+
+title: Access to ADMIN$ Share
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/04
+description: Detects access to $ADMIN share
+detection:
+  SELECTION_1:
+    EventID: 5140
+  SELECTION_2:
+    ShareName: Admin$
+  SELECTION_3:
+    SubjectUserName: '*$'
+  condition: ((SELECTION_1 and SELECTION_2) and  not (SELECTION_3))
+falsepositives:
+- Legitimate administrative activity
+id: 098d7118-55bc-4912-a836-dc6483a8d150
+level: low
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit File Share"
+    must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
@@ -0,0 +1,32 @@
+
+title: Enabled User Right in AD to Control User Objects
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/07/30
+description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
+  right in Active Directory it would allow control of other AD user objects.
+detection:
+  SELECTION_1:
+    EventID: 4704
+  SELECTION_2:
+    PrivilegeList:
+    - '*SeEnableDelegationPrivilege*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
+level: high
+logsource:
+  definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
+    Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+    Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
+    Change'
+  product: windows
+  service: security
+modified: 2021/12/02
+references:
+- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+status: test
+tags:
+- attack.persistence
+- attack.t1098
@@ -0,0 +1,48 @@
+
+title: Active Directory User Backdoors
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/04/13
+description: Detects scenarios where one can control another users or computers account
+  without having to use their credentials.
+detection:
+  SELECTION_1:
+    EventID: 4738
+  SELECTION_2:
+    AllowedToDelegateTo: '-'
+  SELECTION_3:
+    AllowedToDelegateTo|re: ^$
+  SELECTION_4:
+    EventID: 5136
+  SELECTION_5:
+    AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
+  SELECTION_6:
+    ObjectClass: user
+  SELECTION_7:
+    AttributeLDAPDisplayName: servicePrincipalName
+  SELECTION_8:
+    AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
+  condition: ((SELECTION_1 and  not (SELECTION_2 or SELECTION_3)) or (SELECTION_4
+    and (SELECTION_5 or (SELECTION_6 and SELECTION_7) or SELECTION_8)))
+falsepositives:
+- Unknown
+id: 300bac00-e041-4ee2-9c36-e262656a6ecc
+level: high
+logsource:
+  definition: 'Requirements: Audit Policy : Account Management > Audit User Account
+    Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+    Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
+    Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
+    Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
+    Policies\DS Access\Audit Directory Service Changes'
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://msdn.microsoft.com/en-us/library/cc220234.aspx
+- https://adsecurity.org/?p=3466
+- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+status: test
+tags:
+- attack.t1098
+- attack.persistence
@@ -0,0 +1,92 @@
+
+title: Weak Encryption Enabled and Kerberoast
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/07/30
+description: Detects scenario where weak encryption is enabled for a user profile
+  which could be used for hash/password cracking.
+detection:
+  SELECTION_1:
+    EventID: 4738
+  SELECTION_2:
+    NewUacValue:
+    - '*8???'
+    - '*9???'
+    - '*A???'
+    - '*B???'
+    - '*C???'
+    - '*D???'
+    - '*E???'
+    - '*F???'
+  SELECTION_3:
+    OldUacValue:
+    - '*8???'
+    - '*9???'
+    - '*A???'
+    - '*B???'
+    - '*C???'
+    - '*D???'
+    - '*E???'
+    - '*F???'
+  SELECTION_4:
+    NewUacValue:
+    - '*1????'
+    - '*3????'
+    - '*5????'
+    - '*7????'
+    - '*9????'
+    - '*B????'
+    - '*D????'
+    - '*F????'
+  SELECTION_5:
+    OldUacValue:
+    - '*1????'
+    - '*3????'
+    - '*5????'
+    - '*7????'
+    - '*9????'
+    - '*B????'
+    - '*D????'
+    - '*F????'
+  SELECTION_6:
+    NewUacValue:
+    - '*8??'
+    - '*9??'
+    - '*A??'
+    - '*B??'
+    - '*C??'
+    - '*D??'
+    - '*E??'
+    - '*F??'
+  SELECTION_7:
+    OldUacValue:
+    - '*8??'
+    - '*9??'
+    - '*A??'
+    - '*B??'
+    - '*C??'
+    - '*D??'
+    - '*E??'
+    - '*F??'
+  condition: (SELECTION_1 and (((SELECTION_2 and  not (SELECTION_3)) or (SELECTION_4
+    and  not (SELECTION_5))) or (SELECTION_6 and  not (SELECTION_7))))
+falsepositives:
+- Unknown
+id: f6de9536-0441-4b3f-a646-f4e00f300ffd
+level: high
+logsource:
+  definition: 'Requirements: Audit Policy : Account Management > Audit User Account
+    Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+    Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
+    Management'
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://adsecurity.org/?p=2053
+- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
@@ -0,0 +1,41 @@
+
+title: Hacktool Ruler
+ruletype: Sigma
+author: Florian Roth
+date: 2017/05/31
+description: This events that are generated when using the hacktool Ruler by Sensepost
+detection:
+  SELECTION_1:
+    EventID: 4776
+  SELECTION_2:
+    Workstation: RULER
+  SELECTION_3:
+    EventID: 4624
+  SELECTION_4:
+    EventID: 4625
+  SELECTION_5:
+    WorkstationName: RULER
+  condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
+falsepositives:
+- Go utilities that use staaldraad awesome NTLM library
+id: 24549159-ac1b-479c-8175-d42aea947cae
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/08/09
+references:
+- https://github.com/sensepost/ruler
+- https://github.com/sensepost/ruler/issues/47
+- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
+status: experimental
+tags:
+- attack.discovery
+- attack.execution
+- attack.t1087
+- attack.t1075
+- attack.t1114
+- attack.t1059
+- attack.t1550.002
@@ -0,0 +1,42 @@
+
+title: Chafer Activity
+ruletype: Sigma
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+  in March 2018
+detection:
+  SELECTION_1:
+    EventID: 4698
+  SELECTION_2:
+    TaskName:
+    - SC Scheduled Scan
+    - UpdatMachine
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c0580559-a6bd-4ef6-b9b7-83703d98b561
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+  type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
@@ -0,0 +1,32 @@
+
+title: Defrag Deactivation
+ruletype: Sigma
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+description: Detects the deactivation and disabling of the Scheduled defragmentation
+  task as seen by Slingshot APT group
+detection:
+  SELECTION_1:
+    EventID: 4701
+  SELECTION_2:
+    TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
+level: medium
+logsource:
+  definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
+  product: windows
+  service: security
+modified: 2021/09/19
+references:
+- https://securelist.com/apt-slingshot/84312/
+related:
+- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+  type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.t1053
+- attack.s0111
@@ -0,0 +1,38 @@
+
+title: Operation Wocao Activity
+ruletype: Sigma
+author: Florian Roth, frack113
+date: 2019/12/20
+description: Detects activity mentioned in Operation Wocao report
+detection:
+  SELECTION_1:
+    EventID: 4799
+  SELECTION_2:
+    TargetUserName: Administr*
+  SELECTION_3:
+    CallerProcessName: '*\checkadmin.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrators that use checkadmin.exe tool to enumerate local administrators
+id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/19
+references:
+- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+- https://twitter.com/SBousseaden/status/1207671369963646976
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1036.004
+- attack.t1036
+- attack.t1027
+- attack.execution
+- attack.t1053.005
+- attack.t1053
+- attack.t1059.001
+- attack.t1086
@@ -0,0 +1,35 @@
+
+title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+ruletype: Sigma
+author: Sreeman
+date: 2020/03/13
+description: The .SettingContent-ms file type was introduced in Windows 10 and allows
+  a user to create "shortcuts" to various Windows 10 setting pages. These files are
+  simply XML and contain paths to various Windows 10 settings binaries.
+detection:
+  SELECTION_1:
+    CommandLine: '*.SettingContent-ms*'
+  SELECTION_2:
+    FilePath: '*immersivecontrolpanel*'
+  condition: (SELECTION_1 and  not (SELECTION_2))
+falsepositives:
+- unknown
+fields:
+- ParentProcess
+- CommandLine
+- ParentCommandLine
+id: 24de4f3b-804c-4165-b442-5a06a2302c7e
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/08/09
+references:
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+status: experimental
+tags:
+- attack.t1204
+- attack.t1193
+- attack.t1566.001
+- attack.execution
+- attack.initial_access
@@ -0,0 +1,30 @@
+
+title: Using AppVLP To Circumvent ASR File Path Rule
+ruletype: Sigma
+author: Sreeman
+date: 2020/03/13
+description: Application Virtualization Utility is included with Microsoft Office.We
+  are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
+  for Application Virtualization, but we can use it as an abuse binary to circumvent
+  the ASR file path rule folder or to mark a file as a system file
+detection:
+  SELECTION_1:
+    CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
+  condition: SELECTION_1
+falsepositives:
+- unknown
+fields:
+- ParentProcess
+- CommandLine
+- ParentCommandLine
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/06/11
+status: experimental
+tags:
+- attack.t1218
+- attack.defense_evasion
+- attack.execution
@@ -0,0 +1,37 @@
+
+title: Remote Task Creation via ATSVC Named Pipe
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects remote task creation via at.exe or API interacting with ATSVC
+  namedpipe
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*\IPC$
+  SELECTION_3:
+    RelativeTargetName: atsvc
+  SELECTION_4:
+    Accesses: '*WriteData*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: f6de6525-4509-495a-8a82-1f8b0ed73a00
+level: medium
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit Detailed File
+    Share" must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.persistence
+- attack.t1053
+- car.2013-05-004
+- car.2015-04-001
+- attack.t1053.002
@@ -0,0 +1,33 @@
+
+title: Processes Accessing the Microphone and Webcam
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/07
+description: Potential adversaries accessing the microphone and webcam in an endpoint.
+detection:
+  SELECTION_1:
+    EventID: 4657
+  SELECTION_2:
+    EventID: 4656
+  SELECTION_3:
+    EventID: 4663
+  SELECTION_4:
+    ObjectName:
+    - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
+    - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/duzvik/status/1269671601852813320
+- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+status: test
+tags:
+- attack.collection
+- attack.t1123
@@ -0,0 +1,32 @@
+
+title: DCERPC SMB Spoolss Named Pipe
+ruletype: Sigma
+author: OTR (Open Threat Research)
+date: 2018/11/28
+description: Detects the use of the spoolss named pipe over SMB. This can be used
+  to trigger the authentication via NTLM of any machine that has the spoolservice
+  enabled.
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*\IPC$
+  SELECTION_3:
+    RelativeTargetName: spoolss
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Domain Controllers acting as printer servers too? :)
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+- https://twitter.com/_dirkjan/status/1309214379003588608
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002
@@ -0,0 +1,31 @@
+
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
+  Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
+  DLL Hijack scenario.
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    RelativeTargetName: '*\Internet Explorer\iertutil.dll'
+  SELECTION_3:
+    SubjectUserName: '*$'
+  condition: ((SELECTION_1 and SELECTION_2) and  not (SELECTION_3))
+falsepositives:
+- Unknown
+id: c39f0c81-7348-4965-ab27-2fde35a1b641
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1021.003
@@ -0,0 +1,41 @@
+
+title: Mimikatz DC Sync
+ruletype: Sigma
+author: Benjamin Delpy, Florian Roth, Scott Dermott
+date: 2018/06/03
+description: Detects Mimikatz DC sync security events
+detection:
+  SELECTION_1:
+    EventID: 4662
+  SELECTION_2:
+    Properties:
+    - '*Replicating Directory Changes All*'
+    - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+  SELECTION_3:
+    SubjectDomainName: Window Manager
+  SELECTION_4:
+    SubjectUserName:
+    - NT AUTHORITY*
+    - MSOL_*
+  SELECTION_5:
+    SubjectUserName: '*$'
+  condition: ((SELECTION_1 and SELECTION_2) and  not ((SELECTION_3) or (SELECTION_4)
+    or (SELECTION_5)))
+falsepositives:
+- Valid DC Sync that is not covered by the filters; please report
+- Local Domain Admin account used for Azure AD Connect
+id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+status: experimental
+tags:
+- attack.credential_access
+- attack.s0002
+- attack.t1003
+- attack.t1003.006
@@ -0,0 +1,36 @@
+
+title: Windows Defender Exclusion Set
+ruletype: Sigma
+author: '@BarryShooshooga'
+date: 2019/10/26
+description: Detects scenarios where an windows defender exclusion was added in registry
+  where an entity would want to bypass antivirus scanning from windows defender
+detection:
+  SELECTION_1:
+    EventID: 4657
+  SELECTION_2:
+    EventID: 4656
+  SELECTION_3:
+    EventID: 4660
+  SELECTION_4:
+    EventID: 4663
+  SELECTION_5:
+    ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Intended inclusions by administrator
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+level: high
+logsource:
+  definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
+    Policy, Registry System Access Control (SACL): Auditing/User'
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
@@ -0,0 +1,41 @@
+
+title: Disabling Windows Event Auditing
+ruletype: Sigma
+author: '@neu5ron'
+date: 2017/11/19
+description: 'Detects scenarios where system auditing (ie: windows event log auditing)
+  is disabled. This may be used in a scenario where an entity would want to bypass
+  local logging to evade detection when windows event logging is enabled and reviewed.
+  Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO,
+  which will make sure that Active Directory GPOs take precedence over local/edited
+  computer policies via something such as "gpedit.msc". Please note, that disabling
+  "Local Group Policy Object Processing" may cause an issue in scenarios of one off
+  specific GPO modifications -- however it is recommended to perform these modifications
+  in Active Directory anyways.'
+detection:
+  SELECTION_1:
+    EventID: 4719
+  SELECTION_2:
+    AuditPolicyChanges:
+    - '*%%8448*'
+    - '*%%8450*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+level: high
+logsource:
+  definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
+    Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+    Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
+    Change'
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://bit.ly/WinLogsZero2Hero
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1054
+- attack.t1562.002
@@ -0,0 +1,32 @@
+
+title: DPAPI Domain Backup Key Extraction
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
+  Controllers
+detection:
+  SELECTION_1:
+    EventID: 4662
+  SELECTION_2:
+    ObjectType: SecretObject
+  SELECTION_3:
+    AccessMask: '0x2'
+  SELECTION_4:
+    ObjectName: BCKUPKEY
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4ac1f50b-3bd0-4968-902d-868b4647937e
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
@@ -0,0 +1,30 @@
+
+title: DPAPI Domain Master Key Backup Attempt
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects anyone attempting a backup for the DPAPI Master Key. This events
+  gets generated at the source and not the Domain Controller.
+detection:
+  SELECTION_1:
+    EventID: 4692
+  condition: SELECTION_1
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
@@ -0,0 +1,38 @@
+
+title: COMPlus_ETWEnabled Registry Modification
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+detection:
+  SELECTION_1:
+    EventID: 4657
+  SELECTION_2:
+    ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
+  SELECTION_3:
+    ObjectValueName: ETWEnabled
+  SELECTION_4:
+    NewValue: '0'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/_xpn_/status/1268712093928378368
+- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+- https://bunnyinside.com/?term=f71e8cb9c76a
+- http://managed670.rssing.com/chan-5590147/all_p1.html
+- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1112
@@ -0,0 +1,31 @@
+
+title: Security Event Log Cleared
+ruletype: Sigma
+author: Saw Winn Naung
+date: 2021/08/15
+description: Checks for event id 1102 which indicates the security event log was cleared.
+detection:
+  SELECTION_1:
+    EventID: 1102
+  SELECTION_2:
+    Provider_Name: Microsoft-Windows-Eventlog
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative activity
+fields:
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SubjectDomainName
+id: a122ac13-daf8-4175-83a2-72c387be339d
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/10/13
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+status: experimental
+tags:
+- attack.t1107
+- attack.t1070.001
@@ -0,0 +1,35 @@
+
+title: CVE-2021-1675 Print Spooler Exploitation IPC Access
+ruletype: Sigma
+author: INIT_6
+date: 2021/07/02
+description: Detects remote printer driver load from Detailed File Share in Security
+  logs that are a sign of successful exploitation attempts against print spooler vulnerability
+  CVE-2021-1675 and CVE-2021-34527
+detection:
+  SELECTION_1:
+    EventID: '5145'
+  SELECTION_2:
+    ShareName: \\\*\IPC$
+  SELECTION_3:
+    RelativeTargetName: spoolss
+  SELECTION_4:
+    AccessMask: '0x3'
+  SELECTION_5:
+    ObjectType: File
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- nothing observed so far
+id: 8fe1c584-ee61-444b-be21-e9054b229694
+level: critical
+logsource:
+  product: windows
+  service: security
+references:
+- https://twitter.com/INIT_3/status/1410662463641731075
+status: experimental
+tags:
+- attack.execution
+- attack.t1569
+- cve.2021.1675
+- cve.2021.34527
@@ -0,0 +1,29 @@
+
+title: External Disk Drive Or USB Storage Device
+ruletype: Sigma
+author: Keith Wright
+date: 2019/11/20
+description: Detects external diskdrives or plugged in USB devices , EventID 6416
+  on windows 10 or later
+detection:
+  SELECTION_1:
+    EventID: 6416
+  SELECTION_2:
+    ClassName: DiskDrive
+  SELECTION_3:
+    DeviceDescription: USB Mass Storage Device
+  condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
+falsepositives:
+- Legitimate administrative activity
+id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
+level: low
+logsource:
+  product: windows
+  service: security
+modified: 2021/08/09
+status: experimental
+tags:
+- attack.t1091
+- attack.t1200
+- attack.lateral_movement
+- attack.initial_access
@@ -0,0 +1,35 @@
+
+title: Enumeration via the Global Catalog
+ruletype: Sigma
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/11
+description: Detects enumeration of the global catalog (that can be performed using
+  BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
+  width.
+detection:
+  SELECTION_1:
+    EventID: 5156
+  SELECTION_2:
+    DestinationPort: 3268
+  SELECTION_3:
+    DestinationPort: 3269
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress
+    > 2000
+  timeframe: 1h
+falsepositives:
+- Exclude known DCs.
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+level: medium
+logsource:
+  definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
+    Platform Connection" must be configured for Success
+  product: windows
+  service: security
+modified: 2021/06/01
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
@@ -0,0 +1,39 @@
+
+title: Persistence and Execution at Scale via GPO Scheduled Task
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detect lateral movement using GPO scheduled task, usually used to deploy
+  ransomware at scale
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*\SYSVOL
+  SELECTION_3:
+    RelativeTargetName: '*ScheduledTasks.xml'
+  SELECTION_4:
+    Accesses:
+    - '*WriteData*'
+    - '*%%4417*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- if the source IP is not localhost then it's super suspicious, better to monitor
+  both local and remote changes to GPO scheduledtasks
+id: a8f29a7b-b137-4446-80a0-b804272f3da2
+level: high
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit Detailed File
+    Share" must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://twitter.com/menasec1/status/1106899890377052160
+- https://www.secureworks.com/blog/ransomware-as-a-distraction
+status: test
+tags:
+- attack.persistence
+- attack.lateral_movement
+- attack.t1053
+- attack.t1053.005
@@ -0,0 +1,29 @@
+
+title: Hidden Local User Creation
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/05/03
+description: Detects the creation of a local hidden user account which should not
+  happen for event ID 4720.
+detection:
+  SELECTION_1:
+    EventID: 4720
+  SELECTION_2:
+    TargetUserName: '*$'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventCode
+- AccountName
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+level: high
+logsource:
+  product: windows
+  service: security
+references:
+- https://twitter.com/SBousseaden/status/1387743867663958021
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136.001
@@ -0,0 +1,28 @@
+
+title: HybridConnectionManager Service Installation
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Rule to detect the Hybrid Connection Manager service installation.
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceName: HybridConnectionManager
+  SELECTION_3:
+    ServiceFileName: '*HybridConnectionManager*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of Hybrid Connection Manager via Azure function apps.
+id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
+- attack.t1554
@@ -0,0 +1,32 @@
+
+title: Impacket PsExec Execution
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2020/12/14
+description: Detects execution of Impacket's psexec.py.
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*\IPC$
+  SELECTION_3:
+    RelativeTargetName:
+    - '*RemCom_stdint*'
+    - '*RemCom_stdoutt*'
+    - '*RemCom_stderrt*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- nothing observed so far
+id: 32d56ea1-417f-44ff-822b-882873f5f43b
+level: high
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit Detailed File
+    Share" must be configured for Success/Failure
+  product: windows
+  service: security
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
@@ -0,0 +1,35 @@
+
+title: Possible Impacket SecretDump Remote Activity
+ruletype: Sigma
+author: Samir Bousseaden, wagga
+date: 2019/04/03
+description: Detect AD credential dumping using impacket secretdump HKTL
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*\ADMIN$
+  SELECTION_3:
+    RelativeTargetName: '*SYSTEM32\\*'
+  SELECTION_4:
+    RelativeTargetName: '*.tmp*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
+level: high
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit Detailed File
+    Share" must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/06/27
+references:
+- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.003
@@ -0,0 +1,33 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+  SELECTION_1:
+    Provider_Name: Service Control Manager
+  SELECTION_2:
+    EventID: 4697
+  SELECTION_3:
+    ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/30
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,43 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+ruletype: Sigma
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+  by Invoke-Obfuscation framework from the code block linked in the references
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+  SELECTION_3:
+    ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+  SELECTION_4:
+    ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+  SELECTION_5:
+    ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+  SELECTION_6:
+    ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
+  SELECTION_7:
+    ServiceFileName|re: \$VerbosePreference\.ToString\(
+  SELECTION_8:
+    ServiceFileName|re: \String\]\s*\$VerbosePreference
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: fd0f5778-d3cb-4c9a-9695-66759d04702a
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/16
+references:
+- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+related:
+- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/17
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+ruletype: Sigma
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: dcf2db1f-f091-425b-a821-c05875b8925a
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/12/02
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 175997c5-803c-4b08-8bb0-70b099f47595
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Stdin
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 487c7524-f892-4054-b263-8a0ace63fc25
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use Clip
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,37 @@
+
+title: ISO Image Mount
+ruletype: Sigma
+author: Syed Hasan (@syedhasan009)
+date: 2021/05/29
+description: Detects the mount of ISO images on an endpoint
+detection:
+  SELECTION_1:
+    EventID: 4663
+  SELECTION_2:
+    ObjectServer: Security
+  SELECTION_3:
+    ObjectType: File
+  SELECTION_4:
+    ObjectName: \Device\CdRom*
+  SELECTION_5:
+    ObjectName: \Device\CdRom0\setup.exe
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5))
+falsepositives:
+- Software installation ISO files
+id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
+level: medium
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit Removable Storage"
+    must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/11/20
+references:
+- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
+- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
+- https://twitter.com/MsftSecIntel/status/1257324139515269121
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1566.001
@@ -0,0 +1,38 @@
+
+title: Lateral Movement Indicator ConDrv
+ruletype: Sigma
+author: Janantha Marasinghe
+date: 2021/04/27
+description: This event was observed on the target host during lateral movement. The
+  process name within the event contains the process spawned post compromise. Account
+  Name within the event contains the compromised user account name. This event should
+  to be correlated with 4624 and 4688 for further intrusion context.
+detection:
+  SELECTION_1:
+    EventID: 4674
+  SELECTION_2:
+    ObjectServer: Security
+  SELECTION_3:
+    ObjectType: File
+  SELECTION_4:
+    ObjectName: \Device\ConDrv
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- legal admin action
+- Penetration tests where lateral movement has occurred. This event will be created
+  on the target host.
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+level: low
+logsource:
+  product: windows
+  service: security
+modified: 2021/12/09
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+status: deprecated
+tags:
+- attack.lateral_movement
+- attack.execution
+- attack.t1021
+- attack.t1059
@@ -0,0 +1,52 @@
+
+title: First Time Seen Remote Named Pipe
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: This detection excludes known namped pipes accessible remotely and notify
+  on newly observed ones, may help to detect lateral movement and remote exec using
+  named pipes
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*\IPC$
+  SELECTION_3:
+    RelativeTargetName:
+    - atsvc
+    - samr
+    - lsarpc
+    - lsass
+    - winreg
+    - netlogon
+    - srvsvc
+    - protected_storage
+    - wkssvc
+    - browser
+    - netdfs
+    - svcctl
+    - spoolss
+    - ntsvcs
+    - LSM_API_service
+    - HydraLsPipe
+    - TermSrv_API_service
+    - MsFteWds
+    - sql\query
+  condition: ((SELECTION_1 and SELECTION_2) and  not (SELECTION_3))
+falsepositives:
+- update the excluded named pipe to filter out any newly observed legit named pipe
+id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
+level: high
+logsource:
+  definition: The advanced audit policy setting "Object Access > Audit Detailed File
+    Share" must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/12/06
+references:
+- https://twitter.com/menasec1/status/1104489274387451904
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
@@ -0,0 +1,35 @@
+
+title: Correct Execution of Nltest.exe
+ruletype: Sigma
+author: Arun Chauhan
+date: 2021/10/04
+description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers,
+  domain trusts, parent domain and the current user permissions.
+detection:
+  SELECTION_1:
+    EventID: 4689
+  SELECTION_2:
+    ProcessName: '*nltest.exe'
+  SELECTION_3:
+    Status: '0x0'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Red team activity
+- rare legitimate use by an administrator
+fields:
+- SubjectUserName
+- SubjectDomainName
+id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
+level: high
+logsource:
+  product: windows
+  service: security
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
+- https://attack.mitre.org/software/S0359/
+status: experimental
+tags:
+- attack.discovery
+- attack.t1482
+- attack.t1018
+- attack.t1016
@@ -0,0 +1,69 @@
+
+title: LSASS Access from Non System Account
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects potential mimikatz-like tools accessing LSASS from non system
+  account
+detection:
+  SELECTION_1:
+    EventID: 4663
+  SELECTION_2:
+    EventID: 4656
+  SELECTION_3:
+    AccessMask:
+    - '0x40'
+    - '0x1400'
+    - '0x100000'
+    - '0x1410'
+    - '0x1010'
+    - '0x1438'
+    - '0x143a'
+    - '0x1418'
+    - '0x1f0fff'
+    - '0x1f1fff'
+    - '0x1f2fff'
+    - '0x1f3fff'
+    - '40'
+    - '1400'
+    - '1000'
+    - '100000'
+    - '1410'
+    - '1010'
+    - '1438'
+    - 143a
+    - '1418'
+    - 1f0fff
+    - 1f1fff
+    - 1f2fff
+    - 1f3fff
+  SELECTION_4:
+    ObjectType: Process
+  SELECTION_5:
+    ObjectName: '*\lsass.exe'
+  SELECTION_6:
+    SubjectUserName: '*$'
+  SELECTION_7:
+    ProcessName: C:\Program Files*
+  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    and  not ((SELECTION_6) or (SELECTION_7)))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- ObjectName
+- SubjectUserName
+- ProcessName
+id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/22
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
@@ -0,0 +1,35 @@
+
+title: WCE wceaux.dll Access
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/06/14
+description: Detects wceaux.dll access while WCE pass-the-hash remote command execution
+  on source host
+detection:
+  SELECTION_1:
+    EventID: 4656
+  SELECTION_2:
+    EventID: 4658
+  SELECTION_3:
+    EventID: 4660
+  SELECTION_4:
+    EventID: 4663
+  SELECTION_5:
+    ObjectName: '*\wceaux.dll'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Penetration testing
+id: 1de68c67-af5c-4097-9c85-fe5578e09e67
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.s0005
@@ -0,0 +1,40 @@
+
+title: Metasploit SMB Authentication
+ruletype: Sigma
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+description: Alerts on Metasploit host's authentications on the domain.
+detection:
+  SELECTION_1:
+    EventID: 4625
+  SELECTION_2:
+    EventID: 4624
+  SELECTION_3:
+    LogonType: 3
+  SELECTION_4:
+    AuthenticationPackageName: NTLM
+  SELECTION_5:
+    WorkstationName|re: ^[A-Za-z0-9]{16}$
+  SELECTION_6:
+    ProcessName|re: ^$
+  SELECTION_7:
+    EventID: 4776
+  SELECTION_8:
+    Workstation|re: ^[A-Za-z0-9]{16}$
+  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7 and SELECTION_8))
+falsepositives:
+- Linux hostnames composed of 16 characters.
+id: 72124974-a68b-4366-b990-d30e0b2a190d
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/07
+references:
+- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
@@ -0,0 +1,41 @@
+
+title: NetNTLM Downgrade Attack
+ruletype: Sigma
+author: Florian Roth, wagga
+date: 2018/03/20
+description: Detects NetNTLM downgrade attack
+detection:
+  SELECTION_1:
+    EventID: 4657
+  SELECTION_2:
+    ObjectName: '*\REGISTRY\MACHINE\SYSTEM*'
+  SELECTION_3:
+    ObjectName: '*ControlSet*'
+  SELECTION_4:
+    ObjectName: '*\Control\Lsa*'
+  SELECTION_5:
+    ObjectValueName:
+    - LmCompatibilityLevel
+    - NtlmMinClientSec
+    - RestrictSendingNTLMTraffic
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
+level: critical
+logsource:
+  definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+  product: windows
+  service: security
+modified: 2021/06/27
+references:
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+related:
+- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+- attack.t1112
@@ -0,0 +1,30 @@
+
+title: New or Renamed User Account with '$' in Attribute 'SamAccountName'.
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+detection:
+  SELECTION_1:
+    EventID: 4720
+  SELECTION_2:
+    EventID: 4781
+  SELECTION_3:
+    SamAccountName: '*$*'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- EventID
+- SamAccountName
+- SubjectUserName
+id: cfeed607-6aa4-4bbd-9627-b637deb723c8
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/07
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
@@ -0,0 +1,32 @@
+
+title: Denied Access To Remote Desktop
+ruletype: Sigma
+author: Pushkarev Dmitry
+date: 2020/06/27
+description: This event is generated when an authenticated user who is not allowed
+  to log on remotely attempts to connect to this computer through Remote Desktop.
+  Often, this event can be generated by attackers when searching for available windows
+  servers in the network.
+detection:
+  SELECTION_1:
+    EventID: 4825
+  condition: SELECTION_1
+falsepositives:
+- Valid user was not added to RDP group
+fields:
+- EventCode
+- AccountName
+- ClientAddress
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1076
+- attack.t1021.001
@@ -0,0 +1,33 @@
+
+title: Successful Overpass the Hash Attempt
+ruletype: Sigma
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+description: Detects successful logon with logon type 9 (NewCredentials) which matches
+  the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+detection:
+  SELECTION_1:
+    EventID: 4624
+  SELECTION_2:
+    LogonType: 9
+  SELECTION_3:
+    LogonProcessName: seclogo
+  SELECTION_4:
+    AuthenticationPackageName: Negotiate
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Runas command-line tool using /netonly parameter
+id: 192a0330-c20b-4356-90b6-7b7049ae0b87
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.s0002
+- attack.t1550.002
@@ -0,0 +1,44 @@
+
+title: Pass the Hash Activity
+ruletype: Sigma
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017/03/08
+description: Detects the attack technique pass the hash which is used to move laterally
+  inside the network
+detection:
+  SELECTION_1:
+    EventID: 4624
+  SELECTION_2:
+    EventID: 4625
+  SELECTION_3:
+    LogonType: '3'
+  SELECTION_4:
+    LogonProcessName: NtLmSsp
+  SELECTION_5:
+    WorkstationName: '%Workstations%'
+  SELECTION_6:
+    ComputerName: '%Workstations%'
+  SELECTION_7:
+    TargetUserName: ANONYMOUS LOGON
+  condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6) and  not (SELECTION_7))
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
+level: medium
+logsource:
+  definition: The successful use of PtH for lateral movement between workstations
+    would trigger event ID 4624, a failed logon attempt would trigger an event ID
+    4625
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1075
+- car.2016-04-004
+- attack.t1550.002
@@ -0,0 +1,45 @@
+
+title: Pass the Hash Activity 2
+ruletype: Sigma
+author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
+date: 2019/06/14
+description: Detects the attack technique pass the hash which is used to move laterally
+  inside the network
+detection:
+  SELECTION_1:
+    EventID: 4624
+  SELECTION_2:
+    SubjectUserSid: S-1-0-0
+  SELECTION_3:
+    LogonType: '3'
+  SELECTION_4:
+    LogonProcessName: NtLmSsp
+  SELECTION_5:
+    KeyLength: '0'
+  SELECTION_6:
+    LogonType: '9'
+  SELECTION_7:
+    LogonProcessName: seclogo
+  SELECTION_8:
+    TargetUserName: ANONYMOUS LOGON
+  condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7))) and  not (SELECTION_8))
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
+level: medium
+logsource:
+  definition: The successful use of PtH for lateral movement between workstations
+    would trigger event ID 4624
+  product: windows
+  service: security
+references:
+- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
+status: stable
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.t1550.002
@@ -0,0 +1,34 @@
+
+title: Possible PetitPotam Coerce Authentication Attempt
+ruletype: Sigma
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+description: Detect PetitPotam coerced authentication activity.
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: \\\*
+  SELECTION_3:
+    ShareName: '*\IPC$'
+  SELECTION_4:
+    RelativeTargetName: lsarpc
+  SELECTION_5:
+    SubjectUserName: ANONYMOUS LOGON
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown. Feedback welcomed.
+id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
+level: high
+logsource:
+  definition: The advanced audit policy setting "Object Access > Detailed File Share"
+    must be configured for Success/Failure
+  product: windows
+  service: security
+references:
+- https://github.com/topotam/PetitPotam
+- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1187
@@ -0,0 +1,44 @@
+
+title: PetitPotam Suspicious Kerberos TGT Request
+ruletype: Sigma
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
+  certificate by abusing Active Directory Certificate Services in combination with
+  PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+  One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
+  like Rubeus. This request will generate a 4768 event with some unusual fields depending
+  on the environment. This analytic will require tuning, we recommend filtering Account_Name
+  to the Domain Controller computer accounts.
+detection:
+  SELECTION_1:
+    EventID: 4768
+  SELECTION_2:
+    TargetUserName: '*$'
+  SELECTION_3:
+    CertThumbprint: '*'
+  SELECTION_4:
+    IpAddress: ::1
+  SELECTION_5:
+    CertThumbprint: ''
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not ((SELECTION_4)
+    or (SELECTION_5)))
+falsepositives:
+- False positives are possible if the environment is using certificates for authentication.
+  We recommend filtering Account_Name to the Domain Controller computer accounts.
+id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
+level: high
+logsource:
+  definition: The advanced audit policy setting "Account Logon > Kerberos Authentication
+    Service" must be configured for Success/Failure
+  product: windows
+  service: security
+modified: 2021/09/07
+references:
+- https://github.com/topotam/PetitPotam
+- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
+- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1187
@@ -0,0 +1,35 @@
+
+title: Possible DC Shadow
+ruletype: Sigma
+author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2019/10/25
+description: Detects DCShadow via create new SPN
+detection:
+  SELECTION_1:
+    EventID: 4742
+  SELECTION_2:
+    ServicePrincipalNames: '*GC/*'
+  SELECTION_3:
+    EventID: 5136
+  SELECTION_4:
+    AttributeLDAPDisplayName: servicePrincipalName
+  SELECTION_5:
+    AttributeValue: GC/*
+  condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
+falsepositives:
+- Exclude known DCs
+id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/06
+references:
+- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1207
@@ -0,0 +1,32 @@
+
+title: Possible Zerologon (CVE-2020-1472) Exploitation
+ruletype: Sigma
+author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
+date: 2020/10/15
+description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+detection:
+  SELECTION_1:
+    EventID: 4742
+  SELECTION_2:
+    SubjectUserName: ANONYMOUS LOGON
+  SELECTION_3:
+    TargetUserName: '%DC-MACHINE-NAME%'
+  SELECTION_4:
+    PasswordLastSet: '-'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- automatic DC computer account password change
+- legitimate DC computer account password change
+id: dd7876d8-0f09-11eb-adc1-0242ac120002
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/07
+references:
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+status: experimental
+tags:
+- attack.t1068
+- attack.privilege_escalation
@@ -0,0 +1,30 @@
+
+title: Protected Storage Service Access
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects access to a protected_storage service over the network. Potential
+  abuse of DPAPI to extract domain backup keys from Domain Controllers
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: '*IPC*'
+  SELECTION_3:
+    RelativeTargetName: protected_storage
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 45545954-4016-43c6-855e-eae8f1c369dc
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021
+- attack.t1021.002
@@ -0,0 +1,34 @@
+
+title: Rare Schtasks Creations
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/23
+description: Detects rare scheduled tasks creations that only appear a few times per
+  time frame and could reveal password dumpers, backdoor installs or other types of
+  malicious code
+detection:
+  SELECTION_1:
+    EventID: 4698
+  condition: SELECTION_1 | count() by TaskName < 5
+  timeframe: 7d
+falsepositives:
+- Software installation
+- Software updates
+id: b0d77106-7bb0-41fe-bd94-d1752164d066
+level: low
+logsource:
+  definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+    Access Events has to be configured to allow this detection (not in the baseline
+    recommendations by Microsoft). We also recommend extracting the Command field
+    from the embedded XML in the event data.
+  product: windows
+  service: security
+modified: 2021/11/27
+status: test
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
@@ -0,0 +1,29 @@
+
+title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
+ruletype: Sigma
+author: Florian Roth (rule), Adam Bradbury (idea)
+date: 2019/06/02
+description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable
+  to  CVE-2019-0708 RDP RCE aka BlueKeep
+detection:
+  SELECTION_1:
+    EventID: 4625
+  SELECTION_2:
+    TargetUserName: AAAAAAA
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 8400629e-79a9-4737-b387-5db940ab2367
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/12
+references:
+- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
+- https://github.com/zerosum0x0/CVE-2019-0708
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1210
+- car.2013-07-002
@@ -0,0 +1,32 @@
+
+title: RDP Login from Localhost
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/01/28
+description: RDP login with localhost source address may be a tunnelled login
+detection:
+  SELECTION_1:
+    EventID: 4624
+  SELECTION_2:
+    LogonType: 10
+  SELECTION_3:
+    IpAddress:
+    - ::1
+    - 127.0.0.1
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 51e33403-2a37-4d66-a574-1fda1782cc31
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/07
+references:
+- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1076
+- car.2013-07-002
+- attack.t1021.001
@@ -0,0 +1,45 @@
+
+title: RDP over Reverse SSH Tunnel WFP
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/02/16
+description: Detects svchost hosting RDP termsvcs communicating with the loopback
+  address
+detection:
+  SELECTION_1:
+    EventID: 5156
+  SELECTION_2:
+    SourcePort: 3389
+  SELECTION_3:
+    DestAddress:
+    - 127.*
+    - ::1
+  SELECTION_4:
+    DestPort: 3389
+  SELECTION_5:
+    SourceAddress:
+    - 127.*
+    - ::1
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- unknown
+id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/06
+references:
+- https://twitter.com/SBousseaden/status/1096148422984384514
+- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.command_and_control
+- attack.lateral_movement
+- attack.t1076
+- attack.t1090
+- attack.t1090.001
+- attack.t1090.002
+- attack.t1021.001
+- car.2013-07-002
@@ -0,0 +1,28 @@
+
+title: Register new Logon Process by Rubeus
+ruletype: Sigma
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+description: Detects potential use of Rubeus via registered new trusted logon process
+detection:
+  SELECTION_1:
+    EventID: 4611
+  SELECTION_2:
+    LogonProcessName: User32LogonProcesss
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 12e6d621-194f-4f59-90cc-1959e21e69f7
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/08/14
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.t1208
+- attack.t1558.003
@@ -0,0 +1,32 @@
+
+title: Remote PowerShell Sessions Network Connections (WinRM)
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound
+  connections to ports 5985 OR 5986
+detection:
+  SELECTION_1:
+    EventID: 5156
+  SELECTION_2:
+    DestPort: 5985
+  SELECTION_3:
+    DestPort: 5986
+  SELECTION_4:
+    LayerRTID: 44
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate use of remote PowerShell execution
+id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/05/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
@@ -0,0 +1,33 @@
+
+title: Remote Registry Management Using Reg Utility
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Remote registry management using REG utility from non-admin workstation
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    RelativeTargetName: '*\winreg*'
+  SELECTION_3:
+    IpAddress: '%Admins_Workstations%'
+  condition: ((SELECTION_1 and SELECTION_2) and  not (SELECTION_3))
+falsepositives:
+- Legitimate usage of remote registry management by administrator
+id: 68fcba0d-73a5-475e-a915-e8b4c576827e
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1112
+- attack.discovery
+- attack.t1012
+- attack.credential_access
+- attack.t1552.002
+- attack.s0075
@@ -0,0 +1,36 @@
+
+title: SAM Registry Hive Handle Request
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects handles requested to SAM registry hive
+detection:
+  SELECTION_1:
+    EventID: 4656
+  SELECTION_2:
+    ObjectType: Key
+  SELECTION_3:
+    ObjectName: '*\SAM'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ProcessName
+- ObjectName
+id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
+status: test
+tags:
+- attack.discovery
+- attack.t1012
+- attack.credential_access
+- attack.t1552.002
@@ -0,0 +1,32 @@
+
+title: Scheduled Task Deletion
+ruletype: Sigma
+author: David Strassegger
+date: 2021/01/22
+description: Detects scheduled task deletion events. Scheduled tasks are likely to
+  be deleted if not used for persistence. Malicious Software often creates tasks directly
+  under the root node e.g. \TASKNAME
+detection:
+  SELECTION_1:
+    EventID: 4699
+  condition: SELECTION_1
+falsepositives:
+- Software installation
+id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
+level: medium
+logsource:
+  definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+    Access Events has to be configured to allow this detection. We also recommend
+    extracting the Command field from the embedded XML in the event data.
+  product: windows
+  service: security
+references:
+- https://twitter.com/matthewdunwoody/status/1352356685982146562
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
@@ -0,0 +1,30 @@
+
+title: SCM Database Handle Failure
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects non-system users failing to get a handle of the SCM database.
+detection:
+  SELECTION_1:
+    EventID: 4656
+  SELECTION_2:
+    ObjectType: SC_MANAGER OBJECT
+  SELECTION_3:
+    ObjectName: ServicesActive
+  SELECTION_4:
+    SubjectLogonId: '0x3e4'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Unknown
+id: 13addce7-47b2-4ca0-a98f-1de964d1d669
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/12
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1010
@@ -0,0 +1,33 @@
+
+title: SCM Database Privileged Operation
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/15
+description: Detects non-system users performing privileged operation os the SCM database
+detection:
+  SELECTION_1:
+    EventID: 4674
+  SELECTION_2:
+    ObjectType: SC_MANAGER OBJECT
+  SELECTION_3:
+    ObjectName: servicesactive
+  SELECTION_4:
+    PrivilegeList: SeTakeOwnershipPrivilege
+  SELECTION_5:
+    SubjectLogonId: '0x3e4'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5))
+falsepositives:
+- Unknown
+id: dae8171c-5ec6-4396-b210-8466585b53e9
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
+status: test
+tags:
+- attack.privilege_escalation
+- attack.t1548
@@ -0,0 +1,33 @@
+
+title: Remote WMI ActiveScriptEventConsumers
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers
+  remotely to move laterally in a network
+detection:
+  SELECTION_1:
+    EventID: 4624
+  SELECTION_2:
+    LogonType: 3
+  SELECTION_3:
+    ProcessName: '*scrcons.exe'
+  SELECTION_4:
+    TargetLogonId: '0x3e7'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- SCCM
+id: 9599c180-e3a8-4743-8f92-7fb96d3be648
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
@@ -0,0 +1,52 @@
+
+title: CobaltStrike Service Installations
+ruletype: Sigma
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/26
+description: Detects known malicious service installs that appear in cases in which
+  a Cobalt Strike beacon elevates privileges or lateral movement
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName: '*ADMIN$*'
+  SELECTION_3:
+    ServiceFileName: '*.exe*'
+  SELECTION_4:
+    ServiceFileName: '*%COMSPEC%*'
+  SELECTION_5:
+    ServiceFileName: '*start*'
+  SELECTION_6:
+    ServiceFileName: '*powershell*'
+  SELECTION_7:
+    ServiceFileName: '*powershell -nop -w hidden -encodedcommand*'
+  SELECTION_8:
+    ServiceFileName:
+    - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
+    - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
+    - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+    and SELECTION_6) or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+references:
+- https://www.sans.org/webcasts/119395
+- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+related:
+- id: 5a105d34-05fc-401e-8553-272b45c1522d
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1543.003
+- attack.t1569.002
@@ -0,0 +1,46 @@
+
+title: Credential Dumping Tools Service Execution
+ruletype: Sigma
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+  events
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName:
+    - '*fgexec*'
+    - '*dumpsvc*'
+    - '*cachedump*'
+    - '*mimidrv*'
+    - '*gsecdump*'
+    - '*servpw*'
+    - '*pwdump*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+related:
+- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+  type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
@@ -0,0 +1,38 @@
+
+title: Malicious Service Installations
+ruletype: Sigma
+author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+date: 2017/03/27
+description: Detects known malicious service installs that only appear in cases of
+  lateral movement, credential dumping, and other suspicious activities.
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceName: javamtsup
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration testing
+id: cb062102-587e-4414-8efa-dbe3c7bf19c6
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+references:
+- https://awakesecurity.com/blog/threat-hunting-for-paexec/
+- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
+- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
+related:
+- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
+  type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1003
+- attack.t1035
+- attack.t1050
+- car.2013-09-005
+- attack.t1543.003
+- attack.t1569.002
@@ -0,0 +1,49 @@
+
+title: Metasploit Or Impacket Service Installation Via SMB PsExec
+ruletype: Sigma
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/21
+description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and
+  Impacket psexec.py by triggering on specific service installation
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$
+  SELECTION_3:
+    ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)
+  SELECTION_4:
+    ServiceStartType: '3'
+  SELECTION_5:
+    ServiceType: '0x10'
+  SELECTION_6:
+    ServiceName: PSEXESVC
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    and  not (SELECTION_6))
+falsepositives:
+- Possible, different agents with a 8 character binary and a 4, 8 or 16 character
+  service name
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ServiceName
+- ServiceFileName
+id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/07/23
+references:
+- https://bczyz1.github.io/2021/01/30/psexec.html
+related:
+- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
+  type: derived
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1570
+- attack.execution
+- attack.t1569.002
@@ -0,0 +1,69 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+ruletype: Sigma
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+  a specific service installation
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_10:
+    ServiceFileName: '*cmd.exe*'
+  SELECTION_11:
+    ServiceFileName: '*/c*'
+  SELECTION_12:
+    ServiceFileName: '*echo*'
+  SELECTION_13:
+    ServiceFileName: '*\pipe\\*'
+  SELECTION_14:
+    ServiceFileName: '*rundll32*'
+  SELECTION_15:
+    ServiceFileName: '*.dll,a*'
+  SELECTION_16:
+    ServiceFileName: '*/p:*'
+  SELECTION_2:
+    ServiceFileName: '*cmd*'
+  SELECTION_3:
+    ServiceFileName: '*/c*'
+  SELECTION_4:
+    ServiceFileName: '*echo*'
+  SELECTION_5:
+    ServiceFileName: '*\pipe\\*'
+  SELECTION_6:
+    ServiceFileName: '*%COMSPEC%*'
+  SELECTION_7:
+    ServiceFileName: '*/c*'
+  SELECTION_8:
+    ServiceFileName: '*echo*'
+  SELECTION_9:
+    ServiceFileName: '*\pipe\\*'
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
+    and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
+    and SELECTION_16)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ServiceFileName
+id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
+level: critical
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+related:
+- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+  type: derived
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
@@ -0,0 +1,31 @@
+
+title: PowerShell Scripts Installed as Services
+ruletype: Sigma
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName:
+    - '*powershell*'
+    - '*pwsh*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+related:
+- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
@@ -0,0 +1,28 @@
+
+title: Tap Driver Installation
+ruletype: Sigma
+author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+date: 2019/10/24
+description: Well-known TAP software installation. Possible preparation for data exfiltration
+  using tunnelling techniques
+detection:
+  SELECTION_1:
+    EventID: 4697
+  SELECTION_2:
+    ServiceFileName: '*tap0901*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate OpenVPN TAP insntallation
+id: 9c8afa4d-0022-48f0-9456-3712466f9701
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+related:
+- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
+  type: derived
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
@@ -0,0 +1,35 @@
+
+title: WMI Persistence
+ruletype: Sigma
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+date: 2017/08/22
+description: Detects suspicious WMI event filter and command line event consumer based
+  on WMI and Security Logs.
+detection:
+  SELECTION_1:
+    EventID: 4662
+  SELECTION_2:
+    ObjectType: WMI Namespace
+  SELECTION_3:
+    ObjectName: '*subscription*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: f033f3f3-fd24-4995-97d8-a3bb17550a88
+level: medium
+logsource:
+  product: windows
+  service: security
+modified: 2021/09/21
+references:
+- https://twitter.com/mattifestation/status/899646620148539397
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+related:
+- id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
+  type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1084
+- attack.t1546.003
@@ -0,0 +1,32 @@
+
+title: SMB Create Remote File Admin Share
+ruletype: Sigma
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+date: 2020/08/06
+description: Look for non-system accounts SMB accessing a file with write (0x2) access
+  mask via administrative share (i.e C$).
+detection:
+  SELECTION_1:
+    EventID: 5145
+  SELECTION_2:
+    ShareName: '*C$'
+  SELECTION_3:
+    AccessMask: '0x2'
+  SELECTION_4:
+    SubjectUserName: '*$'
+  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Unknown
+id: b210394c-ba12-4f89-9117-44a2464b9511
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/11/27
+references:
+- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
+- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+status: test
+tags:
+- attack.lateral_movement
+- attack.t1021.002
@@ -0,0 +1,21 @@
+
+title: Addition of Domain Trusts
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/12/03
+description: Addition of domains is seldom and should be verified for legitimacy.
+detection:
+  SELECTION_1:
+    EventID: 4706
+  condition: SELECTION_1
+falsepositives:
+- Legitimate extension of domain structure
+id: 0255a820-e564-4e40-af2b-6ac61160335c
+level: medium
+logsource:
+  product: windows
+  service: security
+status: stable
+tags:
+- attack.persistence
+- attack.t1098
@@ -0,0 +1,36 @@
+
+title: Addition of SID History to Active Directory Object
+ruletype: Sigma
+author: Thomas Patzke, @atc_project (improvements)
+date: 2017/02/19
+description: An attacker can use the SID history attribute to gain additional privileges.
+detection:
+  SELECTION_1:
+    EventID: 4765
+  SELECTION_2:
+    EventID: 4766
+  SELECTION_3:
+    EventID: 4738
+  SELECTION_4:
+    SidHistory:
+    - '-'
+    - '%%1793'
+  SELECTION_5:
+    SidHistory|re: ^$
+  condition: ((SELECTION_1 or SELECTION_2) or ((SELECTION_3 and  not (SELECTION_4))
+    and  not (SELECTION_5)))
+falsepositives:
+- Migration of an account into a new domain
+id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
+level: medium
+logsource:
+  product: windows
+  service: security
+references:
+- https://adsecurity.org/?p=1772
+status: stable
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1178
+- attack.t1134.005
@@ -0,0 +1,25 @@
+
+title: Failed Code Integrity Checks
+ruletype: Sigma
+author: Thomas Patzke
+date: 2019/12/03
+description: Code integrity failures may indicate tampered executables.
+detection:
+  SELECTION_1:
+    EventID: 5038
+  SELECTION_2:
+    EventID: 6281
+  condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Disk device errors
+id: 470ec5fa-7b4e-4071-b200-4c753100f49b
+level: low
+logsource:
+  product: windows
+  service: security
+modified: 2020/08/23
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1009
+- attack.t1027.001
@@ -0,0 +1,25 @@
+
+title: Password Change on Directory Service Restore Mode (DSRM) Account
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/02/19
+description: The Directory Service Restore Mode (DSRM) account is a local administrator
+  account on Domain Controllers. Attackers may change the password to gain persistence.
+detection:
+  SELECTION_1:
+    EventID: 4794
+  condition: SELECTION_1
+falsepositives:
+- Initial installation of a domain controller
+id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2020/08/23
+references:
+- https://adsecurity.org/?p=1714
+status: stable
+tags:
+- attack.persistence
+- attack.t1098
--- a/Show More
+++ b/Show More