Feature/rm submodule (#312)
* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
@@ -0,0 +1,39 @@

title: Audit CVE Event
ruletype: Sigma
author: Florian Roth
date: 2020/01/15
description: Detects events generated by Windows to indicate the exploitation of a
known vulnerability (e.g. CVE-2020-0601)
detection:
SELECTION_1:
Provider_Name: Microsoft-Windows-Audit-CVE
condition: SELECTION_1
falsepositives:
- Unknown
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
level: critical
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://twitter.com/mattifestation/status/1217179698008068096
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
status: experimental
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004
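Review bot: the rule's logic is broader than its title and description suggest. SELECTION_1 matches every event from `Provider_Name: Microsoft-Windows-Audit-CVE` with no EventID or message constraint, so CVE-2020-0601 in the description is only an example and the rule is really a catch-all for the Audit-CVE channel; state that in the description. Because it ships at `level: critical`, `falsepositives: - Unknown` should be replaced with the actual expectation, namely that Windows reserves this provider for exploitation indicators and legitimate events from it are not expected. The Twitter-only `references` list would also benefit from a link to the vendor advisory for the example CVE.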
@@ -0,0 +1,44 @@

title: Relevant Anti-Virus Event
ruletype: Sigma
author: Florian Roth
date: 2017/02/19
description: This detection method points out highly relevant Antivirus events
detection:
SELECTION_1:
- HTool-
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- .WinCred.
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
SELECTION_2:
- Keygen
- Crack
condition: ((SELECTION_1) and not (SELECTION_2))
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
level: high
logsource:
product: windows
service: application
modified: 2021/11/20
status: experimental
tags:
- attack.resource_development
- attack.t1588
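Review bot: SELECTION_1 and SELECTION_2 are fieldless keyword lists, so both are substring matches over the whole event rather than over the AV signature name, and the short exclusion terms `Keygen` and `Crack` in SELECTION_2 will suppress a genuine SELECTION_1 hit whenever either substring occurs anywhere in the event, including a file path or user name. Suggest scoping the exclusion to the field that carries the threat or signature name, or at least documenting in `falsepositives` that the exclusion is a full-event substring match. Minor: the parentheses in `condition: ((SELECTION_1) and not (SELECTION_2))` are redundant; `SELECTION_1 and not SELECTION_2` is equivalent and easier to read.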
@@ -0,0 +1,28 @@

title: Atera Agent Installation
ruletype: Sigma
author: Bhabesh Raj
date: 2021/09/01
description: Detects successful installation of Atera Remote Monitoring & Management
(RMM) agent as recently found to be used by Conti operators
detection:
SELECTION_1:
EventID: 1033
SELECTION_2:
Provider_Name: MsiInstaller
SELECTION_3:
Message: '*AteraAgent*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate Atera agent installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
status: experimental
tags:
- attack.t1219
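Review bot: the description promises "successful installation", but nothing in the detection checks the outcome: MsiInstaller EventID 1033 is written when an install completes whether or not it succeeded (the message carries an "Installation success or error status" value), so a failed AteraAgent install fires this rule too. Either extend SELECTION_3 to require the success status in the message, or reword the description to "installation attempt". Style: SELECTION_1 through SELECTION_3 are always AND-ed together and describe one event shape, so they could be a single selection carrying EventID, Provider_Name and Message.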
@@ -0,0 +1,28 @@

title: Backup Catalog Deleted
ruletype: Sigma
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
date: 2017/05/12
description: Detects backup catalog deletions
detection:
SELECTION_1:
EventID: 524
SELECTION_2:
Provider_Name: Microsoft-Windows-Backup
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 9703792d-fd9a-456d-a672-ff92efe4806a
level: medium
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
status: experimental
tags:
- attack.defense_evasion
- attack.t1107
- attack.t1070.004
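Review bot: `attack.t1107` is a retired ATT&CK ID (File Deletion was folded into T1070.004, which this rule already tags), so the stale tag should be dropped to avoid double-counting in coverage reports. The detection itself, EventID 524 from Microsoft-Windows-Backup, is sound; since the rule is referenced against a ransomware sample, `falsepositives: - Unknown` undersells what is known: administrators deleting the catalog as part of backup maintenance produce the same event, and that is worth stating so analysts triage a `level: medium` hit correctly.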
@@ -0,0 +1,39 @@

title: Microsoft Malware Protection Engine Crash
ruletype: Sigma
author: Florian Roth
date: 2017/05/09
description: This rule detects a suspicious crash of the Microsoft Malware Protection
Engine
detection:
SELECTION_1:
Provider_Name: Application Error
SELECTION_2:
EventID: 1000
SELECTION_3:
Provider_Name: Windows Error Reporting
SELECTION_4:
EventID: 1001
SELECTION_5:
- MsMpEng.exe
SELECTION_6:
- mpengine.dll
condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and
(SELECTION_5 and SELECTION_6))
falsepositives:
- MsMpEng.exe can crash when C:\ is full
id: 6c82cf5c-090d-4d57-9188-533577631108
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1211
- attack.t1562.001
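Review bot: the condition requires SELECTION_5 (`MsMpEng.exe`) and SELECTION_6 (`mpengine.dll`) to both appear in the same event, whereas the Anti-Virus rule in this same commit expresses alternative keywords as one list under a single selection; a 1000/1001 record for an MsMpEng.exe crash whose faulting module is something other than mpengine.dll will therefore not match, and it is not clear that this restriction is intended. If either string should be enough, merge the two into one keyword list. Also, `attack.t1089` is a retired ID superseded by `attack.t1562.001`, which is already present; drop the old one. The description should mention that the rule pairs Application Error 1000 with Windows Error Reporting 1001 so that either reporting path is covered.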
@@ -0,0 +1,32 @@

title: CVE-2020-0688 Exploitation via Eventlog
ruletype: Sigma
author: Florian Roth, wagga
date: 2020/02/29
description: Detects the exploitation of Microsoft Exchange vulnerability as described
in CVE-2020-0688
detection:
SELECTION_1:
EventID: 4
SELECTION_2:
Provider_Name: MSExchange Control Panel
SELECTION_3:
Level: Error
SELECTION_4:
- '&__VIEWSTATE='
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: d6266bf5-935e-4661-b477-78772735a7cb
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
status: experimental
tags:
- attack.initial_access
- attack.t1190
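Review bot: the description says the rule "detects the exploitation", but what it keys on is an MSExchange Control Panel error record (EventID 4, `Level: Error`) whose message contains `&__VIEWSTATE=`; that error is logged for the attempt and does not by itself confirm that code ran, so the description and `falsepositives` should say this is an attempt indicator and that SELECTION_4 is a fieldless substring match over the event text. The nested parentheses in the condition add nothing; `SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4` reads more clearly. The `Level: Error` field relies on the level being rendered as a string rather than a number, which is worth a comment since the other rules here match on numeric EventIDs only.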
@@ -0,0 +1,27 @@

title: LPE InstallerFileTakeOver PoC CVE-2021-41379
ruletype: Sigma
author: Florian Roth
date: 2021/11/22
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
detection:
SELECTION_1:
EventID: 1033
SELECTION_2:
Provider_Name: MsiInstaller
SELECTION_3:
- test pkg
condition: ((SELECTION_1 and SELECTION_2) and SELECTION_3)
falsepositives:
- Other MSI packages for which your admins have used that name
id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
level: high
logsource:
product: windows
service: application
references:
- https://github.com/klinix5/InstallerFileTakeOver
status: experimental
tags:
- attack.initial_access
- attack.t1190
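Review bot: the tags contradict the title: `attack.initial_access` / `attack.t1190` describe exploiting a public-facing application, but this rule catches a local privilege escalation PoC (LPE is in both the title and the description), so the mapping should be `attack.privilege_escalation` / `attack.t1068`, the pair the Audit CVE rule in this same commit already uses. This is also the only rule in the set without a `modified` field; add it for consistency. The `test pkg` keyword in SELECTION_3 is a fieldless substring match, which the `falsepositives` entry already acknowledges; restricting it to the product-name portion of the 1033 message would tighten it.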