Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
--- a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml
@@ -0,0 +1,42 @@
+
+title: CACTUSTORCH Remote Thread Creation
+ruletype: Sigma
+author: '@SBousseaden (detection), Thomas Patzke (rule)'
+date: 2019/02/01
+description: Detects remote thread creation from CACTUSTORCH as described in references.
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    SourceImage:
+    - '*\System32\cscript.exe'
+    - '*\System32\wscript.exe'
+    - '*\System32\mshta.exe'
+    - '*\winword.exe'
+    - '*\excel.exe'
+  SELECTION_3:
+    TargetImage: '*\SysWOW64\\*'
+  SELECTION_4:
+    StartModule|re: ^$
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 2e4e488a-6164-4811-9ea1-f960c7359c40
+level: high
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/11/12
+references:
+- https://twitter.com/SBousseaden/status/1090588499517079552
+- https://github.com/mdsecactivebreach/CACTUSTORCH
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1093
+- attack.t1055.012
+- attack.execution
+- attack.t1064
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1218.005
--- a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -0,0 +1,32 @@
+
+title: CobaltStrike Process Injection
+ruletype: Sigma
+author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+date: 2018/11/30
+description: Detects a possible remote threat creation with certain characteristics
+  which are typical for Cobalt Strike beacons
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    StartAddress:
+    - '*0B80'
+    - '*0C7C'
+    - '*0C88'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+level: high
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/11/20
+references:
+- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
--- a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -0,0 +1,30 @@
+
+title: CreateRemoteThread API and LoadLibrary
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects potential use of CreateRemoteThread api and LoadLibrary function
+  to inject DLL into a process
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    StartModule: '*\kernel32.dll'
+  SELECTION_3:
+    StartFunction: LoadLibraryA
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 052ec6f6-1adc-41e6-907a-f1c813478bee
+level: critical
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/11/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
--- a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
+++ b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -0,0 +1,33 @@
+
+title: Password Dumper Remote Thread in LSASS
+ruletype: Sigma
+author: Thomas Patzke
+date: 2017/02/19
+description: Detects password dumper activity by monitoring remote thread creation
+  EventID 8 in combination with the lsass.exe process as TargetImage. The process
+  in field Process is the malicious program. A single execution can lead to hundreds
+  of events.
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    StartModule: ''
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Antivirus products
+id: f239b326-2f41-4d6b-9dfa-c846a60ef505
+level: high
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/06/21
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.s0005
+- attack.t1003.001
--- a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml
+++ b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml
@@ -0,0 +1,28 @@
+
+title: Accessing WinAPI in PowerShell. Code Injection.
+ruletype: Sigma
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+description: Detecting Code injection with PowerShell in another process
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    SourceImage: '*\powershell.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+level: high
+logsource:
+  category: create_remote_thread
+  definition: Note that you have to configure logging for CreateRemoteThread in Symson
+    config
+  product: windows
+modified: 2021/11/27
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
--- a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml
+++ b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -0,0 +1,32 @@
+
+title: PowerShell Rundll32 Remote Thread Creation
+ruletype: Sigma
+author: Florian Roth
+date: 2018/06/25
+description: Detects PowerShell remote thread creation in Rundll32.exe
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    SourceImage: '*\powershell.exe'
+  SELECTION_3:
+    TargetImage: '*\rundll32.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 99b97608-3e21-4bfe-8217-2a127c396a0e
+level: high
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/11/12
+references:
+- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1085
+- attack.t1218.011
+- attack.t1086
+- attack.t1059.001
--- a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml
+++ b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml
@@ -0,0 +1,89 @@
+
+title: Suspicious Remote Thread Created
+ruletype: Sigma
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
+  however, this is still largely observed in the wild. This rule aims to detect suspicious
+  processes (those we would not expect to behave in this way like word.exe or outlook.exe)
+  creating remote threads on other processes. It is a generalistic rule, but it should
+  have a low FP ratio due to the selected range of processes.
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_2:
+    SourceImage:
+    - '*\bash.exe'
+    - '*\cvtres.exe'
+    - '*\defrag.exe'
+    - '*\dnx.exe'
+    - '*\esentutl.exe'
+    - '*\excel.exe'
+    - '*\expand.exe'
+    - '*\explorer.exe'
+    - '*\find.exe'
+    - '*\findstr.exe'
+    - '*\forfiles.exe'
+    - '*\git.exe'
+    - '*\gpupdate.exe'
+    - '*\hh.exe'
+    - '*\iexplore.exe'
+    - '*\installutil.exe'
+    - '*\lync.exe'
+    - '*\makecab.exe'
+    - '*\mDNSResponder.exe'
+    - '*\monitoringhost.exe'
+    - '*\msbuild.exe'
+    - '*\mshta.exe'
+    - '*\msiexec.exe'
+    - '*\mspaint.exe'
+    - '*\outlook.exe'
+    - '*\ping.exe'
+    - '*\powerpnt.exe'
+    - '*\powershell.exe'
+    - '*\provtool.exe'
+    - '*\python.exe'
+    - '*\regsvr32.exe'
+    - '*\robocopy.exe'
+    - '*\runonce.exe'
+    - '*\sapcimc.exe'
+    - '*\schtasks.exe'
+    - '*\smartscreen.exe'
+    - '*\spoolsv.exe'
+    - '*\tstheme.exe'
+    - '*\userinit.exe'
+    - '*\vssadmin.exe'
+    - '*\vssvc.exe'
+    - '*\w3wp.exe'
+    - '*\winlogon.exe'
+    - '*\winscp.exe'
+    - '*\wmic.exe'
+    - '*\word.exe'
+    - '*\wscript.exe'
+  SELECTION_3:
+    SourceImage: '*Visual Studio*'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+id: 66d31e5f-52d6-40a4-9615-002d3789a119
+level: high
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/06/27
+notes:
+- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite
+  for process injection for .NET in-memory offensive tools.
+references:
+- Personal research, statistical analysis
+- https://lolbas-project.github.io
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055