Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/deprecated/powershell_suspicious_download.yml

@@ -0,0 +1,26 @@
+
+title: Suspicious PowerShell Download
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+  SELECTION_1:
+  - System.Net.WebClient
+  SELECTION_2:
+  - .DownloadFile(
+  - .DownloadString(
+  condition: (SELECTION_1 and (SELECTION_2))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+level: medium
+logsource:
+  product: windows
+  service: powershell
+modified: 2021/09/21
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/deprecated/powershell_suspicious_invocation_generic.yml

@@ -0,0 +1,32 @@
+
+title: Suspicious PowerShell Invocations - Generic
+ruletype: Sigma
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+  SELECTION_1:
+  - ' -enc '
+  - ' -EncodedCommand '
+  SELECTION_2:
+  - ' -w hidden '
+  - ' -window hidden '
+  - ' -windowstyle hidden '
+  SELECTION_3:
+  - ' -noni '
+  - ' -noninteractive '
+  condition: ((SELECTION_1) and (SELECTION_2) and (SELECTION_3))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: 3d304fda-78aa-43ed-975c-d740798a49c1
+level: high
+logsource:
+  product: windows
+  service: powershell
+modified: 2021/12/02
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/deprecated/powershell_suspicious_invocation_specific.yml

@@ -0,0 +1,79 @@
+
+title: Suspicious PowerShell Invocations - Specific
+ruletype: Sigma
+author: Florian Roth (rule), Jonhnathan Ribeiro
+date: 2017/03/05
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+  SELECTION_1:
+  - ' -w '
+  SELECTION_10:
+  - bypass
+  SELECTION_11:
+  - -Enc
+  SELECTION_12:
+  - powershell
+  SELECTION_13:
+  - reg
+  SELECTION_14:
+  - add
+  SELECTION_15:
+  - HKCU\software\microsoft\windows\currentversion\run
+  SELECTION_16:
+  - bypass
+  SELECTION_17:
+  - -noprofile
+  SELECTION_18:
+  - -windowstyle
+  SELECTION_19:
+  - hidden
+  SELECTION_2:
+  - hidden
+  SELECTION_20:
+  - new-object
+  SELECTION_21:
+  - system.net.webclient
+  SELECTION_22:
+  - .download
+  SELECTION_23:
+  - iex
+  SELECTION_24:
+  - New-Object
+  SELECTION_25:
+  - Net.WebClient
+  SELECTION_26:
+  - .Download
+  SELECTION_3:
+  - -nop
+  SELECTION_4:
+  - ' -c '
+  SELECTION_5:
+  - '[Convert]::FromBase64String'
+  SELECTION_6:
+  - -noni
+  SELECTION_7:
+  - iex
+  SELECTION_8:
+  - New-Object
+  SELECTION_9:
+  - -ep
+  condition: ((((SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
+    ((SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_5)) or (SELECTION_9
+    and SELECTION_10 and SELECTION_11))) or (SELECTION_12 and SELECTION_13 and SELECTION_14
+    and SELECTION_15)) or (SELECTION_16 and SELECTION_17 and SELECTION_18 and SELECTION_19
+    and SELECTION_20 and SELECTION_21 and SELECTION_22)) or (SELECTION_23 and SELECTION_24
+    and SELECTION_25 and SELECTION_26))
+falsepositives:
+- Penetration tests
+id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+level: high
+logsource:
+  definition: Script block logging must be enabled for 4104, Module Logging must be
+    enabled for 4103
+  product: windows
+  service: powershell
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml

@@ -0,0 +1,26 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+  by adversaries to bypass PowerShell execution restrictions.
+detection:
+  condition: SyncAppvPublishingServer.exe
+falsepositives:
+- App-V clients
+id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+level: medium
+logsource:
+  product: windows
+  service: powershell
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+  type: derived
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218

rules/sigma/deprecated/process_creation_syncappvpublishingserver_exe.yml

@@ -0,0 +1,27 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+  by adversaries to bypass PowerShell execution restrictions.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image: '*\SyncAppvPublishingServer.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- App-V clients
+id: fde7929d-8beb-4a4c-b922-be9974671667
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218

rules/sigma/deprecated/sysmon_mimikatz_detection_lsass.yml

@@ -0,0 +1,45 @@
+
+title: Mimikatz Detection LSASS Access
+ruletype: Sigma
+author: Sherif Eldeeb
+date: 2017/10/18
+description: Detects process access to LSASS which is typical for Mimikatz (0x1000
+  PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
+  versions", 0x0010 PROCESS_VM_READ)
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    GrantedAccess:
+    - '0x1410'
+    - '0x1010'
+    - '0x410'
+  SELECTION_4:
+    SourceImage: C:\Program Files\WindowsApps\\*
+  SELECTION_5:
+    SourceImage: '*\GamingServices.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4
+    and SELECTION_5))
+falsepositives:
+- Some security products access LSASS in this way.
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/11/30
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+status: deprecated
+tags:
+- attack.t1003
+- attack.s0002
+- attack.credential_access
+- car.2019-04-004

rules/sigma/deprecated/sysmon_rclone_execution.yml

@@ -0,0 +1,54 @@
+
+title: RClone Execution
+ruletype: Sigma
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+description: Detects execution of RClone utility for exfiltration as used by various
+  ransomwares strains like REvil, Conti, FiveHands, etc
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Description: Rsync for cloud storage
+  SELECTION_3:
+    CommandLine: '*--config *'
+  SELECTION_4:
+    CommandLine: '*--no-check-certificate *'
+  SELECTION_5:
+    CommandLine: '* copy *'
+  SELECTION_6:
+    Image:
+    - '*\rclone.exe'
+  SELECTION_7:
+    CommandLine:
+    - '*mega*'
+    - '*pcloud*'
+    - '*ftp*'
+    - '*--progress*'
+    - '*--ignore-existing*'
+    - '*--auto-confirm*'
+    - '*--transfers*'
+    - '*--multi-thread-streams*'
+  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Legitimate RClone use
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/06/29
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+status: deprecated
+tags:
+- attack.exfiltration
+- attack.t1567.002

rules/sigma/deprecated/win_susp_esentutl_activity.yml

@@ -0,0 +1,35 @@
+
+title: Suspicious Esentutl Use
+ruletype: Sigma
+author: Florian Roth
+date: 2020/05/23
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity.
+  It could be used in rare cases by administrators to access locked files or during
+  maintenance.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine: '* /vss *'
+  SELECTION_3:
+    CommandLine: '* /y *'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrative activity
+fields:
+- CommandLine
+- ParentCommandLine
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+level: high
+logsource:
+  category: process_creation
+  product: windows
+references:
+- https://lolbas-project.github.io/
+- https://twitter.com/chadtilbury/status/1264226341408452610
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.s0404
+- attack.t1218

rules/sigma/deprecated/win_susp_rclone_exec.yml

@@ -0,0 +1,42 @@
+
+title: Rclone Execution via Command Line or PowerShell
+ruletype: Sigma
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects Rclone which is commonly used by ransomware groups for exfiltration
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine:
+    - '* pass *'
+    - '* user *'
+    - '* copy *'
+    - '* mega *'
+    - '* sync *'
+    - '* config *'
+    - '* lsd *'
+    - '* remote *'
+    - '* ls *'
+  SELECTION_3:
+    Description: Rsync for cloud storage
+  SELECTION_4:
+    Image: '*\rclone.exe'
+  SELECTION_5:
+    ParentImage:
+    - '*\PowerShell.exe'
+    - '*\cmd.exe'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Legitimate Rclone usage (rare)
+id: cb7286ba-f207-44ab-b9e6-760d82b84253
+level: high
+logsource:
+  category: process_creation
+  product: windows
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: deprecated
+tags:
+- attack.exfiltration
+- attack.t1567.002

rules/sigma/deprecated/win_susp_vssadmin_ntds_activity.yml

@@ -0,0 +1,42 @@
+
+title: Activity Related to NTDS.dit Domain Hash Retrieval
+ruletype: Sigma
+author: Florian Roth, Michael Haag
+date: 2019/01/16
+description: Detects suspicious commands that could be related to activity that uses
+  volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine:
+    - vssadmin.exe Delete Shadows
+    - 'vssadmin create shadow /for=C:'
+    - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
+    - copy \\?\GLOBALROOT\Device\\*\config\SAM
+    - 'vssadmin delete shadows /for=C:'
+    - 'reg SAVE HKLM\SYSTEM '
+    - esentutl.exe /y /vss *\ntds.dit*
+    - esentutl.exe /y /vss *\SAM
+    - esentutl.exe /y /vss *\SYSTEM
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrative activity
+fields:
+- CommandLine
+- ParentCommandLine
+id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
+level: high
+logsource:
+  category: process_creation
+  product: windows
+references:
+- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
+- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
+- https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
+- https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
+- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+status: deprecated
+tags:
+- attack.credential_access
+- attack.t1003