Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
@@ -0,0 +1,30 @@
+
+title: Pingback Backdoor
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+  as described in the trustwave report
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*msdtc.exe'
+  SELECTION_3:
+    ImageLoaded: C:\Windows\oci.dll
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
@@ -0,0 +1,29 @@
+
+title: SILENTTRINITY Stager Execution
+ruletype: Sigma
+author: Aleksey Potapov, oscd.community
+date: 2019/10/22
+description: Detects SILENTTRINITY stager use
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Description: '*st2stager*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/10/04
+references:
+- https://github.com/byt3bl33d3r/SILENTTRINITY
+related:
+- id: 03552375-cc2c-4883-bbe4-7958d5a980be
+  type: derived
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
@@ -0,0 +1,31 @@
+
+title: Wmiprvse Wbemcomn DLL Hijack
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+  directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\wmiprvse.exe'
+  SELECTION_3:
+    ImageLoaded: '*\wbem\wbemcomn.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7707a579-e0d8-4886-a853-ce47e4575aaa
+level: critical
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
@@ -0,0 +1,57 @@
+
+title: Suspicious WSMAN Provider Image Loads
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+description: Detects signs of potential use of the WSMAN provider from uncommon processes
+  locally and remote execution.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\WsmSvc.dll'
+    - '*\WsmAuto.dll'
+    - '*\Microsoft.WSMan.Management.ni.dll'
+  SELECTION_3:
+    OriginalFileName:
+    - WsmSvc.dll
+    - WSMANAUTOMATION.DLL
+    - Microsoft.WSMan.Management.dll
+  SELECTION_4:
+    Image: '*\svchost.exe'
+  SELECTION_5:
+    OriginalFileName: WsmWmiPl.dll
+  SELECTION_6:
+    Image:
+    - '*\powershell.exe'
+    - '*C:\Windows\System32\sdiagnhost.exe'
+  SELECTION_7:
+    CommandLine:
+    - '*svchost.exe -k netsvcs -p -s BITS*'
+    - '*svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc*'
+  SELECTION_8:
+    Image: C:\Windows\Microsoft.NET\Framework64\\*
+  SELECTION_9:
+    Image: '*\mscorsvw.exe'
+  condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5))
+    and  not ((SELECTION_6) or (SELECTION_7) or (SELECTION_8 and SELECTION_9)))
+falsepositives:
+- Unknown
+id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/03
+references:
+- https://twitter.com/chadtilbury/status/1275851297770610688
+- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+- https://github.com/bohops/WSMan-WinRM
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.lateral_movement
+- attack.t1021.003
@@ -0,0 +1,34 @@
+
+title: Time Travel Debugging Utility Usage
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+  malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage: '*\tttracer.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+related:
+- id: e76c8240-d68f-4773-8880-5c6f63595aaf
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
@@ -0,0 +1,40 @@
+
+title: Abusing Azure Browser SSO
+ruletype: Sigma
+author: Den Iuzvyk
+date: 2020/07/15
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens
+  for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure
+  AD and a user logs in with their Azure AD account) wanting to perform SSO authentication
+  in the browser. An attacker can use this to authenticate to Azure AD in a browser
+  as that user.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded: '*MicrosoftAccountTokenProvider.dll'
+  SELECTION_3:
+    Image:
+    - '*\BackgroundTaskHost.exe'
+    - '*\devenv.exe'
+    - '*\iexplore.exe'
+    - '*\MicrosoftEdge.exe'
+    - '*\Microsoft\Edge\Application\msedge.exe'
+    - '*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
+falsepositives:
+- unknown
+id: 50f852e6-af22-4c78-9ede-42ef36aa3453
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/08
+references:
+- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+status: test
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1073
+- attack.t1574.002
@@ -0,0 +1,39 @@
+
+title: Alternate PowerShell Hosts
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+  for powershell.exe
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Description: System.Management.Automation
+  SELECTION_3:
+    ImageLoaded: '*System.Management.Automation*'
+  SELECTION_4:
+    Image:
+    - '*\powershell.exe'
+    - '*\mscorsvw.exe'
+  SELECTION_5:
+    Image:
+    - C:\Program Files (x86)\Microsoft Visual Studio\\*
+    - C:\Program Files\Microsoft Visual Studio\\*
+    - C:\Windows\System32\\*
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4
+    or SELECTION_5))
+falsepositives:
+- Unknown
+id: fe6e002f-f244-4278-9263-20e4b593827f
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/07
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
@@ -0,0 +1,25 @@
+
+title: FoggyWeb Backdoor DLL Loading
+ruletype: Sigma
+author: Florian Roth
+date: 2021/09/27
+description: Detects DLL image load activity as used by FoggyWeb backdoor loader
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: C:\Windows\ADFS\version.dll
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
+level: critical
+logsource:
+  category: image_load
+  product: windows
+references:
+- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1587
@@ -0,0 +1,60 @@
+
+title: In-memory PowerShell
+ruletype: Sigma
+author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
+date: 2019/11/14
+description: Detects loading of essential DLL used by PowerShell, but not by the process
+  powershell.exe. Detects meterpreter's "load powershell" extension.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\System.Management.Automation.Dll'
+    - '*\System.Management.Automation.ni.Dll'
+  SELECTION_3:
+    Image:
+    - '*\powershell.exe'
+    - '*\powershell_ise.exe'
+    - '*\WINDOWS\System32\sdiagnhost.exe'
+    - '*\mscorsvw.exe'
+    - '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
+    - '*\sqlps.exe'
+    - '*\wsmprovhost.exe'
+    - '*\winrshost.exe'
+    - '*\syncappvpublishingserver.exe'
+    - '*\runscripthelper.exe'
+    - '*\ServerManager.exe'
+    - '*\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
+    - '*\IDE\devenv.exe'
+    - '*\ServiceHub.VSDetouredHost.exe'
+    - '*\ServiceHub.SettingsHost.exe'
+    - '*\ServiceHub.Host.CLR.x86.exe'
+  SELECTION_4:
+    Image:
+    - C:\Program Files (x86)\Microsoft Visual Studio\\*
+    - C:\Program Files\Microsoft Visual Studio\\*
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3 or SELECTION_4))
+enrichment:
+- EN_0001_cache_sysmon_event_id_1_info
+- EN_0003_enrich_other_sysmon_events_with_event_id_1_data
+falsepositives:
+- Used by some .NET binaries, minimal on user workstation.
+- Used by Microsoft SQL Server Management Studio
+id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://adsecurity.org/?p=2921
+- https://github.com/p3nt4/PowerShdll
+related:
+- id: 867613fb-fa60-4497-a017-a82df74a172c
+  type: obsoletes
+status: experimental
+tags:
+- attack.t1086
+- attack.t1059.001
+- attack.execution
@@ -0,0 +1,27 @@
+
+title: PCRE.NET Package Image Load
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+description: Detects processes loading modules related to PCRE.NET package
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 84b0a8f3-680b-4096-a45b-e9a89221727c
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/08/14
+references:
+- https://twitter.com/rbmaslen/status/1321859647091970051
+- https://twitter.com/tifkin_/status/1321916444557365248
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
@@ -0,0 +1,37 @@
+
+title: WMI Script Host Process Image Loaded
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe
+  functionality being used via images being loaded by a process.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\scrcons.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\vbscript.dll'
+    - '*\wbemdisp.dll'
+    - '*\wshom.ocx'
+    - '*\scrrun.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/HunterPlaybook/status/1301207718355759107
+- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: test
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
@@ -0,0 +1,34 @@
+
+title: Windows Spooler Service Suspicious Binary Load
+ruletype: Sigma
+author: FPT.EagleEye, Thomas Patzke (improvements)
+date: 2021/06/29
+description: Detect DLL Load from Spooler Service backup folder
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*spoolsv.exe'
+  SELECTION_3:
+    ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*'
+  SELECTION_4:
+    ImageLoaded: '*.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Loading of legitimate driver
+id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
+level: informational
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
+- cve.2021.1675
+- cve.2021.34527
@@ -0,0 +1,38 @@
+
+title: Fax Service DLL Search Order Hijack
+ruletype: Sigma
+author: NVISO
+date: 2020/05/04
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An
+  attacker can then (side)load their own malicious DLL using this service.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*fxssvc.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*ualapi.dll'
+  SELECTION_4:
+    ImageLoaded:
+    - C:\Windows\WinSxS\\*
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Unlikely
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://windows-internals.com/faxing-your-way-to-system/
+status: test
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1038
+- attack.t1574.001
+- attack.t1574.002
@@ -0,0 +1,33 @@
+
+title: Possible Process Hollowing Image Loading
+ruletype: Sigma
+author: Markus Neis
+date: 2018/01/07
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.
+  through process hollowing by Mimikatz
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\notepad.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\samlib.dll'
+    - '*\WinSCard.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very likely, needs more tuning
+id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
@@ -0,0 +1,34 @@
+
+title: dotNET DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects any assembly DLL being loaded by an Office Product
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - C:\Windows\assembly\\*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
@@ -0,0 +1,34 @@
+
+title: CLR DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects CLR DLL being loaded by an Office Product
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\clr.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
@@ -0,0 +1,34 @@
+
+title: GAC DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects any GAC DLL being loaded by an Office Product
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - C:\Windows\Microsoft.NET\assembly\GAC_MSIL*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
@@ -0,0 +1,34 @@
+
+title: Active Directory Parsing DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DSParse DLL being loaded by an Office Product
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\dsparse.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
@@ -0,0 +1,34 @@
+
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects Kerberos DLL being loaded by an Office Product
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\kerberos.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
@@ -0,0 +1,37 @@
+
+title: Python Py2Exe Image Load
+ruletype: Sigma
+author: Patrick St. John, OTR (Open Threat Research)
+date: 2020/05/03
+description: Detects the image load of Python Core indicative of a Python script bundled
+  with Py2Exe.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Description: Python Core
+  SELECTION_3:
+    Image:
+    - '*Python*'
+  SELECTION_4:
+    Image:
+    - C:\Program Files\\*
+    - C:\Program Files (x86)\\*
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Legit Py2Exe Binaries
+fields:
+- Description
+id: cbb56d62-4060-40f7-9466-d8aaf3123f83
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/05
+references:
+- https://www.py2exe.org/
+- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027.002
@@ -0,0 +1,37 @@
+
+title: CLR DLL Loaded Via Scripting Applications
+ruletype: Sigma
+author: omkar72, oscd.community
+date: 2020/10/14
+description: Detects CLR DLL being loaded by an scripting applications
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\wscript.exe'
+    - '*\cscript.exe'
+    - '*\mshta.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\clr.dll'
+    - '*\mscoree.dll'
+    - '*\mscorlib.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 4508a70e-97ef-4300-b62b-ff27992990ea
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://github.com/tyranid/DotNetToJScript
+- https://thewover.github.io/Introducing-Donut/
+- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+status: test
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1055
@@ -0,0 +1,40 @@
+
+title: Suspicious System.Drawing Load
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for processes loading System.Drawing.ni.dll. This
+  could be an indicator of potential Screen Capture.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded: '*\System.Drawing.ni.dll'
+  SELECTION_3:
+    Image:
+    - C:\Program Files\\*
+    - C:\Program Files (x86)\\*
+    - C:\Windows\System32\\*
+    - C:\Windows\Microsoft.NET\\*
+    - C:\Windows\ImmersiveControlPanel\\*
+  SELECTION_4:
+    Image:
+    - C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe
+    - C:\Users\\*\GitHubDesktop\Update.exe
+    - C:\Windows\System32\NhNotifSys.exe
+  condition: (SELECTION_1 and SELECTION_2 and  not ((SELECTION_3) or (SELECTION_4)))
+falsepositives:
+- unknown
+id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
+level: low
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/05
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/16
+- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+status: experimental
+tags:
+- attack.collection
+- attack.t1113
@@ -0,0 +1,36 @@
+
+title: VBA DLL Loaded Via Microsoft Word
+ruletype: Sigma
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\VBE7.DLL'
+    - '*\VBEUI.DLL'
+    - '*\VBE7INTL.DLL'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: test
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
@@ -0,0 +1,38 @@
+
+title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
+ruletype: Sigma
+author: Michael R. (@nahamike01)
+date: 2019/12/26
+description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\winword.exe'
+    - '*\powerpnt.exe'
+    - '*\excel.exe'
+    - '*\outlook.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\wmiutils.dll'
+    - '*\wbemcomn.dll'
+    - '*\wbemprox.dll'
+    - '*\wbemdisp.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Possible. Requires further testing.
+id: a457f232-7df9-491d-898f-b5aabd2cbe2f
+level: informational
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/22
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
+- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
+status: deprecated
+tags:
+- attack.execution
+- attack.t1047
@@ -0,0 +1,72 @@
+
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+ruletype: Sigma
+author: Perez Diego (@darkquassar), oscd.community, Ecco
+date: 2019/10/27
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by
+  suspicious processes. Tools like ProcessHacker and some attacker tradecract use
+  MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity
+  C2 Framework has a module that leverages this API to dump the contents of Lsass.exe
+  and transfer it over the network back to the attacker's machine.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\dbghelp.dll'
+    - '*\dbgcore.dll'
+  SELECTION_3:
+    Image:
+    - '*\msbuild.exe'
+    - '*\cmd.exe'
+    - '*\svchost.exe'
+    - '*\rundll32.exe'
+    - '*\powershell.exe'
+    - '*\word.exe'
+    - '*\excel.exe'
+    - '*\powerpnt.exe'
+    - '*\outlook.exe'
+    - '*\monitoringhost.exe'
+    - '*\wmic.exe'
+    - '*\bash.exe'
+    - '*\wscript.exe'
+    - '*\cscript.exe'
+    - '*\mshta.exe'
+    - '*\regsvr32.exe'
+    - '*\schtasks.exe'
+    - '*\dnx.exe'
+    - '*\regsvcs.exe'
+    - '*\sc.exe'
+    - '*\scriptrunner.exe'
+  SELECTION_4:
+    Signed: 'FALSE'
+  SELECTION_5:
+    Image: '*Visual Studio*'
+  SELECTION_6:
+    CommandLine: '*-k LocalSystemNetworkRestricted*'
+  SELECTION_7:
+    CommandLine: C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding
+  condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4)) and  not
+    (SELECTION_5 or SELECTION_6)) and  not (SELECTION_7))
+falsepositives:
+- Penetration tests
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/05
+references:
+- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
@@ -0,0 +1,43 @@
+
+title: Svchost DLL Search Order Hijack
+ruletype: Sigma
+author: SBousseaden
+date: 2019/10/28
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that
+  do not exist within C:\Windows\System32\ by default. An attacker can place their
+  malicious logic within the PROCESS_ATTACH block of their library and restart the
+  aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote
+  machine.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\svchost.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\tsmsisrv.dll'
+    - '*\tsvipsrv.dll'
+    - '*\wlbsctrl.dll'
+  SELECTION_4:
+    ImageLoaded:
+    - C:\Windows\WinSxS\\*
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Pentest
+id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+status: test
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1038
+- attack.t1574.001
@@ -0,0 +1,34 @@
+
+title: Time Travel Debugging Utility Usage
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+  malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\ttdrecord.dll'
+    - '*\ttdwriter.dll'
+    - '*\ttdloader.dll'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
@@ -0,0 +1,37 @@
+
+title: UAC Bypass With Fake DLL
+ruletype: Sigma
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+description: Attempts to load dismcore.dll after dropping it
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image:
+    - '*\dism.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\dismcore.dll'
+  SELECTION_4:
+    ImageLoaded:
+    - C:\Windows\System32\Dism\dismcore.dll
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Pentests
+- Actions of a legitimate telnet client
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/23
+references:
+- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+- attack.t1574.002
@@ -0,0 +1,48 @@
+
+title: UIPromptForCredentials DLLs
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects potential use of UIPromptForCredentials functions by looking
+  for some of the DLLs needed for it.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\credui.dll'
+    - '*\wincredui.dll'
+  SELECTION_3:
+    OriginalFileName:
+    - credui.dll
+    - wincredui.dll
+  SELECTION_4:
+    Image:
+    - C:\Windows\System32\\*
+    - C:\Windows\explorer.exe*
+    - C:\Program Files\\*
+    - C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe*
+    - C:\Program Files (x86)\\*
+    - C:\Windows\ImmersiveControlPanel\SystemSettings.exe*
+    - C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe*
+  SELECTION_5:
+    Image: '*\opera_autoupdate.exe'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and  not (SELECTION_4 or
+    SELECTION_5))
+falsepositives:
+- other legitimate processes loading those DLLs in your environment.
+id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/12/03
+references:
+- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
+- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+status: experimental
+tags:
+- attack.credential_access
+- attack.collection
+- attack.t1056.002
@@ -0,0 +1,29 @@
+
+title: Unsigned Image Loaded Into LSASS Process
+ruletype: Sigma
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Loading unsigned image (DLL, EXE) into LSASS process
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\lsass.exe'
+  SELECTION_3:
+    Signed: 'false'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Valid user connecting using RDP
+id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
@@ -0,0 +1,67 @@
+
+title: WMI Modules Loaded
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects non wmiprvse loading WMI modules
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\wmiclnt.dll'
+    - '*\WmiApRpl.dll'
+    - '*\wmiprov.dll'
+    - '*\wmiutils.dll'
+    - '*\wbemcomn.dll'
+    - '*\wbemprox.dll'
+    - '*\WMINet_Utils.dll'
+    - '*\wbemsvc.dll'
+    - '*\fastprox.dll'
+  SELECTION_3:
+    Image:
+    - '*\WmiPrvSE.exe'
+    - '*\WmiApSrv.exe'
+    - '*\svchost.exe'
+    - '*\DeviceCensus.exe'
+    - '*\CompatTelRunner.exe'
+    - '*\sdiagnhost.exe'
+    - '*\SIHClient.exe'
+    - '*\ngentask.exe'
+    - '*\windows\system32\taskhostw.exe'
+    - '*\windows\system32\MoUsoCoreWorker.exe'
+    - '*\windows\system32\wbem\WMIADAP.exe'
+    - '*C:\Windows\Sysmon64.exe'
+    - '*C:\Windows\Sysmon.exe'
+    - '*C:\Windows\System32\wbem\unsecapp.exe'
+    - '*\logman.exe'
+    - '*\systeminfo.exe'
+    - '*\nvcontainer.exe'
+    - '*C:\Windows\System32\wbem\WMIC.exe'
+    - '*\explorer.exe'
+    - '*\opera_autoupdate.exe'
+    - '*\MsMpEng.exe'
+  SELECTION_4:
+    Image:
+    - C:\Program Files\\*
+    - C:\Program Files (x86)\\*
+  condition: (SELECTION_1 and (SELECTION_2 and  not (SELECTION_3)) and  not (SELECTION_4))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
+level: informational
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/25
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
@@ -0,0 +1,29 @@
+
+title: WMI Persistence - Command Line Event Consumer
+ruletype: Sigma
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects WMI command line event consumers
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: C:\Windows\System32\wbem\WmiPrvSE.exe
+  SELECTION_3:
+    ImageLoaded: '*\wbemcons.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: test
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
@@ -0,0 +1,34 @@
+
+title: WMIC Loading Scripting Libraries
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/17
+description: Detects threat actors proxy executing code and bypassing application
+  controls by leveraging wmic and the `/FORMAT` argument switch to download and execute
+  an XSL file (i.e js, vbs, etc).
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\wmic.exe'
+  SELECTION_3:
+    ImageLoaded:
+    - '*\jscript.dll'
+    - '*\vbscript.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Apparently, wmic os get lastboottuptime loads vbscript.dll
+id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/11/27
+references:
+- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+- https://twitter.com/dez_/status/986614411711442944
+- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1220
@@ -0,0 +1,29 @@
+
+title: APT PRIVATELOG Image Load Pattern
+ruletype: Sigma
+author: Florian Roth
+date: 2021/09/07
+description: Detects an image load pattern as seen when a tool named PRIVATELOG is
+  used and rarely observed under legitimate circumstances
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\svchost.exe'
+  SELECTION_3:
+    ImageLoaded: '*\clfsw32.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Rarely observed
+id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
+level: high
+logsource:
+  category: image_load
+  product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
@@ -0,0 +1,43 @@
+
+title: Image Load of VSS_PS.dll by Uncommon Executable
+ruletype: Sigma
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName
+  datapoint
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded:
+    - '*\vss_ps.dll'
+  SELECTION_3:
+    Image:
+    - '*\svchost.exe'
+    - '*\msiexec.exe'
+    - '*\vssvc.exe'
+    - '*\srtasks.exe'
+    - '*\tiworker.exe'
+    - '*\dllhost.exe'
+    - '*\searchindexer.exe'
+    - '*dismhost.exe'
+    - '*taskhostw.exe'
+    - '*\clussvc.exe'
+  SELECTION_4:
+    Image: '*c:\windows\\*'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3 and SELECTION_4))
+falsepositives:
+- unknown
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+level: high
+logsource:
+  category: image_load
+  product: windows
+references:
+- 1bd85e1caa1415ebdc8852c91e37bbb7
+- https://twitter.com/am0nsec/status/1412232114980982787
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.impact
+- attack.t1490