Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/malware/av_exploiting.yml

@@ -0,0 +1,42 @@
+
+title: Antivirus Exploitation Framework Detection
+ruletype: Sigma
+author: Florian Roth
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports an exploitation
+  framework
+detection:
+  SELECTION_1:
+    Signature:
+    - '*MeteTool*'
+    - '*MPreter*'
+    - '*Meterpreter*'
+    - '*Metasploit*'
+    - '*PowerSploit*'
+    - '*CobaltSrike*'
+    - '*Swrort*'
+    - '*Rozena*'
+    - '*Backdoor.Cobalt*'
+    - '*CobaltStr*'
+    - '*COBEACON*'
+    - '*Cometer*'
+    - '*Razy*'
+  condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
+level: critical
+logsource:
+  product: antivirus
+modified: 2021/11/27
+references:
+- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+status: test
+tags:
+- attack.execution
+- attack.t1203
+- attack.command_and_control
+- attack.t1219

rules/sigma/malware/av_hacktool.yml

@@ -0,0 +1,33 @@
+
+title: Antivirus Hacktool Detection
+ruletype: Sigma
+author: Florian Roth
+date: 2021/08/16
+description: Detects a highly relevant Antivirus alert that reports a hack tool or
+  other attack tool
+detection:
+  SELECTION_1:
+    Signature:
+    - HTOOL*
+    - HKTL*
+    - SecurityTool*
+    - ATK/*
+  SELECTION_2:
+    Signature:
+    - '*Hacktool*'
+  condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
+level: high
+logsource:
+  product: antivirus
+references:
+- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204

rules/sigma/malware/av_password_dumper.yml

@@ -0,0 +1,42 @@
+
+title: Antivirus Password Dumper Detection
+ruletype: Sigma
+author: Florian Roth
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports a password dumper
+detection:
+  SELECTION_1:
+    Signature:
+    - '*DumpCreds*'
+    - '*Mimikatz*'
+    - '*PWCrack*'
+    - '*HTool/WCE*'
+    - '*PSWtool*'
+    - '*PWDump*'
+    - '*SecurityTool*'
+    - '*PShlSpy*'
+    - '*Rubeus*'
+    - '*Kekeo*'
+    - '*LsassDump*'
+    - '*Outflank*'
+  condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
+level: critical
+logsource:
+  product: antivirus
+modified: 2021/11/27
+references:
+- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+status: test
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1558
+- attack.t1003.001
+- attack.t1003.002

rules/sigma/malware/av_printernightmare_cve_2021_34527.yml

@@ -0,0 +1,31 @@
+
+title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
+ruletype: Sigma
+author: Sittikorn S, Nuttakorn T
+date: 2021/07/01
+description: Detects the suspicious file that is created from PoC code against Windows
+  Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
+  CVE-2021-1675 .
+detection:
+  SELECTION_1:
+    Filename: '*C:\Windows\System32\spool\drivers\x64\\*'
+  condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- Signature
+- Filename
+- ComputerName
+id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
+level: critical
+logsource:
+  product: antivirus
+modified: 2021/11/23
+references:
+- https://twitter.com/mvelazco/status/1410291741241102338
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/malware/av_relevant_files.yml

@@ -0,0 +1,82 @@
+
+title: Antivirus Relevant File Paths Alerts
+ruletype: Sigma
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+description: Detects an Antivirus alert in a highly relevant file path or with a relevant
+  file name
+detection:
+  SELECTION_1:
+    Filename:
+    - C:\Windows\\*
+    - C:\Temp\\*
+    - C:\PerfLogs\\*
+    - C:\Users\Public\\*
+    - C:\Users\Default\\*
+  SELECTION_2:
+    Filename:
+    - '*\Client\\*'
+    - '*\tsclient\\*'
+    - '*\inetpub\\*'
+    - '*/www/*'
+    - '*apache*'
+    - '*tomcat*'
+    - '*nginx*'
+    - '*weblogic*'
+  SELECTION_3:
+    Filename:
+    - '*.ps1'
+    - '*.psm1'
+    - '*.vbs'
+    - '*.bat'
+    - '*.cmd'
+    - '*.sh'
+    - '*.chm'
+    - '*.xml'
+    - '*.txt'
+    - '*.jsp'
+    - '*.jspx'
+    - '*.asp'
+    - '*.aspx'
+    - '*.ashx'
+    - '*.asax'
+    - '*.asmx'
+    - '*.php'
+    - '*.cfm'
+    - '*.py'
+    - '*.pyc'
+    - '*.pl'
+    - '*.rb'
+    - '*.cgi'
+    - '*.war'
+    - '*.ear'
+    - '*.hta'
+    - '*.lnk'
+    - '*.scf'
+    - '*.sct'
+    - '*.vbe'
+    - '*.wsf'
+    - '*.wsh'
+    - '*.gif'
+    - '*.png'
+    - '*.jpg'
+    - '*.jpeg'
+    - '*.svg'
+    - '*.dat'
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- Unlikely
+fields:
+- Signature
+- User
+id: c9a88268-0047-4824-ba6e-4d81ce0b907c
+level: high
+logsource:
+  product: antivirus
+modified: 2021/11/23
+references:
+- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588

rules/sigma/malware/av_webshell.yml

@@ -0,0 +1,80 @@
+
+title: Antivirus Web Shell Detection
+ruletype: Sigma
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports a web shell. It's
+  highly recommended to tune this rule to the specific strings used by your anti virus
+  solution by downloading a big webshell repo from e.g. github and checking the matches.
+detection:
+  SELECTION_1:
+    Signature:
+    - PHP/*
+    - JSP/*
+    - ASP/*
+    - Perl/*
+    - PHP.*
+    - JSP.*
+    - ASP.*
+    - Perl.*
+    - VBS/Uxor*
+    - IIS/BackDoor*
+    - JAVA/Backdoor*
+    - Troj/ASP*
+    - Troj/PHP*
+    - Troj/JSP*
+  SELECTION_2:
+    Signature:
+    - '*Webshell*'
+    - '*Chopper*'
+    - '*SinoChoper*'
+    - '*ASPXSpy*'
+    - '*Aspdoor*'
+    - '*filebrowser*'
+    - '*PHP_*'
+    - '*JSP_*'
+    - '*ASP_*'
+    - '*PHP:*'
+    - '*JSP:*'
+    - '*ASP:*'
+    - '*Perl:*'
+    - '*PHPShell*'
+    - '*Trojan.PHP*'
+    - '*Trojan.ASP*'
+    - '*Trojan.JSP*'
+    - '*Trojan.VBS*'
+    - '*PHP?Agent*'
+    - '*ASP?Agent*'
+    - '*JSP?Agent*'
+    - '*VBS?Agent*'
+    - '*Backdoor?PHP*'
+    - '*Backdoor?JSP*'
+    - '*Backdoor?ASP*'
+    - '*Backdoor?VBS*'
+    - '*Backdoor?Java*'
+  condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: fdf135a2-9241-4f96-a114-bb404948f736
+level: critical
+logsource:
+  product: antivirus
+modified: 2021/05/08
+references:
+- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+- https://github.com/tennc/webshell
+- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
+- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
+- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
+- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
+- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
+- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
+- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
+status: experimental
+tags:
+- attack.persistence
+- attack.t1100
+- attack.t1505.003

rules/sigma/malware/file_event_mal_octopus_scanner.yml

@@ -0,0 +1,28 @@
+
+title: Octopus Scanner Malware
+ruletype: Sigma
+author: NVISO
+date: 2020/06/09
+description: Detects Octopus Scanner Malware.
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename:
+    - '*\AppData\Local\Microsoft\Cache134.dat'
+    - '*\AppData\Local\Microsoft\ExplorerSync.db'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+level: high
+logsource:
+  category: file_event
+  product: windows
+modified: 2021/11/27
+references:
+- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+status: test
+tags:
+- attack.t1195
+- attack.t1195.001

rules/sigma/malware/process_creation_mal_blue_mockingbird.yml

@@ -0,0 +1,39 @@
+
+title: Blue Mockingbird
+ruletype: Sigma
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image: '*\cmd.exe'
+  SELECTION_3:
+    CommandLine: '*sc config*'
+  SELECTION_4:
+    CommandLine: '*wercplsupporte.dll*'
+  SELECTION_5:
+    Image: '*\wmic.exe'
+  SELECTION_6:
+    CommandLine: '*COR_PROFILER'
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
+    and SELECTION_6)))
+falsepositives:
+- unknown
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: ce239692-aa94-41b3-b32f-9cab259c96ea
+  type: merged
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047

rules/sigma/malware/process_creation_mal_darkside_ransomware.yml

@@ -0,0 +1,36 @@
+
+title: DarkSide Ransomware Pattern
+ruletype: Sigma
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine:
+    - "*=[char][byte]('0x'+*"
+    - '* -work worker0 -path *'
+  SELECTION_3:
+    ParentCommandLine:
+    - '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
+  SELECTION_4:
+    Image:
+    - '*\AppData\Local\Temp\\*'
+  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- Unknown
+- UAC bypass method used by other malware
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+level: critical
+logsource:
+  category: process_creation
+  product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+status: experimental
+tags:
+- attack.execution
+- attack.t1204

rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml

@@ -0,0 +1,28 @@
+
+title: LockerGoga Ransomware
+ruletype: Sigma
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine: '*-i SM-tgytutrc -s*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 74db3488-fd28-480a-95aa-b7af626de068
+level: critical
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+status: test
+tags:
+- attack.impact
+- attack.t1486

rules/sigma/malware/process_creation_mal_ryuk.yml

@@ -0,0 +1,35 @@
+
+title: Ryuk Ransomware
+ruletype: Sigma
+author: Vasiliy Burov
+date: 2019/08/06
+description: Detects Ryuk Ransomware command lines
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image:
+    - '*\net.exe'
+    - '*\net1.exe'
+  SELECTION_3:
+    CommandLine: '*stop*'
+  SELECTION_4:
+    CommandLine:
+    - '*samss*'
+    - '*audioendpointbuilder*'
+    - '*unistoresvc_?????*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: 0acaad27-9f02-4136-a243-c357202edd74
+level: critical
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
+status: test
+tags:
+- attack.execution
+- attack.t1204

rules/sigma/malware/registry_event_mal_azorult.yml

@@ -0,0 +1,41 @@
+
+title: Registry Entries For Azorult Malware
+ruletype: Sigma
+author: Trent Liffick
+date: 2020/05/08
+description: Detects the presence of a registry key created during Azorult execution
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    EventID: 12
+  SELECTION_5:
+    EventID: 13
+  SELECTION_6:
+    TargetObject: '*SYSTEM\\*'
+  SELECTION_7:
+    TargetObject: '*\services\localNETService'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+    and SELECTION_6 and SELECTION_7)
+falsepositives:
+- unknown
+fields:
+- Image
+- TargetObject
+- TargetDetails
+id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
+level: critical
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+status: test
+tags:
+- attack.execution
+- attack.t1112

rules/sigma/malware/registry_event_mal_blue_mockingbird.yml

@@ -0,0 +1,34 @@
+
+title: Blue Mockingbird
+ruletype: Sigma
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+id: 92b0b372-a939-44ed-a11b-5136cf680e27
+level: high
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: c3198a27-23a0-4c2c-af19-e5328d49680e
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047

rules/sigma/malware/registry_event_mal_flowcloud.yml

@@ -0,0 +1,36 @@
+
+title: FlowCloud Malware
+ruletype: Sigma
+author: NVISO
+date: 2020/06/09
+description: Detects FlowCloud malware from threat group TA410.
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject:
+    - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
+    - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
+    - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
+  SELECTION_5:
+    TargetObject:
+    - HKLM\SYSTEM\Setup\PrintResponsor\\*
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+level: critical
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/07/22
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+status: experimental
+tags:
+- attack.persistence
+- attack.t1112

rules/sigma/malware/registry_event_mal_netwire.yml

@@ -0,0 +1,38 @@
+
+title: NetWire RAT Registry Key
+ruletype: Sigma
+Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity
+  "Because Sysmon runs as a service, it has no filtering ability for, or concept of,
+  HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation"
+  Therefore I set <TargetObject condition="contains">netwire</TargetObjecct> in my
+  configuration.
+author: Christopher Peacock
+date: 2021/10/07
+description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\software\NetWire*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- No known false positives
+id: 1d218616-71b0-4c40-855b-9dbe75510f7f
+level: high
+logsource:
+  category: registry_event
+  product: windows
+references:
+- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
+- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
+- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
+- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
+- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112

rules/sigma/malware/registry_event_mal_ursnif.yml

@@ -0,0 +1,38 @@
+
+title: Ursnif
+ruletype: Sigma
+author: megan201296
+date: 2019/02/13
+description: Detects new registry key created by Ursnif malware.
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
+  SELECTION_5:
+    TargetObject:
+    - '*\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\\*'
+    - '*\SOFTWARE\AppDataLow\Software\Microsoft\RepService\\*'
+    - '*\SOFTWARE\AppDataLow\Software\Microsoft\IME\\*'
+    - '*\SOFTWARE\AppDataLow\Software\Microsoft\Edge\\*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and  not
+    (SELECTION_5))
+falsepositives:
+- Unknown
+id: 21f17060-b282-4249-ade0-589ea3591558
+level: critical
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/11/15
+references:
+- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
+- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+status: experimental
+tags:
+- attack.execution
+- attack.t1112