Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/other/windefend/win_alert_lsass_access.yml

@@ -0,0 +1,31 @@
+
+title: LSASS Access Detected via Attack Surface Reduction
+ruletype: Sigma
+author: Markus Neis
+date: 2018/08/26
+description: Detects Access to LSASS Process
+detection:
+  SELECTION_1:
+    EventID: 1121
+  SELECTION_2:
+    Path: '*\lsass.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Google Chrome GoogleUpdate.exe
+- Some Taskmgr.exe related activity
+id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
+level: high
+logsource:
+  definition: 'Requirements:Enabled Block credential stealing from the Windows local
+    security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
+    9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+  product: windows
+  service: windefend
+modified: 2021/11/13
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001

rules/sigma/other/windefend/win_defender_amsi_trigger.yml

@@ -0,0 +1,26 @@
+
+title: Windows Defender AMSI Trigger Detected
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2020/09/14
+description: Detects triggering of AMSI by Windows Defender.
+detection:
+  SELECTION_1:
+    EventID: 1116
+  SELECTION_2:
+    Source_Name: AMSI
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unlikely
+id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
+level: high
+logsource:
+  product: windows
+  service: windefend
+modified: 2021/10/13
+references:
+- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
+status: stable
+tags:
+- attack.execution
+- attack.t1059

rules/sigma/other/windefend/win_defender_disabled.yml

@@ -0,0 +1,32 @@
+
+title: Windows Defender Threat Detection Disabled
+ruletype: Sigma
+author: Ján Trenčanský, frack113
+date: 2020/07/28
+description: Detects disabling Windows Defender threat protection
+detection:
+  SELECTION_1:
+    EventID: 5001
+  SELECTION_2:
+    EventID: 5010
+  SELECTION_3:
+    EventID: 5012
+  SELECTION_4:
+    EventID: 5101
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- Administrator actions
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+level: high
+logsource:
+  product: windows
+  service: windefend
+modified: 2021/09/21
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001

rules/sigma/other/windefend/win_defender_exclusions.yml

@@ -0,0 +1,27 @@
+
+title: Windows Defender Exclusions Added
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/07/06
+description: Detects the Setting of Windows Defender Exclusions
+detection:
+  SELECTION_1:
+    EventID: 5007
+  SELECTION_2:
+    New_Value: '*\Microsoft\Windows Defender\Exclusions*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrator actions
+id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+level: medium
+logsource:
+  product: windows
+  service: windefend
+modified: 2021/10/13
+references:
+- https://twitter.com/_nullbind/status/1204923340810543109
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001

rules/sigma/other/windefend/win_defender_history_delete.yml

@@ -0,0 +1,31 @@
+
+title: Windows Defender Malware Detection History Deletion
+ruletype: Sigma
+author: Cian Heasley
+date: 2020/08/13
+description: Windows Defender logs when the history of detected infections is deleted.
+  Log file will contain the message "Windows Defender Antivirus has removed history
+  of malware and other potentially unwanted software".
+detection:
+  SELECTION_1:
+    EventID: 1013
+  SELECTION_2:
+    EventType: 4
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Deletion of Defender malware detections history for legitimate reasons
+fields:
+- EventID
+- EventType
+id: 2afe6582-e149-11ea-87d0-0242ac130003
+level: high
+logsource:
+  product: windows
+  service: windefend
+modified: 2021/05/30
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.001

rules/sigma/other/windefend/win_defender_psexec_wmi_asr.yml

@@ -0,0 +1,35 @@
+
+title: PSExec and WMI Process Creations Block
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2020/07/14
+description: Detects blocking of process creations originating from PSExec and WMI
+  commands
+detection:
+  SELECTION_1:
+    EventID: 1121
+  SELECTION_2:
+    ProcessName:
+    - '*\wmiprvse.exe'
+    - '*\psexesvc.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
+level: high
+logsource:
+  definition: 'Requirements:Enabled Block process creations originating from PSExec
+    and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
+  product: windows
+  service: windefend
+modified: 2021/11/13
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
+- https://twitter.com/duff22b/status/1280166329660497920
+status: experimental
+tags:
+- attack.execution
+- attack.lateral_movement
+- attack.t1047
+- attack.t1035
+- attack.t1569.002

rules/sigma/other/windefend/win_defender_tamper_protection_trigger.yml

@@ -0,0 +1,29 @@
+
+title: Microsoft Defender Tamper Protection Trigger
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/07/05
+description: Detects block of attempt to disable real time protection of Microsoft
+  Defender by tamper protection
+detection:
+  SELECTION_1:
+    EventID: 5013
+  SELECTION_2:
+    Value:
+    - '*\Windows Defender\DisableAntiSpyware = 0x1()'
+    - '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+  condition: ((SELECTION_1) and SELECTION_2)
+falsepositives:
+- Administrator actions
+id: 49e5bc24-8b86-49f1-b743-535f332c2856
+level: critical
+logsource:
+  product: windows
+  service: windefend
+references:
+- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001

rules/sigma/other/windefend/win_defender_threat.yml

@@ -0,0 +1,29 @@
+
+title: Windows Defender Threat Detected
+ruletype: Sigma
+author: Ján Trenčanský
+date: 2020/07/28
+description: Detects all actions taken by Windows Defender malware detection engines
+detection:
+  SELECTION_1:
+    EventID: 1006
+  SELECTION_2:
+    EventID: 1116
+  SELECTION_3:
+    EventID: 1015
+  SELECTION_4:
+    EventID: 1117
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- unlikely
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+level: high
+logsource:
+  product: windows
+  service: windefend
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+tags:
+- attack.execution
+- attack.t1059