Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml

@@ -0,0 +1,34 @@
+
+title: Alternate PowerShell Hosts
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+  for powershell.exe
+detection:
+  SELECTION_1:
+    HostApplication: '*'
+  SELECTION_2:
+    HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
+  condition: (SELECTION_1 and  not (SELECTION_2))
+falsepositives:
+- Programs using PowerShell directly without invocation of a dedicated interpreter
+- MSP Detection Searcher
+- Citrix ConfigSync.ps1
+id: d7326048-328b-4d5e-98af-86e84b17c765
+level: medium
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+related:
+- id: 64e8e417-c19a-475a-8d19-98ea705394cc
+  type: derived
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml

@@ -0,0 +1,33 @@
+
+title: Netcat The Powershell Version
+ruletype: Sigma
+author: frack113
+date: 2021/07/21
+description: Adversaries may use a non-application layer protocol for communication
+  between host and C2 server or among infected hosts within a network
+detection:
+  SELECTION_1:
+    HostApplication:
+    - '*powercat *'
+    - '*powercat.ps1*'
+  condition: SELECTION_1
+falsepositives:
+- Unknown
+id: c5b20776-639a-49bf-94c7-84f912b91c15
+level: medium
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://nmap.org/ncat/
+- https://github.com/besimorhino/powercat
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+related:
+- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
+  type: derived
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1095

rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml

@@ -0,0 +1,34 @@
+
+title: Remote PowerShell Session
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects remote PowerShell sessions
+detection:
+  SELECTION_1:
+    HostName: ServerRemoteHost
+  SELECTION_2:
+    HostApplication: '*wsmprovhost.exe*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use remote PowerShell sessions
+id: 60167e5c-84b2-4c95-a7ac-86281f27c445
+level: high
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+related:
+- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
+  type: derived
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028

rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml

@@ -0,0 +1,41 @@
+
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+ruletype: Sigma
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+  that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+  SELECTION_1:
+    HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+  SELECTION_2:
+    HostApplication:
+    - '*-ModuleName *'
+    - '*-ModulePath *'
+    - '*-ScriptBlock *'
+    - '*-RemoteFXvGPUDisablementFilePath*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: f65e22f9-819e-4f96-9c7b-498364ae7a25
+level: medium
+logsource:
+  definition: fields have to be extract from event
+  product: windows
+  service: powershell-classic
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+related:
+- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218

rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml

@@ -0,0 +1,35 @@
+
+title: Zip A Folder With PowerShell For Staging In Temp
+ruletype: Sigma
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+  temporary folder for later exfiltration
+detection:
+  SELECTION_1:
+    HostApplication: '*Compress-Archive *'
+  SELECTION_2:
+    HostApplication: '* -Path *'
+  SELECTION_3:
+    HostApplication: '* -DestinationPath *'
+  SELECTION_4:
+    HostApplication: '*$env:TEMP\\*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 71ff406e-b633-4989-96ec-bc49d825a412
+level: medium
+logsource:
+  definition: fields have to be extract from event
+  product: windows
+  service: powershell-classic
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+related:
+- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+  type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001

rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml

@@ -0,0 +1,31 @@
+
+title: Suspicious PowerShell Download
+ruletype: Sigma
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+  SELECTION_1:
+    HostApplication: '*System.Net.WebClient*'
+  SELECTION_2:
+    HostApplication: '*.DownloadFile(*'
+  SELECTION_3:
+    HostApplication: '*.DownloadString(*'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
+level: medium
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+related:
+- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml

@@ -0,0 +1,36 @@
+
+title: Delete Volume Shadow Copies Via WMI With PowerShell
+ruletype: Sigma
+author: frack113
+date: 2021/06/03
+description: Shadow Copies deletion using operating systems utilities via PowerShell
+detection:
+  SELECTION_1:
+    HostApplication: '*Get-WmiObject*'
+  SELECTION_2:
+    HostApplication: '* Win32_Shadowcopy*'
+  SELECTION_3:
+    HostApplication:
+    - '*Delete()*'
+    - '*Remove-WmiObject*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Administrator deletes Shadow Copies using operating systems utilities
+  for legitimate reason
+fields:
+- HostApplication
+id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
+level: critical
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
+- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+status: experimental
+tags:
+- attack.impact
+- attack.t1490

rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml

@@ -0,0 +1,31 @@
+
+title: PowerShell Downgrade Attack
+ruletype: Sigma
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+date: 2017/03/22
+description: Detects PowerShell downgrade attack by comparing the host versions with
+  the actually used engine version 2.0
+detection:
+  SELECTION_1:
+    EngineVersion: 2.*
+  SELECTION_2:
+    HostVersion: 2.*
+  condition: (SELECTION_1 and  not (SELECTION_2))
+falsepositives:
+- Penetration Test
+- Unknown
+id: 6331d09b-4785-4c13-980f-f96661356249
+level: medium
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml

@@ -0,0 +1,34 @@
+
+title: PowerShell Called from an Executable Version Mismatch
+ruletype: Sigma
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+description: Detects PowerShell called from an executable by the version mismatch
+  method
+detection:
+  SELECTION_1:
+    EngineVersion:
+    - 2.*
+    - 4.*
+    - 5.*
+  SELECTION_2:
+    HostVersion: 3.*
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration Tests
+- Unknown
+id: c70e019b-1479-4b65-b0cc-cd0c6093a599
+level: high
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086

rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml

@@ -0,0 +1,30 @@
+
+title: Renamed Powershell Under Powershell Channel
+ruletype: Sigma
+author: Harish Segar, frack113
+date: 2020/06/29
+description: Detects renamed powershell
+detection:
+  SELECTION_1:
+    HostName: ConsoleHost
+  SELECTION_2:
+    HostApplication:
+    - powershell.exe*
+    - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
+  condition: (SELECTION_1 and  not (SELECTION_2))
+falsepositives:
+- unknown
+id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
+level: low
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: test
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001

rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml

@@ -0,0 +1,32 @@
+
+title: Tamper Windows Defender
+ruletype: Sigma
+author: frack113
+date: 2021/06/07
+description: Attempting to disable scheduled scanning and other parts of windows defender
+  atp.
+detection:
+  SELECTION_1:
+    HostApplication: '*Set-MpPreference*'
+  SELECTION_2:
+    HostApplication:
+    - '*-DisableRealtimeMonitoring 1*'
+    - '*-DisableBehaviorMonitoring 1*'
+    - '*-DisableScriptScanning 1*'
+    - '*-DisableBlockAtFirstSeen 1*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+level: high
+logsource:
+  category: ps_classic_provider_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001

rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml

@@ -0,0 +1,32 @@
+
+title: Suspicious Non PowerShell WSMAN COM Provider
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+description: Detects suspicious use of the WSMAN provider without PowerShell.exe as
+  the host application.
+detection:
+  SELECTION_1:
+    ProviderName: WSMan
+  SELECTION_2:
+    HostApplication: '*powershell*'
+  condition: (SELECTION_1 and  not (SELECTION_2))
+falsepositives:
+- Unknown
+id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+level: medium
+logsource:
+  definition: fields have to be extract from event
+  product: windows
+  service: powershell-classic
+modified: 2021/08/30
+references:
+- https://twitter.com/chadtilbury/status/1275851297770610688
+- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+- https://github.com/bohops/WSMan-WinRM
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.lateral_movement
+- attack.t1021.003

rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml

@@ -0,0 +1,30 @@
+
+title: Suspicious XOR Encoded PowerShell Command Line
+ruletype: Sigma
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/06/29
+description: Detects suspicious powershell process which includes bxor command, alternative
+  obfuscation method to b64 encoded commands.
+detection:
+  SELECTION_1:
+    HostName: ConsoleHost
+  SELECTION_2:
+    HostApplication:
+    - '*bxor*'
+    - '*join*'
+    - '*char*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+level: medium
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086