Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml

@@ -0,0 +1,38 @@
+
+title: CMSTP Execution Process Access
+ruletype: Sigma
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+  execution
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*cmlua.dll*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 3b4b232a-af90-427c-a22f-30b0c0837b95
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/27
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1218.003
+- attack.t1191
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.g0069
+- attack.g0080
+- car.2019-04-001

rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml

@@ -0,0 +1,33 @@
+
+title: CobaltStrike BOF Injection Pattern
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/04
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other
+  processes
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
+  SELECTION_3:
+    GrantedAccess:
+    - '0x1028'
+    - '0x1fffff'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 09706624-b7f6-455d-9d02-adee024cee1d
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/boku7/injectAmsiBypass
+- https://github.com/boku7/spawn
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
+- attack.defense_evasion
+- attack.t1562.001

rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml

@@ -0,0 +1,122 @@
+
+title: Credentials Dumping Tools Accessing LSASS Memory
+ruletype: Sigma
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+  Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
+  (update)
+date: 2017/02/16
+description: Detects process access LSASS memory which is typical for credentials
+  dumping tools
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_10:
+    SourceImage:
+    - '*\PROCEXP64.EXE'
+    - '*\PROCEXP.EXE'
+    - '*C:\WINDOWS\system32\taskhostw.exe'
+  SELECTION_11:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  SELECTION_12:
+    SourceImage: C:\ProgramData\VMware\VMware Tools\\*
+  SELECTION_13:
+    SourceImage: '*\vmtoolsd.exe'
+  SELECTION_14:
+    SourceImage: C:\WINDOWS\system32\svchost.exe
+  SELECTION_15:
+    GrantedAccess: '0x100000'
+  SELECTION_16:
+    SourceImage:
+    - C:\WINDOWS\system32\wbem\wmiprvse.exe
+    - C:\Windows\syswow64\MsiExec.exe
+    - C:\Windows\System32\msiexec.exe
+  SELECTION_17:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  SELECTION_18:
+    SourceImage:
+    - '*\thor.exe'
+    - '*\thor64.exe'
+  SELECTION_19:
+    GrantedAccess:
+    - '0x40'
+    - '0x1010'
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_20:
+    SourceImage: '*\explorer.exe'
+  SELECTION_21:
+    GrantedAccess: '0x401'
+  SELECTION_22:
+    SourceImage:
+    - C:\Program Files\\*
+    - C:\Program Files (x86)\\*
+  SELECTION_23:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  SELECTION_24:
+    SourceImage: C:\Program Files (x86)\Microsoft\Edge\Application\\*
+  SELECTION_25:
+    SourceImage: '*\Installer\setup.exe'
+  SELECTION_3:
+    GrantedAccess:
+    - 0x40*
+    - 0x100000*
+    - 0x1410*
+    - 0x1438*
+    - 0x143a*
+    - 0x1418*
+    - 0x1f0fff*
+    - 0x1f1fff*
+    - 0x1f2fff*
+    - 0x1f3fff*
+  SELECTION_4:
+    SourceImage:
+    - C:\WINDOWS\system32\taskmgr.exe
+  SELECTION_5:
+    SourceImage: C:\ProgramData\Microsoft\Windows Defender\\*
+  SELECTION_6:
+    SourceImage: '*\MsMpEng.exe'
+  SELECTION_7:
+    SourceImage: C:\Program Files\WindowsApps\\*
+  SELECTION_8:
+    SourceImage: '*\GamingServices.exe'
+  SELECTION_9:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not ((SELECTION_4)
+    or (SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9)
+    or (SELECTION_10 and SELECTION_11) or (SELECTION_12 and SELECTION_13) or (SELECTION_14
+    and SELECTION_15) or (SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19)
+    or (SELECTION_20 and SELECTION_21) or (SELECTION_22 and SELECTION_23) or (SELECTION_24
+    and SELECTION_25)))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; please add more
+  filters
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/12/04
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+- car.2019-04-004

rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml

@@ -0,0 +1,26 @@
+
+title: Direct Syscall of NtOpenProcess
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/07/28
+description: Detects the usage of the direct syscall of NtOpenProcess which might
+  be done from a CobaltStrike BOF.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: UNKNOWN*
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+status: experimental
+tags:
+- attack.execution
+- attack.t1106

rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml

@@ -0,0 +1,102 @@
+
+title: Suspicious In-Memory Module Execution
+ruletype: Sigma
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+description: Detects the access to processes by other suspicious processes which have
+  reflectively loaded libraries in their memory space. An example is SilentTrinity
+  C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
+  call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
+  the module name. Usually this means the stack call points to a module that was reflectively
+  loaded in memory. Adding to this, it is not common to see such few calls in the
+  stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most
+  of the functions required by the process to execute certain routines are already
+  present in memory, not requiring any calls to external libraries. The latter should
+  also be considered suspicious.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_10:
+    GrantedAccess:
+    - '0x1F0FFF'
+    - '0x1F1FFF'
+    - '0x143A'
+    - '0x1410'
+    - '0x1010'
+    - '0x1F2FFF'
+    - '0x1F3FFF'
+    - '0x1FFFFF'
+  SELECTION_11:
+    SourceImage:
+    - '*\Windows\System32\sdiagnhost.exe'
+    - '*\procexp64.exe'
+    - '*\procexp.exe'
+    - '*\Microsoft VS Code\Code.exe'
+    - '*\aurora-agent-64.exe'
+    - '*\aurora-agent.exe'
+    - '*\git\usr\bin\sh.exe'
+    - '*\IDE\devenv.exe'
+    - '*\GitHubDesktop\Update.exe'
+    - '*\RuntimeBroker.exe'
+    - '*\backgroundTaskHost.exe'
+  SELECTION_12:
+    SourceImage:
+    - C:\Program Files (x86)\\*
+    - C:\Program Files\\*
+    - C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe*
+    - C:\Program Files (x86)\Microsoft Visual Studio\\*
+    - C:\Program Files\Microsoft Visual Studio\\*
+    - C:\Windows\Microsoft.NET\Framework*
+    - C:\WINDOWS\System32\DriverStore\\*
+    - C:\Windows\System32\WindowsPowerShell\\*
+  SELECTION_13:
+    SourceImage:
+    - C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe
+    - C:\WINDOWS\system32\taskhostw.exe
+    - C:\WINDOWS\system32\ctfmon.exe
+    - C:\WINDOWS\system32\NhNotifSys.exe
+  SELECTION_14:
+    TargetImage:
+    - C:\Windows\System32\RuntimeBroker.exe
+  SELECTION_2:
+    CallTrace: '*C:\WINDOWS\SYSTEM32\ntdll.dll+*'
+  SELECTION_3:
+    CallTrace: '*|C:\WINDOWS\System32\KERNELBASE.dll+*'
+  SELECTION_4:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_5:
+    CallTrace: '*)*'
+  SELECTION_6:
+    CallTrace: '*UNKNOWN(*'
+  SELECTION_7:
+    CallTrace: '*)|UNKNOWN(*'
+  SELECTION_8:
+    CallTrace: '*)'
+  SELECTION_9:
+    CallTrace: '*UNKNOWN*'
+  condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9 and SELECTION_10))
+    and  not (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))
+falsepositives:
+- SysInternals Process Explorer
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
+level: medium
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/12/07
+references:
+- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055.001
+- attack.t1055.002
+- attack.t1055

rules/sigma/process_access/sysmon_invoke_phantom.yml

@@ -0,0 +1,33 @@
+
+title: Suspect Svchost Memory Asccess
+ruletype: Sigma
+author: Tim Burrell
+date: 2020/01/02
+description: Detects suspect access to svchost process memory such as that used by
+  Invoke-Phantom to kill the winRM windows event logging service.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\WINDOWS\System32\svchost.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1F3FFF'
+  SELECTION_4:
+    CallTrace: '*UNKNOWN*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/10/21
+references:
+- https://github.com/hlldz/Invoke-Phant0m
+- https://twitter.com/timbmsft/status/900724491076214784
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.002
+- attack.t1089

rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml

@@ -0,0 +1,37 @@
+
+title: Credential Dumping by LaZagne
+ruletype: Sigma
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+description: Detects LSASS process access by LaZagne for credential dumping.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*_ctypes.pyd+*'
+  SELECTION_6:
+    CallTrace: '*python27.dll+*'
+  SELECTION_7:
+    GrantedAccess: '0x1FFFFF'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://twitter.com/bh4b3sh/status/1303674603819081728
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.s0349

rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml

@@ -0,0 +1,30 @@
+
+title: LittleCorporal Generated Maldoc Injection
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/09
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*winword.exe'
+  SELECTION_3:
+    CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
+  SELECTION_4:
+    CallTrace: '*UNKNOWN*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/connormcgarr/LittleCorporal
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1055.003

rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml

@@ -0,0 +1,34 @@
+
+title: Load Undocumented Autoelevated COM Interface
+ruletype: Sigma
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    CallTrace: '*editionupgrademanagerobj.dll*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+status: test
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002

rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml

@@ -0,0 +1,32 @@
+
+title: Lsass Memory Dump via Comsvcs DLL
+ruletype: Sigma
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
+  via rundll32 to perform a memory dump from lsass.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    SourceImage: C:\Windows\System32\rundll32.exe
+  SELECTION_4:
+    CallTrace: '*comsvcs.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+level: critical
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://twitter.com/shantanukhande/status/1229348874298388484
+- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001

rules/sigma/process_access/sysmon_lsass_memdump.yml

@@ -0,0 +1,35 @@
+
+title: LSASS Memory Dump
+ruletype: Sigma
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects process LSASS memory dump using procdump or taskmgr based on
+  the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1fffff'
+  SELECTION_4:
+    CallTrace:
+    - '*dbghelp.dll*'
+    - '*dbgcore.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002

rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml

@@ -0,0 +1,42 @@
+
+title: Malware Shellcode in Verclsid Target Process
+ruletype: Sigma
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+  a Microsoft Office application / VBA macro
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\verclsid.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1FFFFF'
+  SELECTION_4:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_5:
+    CallTrace: '*VBE7.DLL*'
+  SELECTION_6:
+    SourceImage: '*\Microsoft Office\\*'
+  SELECTION_7:
+    CallTrace: '*|UNKNOWN*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
+    SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+  category: process_access
+  definition: 'Use the following config to generate the necessary Event ID 10 Process
+    Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
+    onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+  product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: test
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055

rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml

@@ -0,0 +1,37 @@
+
+title: Mimikatz through Windows Remote Management
+ruletype: Sigma
+author: Patryk Prauze - ING Tech
+date: 2019/05/20
+description: Detects usage of mimikatz through WinRM protocol by monitoring access
+  to lsass process by wsmprovhost.exe.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    SourceImage: C:\Windows\system32\wsmprovhost.exe
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- low
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/06/21
+references:
+- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003.001
+- attack.t1003
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+- attack.s0002

rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml

@@ -0,0 +1,38 @@
+
+title: Credential Dumping by Pypykatz
+ruletype: Sigma
+author: Bhabesh Raj
+date: 2021/08/03
+description: Detects LSASS process access by pypykatz for credential dumping.
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*'
+  SELECTION_4:
+    CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*'
+  SELECTION_5:
+    CallTrace: '*libffi-7.dll*'
+  SELECTION_6:
+    CallTrace: '*_ctypes.pyd+*'
+  SELECTION_7:
+    CallTrace: '*python3*.dll+*'
+  SELECTION_8:
+    GrantedAccess: '0x1FFFFF'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+    and SELECTION_6 and SELECTION_7 and SELECTION_8)
+falsepositives:
+- Unknown
+id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+level: critical
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/skelsec/pypykatz
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001

rules/sigma/process_access/sysmon_svchost_cred_dump.yml

@@ -0,0 +1,29 @@
+
+title: SVCHOST Credential Dump
+ruletype: Sigma
+author: Florent Labouyrie
+date: 2021/04/30
+description: Detects when a process, such as mimikatz, accesses the memory of svchost
+  to dump credentials
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\svchost.exe'
+  SELECTION_3:
+    GrantedAccess: '0x143a'
+  SELECTION_4:
+    SourceImage:
+    - '*\services.exe'
+    - '*\msiexec.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Non identified legit exectubale
+id: 174afcfa-6e40-4ae9-af64-496546389294
+level: critical
+logsource:
+  category: process_access
+  product: windows
+status: experimental
+tags:
+- attack.t1548

rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml

@@ -0,0 +1,31 @@
+
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+ruletype: Sigma
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
+  30)
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*:\Windows\SysWOW64\\*'
+  SELECTION_3:
+    GrantedAccess: '0x1fffff'
+  SELECTION_4:
+    CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002

rules/sigma/process_access/win_susp_proc_access_lsass.yml

@@ -0,0 +1,123 @@
+
+title: Suspicious GrantedAccess Flags on LSASS Access
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/22
+description: Detects process access to LSASS memory with suspicious access flags
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_10:
+    SourceImage:
+    - '*\PROCEXP64.EXE'
+    - '*\PROCEXP.EXE'
+  SELECTION_11:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  SELECTION_12:
+    SourceImage: C:\ProgramData\VMware\VMware Tools\\*
+  SELECTION_13:
+    SourceImage: '*\vmtoolsd.exe'
+  SELECTION_14:
+    SourceImage:
+    - C:\Progra Files\\*
+    - C:\Progra Files (x86)\\*
+  SELECTION_15:
+    SourceImage:
+    - '*Antivirus*'
+  SELECTION_16:
+    SourceImage: C:\WINDOWS\system32\wbem\wmiprvse.exe
+  SELECTION_17:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  SELECTION_18:
+    SourceImage:
+    - C:\Program Files\\*
+    - C:\Program Files (x86)\\*
+    - C:\WINDOWS\system32\\*
+  SELECTION_19:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    GrantedAccess:
+    - '*10'
+    - '*30'
+    - '*50'
+    - '*70'
+    - '*90'
+    - '*B0'
+    - '*D0'
+    - '*F0'
+    - '*18'
+    - '*38'
+    - '*58'
+    - '*78'
+    - '*98'
+    - '*B8'
+    - '*D8'
+    - '*F8'
+    - '*1A'
+    - '*3A'
+    - '*5A'
+    - '*7A'
+    - '*9A'
+    - '*BA'
+    - '*DA'
+    - '*FA'
+    - '*0x14C2'
+  SELECTION_4:
+    SourceImage:
+    - C:\WINDOWS\system32\taskmgr.exe
+    - C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
+    - C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe
+    - C:\WINDOWS\system32\taskhostw.exe
+    - C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe
+    - C:\Program Files\Windows Defender\MsMpEng.exe
+  SELECTION_5:
+    SourceImage: C:\ProgramData\Microsoft\Windows Defender\\*
+  SELECTION_6:
+    SourceImage: '*\MsMpEng.exe'
+  SELECTION_7:
+    SourceImage: C:\Program Files\WindowsApps\\*
+  SELECTION_8:
+    SourceImage: '*\GamingServices.exe'
+  SELECTION_9:
+    GrantedAccess:
+    - '0x1410'
+    - '0x410'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not ((SELECTION_4)
+    or (SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9)
+    or (SELECTION_10 and SELECTION_11) or (SELECTION_12 and SELECTION_13) or (SELECTION_14
+    and SELECTION_15) or (SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19)))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason
+fields:
+- User
+- SourceImage
+- GrantedAccess
+id: a18dd26b-6450-46de-8c91-9659150cf088
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/12/03
+references:
+- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+related:
+- id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+  type: obsoletes
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002

rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml

@@ -0,0 +1,83 @@
+
+title: LSASS Access from Program in Suspicious Folder
+ruletype: Sigma
+author: Florian Roth
+date: 2021/11/27
+description: Detects process access to LSASS memory with suspicious access flags and
+  from a suspicious folder
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\lsass.exe'
+  SELECTION_3:
+    GrantedAccess:
+    - '*10'
+    - '*30'
+    - '*50'
+    - '*70'
+    - '*90'
+    - '*B0'
+    - '*D0'
+    - '*F0'
+    - '*18'
+    - '*38'
+    - '*58'
+    - '*78'
+    - '*98'
+    - '*B8'
+    - '*D8'
+    - '*F8'
+    - '*1A'
+    - '*3A'
+    - '*5A'
+    - '*7A'
+    - '*9A'
+    - '*BA'
+    - '*DA'
+    - '*FA'
+    - '*0x14C2'
+    - '*FF'
+  SELECTION_4:
+    SourceImage:
+    - '*\Temp\\*'
+    - '*\Users\Public\\*'
+    - '*\PerfLogs\\*'
+    - '*\AppData\\*'
+    - '*\Temporary*'
+  SELECTION_5:
+    SourceImage: '*C:\Users\\*'
+  SELECTION_6:
+    SourceImage: '*\AppData\Local\\*'
+  SELECTION_7:
+    SourceImage:
+    - '*\Microsoft VS Code\Code.exe'
+    - '*\software_reporter_tool.exe'
+  SELECTION_8:
+    GrantedAccess: '0x410'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    ((SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8)))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason
+fields:
+- User
+- SourceImage
+- GrantedAccess
+id: fa34b441-961a-42fa-a100-ecc28c886725
+level: high
+logsource:
+  category: process_access
+  product: windows
+modified: 2021/12/05
+references:
+- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002

rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml

@@ -0,0 +1,36 @@
+
+title: Suspicious Shells Spawn by WinRM
+ruletype: Sigma
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+description: Detects suspicious shell spawn from WinRM host process
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage: '*\wsmprovhost.exe'
+  SELECTION_3:
+    Image:
+    - '*\cmd.exe'
+    - '*\sh.exe'
+    - '*\bash.exe'
+    - '*\powershell.exe'
+    - '*\schtasks.exe'
+    - '*\certutil.exe'
+    - '*\whoami.exe'
+    - '*\bitsadmin.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate WinRM usage
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/05/22
+status: experimental
+tags:
+- attack.t1190
+- attack.initial_access
+- attack.persistence
+- attack.privilege_escalation