Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
2021-12-20 21:14:32 +09:00
committed by GitHub
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
@@ -0,0 +1,38 @@
title: Abusing Windows Telemetry For Persistence
ruletype: Sigma
author: Sreeman
date: 2020/09/29
description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
a variety of commands and perform the actual telemetry collections. This binary
was created to be easily extensible, and to that end, it relies on the registry
to instruct on which commands to run. The problem is, it will run any arbitrary
command without restriction of location or type.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine|re: (?i).*schtasks.*(-|/)r.*\\\\Application Experience\\\\Microsoft
Compatibility Appraiser.*
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- none
fields:
- EventID
- CommandLine
- TargetObject
- Details
id: f548a603-c9f2-4c89-b511-b089f7e94549
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/09
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
status: experimental
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1112
- attack.t1053
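Review bot: the regex in SELECTION_2 is an unquoted YAML plain scalar, so the engine receives the four characters `\\\\` literally, which a regex engine reads as two consecutive backslashes; a Sysmon CommandLine for this task carries a single backslash between `Application Experience` and `Microsoft Compatibility Appraiser`, so the pattern will only match if Hayabusa halves the escapes. Confirm the converter's escaping (the folded second line is fine, YAML joins it with one space) and add a test event that exercises the match. Also, `fields` lists `TargetObject` and `Details`, which are registry-event fields and will not be present on an EventID 1 record, and `falsepositives: none` is a strong claim for a pattern that also matches an administrator running `schtasks /run` against this task.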
@@ -0,0 +1,31 @@
title: Advanced IP Scanner
ruletype: Sigma
author: '@ROxPinTeddy'
date: 2020/05/12
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
ransomware groups.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\advanced_ip_scanner*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate administrative use
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
status: experimental
tags:
- attack.discovery
- attack.t1046
@@ -0,0 +1,52 @@
title: Execute From Alternate Data Streams
ruletype: Sigma
author: frack113
date: 2021/09/01
description: Adversaries may use NTFS file attributes to hide their malicious data
in order to evade detection
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '* /E *'
SELECTION_11:
CommandLine: '*esentutl *'
SELECTION_12:
CommandLine: '* /y *'
SELECTION_13:
CommandLine: '* /d *'
SELECTION_14:
CommandLine: '* /o *'
SELECTION_2:
CommandLine: '*txt:*'
SELECTION_3:
CommandLine: '*type *'
SELECTION_4:
CommandLine: '* > *'
SELECTION_5:
CommandLine: '*makecab *'
SELECTION_6:
CommandLine: '*.cab*'
SELECTION_7:
CommandLine: '*reg *'
SELECTION_8:
CommandLine: '* export *'
SELECTION_9:
CommandLine: '*regedit *'
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
or (SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14)))
falsepositives:
- Unknown
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
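Review bot: SELECTION_2 (`*txt:*`) is required by the whole condition, so the rule only fires when the alternate data stream sits on a host file whose name ends in `txt`; the description covers NTFS ADS in general, so either broaden the anchor or narrow the description to what is actually matched. Minor: the selections are listed in lexical order (SELECTION_10 through SELECTION_14 before SELECTION_2), which makes the five `or` branches in `condition` hard to check against the list; numbering them in condition order would help the next reviewer.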
@@ -0,0 +1,38 @@
title: GALLIUM Artefacts
ruletype: Sigma
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
sha1:
- e570585edc69f9074cb5e8a790708336bd45ca0f
SELECTION_3:
Image:
- '*:\Program Files(x86)\\*'
- '*:\Program Files\\*'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- unknown
id: 18739897-21b1-41da-8ee4-5b786915a676
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: experimental
tags:
- attack.credential_access
- attack.t1212
- attack.command_and_control
- attack.t1071
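Review bot: the `not` exclusion in SELECTION_3 does not work for 32-bit installs: `'*:\Program Files(x86)\\*'` is missing the space in the real directory name `Program Files (x86)`, and the second pattern `'*:\Program Files\\*'` does not cover it either, because there `Program Files` is followed by a space rather than a backslash. Fix the spelling to `'*:\Program Files (x86)\\*'` and add two test events, one path under each directory, so the `not` branch is covered.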
@@ -0,0 +1,49 @@
title: GALLIUM Artefacts
ruletype: Sigma
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
sha1:
- 53a44c2396d15c3a03723fa5e5db54cafd527635
- 9c5e496921e3bc882dc40694f1dcc3746a75db19
- aeb573accfd95758550cf30bf04f389a92922844
- 79ef78a797403a4ed1a616c68e07fff868a8650a
- 4f6f38b4cec35e895d91c052b1f5a83d665c2196
- 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
- e841a63e47361a572db9a7334af459ddca11347a
- c28f606df28a9bc8df75a4d5e5837fc5522dd34d
- 2e94b305d6812a9f96e6781c888e48c7fb157b6b
- dd44133716b8a241957b912fa6a02efde3ce3025
- 8793bf166cb89eb55f0593404e4e933ab605e803
- a39b57032dbb2335499a51e13470a7cd5d86b138
- 41cc2b15c662bc001c0eb92f6cc222934f0beeea
- d209430d6af54792371174e70e27dd11d3def7a7
- 1c6452026c56efd2c94cea7e0f671eb55515edb0
- c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
- 4923d460e22fbbf165bbbaba168e5a46b8157d9f
- f201504bd96e81d0d350c3a8332593ee1c9e09de
- ddd2db1127632a2a52943a2fe516a2e7d05d70d2
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 440a56bf-7873-4439-940a-1c8a671073c2
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
status: experimental
tags:
- attack.credential_access
- attack.t1212
- attack.command_and_control
- attack.t1071
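Review bot: SELECTION_2 matches on a field named `sha1`, but a Sysmon EventID 1 record carries hashes in the single `Hashes` string (`SHA1=...,MD5=...`), which is how the Dumpert rule in this same commit matches (`Hashes: '*09D278F9DE118EF09163C6140255C690*'`); unless Hayabusa maps `sha1` to a parsed component of `Hashes`, this rule never fires. Either switch to the `Hashes` field with `'*SHA1=<value>*'` patterns or document the field mapping, and add a test event for one of the listed values. Since the rule is pure hash IOC matching, `status: experimental` should stay until that mapping is verified.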
@@ -0,0 +1,37 @@
title: Pandemic Registry Key
ruletype: Sigma
author: Florian Roth
date: 2017/06/01
description: Detects Pandemic Windows Implant
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*loaddll -a *'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
id: 9fefd33c-339d-4495-9cba-b96ca006f512
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://wikileaks.org/vault7/#Pandemic
- https://twitter.com/MalwareJake/status/870349480356454401
related:
- id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
type: derived
status: experimental
tags:
- attack.lateral_movement
- attack.t1105
@@ -0,0 +1,36 @@
title: Defrag Deactivation
ruletype: Sigma
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
description: Detects the deactivation and disabling of the Scheduled defragmentation
task as seen by Slingshot APT group
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\schtasks.exe'
SELECTION_3:
CommandLine:
- '*/delete*'
- '*/change*'
SELECTION_4:
CommandLine: '*/TN*'
SELECTION_5:
CommandLine: '*\Microsoft\Windows\Defrag\ScheduledDefrag*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
status: experimental
tags:
- attack.persistence
- attack.t1053.005
- attack.s0111
@@ -0,0 +1,36 @@
title: Turla Group Lateral Movement
ruletype: Sigma
author: Markus Neis
date: 2017/11/07
description: Detects automated lateral movement by Turla group
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- net use \\%DomainController%\C$ "P@ssw0rd" *
- dir c:\\*.doc* /s
- dir %TEMP%\\*.exe
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://securelist.com/the-epic-turla-operation/65545/
status: experimental
tags:
- attack.g0010
- attack.execution
- attack.t1059
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
- attack.discovery
- attack.t1083
- attack.t1135
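Review bot: the three CommandLine values in SELECTION_2 are unquoted plain scalars, unlike every other rule in this commit, and the first one only matches the literal placeholder `%DomainController%` copied from the report rather than a real host name, so the rule is an exact-string IOC that will miss the same command against any actual server; say so in the description or replace the placeholder with a wildcard. Under Sigma escaping a `\\` before a non-wildcard character is one literal backslash, so the UNC prefix would need `\\\\` to match two; confirm how Hayabusa treats this. The tags also carry the deprecated `attack.t1077` next to its replacement `attack.t1021.002`; drop the deprecated ID.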
@@ -0,0 +1,49 @@
title: Operation Wocao Activity
ruletype: Sigma
author: Florian Roth, frack113
date: 2019/12/20
description: Detects activity mentioned in Operation Wocao report
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*checkadmin.exe 127.0.0.1 -all*'
- '*netsh advfirewall firewall add rule name=powershell dir=in*'
- '*cmd /c powershell.exe -ep bypass -file c:\s.ps1*'
- '*/tn win32times /f*'
- '*create win32times binPath=*'
- '*\c$\windows\system32\devmgr.dll*'
- '* -exec bypass -enc JgAg*'
- '*type *keepass\KeePass.config.xml*'
- '*iie.exe iie.txt*'
- '*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
related:
- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
type: derived
status: experimental
tags:
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- attack.t1036
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1053
- attack.t1059.001
- attack.t1086
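Review bot: the tag list mixes deprecated technique IDs with their replacements: `attack.t1086` was superseded by `attack.t1059.001` and `attack.t1053` by the sub-technique `attack.t1053.005`, and both replacements are already present, so the deprecated entries should be dropped. The falsepositives entry covers `checkadmin.exe` only; the `netsh advfirewall firewall add rule name=powershell dir=in` pattern is also something an administrator might run by hand, so it deserves a mention there.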
@@ -0,0 +1,46 @@
title: Automated Collection Command Prompt
ruletype: Sigma
author: frack113
date: 2021/07/28
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*.doc*'
- '*.docx*'
- '*.xls*'
- '*.xlsx*'
- '*.ppt*'
- '*.pptx*'
- '*.rtf*'
- '*.pdf*'
- '*.txt*'
SELECTION_3:
CommandLine: '*dir *'
SELECTION_4:
CommandLine: '* /b *'
SELECTION_5:
CommandLine: '* /s *'
SELECTION_6:
OriginalFileName: FINDSTR.EXE
SELECTION_7:
CommandLine: '* /e *'
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: f576a613-2392-4067-9d1a-9345fb58d8d1
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
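Review bot: half of the SELECTION_2 values are redundant: `'*.docx*'`, `'*.xlsx*'` and `'*.pptx*'` are already covered by `'*.doc*'`, `'*.xls*'` and `'*.ppt*'`, since the trailing wildcard absorbs the `x`. Trim the list unless the intent is to record which extension matched. The `'*.txt*'` entry combined with `dir /b /s` will also hit routine administrative directory listings, so `falsepositives: Unknown` undersells the expected noise at `level: medium`.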
@@ -0,0 +1,29 @@
title: F-Secure C3 Load by Rundll32
ruletype: Sigma
author: Alfie Champion (ajpc500)
date: 2021/06/02
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*rundll32.exe*'
SELECTION_3:
CommandLine: '*.dll*'
SELECTION_4:
CommandLine: '*StartNodeRelay*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
level: critical
logsource:
category: process_creation
product: windows
references:
- https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
status: experimental
tags:
- attack.defense_evasion
- attack.t1218.011
@@ -0,0 +1,33 @@
title: Suspicious Load DLL via CertOC.exe
ruletype: Sigma
author: Austin Songer @austinsonger
date: 2021/10/23
description: Detects when a user installs certificates by using CertOC.exe to loads
the target DLL file.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\certoc.exe'
SELECTION_3:
CommandLine: '*-LoadDLL*'
SELECTION_4:
CommandLine: '*.dll*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- None
fields:
- CommandLine
- ParentCommandLine
id: 242301bc-f92f-4476-8718-78004a6efd9f
level: medium
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
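Review bot: grammar slip in the description: `to loads the target DLL file` should read `to load the target DLL file`. `falsepositives: None` is hard to reconcile with `level: medium`; if the author considers the `-LoadDLL` switch to have no legitimate use, raise the level, otherwise list the benign cases that keep it at medium.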
@@ -0,0 +1,27 @@
title: Use of CLIP
ruletype: Sigma
author: frack113
date: 2021/07/27
description: Adversaries may collect data stored in the clipboard from users copying
information within or between applications.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
OriginalFileName: clip.exe
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
level: low
logsource:
category: process_creation
product: windows
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
status: experimental
tags:
- attack.collection
- attack.t1115
@@ -0,0 +1,32 @@
title: CobaltStrike Load by Rundll32
ruletype: Sigma
author: Wojciech Lesicki
date: 2021/06/01
description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs
from the command line.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*rundll32.exe*'
SELECTION_3:
CommandLine: '*.dll*'
SELECTION_4:
CommandLine: '*StartW*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.cobaltstrike.com/help-windows-executable
- https://redcanary.com/threat-detection-report/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218.011
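Review bot: typo in the description: `Rundll32 can be use by Cobalt Strike` should read `can be used`. Because SELECTION_4 is a bare substring match, any DLL path or argument containing `StartW` will also trigger at `level: critical`; rundll32 separates the export name from the DLL path with a comma, so anchoring the pattern as `'*,StartW*'` would cut that noise without losing the documented behaviour.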
@@ -0,0 +1,38 @@
title: Conti Ransomware Execution
ruletype: Sigma
author: frack113
date: 2021/10/12
description: Conti ransomware command line ioc
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*-m *'
SELECTION_3:
CommandLine: '*-net *'
SELECTION_4:
CommandLine: '*-size *'
SELECTION_5:
CommandLine: '*-nomutex *'
SELECTION_6:
CommandLine: '*-p \\\*'
SELECTION_7:
CommandLine: '*$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7)
falsepositives:
- Unknown should be low
id: 689308fc-cfba-4f72-9897-796c1dc61487
level: critical
logsource:
category: process_creation
product: windows
references:
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
- https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
status: experimental
tags:
- attack.impact
- attack.s0575
- attack.t1486
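Review bot: the escape in SELECTION_6 (`'*-p \\\*'`) looks mangled: under Sigma escaping rules `\\\*` reads as one literal backslash followed by a literal asterisk, not a UNC prefix followed by a wildcard, so the pattern would require the exact text `-p \*` on the command line. Check the upstream rule for the intended number of backslashes and add a test event. Also, `falsepositives: Unknown should be low` is two statements run together; keep one of them.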
@@ -0,0 +1,37 @@
title: Conti Backup Database
ruletype: Sigma
author: frack113
date: 2021/08/16
description: Detects a command used by conti to dump database
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*sqlcmd *'
- '*sqlcmd.exe*'
SELECTION_3:
CommandLine: '* -S localhost *'
SELECTION_4:
CommandLine:
- '*sys.sysprocesses*'
- '*master.dbo.sysdatabases*'
- '*BACKUP DATABASE*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
level: high
logsource:
category: process_creation
product: windows
modified: 2021/12/02
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
status: experimental
tags:
- attack.collection
- attack.t1005
@@ -0,0 +1,28 @@
title: DInject PowerShell Cradle CommandLine Flags
ruletype: Sigma
author: Florian Roth
date: 2021/12/07
description: Detects the use of the Dinject PowerShell cradle based on the specific
flags
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '* /am51*'
- '* /password*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unlikely
id: d78b5d61-187d-44b6-bf02-93486a80de5a
level: critical
logsource:
category: process_creation
product: windows
references:
- https://github.com/snovvcrash/DInjector
status: experimental
tags:
- attack.defense_evasion
- attack.t1055
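Review bot: SELECTION_2 is an OR of `'* /am51*'` and `'* /password*'`, so ` /password` on its own fires the rule at `level: critical`, and that switch is common in legitimate command lines (installers and admin tooling that take a password argument). `falsepositives: Unlikely` does not hold for the second pattern; either require both flags or pair `/password` with something specific to the DInjector cradle, such as a PowerShell Image, before calling it critical.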
@@ -0,0 +1,45 @@
title: Discover Private Keys
ruletype: Sigma
author: frack113
date: 2021/07/20
description: Adversaries may search for private key certificate files on compromised
systems for insecurely stored credential
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*dir *'
- '*findstr *'
SELECTION_3:
CommandLine:
- '*.key*'
- '*.pgp*'
- '*.gpg*'
- '*.ppk*'
- '*.p12*'
- '*.pem*'
- '*.pfx*'
- '*.cer*'
- '*.p7b*'
- '*.asc*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
status: experimental
tags:
- attack.credential_access
- attack.t1552.004
@@ -0,0 +1,44 @@
title: DNS ServerLevelPluginDll Install
ruletype: Sigma
author: Florian Roth
date: 2017/05/08
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
in Registry, which can be used to execute code in context of the DNS server (restart
required)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\dnscmd.exe'
SELECTION_3:
CommandLine: '*/config*'
SELECTION_4:
CommandLine: '*/serverlevelplugindll*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
- attack.t1112
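Review bot: the tag list includes the deprecated `attack.t1073` alongside its replacement `attack.t1574.002`; drop the deprecated ID. `fields` lists `TargetObject`, a registry-event field that is not populated on an EventID 1 record; the `dnscmd.exe /config /serverlevelplugindll` command line is the process_creation signal here, while the registry write belongs to the related rule `e61e8a88-59a9-451c-874e-70fcc9740d67`.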
@@ -0,0 +1,39 @@
title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
ruletype: Sigma
author: Beyu Denis, oscd.community
date: 2020/10/18
description: dotnet.exe will execute any DLL and execute unsigned code
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*.dll'
- '*.csproj'
SELECTION_3:
Image:
- '*\dotnet.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- System administrator Usage
- Penetration test
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
- https://twitter.com/_felamos/status/1204705548668555264
- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
status: test
tags:
- attack.execution
- attack.t1218
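Review bot: the two SELECTION_2 patterns `'*.dll'` and `'*.csproj'` have no trailing wildcard, so they only match a command line that ends exactly in those characters; a quoted path (`dotnet.exe "C:\path\x.dll"`) ends with a quote and an invocation with further arguments ends with the argument, and neither would match. Use `'*.dll*'` and `'*.csproj*'` as the other rules in this commit do, or state in the description that exact-suffix matching is intended.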
@@ -0,0 +1,29 @@
title: Dumpert Process Dumper
ruletype: Sigma
author: Florian Roth
date: 2020/02/04
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
process memory
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Hashes: '*09D278F9DE118EF09163C6140255C690*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Very unlikely
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/12/08
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
@@ -0,0 +1,34 @@
title: InfDefaultInstall.exe .inf Execution
ruletype: Sigma
author: frack113
date: 2021/07/13
description: Executes SCT script using scrobj.dll from a command in entered into a
specially prepared INF file.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*InfDefaultInstall.exe *'
SELECTION_3:
CommandLine: '*.inf*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: ce7cf472-6fcc-490a-9481-3786840b5d9b
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
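Review bot: the tag `attack.t1562.001` (Impair Defenses: Disable or Modify Tools) does not describe this behaviour; both references are T1218 material (Signed Binary Proxy Execution), which is what the `InfDefaultInstall.exe` plus `.inf` pattern detects, so the tag should be `attack.t1218`. Minor wording: `from a command in entered into a specially prepared INF file` has a stray `in`.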
@@ -0,0 +1,43 @@
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
ruletype: Sigma
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021/09/30
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*/in:*'
SELECTION_3:
CommandLine: '*/out:*'
SELECTION_4:
Image:
- '*\DataSvcUtil.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- DataSvcUtil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes
in your environment.
- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If
known behavior is causing false positives, it can be exempted from the rule.
- Penetration Testing
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
level: medium
logsource:
category: process_creation
product: windows
references:
- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
status: experimental
tags:
- attack.exfiltration
- attack.t1567
@@ -0,0 +1,40 @@
title: New Lolbin Process by Office Applications
ruletype: Sigma
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: This rule will monitor any office apps that spins up a new LOLBin process.
This activity is pretty suspicious and should be investigated.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*regsvr32'
- '*rundll32'
- '*msiexec'
- '*mshta'
- '*verclsid'
SELECTION_3:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
level: high
logsource:
category: process_creation
product: windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
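Review bot: the Image patterns in SELECTION_2 (`'*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'`, `'*verclsid'`) have no `.exe` suffix and no trailing wildcard, while the Sysmon `Image` field holds the full path ending in `.exe`, so none of them can match `C:\Windows\System32\regsvr32.exe` and the rule is dead as written. Use `'*\regsvr32.exe'` and so on (the sibling rules in this commit write `Image: '*\certoc.exe'`), and add one test event per pattern.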
@@ -0,0 +1,46 @@
title: Suspicious Driver Install by pnputil.exe
ruletype: Sigma
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
date: 2021/09/30
description: Detects when a possible suspicious driver is being installed via pnputil.exe
lolbin
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*-i*'
- '*/install*'
- '*-a*'
- '*/add-driver*'
- '*.inf*'
SELECTION_3:
Image:
- '*\pnputil.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Pnputil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes
in your environment.
- Pnputil.exe being executed from unfamiliar users should be investigated. If known
behavior is causing false positives, it can be exempted from the rule.
- Penetration Testing
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
level: medium
logsource:
category: process_creation
product: windows
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
- https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
status: experimental
tags:
- attack.persistence
- attack.t1547
- attack.t1547.006
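Review bot: SELECTION_2 is an OR list, and `'*-a*'` and `'*-i*'` match nearly any command line (any argument containing `-a` or `-i`, including `-all`), so the condition collapses to "pnputil.exe with almost any arguments" at `level: medium`. If the intent is `pnputil -i -a x.inf` or `pnputil /add-driver x.inf /install`, put the `'*.inf*'` pattern in its own selection and `and` it with the switch patterns instead of listing it as one more alternative.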
@@ -0,0 +1,37 @@
title: Lolbins Process Creation with WmiPrvse
ruletype: Sigma
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: This rule will monitor LOLBin process creations by wmiprvse. Add more
LOLBins to rule logic if needed.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*regsvr32'
- '*rundll32'
- '*msiexec'
- '*mshta'
- '*verclsid'
SELECTION_3:
ParentImage: '*\wbem\WmiPrvSE.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
level: high
logsource:
category: process_creation
product: windows
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
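Review bot: same Image pattern defect as the Office LOLBin rule in this commit: `'*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'` and `'*verclsid'` lack the `.exe` suffix that the Sysmon `Image` field always carries, so SELECTION_2 never matches and the rule cannot fire. Rewrite them as `'*\regsvr32.exe'` etc., and add a test event whose `ParentImage` is `C:\Windows\System32\wbem\WmiPrvSE.exe`.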
@@ -0,0 +1,41 @@
title: Execute Files with Msdeploy.exe
ruletype: Sigma
author: Beyu Denis, oscd.community
date: 2020/10/18
description: Detects file execution using the msdeploy.exe lolbin
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*verb:sync*'
SELECTION_3:
CommandLine: '*-source:RunCommand*'
SELECTION_4:
CommandLine: '*-dest:runCommand*'
SELECTION_5:
Image:
- '*\msdeploy.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- System administrator Usage
- Penetration test
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
- https://twitter.com/pabraeken/status/995837734379032576
- https://twitter.com/pabraeken/status/999090532839313408
status: test
tags:
- attack.execution
- attack.t1218
@@ -0,0 +1,43 @@
title: Office Applications Spawning Wmi Cli
ruletype: Sigma
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Initial execution of malicious document calls wmic to execute the file
with regsvr32
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: \wbem\WMIC.exe
SELECTION_3:
CommandLine: '*wmic *'
SELECTION_4:
OriginalFileName: wmic.exe
SELECTION_5:
Description: WMI Commandline Utility
SELECTION_6:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
and SELECTION_6)
falsepositives:
- Unknown
id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/10
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
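Review bot: SELECTION_2 `Image: \wbem\WMIC.exe` is an unquoted exact value with no leading wildcard, so it only matches an Image field whose entire content is `\wbem\WMIC.exe`, which Sysmon never produces since the field is a full path; the other three alternatives in the `or` group keep the rule alive, but the Image branch should be `'*\wbem\WMIC.exe'` as in the sibling rules. Also, the description says the document `calls wmic to execute the file with regsvr32`, yet nothing in the condition checks for regsvr32; either add that to a CommandLine selection or soften the description.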
@@ -0,0 +1,59 @@
title: Excel Proxy Executing Regsvr32 With Payload
ruletype: Sigma
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
we have command-line in the event which allow us to "restore" this suspicious parent-child
chain and detect it. Monitor process creation with "wmic process call create" and
LOLBins in command-line with parent Office application processes.
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
ParentCommandLine: '*call*'
SELECTION_2:
Image: '*\wbem\WMIC.exe'
SELECTION_3:
ParentCommandLine: '*wmic *'
SELECTION_4:
OriginalFileName: wmic.exe
SELECTION_5:
Description: WMI Commandline Utility
SELECTION_6:
CommandLine:
- '*regsvr32*'
- '*rundll32*'
- '*msiexec*'
- '*mshta*'
- '*verclsid*'
SELECTION_7:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
SELECTION_8:
ParentCommandLine: '*process*'
SELECTION_9:
ParentCommandLine: '*create*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10)
falsepositives:
- Unknown
id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/09
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
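Review bot: the condition contradicts itself about which process it describes. SELECTION_7 requires `ParentImage` to be winword/excel/powerpnt, yet SELECTION_8 to SELECTION_10 require `ParentCommandLine` to contain `process`, `create` and `call`; an Office application's own command line never contains `wmic process call create`. Per the description ("monitor process creation with `wmic process call create` and LOLBins in command-line"), those three checks and SELECTION_3's `'*wmic *'` belong on the `CommandLine` of the WMIC child, next to SELECTION_6. As written the rule cannot fire; fix the field names and add a positive test event.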
@@ -0,0 +1,55 @@
title: Excel Proxy Executing Regsvr32 With Payload
ruletype: Sigma
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
we have command-line in the event which allow us to "restore" this suspicious parent-child
chain and detect it. Monitor process creation with "wmic process call create" and
LOLBins in command-line with parent Office application processes.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentCommandLine:
- '*regsvr32*'
- '*rundll32*'
- '*msiexec*'
- '*mshta*'
- '*verclsid*'
SELECTION_3:
Image: '*\wbem\WMIC.exe'
SELECTION_4:
ParentCommandLine: '*wmic *'
SELECTION_5:
ParentImage:
- '*winword.exe'
- '*excel.exe'
- '*powerpnt.exe'
SELECTION_6:
ParentCommandLine: '*process*'
SELECTION_7:
ParentCommandLine: '*create*'
SELECTION_8:
ParentCommandLine: '*call*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5
and SELECTION_6 and SELECTION_7 and SELECTION_8)
falsepositives:
- Unknown
id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/09
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
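Review bot: this rule shares its title and description with `9d1c72f5-43f0-4da5-9320-648cf2099dd0` but has its own `id`; give it a distinct title so alerts from the two are distinguishable. The field logic needs the same scrutiny: SELECTION_5 demands an Office `ParentImage` while SELECTION_4 and SELECTION_6 to SELECTION_8 demand `wmic`, `process`, `create` and `call` in `ParentCommandLine`, which an Office parent never carries. If this is meant as the second hop (the LOLBin spawned through WMI), the parent would be WmiPrvSE.exe rather than an Office process; if it is the first hop, the checks belong on `CommandLine`. Clarify which, and add a test event.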
@@ -0,0 +1,38 @@
title: Office Applications Spawning Wmi Cli
ruletype: Sigma
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
date: 2021/08/23
description: Initial execution of malicious document calls wmic to execute the file
with regsvr32
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\wbem\WMIC.exe'
SELECTION_3:
ParentCommandLine: '*wmic *'
SELECTION_4:
ParentImage:
- winword.exe
- excel.exe
- powerpnt.exe
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: 04f5363a-6bca-42ff-be70-0d28bf629ead
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/09
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
status: experimental
tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defense_evasion
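Review bot: the ParentImage values in SELECTION_4 (`- winword.exe`) have no leading wildcard, unlike every other rule in this set (`'*winword.exe'`), so they only match a bare file name and never the full path that Sysmon Event ID 1 logs. SELECTION_3 also tests ParentCommandLine for `wmic `, although the description says wmic is the process being spawned by the document; the intended field is most likely CommandLine, consistent with the WMIC Image check in SELECTION_2.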
@@ -0,0 +1,37 @@
title: Pingback Backdoor
ruletype: Sigma
author: Bhabesh Raj
date: 2021/05/05
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
as described in the trustwave report
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*updata.exe'
SELECTION_3:
CommandLine: '*config*'
SELECTION_4:
CommandLine: '*msdtc*'
SELECTION_5:
CommandLine: '*start*'
SELECTION_6:
CommandLine: '*auto*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6)
falsepositives:
- Very unlikely
id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
level: high
logsource:
category: process_creation
product: windows
modified: 2021/09/09
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
status: experimental
tags:
- attack.persistence
- attack.t1574.001
@@ -0,0 +1,35 @@
title: ProtocolHandler.exe Downloaded Suspicious File
ruletype: Sigma
author: frack113
date: 2021/07/13
description: Emulates attack via documents through protocol handler in Microsoft Office.
On successful execution you should see Microsoft Word launch a blank file.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\protocolhandler.exe'
SELECTION_3:
CommandLine: '*"ms-word*'
SELECTION_4:
CommandLine: '*.docx"*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
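Review bot: the description ("Emulates attack via documents ... you should see Microsoft Word launch a blank file") is the Atomic Red Team test text, not a description of what the rule detects; suggest stating the detection itself (protocolhandler.exe started with an `ms-word` URI pointing at a .docx). The title "Downloaded Suspicious File" also overstates the selections, which only check the ms-word/.docx command line and nothing about a download.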
@@ -0,0 +1,40 @@
title: Root Certificate Installed
ruletype: Sigma
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/10
description: Adversaries may install a root certificate on a compromised system to
avoid warnings when connecting to adversary controlled web servers.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*root*'
SELECTION_3:
Image: '*\certutil.exe'
SELECTION_4:
CommandLine: '*-addstore*'
SELECTION_5:
Image: '*\CertMgr.exe'
SELECTION_6:
CommandLine: '*/add*'
condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6)))
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
test if GPO push doesn't trigger FP
id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1553.004
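Review bot: the falsepositives entry carries an open test item (`Need to test if GPO push doesn't trigger FP`); falsepositives is user-facing documentation, so better to keep only the known case (Help Desk/IT adding a corporate Root CA) and track the GPO verification outside the rule.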
@@ -0,0 +1,36 @@
title: Sysinternals SDelete Delete File
ruletype: Sigma
author: frack113
date: 2021/06/03
description: Use of SDelete to erase a file not the free space
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
OriginalFileName: sdelete.exe
SELECTION_3:
CommandLine:
- '* -h*'
- '* -c*'
- '* -z*'
- '* /?*'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- System administrator Usage
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: a4824fca-976f-4964-b334-0621379e84c4
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
status: experimental
tags:
- attack.impact
- attack.t1485
@@ -0,0 +1,41 @@
title: Detected Windows Software Discovery
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/16
description: Adversaries may attempt to enumerate software for a variety of reasons,
such as figuring out what security measures are present or if the compromised system
has a version of software that is vulnerable.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\reg.exe'
SELECTION_3:
CommandLine: '*query*'
SELECTION_4:
CommandLine: '*\software\\*'
SELECTION_5:
CommandLine: '*/v*'
SELECTION_6:
CommandLine: '*svcversion*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6)
falsepositives:
- Legitimate administration activities
id: e13f668e-7f95-443d-98d2-1816a7648a7b
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
status: experimental
tags:
- attack.discovery
- attack.t1518
@@ -0,0 +1,45 @@
title: Sticky Key Like Backdoor Usage
ruletype: Sigma
author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
description: Detects the usage and installation of a backdoor that uses an option
to register a malicious debugger for built-in tools that are accessible in the login
screen
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\winlogon.exe'
SELECTION_3:
Image: '*\cmd.exe'
SELECTION_4:
CommandLine:
- '*sethc.exe*'
- '*utilman.exe*'
- '*osk.exe*'
- '*Magnify.exe*'
- '*Narrator.exe*'
- '*DisplaySwitch.exe*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
related:
- id: baca5663-583c-45f9-b5dc-ea96a22ce542
type: derived
status: experimental
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1015
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
@@ -0,0 +1,36 @@
title: Execution via stordiag.exe
ruletype: Sigma
author: Austin Songer (@austinsonger)
date: 2021/10/21
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe
and fltmc.exe
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\stordiag.exe'
SELECTION_3:
Image:
- '*\schtasks.exe'
- '*\systeminfo.exe'
- '*\fltmc.exe'
SELECTION_4:
ParentImage:
- c:\windows\system32\\*
- c:\windows\syswow64\\*
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
falsepositives:
- Legitimate usage of stordiag.exe.
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
level: high
logsource:
category: process_creation
product: windows
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
@@ -0,0 +1,39 @@
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
ruletype: Sigma
author: frack113
date: 2021/07/27
description: An adversary may compress or encrypt data that is collected prior to
exfiltration using 3rd party utilities
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*7z.exe*'
- '*7za.exe*'
SELECTION_3:
CommandLine: '* -p*'
SELECTION_4:
CommandLine:
- '* a *'
- '* u *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Command line parameter combinations that contain all included strings
fields:
- CommandLine
- ParentCommandLine
- CurrentDirectory
id: 9fbf5927-5261-4284-a71d-f681029ea574
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
status: experimental
tags:
- attack.collection
- attack.t1560.001
@@ -0,0 +1,42 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
ruletype: Sigma
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_3:
CommandLine:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
@@ -0,0 +1,34 @@
title: Suspicious Del in CommandLine
ruletype: Sigma
author: frack113
date: 2021/12/02
description: suspicious command line to remove exe or dll
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*del *.exe*'
SELECTION_3:
CommandLine: '*/f *'
SELECTION_4:
CommandLine: '*/q *'
SELECTION_5:
CommandLine: '*del *.dll*'
SELECTION_6:
CommandLine: '*C:\ProgramData\\*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
and SELECTION_6)))
falsepositives:
- unknown
id: 204b17ae-4007-471b-917b-b917b315c5db
level: medium
logsource:
category: process_creation
product: windows
references:
- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -0,0 +1,28 @@
title: Execution Of Not Existing File
ruletype: Sigma
author: Max Altgelt
date: 2021/12/09
description: Checks whether the image specified in a process creation event is not
a full, absolute path (caused by process ghosting or other unorthodox methods to
start a process)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\\*'
SELECTION_3:
Image|re: ^$
condition: (SELECTION_1 and not (SELECTION_2) and not (SELECTION_3))
falsepositives:
- unknown
id: 71158e3f-df67-472b-930e-7d287acaa3e1
level: high
logsource:
category: process_creation
product: windows
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
status: experimental
tags:
- attack.defense_evasion
@@ -0,0 +1,28 @@
title: Execution Of Other File Type Than .exe
ruletype: Sigma
author: Max Altgelt
date: 2021/12/09
description: Checks whether the image specified in a process creation event doesn't
refer to an .exe file (caused by process ghosting or other unorthodox methods to
start a process)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*.exe'
SELECTION_3:
Image|re: ^$
condition: (SELECTION_1 and not (SELECTION_2) and not (SELECTION_3))
falsepositives:
- unknown
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
level: high
logsource:
category: process_creation
product: windows
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
status: experimental
tags:
- attack.defense_evasion
@@ -0,0 +1,32 @@
title: Recon Information for Export with Command Prompt
ruletype: Sigma
author: frack113
date: 2021/07/30
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\tree.com'
- '*\WMIC.exe'
- '*\doskey.exe'
- '*\sc.exe'
SELECTION_3:
ParentCommandLine: '* > %TEMP%\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: aa2efee7-34dd-446e-8a37-40790a66efd7
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
@@ -0,0 +1,35 @@
title: Windows Suspicious Use Of Web Request in CommandLine
ruletype: Sigma
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request with commandline tools or Windows
PowerShell command,methods (including aliases)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*Invoke-WebRequest*'
- '*iwr *'
- '*wget *'
- '*curl *'
- '*Net.WebClient*'
- '*Start-BitsTransfer*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
@@ -0,0 +1,27 @@
title: WhoAmI as Parameter
ruletype: Sigma
author: Florian Roth
date: 2021/11/29
description: Detects a suspicious process command line that uses whoami as first parameter
(as e.g. used by EfsPotato)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*.exe whoami*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: e9142d84-fbe0-401d-ac50-3e519fb00c89
level: high
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
status: experimental
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
@@ -0,0 +1,36 @@
title: Compress Data and Lock With Password for Exfiltration With WINZIP
ruletype: Sigma
author: frack113
date: 2021/07/27
description: An adversary may compress or encrypt data that is collected prior to
exfiltration using 3rd party utilities
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*winzip.exe*'
- '*winzip64.exe*'
SELECTION_3:
CommandLine:
- '*-s"*'
SELECTION_4:
CommandLine:
- '* -min *'
- '* -a *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
status: experimental
tags:
- attack.collection
- attack.t1560.001
@@ -0,0 +1,36 @@
title: Zip A Folder With PowerShell For Staging In Temp
ruletype: Sigma
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*Compress-Archive *'
SELECTION_3:
CommandLine: '* -Path *'
SELECTION_4:
CommandLine: '* -DestinationPath *'
SELECTION_5:
CommandLine: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001
@@ -0,0 +1,37 @@
title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
ruletype: Sigma
author: frack113
date: 2021/07/12
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\SyncAppvPublishingServer.exe'
SELECTION_3:
CommandLine: '*"n; *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- App-V clients
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: fbd7c32d-db2a-4418-b92c-566eb8911133
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: obsoletes
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
@@ -0,0 +1,35 @@
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
ruletype: Sigma
author: frack113
date: 2021/07/16
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*\SyncAppvPublishingServer.vbs*'
SELECTION_3:
CommandLine: '*"n;*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
- attack.t1216
@@ -0,0 +1,31 @@
title: Usage of Sysinternals Tools
ruletype: Sigma
author: Markus Neis
date: 2017/08/28
description: Detects the usage of Sysinternals Tools due to accepteula key being added
to Registry
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '* -accepteula*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
level: low
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://twitter.com/Moti_B/status/1008587936735035392
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: experimental
tags:
- attack.resource_development
- attack.t1588.002
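Review bot: the description says the detection is "due to accepteula key being added to Registry", but SELECTION_2 matches the `-accepteula` command-line switch in a process_creation event, not a registry write (the registry-based variant is presumably the related id 25ffa65d). Suggest rewording the description to say the rule keys on the command-line switch; the second falsepositives entry ("Programs that use the same Registry Key") likewise does not apply to a command-line match.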
@@ -0,0 +1,38 @@
title: UAC Bypass via Event Viewer
ruletype: Sigma
author: Florian Roth
date: 2017/03/19
description: Detects UAC bypass method using Windows event viewer
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\eventvwr.exe'
SELECTION_3:
Image: '*\mmc.exe'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: be344333-921d-4c4d-8bb8-e584cf584780
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/12
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- attack.t1548.002
- car.2019-04-001
@@ -0,0 +1,43 @@
title: PsExec Tool Execution
ruletype: Sigma
author: Thomas Patzke
date: 2017/06/12
description: Detects PsExec service installation and execution events (service and
Sysmon)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\PSEXESVC.exe'
SELECTION_3:
User: NT AUTHORITY\SYSTEM*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
level: low
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: experimental
tags:
- attack.execution
- attack.t1035
- attack.t1569.002
- attack.s0029
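Review bot: the description promises "service installation and execution events (service and Sysmon)", but this file only covers logsource process_creation with `Image: '*\PSEXESVC.exe'`; the fields list (ServiceName, ServiceFileName, TargetFilename, PipeName) belongs to the service/file/pipe variants and does not exist in Event ID 1. Suggest trimming fields to the process-creation ones and wording the description for this split-out rule.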
@@ -0,0 +1,29 @@
title: MSExchange Transport Agent Installation
ruletype: Sigma
author: Tobias Michalski
date: 2021/06/08
description: Detects the Installation of a Exchange Transport Agent
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*Install-TransportAgent*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
for this.
fields:
- AssemblyPath
id: 83809e84-4475-4b69-bc3e-4aad8568612f
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
status: experimental
tags:
- attack.persistence
- attack.t1505.002
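Review bot: `fields: - AssemblyPath` is a parameter of Install-TransportAgent, not a field of a process_creation event, so it cannot be surfaced from Event ID 1 as written; CommandLine is where an analyst would find the assembly path, and the falsepositives entry should point there. Also "a Exchange Transport Agent" in the description should read "an Exchange Transport Agent".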
@@ -0,0 +1,32 @@
title: Suspicious Dump64.exe Execution
ruletype: Sigma
author: Austin Songer @austinsonger, Florian Roth
date: 2021/11/26
description: Detects when a user bypasses Defender by renaming a tool to dump64.exe
and placing it in a Visual Studio folder
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\dump64.exe'
SELECTION_3:
Image: '*\Installer\Feedback\dump64.exe*'
SELECTION_4:
CommandLine:
- '* -ma *'
- '*accpeteula*'
condition: (SELECTION_1 and SELECTION_2 and ( not (SELECTION_3) or SELECTION_4))
falsepositives:
- Dump64.exe in other folders than the excluded one
id: 129966c9-de17-4334-a123-8b58172e664d
level: high
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/mrd0x/status/1460597833917251595
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
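Review bot: `'*accpeteula*'` in SELECTION_4 is a typo for `accepteula` (compare `'* -accepteula*'` in the Sysinternals rule in this same change); as written that string never matches the real switch, so only the `-ma` string and the `not (SELECTION_3)` path branch of the condition are effective.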
@@ -0,0 +1,37 @@
title: Suspicious PowerShell Mailbox Export to Share
ruletype: Sigma
author: Florian Roth
date: 2021/08/07
description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox
to a local share, as used in ProxyShell exploitations
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*New-MailboxExport*'
SELECTION_3:
CommandLine: '* -Mailbox *'
SELECTION_4:
CommandLine: '* -FilePath \\127.0.0.1\C$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
level: critical
logsource:
category: process_creation
product: windows
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
status: experimental
tags:
- attack.persistence
- attack.t1505.003
- attack.resource_development
- attack.t1584.006
@@ -0,0 +1,37 @@
title: Esentutl Gather Credentials
ruletype: Sigma
author: sam0x90
date: 2021/08/06
description: Conti recommendation to its affiliates to use esentult to access NTDS
dumped file. Trickbot also uses this utilities to get MSEdge info via its module
pwgrab.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*esentutl*'
SELECTION_3:
CommandLine: '* /p*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- To be determined
fields:
- User
- CommandLine
- ParentCommandLine
- CurrentDirectory
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
level: medium
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/vxunderground/status/1423336151860002816
- https://attack.mitre.org/software/S0404/
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.003
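Review bot: "esentult" in the description is a typo for esentutl and "uses this utilities" should be "uses this utility". More substantively, `'*esentutl*'` with `'* /p*'` also matches legitimate esentutl repair runs (`/p` is the repair switch), so the falsepositives entry "To be determined" should at least list administrator database repair.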
@@ -0,0 +1,52 @@
title: Abused Debug Privilege by Arbitrary Parent Processes
ruletype: Sigma
author: Semanur Guneysu @semanurtg, oscd.community
date: 2020/10/28
description: Detection of unusual child processes by different system processes
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage:
- '*\winlogon.exe'
- '*\services.exe'
- '*\lsass.exe'
- '*\csrss.exe'
- '*\smss.exe'
- '*\wininit.exe'
- '*\spoolsv.exe'
- '*\searchindexer.exe'
SELECTION_3:
Image:
- '*\powershell.exe'
- '*\cmd.exe'
SELECTION_4:
User:
- NT AUTHORITY\SYSTEM*
- AUTORITE NT\Sys*
SELECTION_5:
CommandLine: '* route *'
SELECTION_6:
CommandLine: '* ADD *'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
(SELECTION_5 and SELECTION_6))
falsepositives:
- unknown
fields:
- ParentImage
- Image
- User
- CommandLine
id: d522eca2-2973-4391-a3e0-ef0374321dae
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
status: test
tags:
- attack.privilege_escalation
- attack.t1548
@@ -0,0 +1,37 @@
title: Accesschk Usage After Privilege Escalation
ruletype: Sigma
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
description: Accesschk is an access and privilege audit tool developed by SysInternal
and often being used by attacker to verify if a privilege escalation process successful
or not
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
IntegrityLevel: Medium
SELECTION_3:
Product: '*AccessChk'
SELECTION_4:
Description: '*Reports effective permissions*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- System administrator Usage
- Penetration test
fields:
- IntegrityLevel
- Product
- Description
id: c625d754-6a3d-4f65-9c9a-536aea960d37
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
status: test
tags:
- attack.discovery
- attack.t1069.001
@@ -0,0 +1,39 @@
title: Always Install Elevated MSI Spawned Cmd And Powershell
ruletype: Sigma
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
description: This rule looks for Windows Installer service (msiexec.exe) spawned command
line and/or powershell
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\cmd.exe'
- '*\powershell.exe'
SELECTION_3:
ParentImage: '*\Windows\Installer\\*'
SELECTION_4:
ParentImage: '*msi*'
SELECTION_5:
ParentImage:
- '*tmp'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Penetration test
fields:
- Image
- ParentImage
id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
status: test
tags:
- attack.privilege_escalation
- attack.t1548.002
@@ -0,0 +1,53 @@
title: Always Install Elevated Windows Installer
ruletype: Sigma
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
description: This rule looks for Windows Installer service (msiexec.exe) trying to
install MSI packages with SYSTEM privilege
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\Windows\Installer\\*'
SELECTION_3:
Image: '*msi*'
SELECTION_4:
Image:
- '*tmp'
SELECTION_5:
User:
- NT AUTHORITY\SYSTEM*
- AUTORITE NT\Sys*
SELECTION_6:
Image:
- '*\msiexec.exe'
SELECTION_7:
User:
- NT AUTHORITY\SYSTEM*
- AUTORITE NT\Sys*
SELECTION_8:
IntegrityLevel: System
SELECTION_9:
CommandLine: '*\system32\msiexec.exe /V'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or ((SELECTION_6 and SELECTION_7 and SELECTION_8) and not (SELECTION_9))))
falsepositives:
- System administrator Usage
- Penetration test
fields:
- IntegrityLevel
- User
- Image
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/12/09
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
status: experimental
tags:
- attack.privilege_escalation
- attack.t1548.002
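Review bot: SELECTION_5 and SELECTION_7 are identical (`User: NT AUTHORITY\SYSTEM*` / `AUTORITE NT\Sys*`), so one can be dropped and the other reused in both branches of the condition. Also note that SELECTION_9 `'*\system32\msiexec.exe /V'` has a wildcard only at the start, so the filter applies only when `/V` is the final token of the command line.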
@@ -0,0 +1,35 @@
title: DNS Tunnel Technique from MuddyWater
ruletype: Sigma
author: '@caliskanfurkan_'
date: 2020/06/04
description: Detecting DNS tunnel activity for Muddywater actor
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\powershell.exe'
SELECTION_3:
ParentImage:
- '*\excel.exe'
SELECTION_4:
CommandLine:
- '*DataExchange.dll*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 36222790-0d43-4fe8-86e4-674b27809543
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
status: test
tags:
- attack.command_and_control
- attack.t1071
- attack.t1071.004
@@ -0,0 +1,47 @@
title: SOURGUM Actor Behaviours
ruletype: Sigma
author: MSTIC, FPT.EagleEye
date: 2021/06/15
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*windows\system32\Physmem.sys*'
SELECTION_3:
Image:
- '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
- '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
- '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
SELECTION_4:
Image:
- '*windows\system32\filepath2*'
- '*windows\system32\ime*'
SELECTION_5:
CommandLine:
- '*reg add*'
SELECTION_6:
CommandLine:
- '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*'
- '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*'
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6)))
falsepositives:
- Unknown
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
level: high
logsource:
category: process_creation
product: windows
modified: 2021/07/30
references:
- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
status: experimental
tags:
- attack.t1546
- attack.t1546.015
- attack.persistence
- attack.privilege_escalation
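Review bot: SELECTION_2, SELECTION_3 and SELECTION_4 match Image against a driver (`Physmem.sys`), `.ini` files and a directory, none of which appear as the Image of a process_creation event; the referenced Sentinel `SOURGUM_IOC.yaml` sits under MultipleDataSources, so those IOCs belong in a file_event rule on TargetFilename, leaving only the `reg add` / inprocserver32 branch meaningful here. `'*windows\system32\filepath2*'` also reads like a placeholder rather than a real path and should be checked against the source.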
@@ -0,0 +1,39 @@
title: Atlassian Confluence CVE-2021-26084
ruletype: Sigma
author: Bhabesh Raj
date: 2021/09/08
description: Detects spawning of suspicious child processes by Atlassian Confluence
server which may indicate successful exploitation of CVE-2021-26084
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe'
SELECTION_3:
CommandLine:
- '*cmd /c*'
- '*cmd /k*'
- '*powershell*'
- '*certutil*'
- '*curl*'
- '*whoami*'
- '*ipconfig*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 245f92e3-c4da-45f1-9070-bc552e06db11
level: high
logsource:
category: process_creation
product: windows
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://github.com/h3v0x/CVE-2021-26084_Confluence
status: experimental
tags:
- attack.initial_access
- attack.execution
- attack.t1190
- attack.t1059
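Review bot: SELECTION_2's `ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe'` only matches an installation that launches the bundled JRE from the default directory; a Confluence instance running on a system JVM (java.exe outside the Atlassian folder) never satisfies the condition. Either add an alternative ParentImage/ParentCommandLine selection or state the assumption in the description. For consistency with the CVE-2021-26857 rule in this commit, which carries `cve.2021.26857`, a `cve.2021.26084` tag would also help downstream filtering.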
@@ -0,0 +1,35 @@
title: CMSTP Execution Process Creation
ruletype: Sigma
author: Nik Seetharaman
date: 2018/07/16
description: Detects various indicators of Microsoft Connection Manager Profile Installer
execution
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\cmstp.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
fields:
- CommandLine
- ParentCommandLine
- Details
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
level: high
logsource:
category: process_creation
product: windows
modified: 2020/12/23
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
status: stable
tags:
- attack.defense_evasion
- attack.execution
- attack.t1191
- attack.t1218.003
- attack.g0069
- car.2019-04-001
@@ -0,0 +1,38 @@
title: Mavinject Inject DLL Into Running Process
ruletype: Sigma
author: frack113
date: 2021/07/12
description: Injects arbitrary DLL into running process specified by process ID. Requires
Windows 10.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '* /INJECTRUNNING*'
SELECTION_3:
CommandLine: '*.dll*'
SELECTION_4:
OriginalFileName: '*mavinject*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.collection
- attack.t1218
- attack.t1056.004
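Review bot: the description ("Injects arbitrary DLL into running process...") describes what mavinject.exe does, not what the rule detects; the other rules in this commit phrase it as "Detects ...", so something like "Detects mavinject.exe (OriginalFileName) being used with /INJECTRUNNING to load a DLL into another process" would match house style and make the medium level easier to judge.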
@@ -0,0 +1,32 @@
title: CVE-2021-26857 Exchange Exploitation
ruletype: Sigma
author: Bhabesh Raj
date: 2021/03/03
description: Detects possible successful exploitation for vulnerability described
in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Servers
Unified Messaging service
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*UMWorkerProcess.exe'
SELECTION_3:
Image:
- '*wermgr.exe'
- '*WerFault.exe'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- Unknown
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
level: critical
logsource:
category: process_creation
product: windows
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
status: experimental
tags:
- attack.t1203
- attack.execution
- cve.2021.26857
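Review bot: the description contains a stray `|` ("by looking for | abnormal subprocesses") that should be removed. Separately, SELECTION_2's `'*UMWorkerProcess.exe'` has no path separator before the file name, unlike the `'*\...exe'` patterns used elsewhere in this commit; `'*\UMWorkerProcess.exe'` avoids matching any image whose name merely ends in that string.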
@@ -0,0 +1,43 @@
title: Cabinet File Expansion
ruletype: Sigma
author: Bhabesh Raj
date: 2021/07/30
description: Adversaries can use the inbuilt expand utility to decompress cab files
as seen in recent Iranian MeteorExpress attack
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\expand.exe'
SELECTION_3:
CommandLine:
- '*.cab*'
- '*/F:*'
- '*-F:*'
- '*C:\ProgramData\\*'
- '*C:\Public\\*'
- '*\AppData\Local\Temp\\*'
- '*\AppData\Roaming\Temp\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- System administrator Usage
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 9f107a84-532c-41af-b005-8d12a607639f
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/08/31
references:
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
status: experimental
tags:
- attack.execution
- attack.t1218
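Review bot: SELECTION_3 is a single OR list, so any expand.exe invocation whose command line mentions `C:\ProgramData\` or a `\Temp\` folder fires regardless of whether a .cab is involved, which is common for software installers; the falsepositives entry should say so or the path patterns should be AND-ed with `*.cab*`. Also confirm `'*C:\Public\\*'`: the shared profile on Windows lives under `C:\Users\Public`, so as written this entry is unlikely to match a real path.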
@@ -0,0 +1,37 @@
title: Windows Credential Editor
ruletype: Sigma
author: Florian Roth
date: 2019/12/31
description: Detects the use of Windows Credential Editor (WCE)
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Imphash:
- a53a02b997935fd8eedcb5f7abab9b9f
- e96a73c7bf33a464c510ede582318bf2
SELECTION_3:
CommandLine: '*.exe -S'
SELECTION_4:
ParentImage: '*\services.exe'
SELECTION_5:
Image: '*\clussvc.exe'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)) and not
(SELECTION_5))
falsepositives:
- Another service that uses a single -s command line switch
id: 7aa7009a-28b9-4344-8c1f-159489a390df
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/07/15
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.s0005
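Review bot: SELECTION_2 depends on the Imphash field, which is only present when the Sysmon configuration's HashAlgorithms includes IMPHASH; on a default configuration the selection silently never matches and the rule degrades to SELECTION_3 and SELECTION_4 (`*.exe -S` under services.exe). Note that prerequisite in the description or logsource definition so deployers know the critical-level hash match is conditional.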
@@ -0,0 +1,31 @@
title: High Integrity Sdclt Process
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for sdclt being spawned as an elevated process. This
could be an indicator of sdclt being used for bypass UAC techniques.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*sdclt.exe'
SELECTION_3:
IntegrityLevel: High
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
id: 40f9af16-589d-4984-b78d-8c2aec023197
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
status: test
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1548.002
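Review bot: SELECTION_2 uses `'*sdclt.exe'` without the `\` separator that the sibling "Sdclt Child Processes" rule uses (`'*\sdclt.exe'`), so any image name ending in those characters also matches; align the two. The IntegrityLevel field in SELECTION_3 is Sysmon-specific and absent from Security 4688 events, which is worth stating since the logsource only says process_creation.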
@@ -0,0 +1,37 @@
title: Logon Scripts (UserInitMprLogonScript)
ruletype: Sigma
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
description: Detects creation or execution of UserInitMprLogonScript persistence method
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\userinit.exe'
SELECTION_3:
Image: '*\explorer.exe'
SELECTION_4:
CommandLine:
- '*netlogon*.bat*'
- '*UsrLogon.cmd*'
SELECTION_5:
CommandLine: '*UserInitMprLogonScript*'
condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) and not (SELECTION_4))
or SELECTION_5))
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/29
references:
- https://attack.mitre.org/techniques/T1037/
status: test
tags:
- attack.t1037
- attack.t1037.001
- attack.persistence
@@ -0,0 +1,34 @@
title: Too Long PowerShell Commandlines
ruletype: Sigma
author: oscd.community, Natalia Shornikova
date: 2020/10/06
description: Detects Too long PowerShell command lines
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*powershell*'
- '*pwsh*'
SELECTION_3:
Description: Windows Powershell
SELECTION_4:
Product: PowerShell Core 6
SELECTION_5:
CommandLine|re: .{1000,}
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
falsepositives:
- Unknown
id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/12/02
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
@@ -0,0 +1,34 @@
title: Ncat Execution
ruletype: Sigma
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\ncat.exe'
SELECTION_3:
CommandLine:
- '* -lvp *'
- '* -l --proxy-type http *'
- '* --exec cmd.exe *'
- '* -vnl --exec *'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Legitimate ncat use
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
level: high
logsource:
category: process_creation
product: windows
references:
- https://nmap.org/ncat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
status: experimental
tags:
- attack.command_and_control
- attack.t1095
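Review bot: the SELECTION_3 patterns end in a space (`'* --exec cmd.exe *'`, `'* -vnl --exec *'`), so they do not match when that argument is the last token on the command line; either drop the trailing space (`'* --exec cmd.exe*'`) or add end-of-line variants. Because SELECTION_2 is OR-ed with SELECTION_3, every ncat.exe launch already fires at high regardless of arguments, so the CommandLine branch mainly serves renamed binaries and should be written to cover them fully.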
@@ -0,0 +1,40 @@
title: Proxy Execution via Wuauclt
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
date: 2020/10/12
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
proxy execute code.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*wuauclt*'
SELECTION_3:
OriginalFileName: wuauclt.exe
SELECTION_4:
CommandLine: '*UpdateDeploymentProvider*'
SELECTION_5:
CommandLine: '*.dll*'
SELECTION_6:
CommandLine: '*RunHandlerComServer*'
SELECTION_7:
CommandLine:
- '* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *'
- '* wuaueng.dll *'
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5
and SELECTION_6)) and not (SELECTION_7))
falsepositives:
- Unknown
id: af77cf95-c469-471c-b6a0-946c685c4798
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/05/10
references:
- https://dtm.uk/wuauclt/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
@@ -0,0 +1,36 @@
title: Remove Windows Defender Definition Files
ruletype: Sigma
author: frack113
date: 2021/07/07
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by removing Windows Defender Definition Files
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
OriginalFileName: MpCmdRun.exe
SELECTION_3:
CommandLine: '* -RemoveDefinitions*'
SELECTION_4:
CommandLine: '* -All*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -0,0 +1,28 @@
title: Sdclt Child Processes
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for sdclt spawning new processes. This could be an
indicator of sdclt being used for bypass UAC techniques.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\sdclt.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: da2738f2-fadb-4394-afa7-0a0674885afa
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
status: test
tags:
- attack.privilege_escalation
- attack.t1548.002
@@ -0,0 +1,30 @@
title: Suspicious Plink Remote Forwarding
ruletype: Sigma
author: Florian Roth
date: 2021/01/19
description: Detects suspicious Plink tunnel remote forarding to a local port
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Description: Command-line SSH, Telnet, and Rlogin client
SELECTION_3:
CommandLine: '* -R *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrative activity using a remote port forwarding to a local port
id: 48a61b29-389f-4032-b317-b30de6b95314
level: high
logsource:
category: process_creation
product: windows
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
status: experimental
tags:
- attack.command_and_control
- attack.t1572
- attack.lateral_movement
- attack.t1021.001
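Review bot: typo in the description, "forarding" should be "forwarding". Matching on the version-resource Description in SELECTION_2 is a good choice since it survives renaming the binary; it is worth saying in the description that the rule relies on Sysmon populating that field.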
@@ -0,0 +1,39 @@
title: Stop Or Remove Antivirus Service
ruletype: Sigma
author: frack113
date: 2021/07/07
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by stopping antivirus service
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*Stop-Service *'
- '*Remove-Service *'
SELECTION_3:
CommandLine:
- '* McAfeeDLPAgentService*'
- '* Trend Micro Deep Security Manager*'
- '* TMBMServer*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
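Review bot: each SELECTION_3 value requires a space immediately before the service name, so `Stop-Service -Name "TMBMServer"` or a single-quoted name does not match, only the bare positional form does; drop the leading space or add quoted variants. The title says "Antivirus Service" generally but the list names only McAfee DLP and Trend Micro components, so the description should state that coverage.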
@@ -0,0 +1,31 @@
title: Suspicious WebDav Client Execution
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for svchost.exe spawning rundll32.exe with command
arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator
of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\rundll32.exe'
SELECTION_3:
CommandLine: '*C:\windows\system32\davclnt.dll,DavSetCookie*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
level: medium
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/17
- https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
status: test
tags:
- attack.exfiltration
- attack.t1048.003
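Review bot: the description says svchost.exe spawning rundll32.exe, but there is no ParentImage selection; either add `ParentImage: '*\svchost.exe'` to the condition or reword the description so it matches what is evaluated. SELECTION_3 also hard-codes `C:\windows\system32\`, which misses systems installed on another drive; `'*\davclnt.dll,DavSetCookie*'` keeps the distinctive part and drops the drive assumption.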
@@ -0,0 +1,35 @@
title: Uninstall Crowdstrike Falcon
ruletype: Sigma
author: frack113
date: 2021/07/12
description: Adversaries may disable security tools to avoid possible detection of
their tools and activities by uninstalling Crowdstrike Falcon
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*\WindowsSensor.exe*'
SELECTION_3:
CommandLine: '* /uninstall*'
SELECTION_4:
CommandLine: '* /quiet*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Uninstall by admin
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
level: medium
logsource:
category: process_creation
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -0,0 +1,46 @@
title: VMToolsd Suspicious Child Process
ruletype: Sigma
author: behops, Bhabesh Raj
date: 2021/10/08
description: Detects suspicious child process creations of VMware Tools process which
may indicate persistence setup
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\vmtoolsd.exe'
SELECTION_3:
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\rundll32.exe'
- '*\regsvr32.exe'
- '*\wscript.exe'
- '*\cscript.exe'
SELECTION_4:
CommandLine:
- '*\VMware\VMware Tools\poweron-vm-default.bat*'
- '*\VMware\VMware Tools\poweroff-vm-default.bat*'
- '*\VMware\VMware Tools\resume-vm-default.bat*'
- '*\VMware\VMware Tools\suspend-vm-default.bat*'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
falsepositives:
- Legitimate use by adminstrator
fields:
- CommandLine
- ParentCommandLine
- Details
id: 5687f942-867b-4578-ade7-1e341c46e99a
level: high
logsource:
category: process_creation
product: windows
modified: 2021/10/10
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
status: experimental
tags:
- attack.execution
- attack.persistence
- attack.t1059
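Review bot: the SELECTION_4 exclusion is path-based only, so a child process launched from one of the default `*-vm-default.bat` scripts stays excluded even if that script's contents were modified; pair this rule with file-modification monitoring on those .bat files so the exclusion does not become a blind spot. Typo in falsepositives: "adminstrator" should be "administrator".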
@@ -0,0 +1,59 @@
title: Chafer Activity
ruletype: Sigma
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
ParentImage: '*\Autoit*'
SELECTION_2:
CommandLine: '*\Service.exe*'
SELECTION_3:
CommandLine:
- '*i'
- '*u'
SELECTION_4:
CommandLine: '*\microsoft\Taskbar\autoit3.exe'
SELECTION_5:
CommandLine: C:\wsc.exe*
SELECTION_6:
Image: '*\Windows\Temp\DB\\*'
SELECTION_7:
Image: '*.exe'
SELECTION_8:
CommandLine: '*\nslookup.exe*'
SELECTION_9:
CommandLine: '*-q=TXT*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 or SELECTION_5)
or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
falsepositives:
- Unknown
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
status: experimental
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
@@ -0,0 +1,48 @@
title: AdFind Usage Detection
ruletype: Sigma
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021/02/02
description: AdFind continues to be seen across majority of breaches. It is used to
domain trust discovery to plan out subsequent steps in the attack chain.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*domainlist*'
- '*trustdmp*'
- '*dcmodes*'
- '*adinfo*'
- '* dclist *'
- '*computer_pwdnotreqd*'
- '*objectcategory=*'
- '*-subnets -f*'
- '*name="Domain Admins"*'
- '*-sc u:*'
- '*domainncs*'
- '*dompol*'
- '* oudmp *'
- '*subnetdmp*'
- '*gpodmp*'
- '*fspdmp*'
- '*users_noexpire*'
- '*computers_active*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Admin activity
id: 9a132afa-654e-11eb-ae93-0242ac130002
level: high
logsource:
category: process_creation
product: windows
modified: 2021/02/02
references:
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1018
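Review bot: several SELECTION_2 patterns are not tied to an AdFind image, and `*objectcategory=*`, `*adinfo*` and `*dompol*` will match any tool issuing an LDAP filter or containing those substrings, so this high-level rule fires on routine directory queries; anchor the generic patterns with an Image or OriginalFileName selection, or split the AdFind-specific switches from the generic ones. Grammar in the description: "used to domain trust discovery" should be "used for domain trust discovery".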
@@ -0,0 +1,34 @@
title: AnyDesk Silent Installation
ruletype: Sigma
author: Ján Trenčanský
date: 2021/08/06
description: AnyDesk Remote Desktop silent installation can be used by attacker to
gain remote access.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*--install*'
SELECTION_3:
CommandLine: '*--start-with-win*'
SELECTION_4:
CommandLine: '*--silent*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate deployment of AnyDesk
fields:
- CommandLine
- ParentCommandLine
- CurrentDirectory
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
level: high
logsource:
category: process_creation
product: windows
references:
- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
- https://support.anydesk.com/Automatic_Deployment
status: experimental
tags:
- attack.t1219
@@ -0,0 +1,37 @@
title: APT29
ruletype: Sigma
author: Florian Roth
date: 2018/12/04
description: This method detects a suspicious PowerShell command line combination
as used by APT29 in a campaign against U.S. think tanks.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*-noni*'
SELECTION_3:
CommandLine: '*-ep*'
SELECTION_4:
CommandLine: '*bypass*'
SELECTION_5:
CommandLine: '*$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- unknown
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
status: test
tags:
- attack.execution
- attack.g0016
- attack.t1086
- attack.t1059
- attack.t1059.001
@@ -0,0 +1,38 @@
title: Baby Shark Activity
ruletype: Sigma
author: Florian Roth
date: 2019/02/24
description: Detects activity that could be related to Baby Shark malware
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
- powershell.exe mshta.exe http*
- cmd.exe /c taskkill /im cmd.exe
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
status: test
tags:
- attack.execution
- attack.t1059
- attack.t1086
- attack.t1059.003
- attack.t1059.001
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1170
- attack.t1218
- attack.t1218.005
@@ -0,0 +1,52 @@
title: Judgement Panda Credential Access Activity
ruletype: Sigma
author: Florian Roth
date: 2019/02/21
description: Detects Russian group activity as described in Global Threat Report 2019
by Crowdstrike
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*-snapshot*'
SELECTION_11:
CommandLine: '*""*'
SELECTION_12:
CommandLine: '*c:\users\\*'
SELECTION_2:
Image: '*\xcopy.exe'
SELECTION_3:
CommandLine: '*/S*'
SELECTION_4:
CommandLine: '*/E*'
SELECTION_5:
CommandLine: '*/C*'
SELECTION_6:
CommandLine: '*/Q*'
SELECTION_7:
CommandLine: '*/H*'
SELECTION_8:
CommandLine: '*\\\*'
SELECTION_9:
Image: '*\adexplorer.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12)))
falsepositives:
- unknown
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
status: test
tags:
- attack.credential_access
- attack.t1081
- attack.t1003
- attack.t1552.001
- attack.t1003.003
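Review bot: SELECTION_8's `'*\\\*'` has an odd number of backslashes before the wildcard; under Sigma escaping `\\` is a literal backslash and `\*` a literal asterisk, so the intended UNC-path match (`\\`) may not be what the engine evaluates. Verify the pattern against the backend's escaping rules and rewrite it unambiguously.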
@@ -0,0 +1,32 @@
title: BlueMashroom DLL Load
ruletype: Sigma
author: Florian Roth
date: 2019/10/02
description: Detects a suspicious DLL loading from AppData Local path as described
in BlueMashroom report
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*\AppData\Local\\*'
SELECTION_3:
CommandLine: '*\regsvr32*'
SELECTION_4:
CommandLine: '*,DllEntry*'
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Unlikely
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
status: test
tags:
- attack.defense_evasion
- attack.t1117
- attack.t1218.010
@@ -0,0 +1,35 @@
title: WMIExec VBS Script
ruletype: Sigma
author: Florian Roth
date: 2017/04/07
description: Detects suspicious file execution by wscript and cscript
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\cscript.exe'
SELECTION_3:
CommandLine: '*.vbs*'
SELECTION_4:
CommandLine: '*/shell*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unlikely
fields:
- CommandLine
- ParentCommandLine
id: 966e4016-627f-44f7-8341-f394905c361f
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
status: test
tags:
- attack.execution
- attack.g0045
- attack.t1064
- attack.t1059.005
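Review bot: the description says "wscript and cscript" but SELECTION_2 only matches `'*\cscript.exe'`; add `'*\wscript.exe'` as a second Image value or correct the description to cscript only.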
@@ -0,0 +1,31 @@
title: CrackMapExecWin
ruletype: Sigma
author: Markus Neis
date: 2018/04/08
description: Detects CrackMapExecWin Activity as Described by NCSC
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image:
- '*\crackmapexec.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- None
id: 04d9079e-3905-4b70-ad37-6bdf11304965
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
- https://attack.mitre.org/software/S0488/
status: test
tags:
- attack.g0035
- attack.credential_access
- attack.discovery
- attack.t1110
- attack.t1087
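Review bot: SELECTION_2 matches on the image name alone, so a renamed crackmapexec.exe is not detected; if the binary carries stable version-resource strings, adding an OriginalFileName or Description alternative would make the critical-level rule harder to sidestep. "falsepositives: None" should follow the repository convention of "Unknown" unless the absence of false positives has been verified.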
@@ -0,0 +1,34 @@
title: Elise Backdoor
ruletype: Sigma
author: Florian Roth
date: 2018/01/31
description: Detects Elise backdoor acitivty as used by APT32
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: C:\Windows\SysWOW64\cmd.exe
SELECTION_3:
CommandLine: '*\Windows\Caches\NavShExt.dll *'
SELECTION_4:
CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
falsepositives:
- Unknown
id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
status: test
tags:
- attack.g0030
- attack.g0050
- attack.s0081
- attack.execution
- attack.t1059
- attack.t1059.003
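Review bot: typo in the description, "acitivty" should be "activity".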
@@ -0,0 +1,31 @@
title: Emissary Panda Malware SLLauncher
ruletype: Sigma
author: Florian Roth
date: 2018/09/03
description: Detects the execution of DLL side-loading malware used by threat group
Emissary Panda aka APT27
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\sllauncher.exe'
SELECTION_3:
Image: '*\svchost.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
- https://twitter.com/cyb3rops/status/1168863899531132929
status: test
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
@@ -0,0 +1,31 @@
title: Empire Monkey
ruletype: Sigma
author: Markus Neis
date: 2019/04/02
description: Detects EmpireMonkey APT reported Activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*/i:%APPDATA%\logs.txt scrobj.dll'
SELECTION_3:
Image: '*\cutil.exe'
SELECTION_4:
Description: Microsoft(C) Registerserver
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- Very Unlikely
id: 10152a7b-b566-438f-a33c-390b607d1c8d
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
status: test
tags:
- attack.defense_evasion
- attack.t1218.010
- attack.t1117
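Review bot: SELECTION_4 is an exact match on a version-resource string; confirm the spelling "Registerserver" against the Description value Sysmon records for the binary in the referenced any.run task, since a one-character difference leaves that OR branch dead and the rule relying on the `\cutil.exe` image name alone.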
@@ -0,0 +1,34 @@
title: Equation Group DLL_U Load
ruletype: Sigma
author: Florian Roth
date: 2019/03/04
description: Detects a specific tool and export used by EquationGroup
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
Image: '*\rundll32.exe'
SELECTION_3:
CommandLine: '*,dll_u'
SELECTION_4:
CommandLine: '* -export dll_u *'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
falsepositives:
- Unknown
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
- https://securelist.com/apt-slingshot/84312/
- https://twitter.com/cyb3rops/status/972186477512839170
status: test
tags:
- attack.g0020
- attack.defense_evasion
- attack.t1085
- attack.t1218.011
@@ -0,0 +1,38 @@
title: EvilNum Golden Chickens Deployment via OCX Files
ruletype: Sigma
author: Florian Roth
date: 2020/07/10
description: Detects Golden Chickens deployment method as used by Evilnum in report
published in July 2020
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*regsvr32*'
SELECTION_3:
CommandLine: '*/s*'
SELECTION_4:
CommandLine: '*/i*'
SELECTION_5:
CommandLine: '*\AppData\Roaming\\*'
SELECTION_6:
CommandLine: '*.ocx*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6)
falsepositives:
- Unknown
id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
status: test
tags:
- attack.defense_evasion
- attack.t1085
- attack.t1218.011
@@ -0,0 +1,63 @@
title: Greenbug Campaign Indicators
ruletype: Sigma
author: Florian Roth
date: 2020/05/20
description: Detects tools and process executions as observed in a Greenbug campaign
in May 2020
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*bitsadmin*'
SELECTION_3:
CommandLine: '*/transfer*'
SELECTION_4:
CommandLine: '*CSIDL_APPDATA*'
SELECTION_5:
CommandLine:
- '*CSIDL_SYSTEM_DRIVE*'
SELECTION_6:
CommandLine:
- '*\msf.ps1*'
- '*8989 -e cmd.exe*'
- '*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*'
- '*-nop -w hidden -c $k=new-object*'
- '*[Net.CredentialCache]::DefaultCredentials;IEX *'
- '* -nop -w hidden -c $m=new-object net.webclient;$m*'
- '*-noninteractive -executionpolicy bypass whoami*'
- '*-noninteractive -executionpolicy bypass netstat -a*'
- '*L3NlcnZlcj1*'
SELECTION_7:
Image:
- '*\adobe\Adobe.exe'
- '*\oracle\local.exe'
- '*\revshell.exe'
- '*infopagesbackup\ncat.exe'
- '*CSIDL_SYSTEM\cmd.exe'
- '*\programdata\oracle\java.exe'
- '*CSIDL_COMMON_APPDATA\comms\comms.exe'
- '*\Programdata\VMware\Vmware.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5
or SELECTION_6 or SELECTION_7))
falsepositives:
- Unknown
id: 3711eee4-a808-4849-8a14-faf733da3612
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/09/21
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
status: experimental
tags:
- attack.g0049
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.command_and_control
- attack.t1105
- attack.defense_evasion
- attack.t1036
- attack.t1036.005
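Review bot: the `CSIDL_APPDATA`, `CSIDL_SYSTEM_DRIVE`, `CSIDL_SYSTEM` and `CSIDL_COMMON_APPDATA` tokens in SELECTION_4, SELECTION_5 and SELECTION_7 are the vendor report's normalised path notation, not strings that appear in a real Sysmon CommandLine or Image field, so those selections never match on raw process_creation logs; replace them with the concrete paths they stand for (for example `\Windows\System32\cmd.exe` for `CSIDL_SYSTEM\cmd.exe`) or add a note that the rule expects pre-normalised telemetry.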
@@ -0,0 +1,94 @@
title: Exchange Exploitation Activity
ruletype: Sigma
author: Florian Roth
date: 2021/03/09
description: Detects activity observed by different researchers to be HAFNIUM group
activity (or related) on Exchange servers
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*Temp\__output*'
SELECTION_11:
CommandLine: '*%TEMP%\execute.bat*'
SELECTION_12:
Image: '*Users\Public\opera\Opera_browser.exe'
SELECTION_13:
Image: '*Opera_browser.exe'
SELECTION_14:
ParentImage:
- '*\services.exe'
- '*\svchost.exe'
SELECTION_15:
Image: '*\ProgramData\VSPerfMon\\*'
SELECTION_16:
CommandLine: '* -t7z *'
SELECTION_17:
CommandLine: '*C:\Programdata\pst*'
SELECTION_18:
CommandLine: '*\it.zip*'
SELECTION_19:
Image: '*\makecab.exe'
SELECTION_2:
CommandLine: '*attrib*'
SELECTION_20:
CommandLine:
- '*Microsoft\Exchange Server\\*'
- '*inetpub\wwwroot*'
SELECTION_21:
CommandLine:
- '*\Temp\xx.bat*'
- '*Windows\WwanSvcdcs*'
- '*Windows\Temp\cw.exe*'
SELECTION_22:
CommandLine: '*\comsvcs.dll*'
SELECTION_23:
CommandLine: '*Minidump*'
SELECTION_24:
CommandLine: '*\inetpub\wwwroot*'
SELECTION_25:
CommandLine: '*dsquery*'
SELECTION_26:
CommandLine: '* -uco *'
SELECTION_27:
CommandLine: '*\inetpub\wwwroot*'
SELECTION_3:
CommandLine: '* +h *'
SELECTION_4:
CommandLine: '* +s *'
SELECTION_5:
CommandLine: '* +r *'
SELECTION_6:
CommandLine: '*.aspx*'
SELECTION_7:
CommandLine: '*schtasks*'
SELECTION_8:
CommandLine: '*VSPerfMon*'
SELECTION_9:
CommandLine: '*vssadmin list shadows*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
or SELECTION_11 or SELECTION_12 or (SELECTION_13 and SELECTION_14) or SELECTION_15
or (SELECTION_16 and SELECTION_17 and SELECTION_18) or (SELECTION_19 and SELECTION_20)
or SELECTION_21 or (SELECTION_22 and SELECTION_23 and SELECTION_24) or (SELECTION_25
and SELECTION_26 and SELECTION_27)))
falsepositives:
- Unknown
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
level: high
logsource:
category: process_creation
product: windows
modified: 2021/03/16
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
- https://twitter.com/BleepinComputer/status/1372218235949617161
status: experimental
tags:
- attack.persistence
- attack.t1546
- attack.t1053
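Review bot: SELECTION_24 and SELECTION_27 are the identical pattern '*\inetpub\wwwroot*', so the last condition branch (SELECTION_25 and SELECTION_26 and SELECTION_27) can reuse SELECTION_24 and SELECTION_27 can be dropped. The tags cover only persistence (attack.t1546, attack.t1053), although the (SELECTION_22 and SELECTION_23 and SELECTION_24) branch matches comsvcs.dll Minidump credential dumping and the (SELECTION_16 and SELECTION_17 and SELECTION_18) branch matches 7z archiving of the pst folder; consider adding the matching tags already used by other rules in this commit (attack.credential_access with attack.t1003.001, attack.t1560.001). Note also that SELECTION_12 ('*Users\Public\opera\Opera_browser.exe') is strictly narrower than SELECTION_13 ('*Opera_browser.exe'); since SELECTION_12 fires alone while SELECTION_13 needs the SELECTION_14 parent, the split looks intended, but a short comment would stop the next reader from merging them.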
@@ -0,0 +1,34 @@
title: Hurricane Panda Activity
ruletype: Sigma
author: Florian Roth
date: 2019/03/04
description: Detects Hurricane Panda Activity
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*localgroup*'
SELECTION_3:
CommandLine: '*admin*'
SELECTION_4:
CommandLine: '*/add*'
SELECTION_5:
CommandLine:
- '*\Win64.exe*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5))
falsepositives:
- Unknown
id: 0eb2107b-a596-422e-b123-b389d5594ed7
level: high
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
status: test
tags:
- attack.privilege_escalation
- attack.g0009
- attack.t1068
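Review bot: the first branch (SELECTION_2 and SELECTION_3 and SELECTION_4) fires on any command line containing 'localgroup', 'admin' and '/add', which is every routine 'net localgroup administrators <user> /add', yet falsepositives lists only 'Unknown' and the level is high. Either document legitimate account administration as an expected false positive, or require the SELECTION_5 Win64.exe indicator together with the localgroup branch instead of OR-ing it in as a separate match. The description 'Detects Hurricane Panda Activity' also only restates the title; one sentence on what the '*\Win64.exe*' pattern refers to (the reference is the CVE-2014-4113 write-up) would help triage.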
@@ -0,0 +1,44 @@
title: Judgement Panda Exfil Activity
ruletype: Sigma
author: Florian Roth
date: 2019/02/21
description: Detects Judgement Panda activity as described in Global Threat Report
2019 by Crowdstrike
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*eprod.ldf'
SELECTION_3:
CommandLine:
- '*\ldifde.exe -f -n *'
- '*\7za.exe a 1.7z *'
- '*\aaaa\procdump64.exe*'
- '*\aaaa\netsess.exe*'
- '*\aaaa\7za.exe*'
- '*copy .\1.7z \\*'
- '*copy \\client\c$\aaaa\\*'
SELECTION_4:
Image: C:\Users\Public\7za.exe
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
falsepositives:
- unknown
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
status: test
tags:
- attack.lateral_movement
- attack.g0010
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.exfiltration
- attack.t1002
- attack.t1560.001
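Review bot: attack.t1002 and attack.t1560.001 tag the same archiving behaviour (t1002 is the retired 'Data Compressed' ID), so one of them is redundant; keep attack.t1560.001. SELECTION_4 gives Image as an unquoted absolute path (C:\Users\Public\7za.exe) while every other pattern in the rule is a quoted wildcard string; quote it for consistency, and be aware that an exact-path match will not catch the 7za.exe copies that the SELECTION_3 patterns themselves expect under '\aaaa\'. The lower-case 'unknown' in falsepositives is also the only such spelling in this batch of rules.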
@@ -0,0 +1,33 @@
title: Ke3chang Registry Key Modifications
ruletype: Sigma
author: Markus Neis, Swisscom
date: 2020/06/18
description: Detects Registry modifications performed by Ke3chang malware in campaigns
running in 2019 and 2020
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine:
- '*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*'
- '*-Property String -name Check_Associations -value*'
- '*-Property DWORD -name IEHarden -value 0 -Force*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Will need to be looked for combinations of those processes
id: 7b544661-69fc-419f-9a59-82ccc328f205
level: critical
logsource:
category: process_creation
product: windows
modified: 2021/11/27
references:
- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
status: test
tags:
- attack.g0004
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
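Review bot: the falsepositives entry 'Will need to be looked for combinations of those processes' reads as an author's to-do rather than a description of benign matches; replace it with the expected false positive (administrative scripts that set IEHarden or DisableFirstRunCustomize, for instance) or with 'Unknown' as the neighbouring rules do. The second pattern, '*-Property String -name Check_Associations -value*', carries no value constraint, so it matches any script that sets Check_Associations at all, far broader than the two DWORD patterns that pin the value; if the campaign used a specific value, add it. The tags also carry attack.t1089, the retired ID for the technique now tagged as attack.t1562.001; keep only the latter.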
