Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
--- a/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml
+++ b/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml
@@ -0,0 +1,51 @@
+
+title: CobaltStrike Process Patterns
+ruletype: Sigma
+author: Florian Roth
+date: 2021/07/27
+description: Detects process patterns found in Cobalt Strike beacon activity (see
+  reference for more details)
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_10:
+    ParentCommandLine: '*\runonce.exe'
+  SELECTION_2:
+    CommandLine: '*\cmd.exe /C whoami*'
+  SELECTION_3:
+    ParentImage: C:\Temp*
+  SELECTION_4:
+    CommandLine: '*conhost.exe 0xffffffff -ForceV1*'
+  SELECTION_5:
+    ParentCommandLine:
+    - '*/C whoami*'
+    - '*cmd.exe /C echo*'
+    - '* > \\.\pipe*'
+  SELECTION_6:
+    CommandLine:
+    - '*cmd.exe /c echo*'
+    - '*> \\.\pipe*'
+    - '*\whoami.exe*'
+  SELECTION_7:
+    ParentImage: '*\dllhost.exe'
+  SELECTION_8:
+    Image: '*\cmd.exe'
+  SELECTION_9:
+    ParentImage: '*\runonce.exe'
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+    or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
+falsepositives:
+- Other programs that cause these patterns (please report)
+id: f35c5d71-b489-4e22-a115-f003df287317
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/08/30
+references:
+- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059