Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
2021-12-20 21:14:32 +09:00
committed by GitHub
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions

View File

@@ -0,0 +1,51 @@
title: CobaltStrike Process Patterns
ruletype: Sigma
author: Florian Roth
date: 2021/07/27
description: Detects process patterns found in Cobalt Strike beacon activity (see
reference for more details)
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
ParentCommandLine: '*\runonce.exe'
SELECTION_2:
CommandLine: '*\cmd.exe /C whoami*'
SELECTION_3:
ParentImage: C:\Temp*
SELECTION_4:
CommandLine: '*conhost.exe 0xffffffff -ForceV1*'
SELECTION_5:
ParentCommandLine:
- '*/C whoami*'
- '*cmd.exe /C echo*'
- '* > \\.\pipe*'
SELECTION_6:
CommandLine:
- '*cmd.exe /c echo*'
- '*> \\.\pipe*'
- '*\whoami.exe*'
SELECTION_7:
ParentImage: '*\dllhost.exe'
SELECTION_8:
Image: '*\cmd.exe'
SELECTION_9:
ParentImage: '*\runonce.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
falsepositives:
- Other programs that cause these patterns (please report)
id: f35c5d71-b489-4e22-a115-f003df287317
level: high
logsource:
category: process_creation
product: windows
modified: 2021/08/30
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
status: experimental
tags:
- attack.execution
- attack.t1059