Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
--- a/rules/sigma/process_creation/win_hack_koadic.yml
+++ b/rules/sigma/process_creation/win_hack_koadic.yml
@@ -0,0 +1,41 @@
+
+title: Koadic Execution
+ruletype: Sigma
+author: wagga, Jonhnathan Ribeiro, oscd.community
+date: 2020/01/12
+description: Detects command line parameters used by Koadic hack tool
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image: '*\cmd.exe'
+  SELECTION_3:
+    CommandLine: '*/q*'
+  SELECTION_4:
+    CommandLine: '*/c*'
+  SELECTION_5:
+    CommandLine: '*chcp*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Pentest
+fields:
+- CommandLine
+- ParentCommandLine
+id: 5cddf373-ef00-4112-ad72-960ac29bac34
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2020/11/28
+references:
+- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
+- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
+- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.003
+- attack.t1059
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1064