Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
--- a/rules/sigma/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/sigma/process_creation/win_mshta_spawn_shell.yml
@@ -0,0 +1,47 @@
+
+title: MSHTA Spawning Windows Shell
+ruletype: Sigma
+author: Michael Haag
+date: 2019/01/16
+description: Detects a Windows command line executable started from MSHTA
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage: '*\mshta.exe'
+  SELECTION_3:
+    Image:
+    - '*\cmd.exe'
+    - '*\powershell.exe'
+    - '*\wscript.exe'
+    - '*\cscript.exe'
+    - '*\sh.exe'
+    - '*\bash.exe'
+    - '*\reg.exe'
+    - '*\regsvr32.exe'
+  SELECTION_4:
+    Image:
+    - '*\BITSADMIN*'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Printer software / driver installations
+- HP software
+fields:
+- CommandLine
+- ParentCommandLine
+id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.trustedsec.com/july-2015/malicious-htas/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1170
+- attack.t1218.005
+- car.2013-02-003
+- car.2013-03-001
+- car.2014-04-003