Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
--- a/rules/sigma/process_creation/win_proc_wrong_parent.yml
+++ b/rules/sigma/process_creation/win_proc_wrong_parent.yml
@@ -0,0 +1,57 @@
+
+title: Windows Processes Suspicious Parent Directory
+ruletype: Sigma
+author: vburov
+date: 2019/02/23
+description: Detect suspicious parent processes of well-known Windows processes
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image:
+    - '*\svchost.exe'
+    - '*\taskhost.exe'
+    - '*\lsm.exe'
+    - '*\lsass.exe'
+    - '*\services.exe'
+    - '*\lsaiso.exe'
+    - '*\csrss.exe'
+    - '*\wininit.exe'
+    - '*\winlogon.exe'
+  SELECTION_3:
+    ParentImage:
+    - '*\SavService.exe'
+    - '*\ngen.exe'
+  SELECTION_4:
+    ParentImage:
+    - '*\System32\\*'
+    - '*\SysWOW64\\*'
+  SELECTION_5:
+    ParentImage:
+    - '*\Windows Defender\\*'
+    - '*\Microsoft Security Client\\*'
+  SELECTION_6:
+    ParentImage: '*\MsMpEng.exe'
+  SELECTION_7:
+    ParentImage|re: ^$
+  condition: (SELECTION_1 and ((SELECTION_2 and  not (SELECTION_3 or SELECTION_4))
+    and  not (SELECTION_5 and SELECTION_6)) and  not (SELECTION_7))
+falsepositives:
+- Some security products seem to spawn these
+id: 96036718-71cc-4027-a538-d1587e0006a7
+level: low
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/24
+references:
+- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
+- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
+- https://attack.mitre.org/techniques/T1036/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.003
+- attack.t1036.005