removed noisy rules

This commit is contained in:
Tanaka Zakku
2021-11-15 08:56:09 +09:00
parent 464c7ec052
commit b2eab00604
11 changed files with 0 additions and 0 deletions
@@ -1,27 +0,0 @@
title: WMI Event Subscription
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
description: Detects creation of WMI event subscription persistence method
detection:
SELECTION_1:
EventID: 19
SELECTION_2:
EventID: 20
SELECTION_3:
EventID: 21
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
falsepositives:
- exclude legitimate (vetted) use of WMI event subscription in your network
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
level: high
logsource:
category: wmi_event
product: windows
status: experimental
tags:
- attack.t1084
- attack.persistence
- attack.t1546.003
yml_filename: sysmon_wmi_event_subscription.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
@@ -1,40 +0,0 @@
title: Metasploit SMB Authentication
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/06
description: Alerts on Metasploit host's authentications on the domain.
detection:
SELECTION_1:
EventID: 4625
SELECTION_2:
EventID: 4624
SELECTION_3:
LogonType: 3
SELECTION_4:
AuthenticationPackageName: NTLM
SELECTION_5:
WorkstationName|re: ^[A-Za-z0-9]{16}$
SELECTION_6:
ProcessName|re: ^$
SELECTION_7:
EventID: 4776
SELECTION_8:
Workstation|re: ^[A-Za-z0-9]{16}$
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8))
falsepositives:
- Linux hostnames composed of 16 characters.
id: 72124974-a68b-4366-b990-d30e0b2a190d
level: high
logsource:
product: windows
service: security
modified: 2021/07/07
references:
- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
yml_filename: win_metasploit_authentication.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-109
@@ -1,109 +0,0 @@
title: Quick Execution of a Series of Suspicious Commands
author: juju4
date: 2019/01/16
description: Detects multiple suspicious process in a limited timeframe
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*nbtstat.exe*'
SELECTION_11:
CommandLine: '*net.exe*'
SELECTION_12:
CommandLine: '*netsh.exe*'
SELECTION_13:
CommandLine: '*nslookup.exe*'
SELECTION_14:
CommandLine: '*ping.exe*'
SELECTION_15:
CommandLine: '*quser.exe*'
SELECTION_16:
CommandLine: '*qwinsta.exe*'
SELECTION_17:
CommandLine: '*reg.exe*'
SELECTION_18:
CommandLine: '*runas.exe*'
SELECTION_19:
CommandLine: '*sc.exe*'
SELECTION_2:
CommandLine: '*arp.exe*'
SELECTION_20:
CommandLine: '*schtasks.exe*'
SELECTION_21:
CommandLine: '*ssh.exe*'
SELECTION_22:
CommandLine: '*systeminfo.exe*'
SELECTION_23:
CommandLine: '*taskkill.exe*'
SELECTION_24:
CommandLine: '*telnet.exe*'
SELECTION_25:
CommandLine: '*tracert.exe*'
SELECTION_26:
CommandLine: '*wscript.exe*'
SELECTION_27:
CommandLine: '*xcopy.exe*'
SELECTION_28:
CommandLine: '*pscp.exe*'
SELECTION_29:
CommandLine: '*copy.exe*'
SELECTION_3:
CommandLine: '*at.exe*'
SELECTION_30:
CommandLine: '*robocopy.exe*'
SELECTION_31:
CommandLine: '*certutil.exe*'
SELECTION_32:
CommandLine: '*vssadmin.exe*'
SELECTION_33:
CommandLine: '*powershell.exe*'
SELECTION_34:
CommandLine: '*wevtutil.exe*'
SELECTION_35:
CommandLine: '*psexec.exe*'
SELECTION_36:
CommandLine: '*bcedit.exe*'
SELECTION_37:
CommandLine: '*wbadmin.exe*'
SELECTION_38:
CommandLine: '*icacls.exe*'
SELECTION_39:
CommandLine: '*diskpart.exe*'
SELECTION_4:
CommandLine: '*attrib.exe*'
SELECTION_5:
CommandLine: '*cscript.exe*'
SELECTION_6:
CommandLine: '*dsquery.exe*'
SELECTION_7:
CommandLine: '*hostname.exe*'
SELECTION_8:
CommandLine: '*ipconfig.exe*'
SELECTION_9:
CommandLine: '*mimikatz.exe*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39))| count()
by MachineName > 5
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
id: 61ab5496-748e-4818-a92f-de78e20fe7f1
level: low
logsource:
category: process_creation
product: windows
modified: 2021/06/13
references:
- https://car.mitre.org/wiki/CAR-2013-04-002
status: experimental
tags:
- car.2013-04-002
yml_filename: win_multiple_suspicious_cli.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
@@ -1,29 +0,0 @@
title: PowerShell Scripts Installed as Services
author: oscd.community, Natalia Shornikova
date: 2020/10/06
description: Detects powershell script installed as a Service
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath: '*powershell*'
SELECTION_3:
ImagePath: '*pwsh*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
level: high
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1569.002
yml_filename: win_powershell_script_installed_as_service.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
@@ -1,33 +0,0 @@
title: Rare Schtasks Creations
author: Florian Roth
date: 2017/03/23
description: Detects rare scheduled tasks creations that only appear a few times per
time frame and could reveal password dumpers, backdoor installs or other types
of malicious code
detection:
SELECTION_1:
EventID: 4698
condition: SELECTION_1| count() by TaskName < 5
falsepositives:
- Software installation
- Software updates
id: b0d77106-7bb0-41fe-bd94-d1752164d066
level: low
logsource:
definition: The Advanced Audit Policy setting Object Access > Audit Other Object
Access Events has to be configured to allow this detection (not in the baseline
recommendations by Microsoft). We also recommend extracting the Command field
from the embedded XML in the event data.
product: windows
service: security
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
- car.2013-08-001
- attack.t1053.005
yml_filename: win_rare_schtasks_creations.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-28
@@ -1,28 +0,0 @@
title: Rare Service Installs
author: Florian Roth
date: 2017/03/08
description: Detects rare service installs that only appear a few times per time frame
and could reveal password dumpers, backdoor installs or other types of malicious
services
detection:
SELECTION_1:
EventID: 7045
condition: SELECTION_1| count() by ServiceFileName < 5
falsepositives:
- Software installation
- Software updates
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
level: low
logsource:
product: windows
service: system
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
- attack.t1543.003
yml_filename: win_rare_service_installs.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
@@ -1,34 +0,0 @@
title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
single source system
detection:
SELECTION_1:
EventID: 529
SELECTION_2:
EventID: 4625
SELECTION_3:
TargetUserName: '*'
SELECTION_4:
WorkstationName: '*'
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)| count(TargetUserName)
by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
level: medium
logsource:
product: windows
service: security
modified: 2021/09/21
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
yml_filename: win_susp_failed_logons_single_source.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
@@ -1,35 +0,0 @@
title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
single source system
detection:
SELECTION_1:
EventID: 4776
SELECTION_2:
TargetUserName: '*'
SELECTION_3:
Workstation: '*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)| count(TargetUserName)
by Workstation > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
level: medium
logsource:
product: windows
service: security
modified: 2021/09/21
related:
- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
type: derived
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
yml_filename: win_susp_failed_logons_single_source2.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin