Merge branch 'main' into readme-EN-update-2021-12-16

This commit is contained in:
Yamato Security
2021-12-19 22:18:00 +09:00
committed by GitHub
1169 changed files with 1885 additions and 44524 deletions

.gitmodules vendored Normal file

@@ -0,0 +1,3 @@
[submodule "rules"]
path = rules
url = git@github.com:Yamato-Security/hayabusa-rules.git
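Review bot: the `url =` line registers the submodule with the SSH form `git@github.com:Yamato-Security/hayabusa-rules.git`, so `git clone --recursive` and `git submodule update --init` fail for anyone without a GitHub SSH key, which is most people who download the tool to run it. Use the `https://github.com/Yamato-Security/hayabusa-rules.git` form here and let contributors who push over SSH rewrite it locally with `git config url."git@github.com:".insteadOf https://github.com/`; a `branch =` entry would also make clear which rules branch the pinned commit is meant to track.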


@@ -1,13 +1,57 @@
、__⌒ ̄}
______/
〃〓/ ̄ > <  ̄\〓〃
ミ☆/: :: :: >☆彡
★≡〃\/〉:: ::〈\/ ≡〃★
●※○ ^^^^^^^^ ○※●
〃≡★ Merry Christmas ★≡〃
☆〓 〓☆
〃≡★ ;) ★≡〃
●※○- ,_】【_, ,-○※●
★〃≡〓 〓≡〃★
ミ☆-★※★-☆彡
,,
,,,,
.,,,,,,,,,,,..
.,,,,,,,,,,,,,,,,
,,,,,,,,,,,
,,,,,,,,,,,
,,,,(((,,,,.
. ,((((((
(((((((((
(((((((((((((
(((((((,,,,((((*
((((((((,,,,,,,((((
((((((((((,,,,,,(((((((
((*,(((((((((((((((((((((/
((* ((. .((((((((((((((((
((((( Merry (((((((((
(((((((, Christmas (((((((((((
((((((((/(((((( (((((((((((((((((((((
(((((((*******(((((((((((((((((((((((((((((((
(((((((((*******(((((((((((((((((((((((((((((((((
.//////(((((((((((((((((((((((((((,,,,,(((((((((//////*
(((((((((((((((((((((((((((,,,,,,,(((((((((
(( ((((((((((((((((((((((,,,,,((((((((((((
,((. .((((((((((((((((((((((((((((((((((
(((((((( from ((((((((((((((((((((((((((((((*
(((((((((((( , (((((((((((((((((( *.(*
.((((((((((((((((((((((((((((((((((((((((( (((
(((((((((((((((((((((((((((((((((((((((/ Yamato ,(((((((
(((((((((((((((((((((((((((((((((((((((( ((((((((((((
((((((((((((((((((((((((,,,((((( (, ,((((((((((
((((((((((((((((((((((((,,,,,,,((((((((((((((((((((((((((
*(((( ((((((((((((((((/,,,,,,((((((((((((((((******((((((
(((( ((((((((((((((((((((((((((((((((********((((((.
(((((( Security! ((((((((((((((((((((((((((((((****((((((((((
((((((((( (((((((((((((((((((((((((((((((((((((((((((
,(((((((((((((((( .(( ((((((((((((((((((( ( (((((((((((((
((((((((((((((((,,,,,((((((((( (((((((((((( Ho ho ho!!! ,(((((((((((((.
(((((((((((((((((,,,,,,,(((((((((((((((((((((( ((((((((((((((((((((
((((((((((((((((((((,,,,,((((((((((((((((((((((((((( ,(((((((/,,,,,((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((,,,,,,,(((((((((((((((((
.(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((,,,,*(((((((((((((((((((/
(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
///////////
///////////
///////////
///////////
///////////
///////////
*****************************
*****************************
%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%#%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%
#%%%%%%%%%%%%%%%#%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%


@@ -1,10 +1,26 @@
_〆
(∴)
( ̄ ̄ ̄)
( ̄ ̄ ̄ ̄)
[二◆二二◆二]
|◇ ● ◇|
|◆ ◆|
|____|
A Happy New Year!!
@@
@@@@@ @@ @@@@,
@@& @@@@@@@@@@@@@@@@@. @@@@@@@@@@@@@@@@@@
@@@@@@@@@@@( @@@@@@ @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@.
.@@@@@@@@@@@ @@@@@ #@@@ @@@@@@ @@@@@@@@@@@@@
@@@ @@@@ @@@@@@@@@@@@@@( @@@@@@@
,@@@ (@@@ @@ .@@@@@
@@@@ @@@@@@@ %% @@@@@
@@@@ @@@@ @@@@@@@%*.,@@@@@@ @@@@,
@@@@ @@@@@@ @@@@@ @@@@. @@@@@@@@@
@@@@ @@@ @@@@@@@@ @@@@@ @@@@@@@ @@@@@@@@@@@@@@@@@
@@@, @@@@& @@@@ @@@@
@@@ %@@@@@@ %@@@@, @@@@ @@@@
@@@@@@@@# @@@@@ @@@@ @@@@
@@@ (@@@@@@@@@@ @@@@ @@@@
@@@@@@@@@@@@@@@@@@@@@ @@@@ @@@@ %@@@
@@@@@@( @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@ @@@@@@@ ,@@@@@@@@@@@@@@@@@@@@@@/ &@@@@@@@@@@@@@@&
@@@@@ @@@@@@@ @@@@@@@@@@ @@@@#
@@@@@ @@@@@@@ *@
@@@@@ #@@@@
Happy New Year from Yamato Security!!!
Akemashite Omedetou Gozaimasu!
Honnen mo yoroshiku onegai shimasu!


@@ -1,7 +1,8 @@
██╗ ██╗ █████╗ ██╗ ██╗ █████╗ ██████╗ ██╗ ██╗███████╗ █████╗
██║ ██║██╔══██╗╚██╗ ██╔╝██╔══██╗██╔══██╗██║ ██║██╔════╝██╔══██╗
███████║███████║ ╚████╔╝ ███████║██████╔╝██║ ██║███████╗███████║
██╔══██║██╔══██║ ╚██╔╝ ██╔══██║██╔══██╗██║ ██║╚════██║██╔══██║
██║ ██║██║ ██║ ██║ ██║ ██║██████╔╝╚██████╔╝███████║██║ ██║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝
by Yamato Security
by Yamato Security


@@ -1,5 +1,3 @@
Today is Ninja Day (2/22)!
.`,I>>+<;"'
.,}u#zcccccz*#W&jI.
@@ -35,3 +33,7 @@
[$#ccccccccccccB$%WMcnnnnnnnnz$$$B&cc#@8nnnnnnu#@$$&*cccccccMB*ccccc#$$$,
@%ccccccccccccz$#cxcnnnnnnnnM$$$@zcccc*$8nnnnnnnnW8$$%MMMM*#&zccccccc@$$|
"$*cccccccccccc#$cnx@WnnnnnnW$$$$Wccccc#@$8unnnn*@Wu&@$$$$$$@#cccccccc&$$W
Happy Ninja Day! Nin Nin! (2/22)!
from Yamato Security


@@ -1,43 +1,38 @@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@#------@@@@@@@@--------@@@@@@@@--------@@@@@@@@--------@@@@@@@@--------@@@@@@@@------#@@
@@* @@@@@@@% @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@
@@* @@@@@@@% @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@
@@#------********--------********--------********--------********--------********=-----#@@
@@@@@@@@@ @@@@@@@# @@@@@@@@ @@@@@@@@ @@@@@@@% @@@@@@@@@
@@@@@@@@@ @@@@@@@# @@@@@@@@ @@@@@@@@ @@@@@@@% @@@@@@@@@
@@@@@@@@@ @@@@@@@# @@@@@@@@ @@@@@@@@ @@@@@@@% @@@@@@@@@
@@@@@@@@@-------=@@@@@@@%-------=@@@@@@@@-------=@@@@@@@@-------=@@@@@@@@-------=@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=:@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*.+@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@= *@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%:-@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*.*@@@@@@@@@@@@
@@@@@@@@@@@%*=-:::-=*@@@@@@@@@%*=-:::-+#@@@@@@@@@#+=-::-=+#@@@@@@@@@#+--::: =%@@@@@@@@@@@@
@@@@@@@@@*: = :#@@@@+. -%@@@@= =@@@@%- .+@@@@@@@@@@
@@@@@@@@: :: #* -@%. - *= =@* -. =#. *@+ :: -#: .#@@@@@@@@
@@@@@@@. : -. . : .= : : = . %@@@@@@@
@@@@@@+ =*. -+=. .++ =+= :*= =+- -*- .++- . -@@@@@@@
@@@@@@= *@@@@=-#@@@@+:+@% .*@@@%==#@@@@=:*@# :#@@@#==%@@@%--#@+ -%@@@*-=@@@@#--%@-:@@@@@@@
@@@@-== #@@@@@@@@@@@@@@@+ %@@@@@@@@@@@@@@@- .@@@@@@@@@@@@@@@@. :@@@@@@@@@@@@@@@@ :=:@@@@@
@@@@#. =*#@@@@@@@@@@@* *-.%@@@@@@@@@@@@@= #::@@@@@@@@@@@@@@:.# -@@@@@@@@@@@%*=. .*@@@@@
@@@@@@#- .:-=+*#%*::%@@*.-#@@@@@@@@@+.-%@@=.=%@@@@@@@@%=.=@@@=.+%#*+=-:. :*@@@@@@@
@@@@@@@@@*- ..::- :====-. .=++++++: .-====-. :::.. :*@@@@@@@@@@
@@@@@@@@@@@@%+-. .-+#@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@%#*+-::. ..:-=*#%@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@%##***++++=============++++***##%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@======@@#--%@@#=+@@+=#@#=--=#@#==@@==#@@+-=@@@+=*@@==%==#@@@*====+%@@@#--%@@*=*@%==%==@@
@@*+ ##@@. .@@* .@= :@- .+*: -# %% +@# -@@- =@: =@ *@@@- -#+ #@@. .@@= .@* % %@
@@@# @@@: =- -@* .@@ #@@% @# *@% *. *@- =@@ #@@@= =@@= -@- -= -@@+ .#@:.@@
@@@# @@+ :: ** .@: :@+ -- +@@# #@@: .:: %- =%. =@ *@@@- :+- .%* :: +@@+ @@@=-@@
@@@%++@@*+%@@#+*%+*@@*+#@@*++*@@@@@**@@@++@@@*+##+#@%++%++%@@@#+++*#@@*+%@@%+*@@%**@@@*+@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@:.......@@@@@@@@:.......@@@@@@@@:.......@@@@@@@@:.......%@@@@@@@:.......@@@@@@@@@
@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ %@@@@@@@ @@@@@@@@@
@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ %@@@@@@@ @@@@@@@@@
@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ %@@@@@@@ @@@@@@@@@
@@#:::::-########::::::::########::::::::########::::::::########::::::::########::::::#@@
@@* .@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@
@@* .@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@
@@%+++++*@@@@@@@@++++++++@@@@@@@@++++++++@@@@@@@@++++++++@@@@@@@@++++++++@@@@@@@@++++++%@@
####
##.##
##.(#
.#.,#
#..#
##.#*
##.##
*#.##
#.##
#(/#
##.#
(#.#,
#.#(
#*##
####
.,####* ##(#
##.##../##((####.((####,#
####(.(....(((((##,.#(((######
###.(##(((#######..##......#((((##/
########((((####.(##########(*(((#,##..#
#################..####*..(((######*,##..#
/###############......*####((((###.*##..####
#######(,#####################*#####.((((####
#(###,,,,#############(/######...##..#(######
#,,,,,,,,*#######,,,,,,,,######(.######/*/###
#,,,,,,,,,,,,,,,,,,,,,,,#######/#############
#,,,,,,,,,,,,,,,,,,,,,,##########,,,(#######
#,,,,,,,,,,,,,,,,,,,,,#######,,,,,,#######
#,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,######
##,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,*##
##,,,,,,,,,,,,,,,,,,,,,,,,,,,,,##
###,,,,,,,,,,,,,,,,,,,,,,##.
.#################
HAPPY TAKOYAKI DAY!!! (8/8)
from Yamato Security


@@ -12,6 +12,7 @@ AuthenticationPackageName,Event.EventData.AuthenticationPackageName
CallTrace,Event.EventData.CallTrace
Caller_Process_Name,Event.EventData.Caller_Process_Name
CallingProcessName,Event.EventData.CallingProcessName
CategoryName,Event.EventData.Category Name
Channel,Event.System.Channel
Client_Address,Event.EventData.Client_Address
CommandLine,Event.EventData.CommandLine
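Review bot: `CategoryName,Event.EventData.Category Name` is the first alias in this mapping whose target key contains a space, and the three following hunks add more of the same kind (`Detection User`, `Severity Name`, `Threat Name`, the field names used by the Windows Defender Operational log). Whatever splits or trims these CSV rows must not break on whitespace, and the nested-key lookup has to treat `Category Name` as a single key; a test event carrying these fields would catch a regression. The nearby `Url,Event.EventData.url` entry is also the only one with a lowercase target, worth checking while in this file.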
@@ -30,6 +31,7 @@ DestinationIsIpv6,Event.EventData.DestinationIsIpv6
DestinationPort,Event.EventData.DestinationPort
Details,Event.EventData.Details
DetectionSource,Event.EventData.DetectionSource
DetectionUser,Event.EventData.Detection User
Device,Event.EventData.Device
DeviceClassName,Event.EventData.DeviceClassName
DeviceDescription,Event.EventData.DeviceDescription
@@ -107,6 +109,7 @@ Service,Event.EventData.Service
ServiceFileName,Event.EventData.ServiceFileName
ServiceName,Event.EventData.ServiceName
ServicePrincipalNames,Event.EventData.ServicePrincipalNames
SeverityName,Event.EventData.Severity Name
ShareName,Event.EventData.ShareName
SidHistory,Event.EventData.SidHistory
Signature,Event.EventData.Signature
@@ -136,6 +139,7 @@ TargetProcessAddress,Event.EventData.TargetProcessAddress
TargetSid,Event.EventData.TargetSid
TargetUserName,Event.EventData.TargetUserName
TaskName,Event.EventData.TaskName
ThreatName,Event.EventData.Threat Name
TicketEncryptionType,Event.EventData.TicketEncryptionType
TicketOptions,Event.EventData.TicketOptions
Url,Event.EventData.url


@@ -0,0 +1,8 @@
4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
# Replaced by hayabusa rules
c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml
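Review bot: the first three IDs in this new exclusion list have no comment saying why they are excluded, while the `# Replaced by hayabusa rules` heading only covers the last three. Add a one-line reason per group (the deprecated `powershell_syncappvpublishingserver_exe.yml` entry and the two msexchange rules presumably have different reasons) so a maintainer knows whether an entry can be dropped when the upstream rule changes.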


@@ -2,4 +2,5 @@
c92f1896-d1d2-43c3-92d5-7a5b35c217bb
7b449a5e-1db5-4dd0-a2dc-4e3a67282538
c265cf08-3f99-46c1-8d59-328247057d57
66b6be3d-55d0-4f47-9855-d69df21740ea
66b6be3d-55d0-4f47-9855-d69df21740ea
9f7aa113-9da6-4a8d-907c-5f1a4b908299
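Review bot: `66b6be3d-55d0-4f47-9855-d69df21740ea` appears twice in this hunk. If both lines survive in the file the loader reads a duplicate entry; if one is the old line removed and re-added (for example to fix a missing trailing newline), the rendered view hides that. Confirm the final file lists it once, and consider carrying the `# path` comments used in the other list, since an ID-only list cannot be reviewed without a lookup.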


@@ -0,0 +1,9 @@
0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
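Review bot: the `./rules/sigma/...` paths in these comments point into the new `rules` submodule, but the same converted rule files (`sysmon_wmi_event_subscription.yml`, `win_rare_schtasks_creations.yml`, `win_multiple_suspicious_cli.yml` and the rest) are deleted from this repository later in this commit, so the comments are only right if the submodule at 631db51204 uses exactly that layout; please verify. A header line stating the criterion for the list (most of these entries are `count()` aggregation rules or rules whose own `falsepositives` section lists common legitimate activity) would make it maintainable.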


@@ -3,4 +3,8 @@ b0d77106-7bb0-41fe-bd94-d1752164d066
66bfef30-22a5-4fcd-ad44-8d81e60922ae
e98374a6-e2d9-4076-9b5c-11bdb2569995
6309ffc4-8fa2-47cf-96b8-a2f72e58e538
61ab5496-748e-4818-a92f-de78e20fe7f1
add2ef8d-dc91-4002-9e7e-f2702369f53a
196a29c2-e378-48d8-ba07-8a9e61f7fab9
72124974-a68b-4366-b990-d30e0b2a190d
b20f6158-9438-41be-83da-a5a16ac90c2b
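Review bot: `b20f6158-9438-41be-83da-a5a16ac90c2b` is added here but has no counterpart in the commented path list of the previous hunk, while every other visible ID in this hunk does appear there; two hand-maintained copies of the same list will drift. Keep the commented list as the single source of truth and derive this one from it, or drop one of them.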


@@ -1,7 +1,7 @@
Hayabusa was possible thanks to the following people (in alphabetical order):
Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc...
DustInDark(@hitenkoku): Core developer, project management, sigma count implementation, rule creation, countless feature additions and fixes, etc…
DustInDark(@hitenkoku): Core developer, project management, sigma count implementation, rule creation, countless feature additions and fixes, etc…
Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc...
ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc...
James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, etc…
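Review bot: style: the contributor lines are inconsistent in spacing and punctuation. `DustInDark(@hitenkoku)` and `hachiyone(@hach1yon)` have no space before the handle while the other entries do, `ItiB (@itiB_S144) :` has a stray space before the colon, and the list mixes `etc...` with the `etc…` ellipsis character. Since the DustInDark line is being touched anyway (it appears as old and new version in this hunk), this is the moment to normalize all of them.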
@@ -17,7 +17,7 @@ Zach Mathis (@yamatosecurity, Yamato Security Founder): Project Leader
Nishikawa Akira (@nishikawaakira): Lead Developer
Kazuminn (@k47_um1n): Core Developer
itiB (@itiB_S144): Core Developer
James Takai / hachiyone (@hach1yon): Developer
James Takai / hachiyone (@hach1yon): Core Developer
DustInDark (@hitenkoku): Core Developer
garigariganzy (@garigariganzy31): Developer
7itoh (@yNitocrypto22): Developer
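Review bot: this role table is now inconsistent with the credits above it. The first section describes Akira Nishikawa as the previous lead developer and James Takai / hachiyone as the current lead developer, yet this section still lists Nishikawa Akira as Lead Developer and only moves Takai from Developer to Core Developer. The spellings also differ between the sections (`ItiB` vs `itiB`, `Garigariganzy` vs `garigariganzy`); pick one role and one spelling per person.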

rules Submodule

Submodule rules added at 631db51204


@@ -1,20 +0,0 @@
title: PowerShell Execution Remote Command
title_jp: Powershellのリモートコマンドの実行
description: Powershell command executed remotely.
description_jp: Powershell command executed remotely.
author: Eric Conrad, Zach Mathis
mitre_attack: T1059
level: medium
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4104
Path: null
ScriptBlockText|re: '.+'
# condition: selection
falsepositives:
- normal system usage
output: 'Command: %ScriptBlockText%'
output: 'コマンド: %ScriptBlockText%'
creation_date: 2020/11/08
updated_date: 2021/11/06
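Review bot: this deleted rule has two `output:` keys (the Japanese one should be `output_jp:`), a commented-out `condition: selection`, and a `description_jp` that is still in English. In YAML a duplicate key means the last value silently wins, so the English output string was being lost; if this rule reappears in the `rules` submodule, confirm the moved copy fixes all three.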


@@ -1,14 +0,0 @@
title: Command Line Logging
description: Command line logging.
author: Eric Conrad, Zach Mathis
detection:
selection:
Channel: Security
EventID: 4688
CommandLine|re: '.+'
# condition: selection
falsepositives:
- unknown
output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%'
creation_date: 2020/11/8
updated_date: 2021/11/8
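Review bot: like the preceding rule, this deleted file has `# condition: selection` commented out and carries no `id:`, `level:` or `status:`. If a successor lives in the submodule, make sure it has an `id`, since the exclusion and noisy-rule lists added in this commit can only reference rules by ID.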


@@ -1,30 +0,0 @@
title: Hidden Local User Creation
author: Christian Burkard
date: 2021/05/03
description: Detects the creation of a local hidden user account which should not
happen for event ID 4720.
detection:
SELECTION_1:
EventID: 4720
SELECTION_2:
TargetUserName: '*$'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
fields:
- EventCode
- AccountName
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
level: high
logsource:
product: windows
service: security
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
status: experimental
tags:
- attack.persistence
- attack.t1136.001
yml_filename: win_hidden_user_creation.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
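Review bot: `yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin` is a developer's local absolute path baked in by the converter, and every other converted sigma rule deleted in this commit carries the same line. Removing these files is right, but check that the copies now in the `rules` submodule do not carry it too, and have the converter emit a repository-relative path so it does not come back.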


@@ -1,32 +0,0 @@
title: User Added to Local Administrators
author: Florian Roth
date: 2017/03/14
description: This rule triggers on user accounts that are added to the local Administrators
group, which could be legitimate activity or a sign of privilege escalation activity
detection:
SELECTION_1:
EventID: 4732
SELECTION_2:
TargetUserName: Administr*
SELECTION_3:
TargetSid: S-1-5-32-544
SELECTION_4:
SubjectUserName: '*$'
condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4))
falsepositives:
- Legitimate administrative activity
id: c265cf08-3f99-46c1-8d59-328247057d57
level: medium
logsource:
product: windows
service: security
modified: 2021/07/07
status: stable
tags:
- attack.privilege_escalation
- attack.t1078
- attack.persistence
- attack.t1098
yml_filename: win_user_added_to_local_administrators.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,33 +0,0 @@
title: Local User Creation
author: Patrick Bareiss
date: 2019/04/18
description: Detects local user creation on windows servers, which shouldn't happen
in an Active Directory environment. Apply this Sigma Use Case on your windows
server logs and not on your DC logs.
detection:
SELECTION_1:
EventID: 4720
condition: SELECTION_1
falsepositives:
- Domain Controller Logs
- Local accounts managed by privileged account management tools
fields:
- EventCode
- AccountName
- AccountDomain
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
level: low
logsource:
product: windows
service: security
modified: 2020/08/23
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
status: experimental
tags:
- attack.persistence
- attack.t1136
- attack.t1136.001
yml_filename: win_user_creation.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,27 +0,0 @@
title: WMI Event Subscription
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
description: Detects creation of WMI event subscription persistence method
detection:
SELECTION_1:
EventID: 19
SELECTION_2:
EventID: 20
SELECTION_3:
EventID: 21
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
falsepositives:
- exclude legitimate (vetted) use of WMI event subscription in your network
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
level: high
logsource:
category: wmi_event
product: windows
status: experimental
tags:
- attack.t1084
- attack.persistence
- attack.t1546.003
yml_filename: sysmon_wmi_event_subscription.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event


@@ -1,40 +0,0 @@
title: Metasploit SMB Authentication
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/06
description: Alerts on Metasploit host's authentications on the domain.
detection:
SELECTION_1:
EventID: 4625
SELECTION_2:
EventID: 4624
SELECTION_3:
LogonType: 3
SELECTION_4:
AuthenticationPackageName: NTLM
SELECTION_5:
WorkstationName|re: ^[A-Za-z0-9]{16}$
SELECTION_6:
ProcessName|re: ^$
SELECTION_7:
EventID: 4776
SELECTION_8:
Workstation|re: ^[A-Za-z0-9]{16}$
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8))
falsepositives:
- Linux hostnames composed of 16 characters.
id: 72124974-a68b-4366-b990-d30e0b2a190d
level: high
logsource:
product: windows
service: security
modified: 2021/07/07
references:
- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
yml_filename: win_metasploit_authentication.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,109 +0,0 @@
title: Quick Execution of a Series of Suspicious Commands
author: juju4
date: 2019/01/16
description: Detects multiple suspicious process in a limited timeframe
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*nbtstat.exe*'
SELECTION_11:
CommandLine: '*net.exe*'
SELECTION_12:
CommandLine: '*netsh.exe*'
SELECTION_13:
CommandLine: '*nslookup.exe*'
SELECTION_14:
CommandLine: '*ping.exe*'
SELECTION_15:
CommandLine: '*quser.exe*'
SELECTION_16:
CommandLine: '*qwinsta.exe*'
SELECTION_17:
CommandLine: '*reg.exe*'
SELECTION_18:
CommandLine: '*runas.exe*'
SELECTION_19:
CommandLine: '*sc.exe*'
SELECTION_2:
CommandLine: '*arp.exe*'
SELECTION_20:
CommandLine: '*schtasks.exe*'
SELECTION_21:
CommandLine: '*ssh.exe*'
SELECTION_22:
CommandLine: '*systeminfo.exe*'
SELECTION_23:
CommandLine: '*taskkill.exe*'
SELECTION_24:
CommandLine: '*telnet.exe*'
SELECTION_25:
CommandLine: '*tracert.exe*'
SELECTION_26:
CommandLine: '*wscript.exe*'
SELECTION_27:
CommandLine: '*xcopy.exe*'
SELECTION_28:
CommandLine: '*pscp.exe*'
SELECTION_29:
CommandLine: '*copy.exe*'
SELECTION_3:
CommandLine: '*at.exe*'
SELECTION_30:
CommandLine: '*robocopy.exe*'
SELECTION_31:
CommandLine: '*certutil.exe*'
SELECTION_32:
CommandLine: '*vssadmin.exe*'
SELECTION_33:
CommandLine: '*powershell.exe*'
SELECTION_34:
CommandLine: '*wevtutil.exe*'
SELECTION_35:
CommandLine: '*psexec.exe*'
SELECTION_36:
CommandLine: '*bcedit.exe*'
SELECTION_37:
CommandLine: '*wbadmin.exe*'
SELECTION_38:
CommandLine: '*icacls.exe*'
SELECTION_39:
CommandLine: '*diskpart.exe*'
SELECTION_4:
CommandLine: '*attrib.exe*'
SELECTION_5:
CommandLine: '*cscript.exe*'
SELECTION_6:
CommandLine: '*dsquery.exe*'
SELECTION_7:
CommandLine: '*hostname.exe*'
SELECTION_8:
CommandLine: '*ipconfig.exe*'
SELECTION_9:
CommandLine: '*mimikatz.exe*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39))| count()
by MachineName > 5
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored
environment
id: 61ab5496-748e-4818-a92f-de78e20fe7f1
level: low
logsource:
category: process_creation
product: windows
modified: 2021/06/13
references:
- https://car.mitre.org/wiki/CAR-2013-04-002
status: experimental
tags:
- car.2013-04-002
yml_filename: win_multiple_suspicious_cli.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
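Review bot: `CommandLine: '*bcedit.exe*'` in SELECTION_36 looks like a typo for `bcdedit.exe`, so that branch of the condition can never match. The file is removed here, but the same rule ID (`61ab5496-748e-4818-a92f-de78e20fe7f1`) is referenced from the new noisy-rules list, so check whether the submodule copy inherits the typo from upstream Sigma and report it there rather than patching only the local copy.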


@@ -1,29 +0,0 @@
title: PowerShell Scripts Installed as Services
author: oscd.community, Natalia Shornikova
date: 2020/10/06
description: Detects powershell script installed as a Service
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ImagePath: '*powershell*'
SELECTION_3:
ImagePath: '*pwsh*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
level: high
logsource:
product: windows
service: system
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1569.002
yml_filename: win_powershell_script_installed_as_service.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,33 +0,0 @@
title: Rare Schtasks Creations
author: Florian Roth
date: 2017/03/23
description: Detects rare scheduled tasks creations that only appear a few times per
time frame and could reveal password dumpers, backdoor installs or other types
of malicious code
detection:
SELECTION_1:
EventID: 4698
condition: SELECTION_1| count() by TaskName < 5
falsepositives:
- Software installation
- Software updates
id: b0d77106-7bb0-41fe-bd94-d1752164d066
level: low
logsource:
definition: The Advanced Audit Policy setting Object Access > Audit Other Object
Access Events has to be configured to allow this detection (not in the baseline
recommendations by Microsoft). We also recommend extracting the Command field
from the embedded XML in the event data.
product: windows
service: security
status: experimental
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053
- car.2013-08-001
- attack.t1053.005
yml_filename: win_rare_schtasks_creations.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,28 +0,0 @@
title: Rare Service Installs
author: Florian Roth
date: 2017/03/08
description: Detects rare service installs that only appear a few times per time frame
and could reveal password dumpers, backdoor installs or other types of malicious
services
detection:
SELECTION_1:
EventID: 7045
condition: SELECTION_1| count() by ServiceFileName < 5
falsepositives:
- Software installation
- Software updates
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
level: low
logsource:
product: windows
service: system
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
- attack.t1543.003
yml_filename: win_rare_service_installs.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,34 +0,0 @@
title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
single source system
detection:
SELECTION_1:
EventID: 529
SELECTION_2:
EventID: 4625
SELECTION_3:
TargetUserName: '*'
SELECTION_4:
WorkstationName: '*'
condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)| count(TargetUserName)
by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
level: medium
logsource:
product: windows
service: security
modified: 2021/09/21
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
yml_filename: win_susp_failed_logons_single_source.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,35 +0,0 @@
title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
single source system
detection:
SELECTION_1:
EventID: 4776
SELECTION_2:
TargetUserName: '*'
SELECTION_3:
Workstation: '*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)| count(TargetUserName)
by Workstation > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
level: medium
logsource:
product: windows
service: security
modified: 2021/09/21
related:
- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
type: derived
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
yml_filename: win_susp_failed_logons_single_source2.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin


@@ -1,15 +0,0 @@
title: The ... service entered the stopped|running state
description: hogehoge
author: DeepblueCLI, Zach Mathis
detection:
selection:
Channel: System
EventID: 7036
param1:
regexes: ./config/regex/regexes_suspicous_service.txt
condition: selection
falsepositives:
- unknown
output: 'Suspicious Service Name¥nService name: %ServiceName%'
creation_date: 2020/11/8
uodated_date: 2020/11/8
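Review bot: this placeholder rule (`description: hogehoge`, the `uodated_date` misspelling, `¥n` where `\n` was meant in `output`, and the misspelled `regexes_suspicous_service.txt` path) is rightly deleted, but the `./config/regex/regexes_suspicous_service.txt` file it points at is not touched in the visible hunks. Confirm that file is removed as well or is still consumed by another rule, so no orphaned config is left behind.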


@@ -1,29 +0,0 @@
author: Yusuke Matsui, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Powershell 2.0 Downgrade Attack
title_jp: Powershell 2.0へのダウングレード攻撃
output: 'Powershell 2.0 downgrade attack detected!'
output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
description: An attacker may have started Powershell 2.0 to evade detection.
description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
id: bc082394-73e6-4d00-a9af-e7b524ef5085
level: medium
status: test
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 400
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
falsepositives:
- legacy application
tags:
- attack.defense_evasion
- attack.t1562.010
- lolbas
references:
- https://attack.mitre.org/techniques/T1562/010/
- https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/
ruletype: hayabusa


@@ -1,28 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: Security log was cleared
title_jp: セキュリティログがクリアされた
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the Security event log.
description_jp: 誰かがセキュリティログをクリアした。
id: c2f690ac-53f8-4745-8cfe-7127dda28c74
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 1102
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
ruletype: hayabusa


@@ -1,28 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Unknown Reason
title_jp: ログオンに失敗 - 不明な理由
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
filter:
- SubStatus: "0xc0000064"
- SubStatus: "0xc000006a"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
ruletype: hayabusa
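Review bot: `tags:` and `references:` are left as bare keys, which YAML parses as null rather than as an empty list, so a loader that iterates over tags needs a null check and a rule validator should flag it; the two following logon-failure rules have the same empty keys. If these rules move to the submodule, give the keys an empty list (`[]`) or drop them.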


@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Wrong Password
title_jp: ログオンに失敗 - パスワードが間違っている
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: e87bd730-df45-4ae9-85de-6c75369c5d29
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc000006a"
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
ruletype: hayabusa


@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Username does not exist
title_jp: ログオンに失敗 - ユーザ名は存在しない
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: 8afa97ce-a217-4f7c-aced-3e320a57756d
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc0000064"
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
ruletype: hayabusa
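Review bot: this rule and the preceding `Logon Failure - Wrong Password` rule have no `condition:` key at all (the `detection` block ends after `SubStatus`), whereas `Logon Failure - Unknown Reason` spells out `condition: selection and not filter`. If the engine defaults to `selection` when the key is absent, that should be documented; otherwise these two rules never fire. Check the submodule copies either way.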


@@ -1,48 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Unknown process used a high privilege
title_jp: 不明なプロセスが高い権限を使った
output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: |
Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
Disk wipers like bcwipe will also generate this.
More legitimate filepaths may have to be added to the filter.
This is marked as a medium alert as there is a high possibility for false positives.
description_jp:
id: 5b6e58ee-c231-4a54-9eee-af2577802e08
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4673
filter:
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\System32\lsass.exe
- ProcessName: C:\Windows\System32\audiodg.exe
- ProcessName: C:\Windows\System32\svchost.exe
- ProcessName: C:\Windows\System32\mmc.exe
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\explorer.exe
- ProcessName: C:\Windows\System32\SettingSyncHost.exe
- ProcessName: C:\Windows\System32\sdiagnhost.exe
- ProcessName|startswith: C:\Program Files
- SubjectUserName: LOCAL SERVICE
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1561
- attack.impact
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
ruletype: hayabusa
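Review bot: `- ProcessName: C:\Windows\System32\net.exe` appears twice in the `filter` list (first and sixth entries); drop one. `- ProcessName|startswith: C:\Program Files` excludes every binary under Program Files, a wide trust boundary for a rule whose own description warns of false positives; listing the specific installed images that are known to call privileged services would keep the exclusion reviewable. `description_jp:` is empty although `title_jp` and `output_jp` are translated.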

View File

@@ -1,28 +0,0 @@
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/26
title: Hidden user account created! (Possible Backdoor)
title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4720
TargetUserName|endswith: "$"
falsepositives:
- domain controller
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
ruletype: hayabusa
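Review bot: `uodated_date: 2021/11/26` is a typo for `updated_date`, and `- attack.11136.001` should read `- attack.t1136.001` to match the `https://attack.mitre.org/techniques/T1136/001/` reference and the `attack.tNNNN` form used by the other rules. The `creation_date`/`updated_date` pair also differs from the `date`/`modified` keys the neighbouring rules use; pick one set for the whole rule base. `description_jp` repeats the English description verbatim.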

View File

@@ -1,30 +0,0 @@
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/11/26
title: Local user account created
title_jp: ローカルユーザアカウントが作成された
output: 'User: %TargetUserName% : SID:%TargetSid%'
output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
description: A local user account was created.
description_jp: ローカルユーザアカウントが作成された.
id: 13edce80-2b02-4469-8de4-a3e37271dcdb
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4720
filter:
TargetUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
ruletype: hayabusa
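Review bot: same two defects as the rule above: `uodated_date` for `updated_date` and `- attack.11136.001` for `- attack.t1136.001` (the reference is T1136/001). `description_jp` ends with an ASCII full stop where the other Japanese descriptions use `。`.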

View File

@@ -1,31 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to the global Domain Admins group
title_jp: ユーザがグローバルドメイン管理者グループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to the Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa

View File

@@ -1,30 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: User added to global security group
title_jp: ユーザがグローバルセキュリティグループに追加された
output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
description_jp: ユーザがグローバルのセキュリティグループに追加された。
id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
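Review bot: `Subjet user is the user that performed the action.` in `description` should read `Subject user`. This rule also selects the same events as `User added to the global Domain Admins group` above (both `EventID: 4728` with the `SubjectUserName|endswith: $` filter), so one membership change raises two alerts; if that is not intended, add `TargetUserName: Domain Admins` to this rule's `filter`, the way the `User added to local security group` rule excludes its named groups.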

View File

@@ -1,29 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された。
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
ruletype: hayabusa

View File

@@ -1,29 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local Domain Admins group
title_jp: ユーザがローカルドメイン管理者グループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to the local Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: bc58e432-959f-464d-812e-d60ce5d46fa1
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
ruletype: hayabusa
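Review bot: this rule duplicates `User added to the global Domain Admins group` above: both select `EventID: 4728` with `TargetUserName: Domain Admins`, differing only in that the earlier rule filters out `SubjectUserName|endswith: $`. Since 4728 is the security-enabled global group event (see the description of `User added to global security group`), the word `local` in `title` and `title_jp` is misleading, and `event.aspx?eventid=4732` in `references` points at the local-group event rather than 4728. Merge the two rules, or retitle this one and fix the reference.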

View File

@@ -1,32 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/26
title: User added to local security group
title_jp: ユーザがローカルセキュリティグループに追加された
output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
description: A user was added to a security-enabled local group.
description_jp: ユーザがローカルセキュリティグループに追加された。
id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
- TargetUserName: Administrators
- TargetUserName: None
- TargetUserName: Domain Admins
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
ruletype: hayabusa
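Review bot: title, reference and filter describe the local-group event, but the selection reads `EventID: 4728`. The `User added to local Administrators group` rule uses `EventID: 4732` for local groups, the reference here is `event.aspx?eventid=4732`, and the filter mixes a local group (`Administrators`, which cannot appear in a 4728 event) with a global one (`Domain Admins`). If local groups are the intent, change the selection to `EventID: 4732` and drop `Domain Admins` from the filter; otherwise retitle the rule and fix the reference.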

View File

@@ -1,29 +0,0 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/26
title: Possible AS-REP Roasting
title_jp: AS-REPロースティングの可能性
output: 'Possible AS-REP Roasting'
output_jp: 'AS-REPロースティングのリスクがある'
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
level: medium
status: test
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 0 #Logon without pre-authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.004
references:
- https://attack.mitre.org/techniques/T1558/004/
ruletype: hayabusa

View File

@@ -1,29 +0,0 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Kerberoasting
title_jp: Kerberoast攻撃
output: 'Possible Kerberoasting Risk Activity.'
output_jp: 'Kerberoast攻撃のリスクがある'
description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
id: f19849e7-b5ba-404b-a731-9b624d7f6d19
level: medium
status: test
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 2 #Standard password authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.003
references:
- https://attack.mitre.org/techniques/T1558/003/
ruletype: hayabusa
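Review bot: the selection does not match the description. `description` talks about obtaining a ticket-granting service (TGS) ticket, but `EventID: 4768` is the TGT request event (compare `Kerberos TGT was requested` below), whereas service-ticket requests are `EventID: 4769` (`Kerberos Service Ticket Requested`). As written, `PreAuthType: 2` plus `TicketEncryptionType: '0x17'` flags every RC4 TGT issued after an ordinary password pre-authentication, which is volume rather than signal. Consider selecting 4769 with the RC4 encryption type and filtering `ServiceName` for `krbtgt` and machine accounts (`$` suffix), which is where RC4 service tickets for user-run services stand out.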

View File

@@ -1,27 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: System log file was cleared
title_jp: システムログがクリアされた
output: "User: %LogFileClearedSubjectUserName%"
output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the System event log.
description_jp: 誰かがシステムログをクリアした。
id: f481a1f3-969e-4187-b3a5-b47c272bfebd
level: high
status: stable
detection:
selection:
Channel: System
EventID: 104
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
ruletype: hayabusa
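Review bot: the title says the System log was cleared, but event 104 in the System channel is written whenever any event log is cleared through the Event Log service, and it names the cleared log in the `Channel` element that sits beside the `SubjectUserName` element already used by `%LogFileClearedSubjectUserName%`. Either add that element to `selection` to restrict the rule to the System log, or widen the title and include the cleared log's name in `output` so the analyst sees which log went away.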

View File

@@ -1,27 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Event log service startup type changed to disabled
title_jp: イベントログサービスのスタートアップの種類が無効に変更された
output: 'Old setting: %param2% : New setting: %param3%'
output: '設定前: %param2% : 設定後: %param3%'
id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
level: medium
status: test
detection:
selection:
Channel: System
EventID: 7040
param1: 'Windows Event Log'
param3: "disabled"
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1562.002
references:
- https://attack.mitre.org/techniques/T1562/002/
ruletype: hayabusa
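Review bot: the `output:` key appears twice (`'Old setting: %param2% : New setting: %param3%'` and `'設定前: %param2% : 設定後: %param3%'`); the second should be `output_jp:`, otherwise one value overrides the other when the YAML is loaded. The rule also lacks `description` and `description_jp`, unlike the rest of the page. `param3: "disabled"` matches the English string only; the `PowerShell Execution Pipeline` rule below lists both `Host Application` and `ホスト アプリケーション`, and if Japanese hosts are in scope the localized value of `param3` needs to be listed here in the same way, since 7040 writes its parameters in the system's display language.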

View File

@@ -1,32 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/23
title: Malicious service installed
title_jp: 悪意のあるサービスがインストールされた
output: 'Service: %ServiceName% : Image path: %ImagePath'
output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath'
description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
id: dbbfd9f3-9508-478b-887e-03ddb9236909
level: high
status: test
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
regexes: ./config/regex/regexes_suspicous_service.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legimate_serviceimage.txt
condition: selection
falsepositives:
- normal system usage
tags:
- attack.persistence
- attack.t1543.003
references:
- https://attack.mitre.org/techniques/T1543/003/
ruletype: hayabusa
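Review bot: `%ImagePath` in both `output` and `output_jp` is missing its closing `%` (compare `%ServiceName%`), so the placeholder will not be substituted. In `selection`, the `ServiceName` regex list and the `ImagePath` `min_length: 1000` check live under one selection map and, as in Sigma, both must match: the rule fires only when a suspicious service name and a 1000+ character image path occur together. If either should alert on its own, split them into two selections joined by `or`. The file names `regexes_suspicous_service.txt` and `allowlist_legimate_serviceimage.txt` look misspelled; confirm they match the files actually shipped under `./config/regex/`.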

View File

@@ -1,30 +0,0 @@
author: Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Bits Job Creation
title_jp: Bits Jobの作成
output: 'Job Title: %JobTitle% : URL: %Url%'
output_jp: 'Job名: %JobTitle% : URL: %Url%'
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-Bits-Client/Operational
EventID: 59
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- lolbas
references:
- https://attack.mitre.org/techniques/T1197/
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
ruletype: hayabusa

View File

@@ -1,30 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: PowerShell Execution Pipeline
title_jp: PowerShellパイプライン実行
output: 'Command: %CommandLine%'
output_jp: 'コマンド: %CommandLine%'
description: Displays powershell execution
description_jp: Powershellの実行を出力する。
id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
ContextInfo:
- Host Application
- ホスト アプリケーション
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.t1059.001
- lolbas
references:
ruletype: hayabusa
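Review bot: `references:` is empty and `description: Displays powershell execution` does not say what the rule selects; note that 4103 in `Microsoft-Windows-PowerShell/Operational` is the module-logging (Executing Pipeline) event, that `ContextInfo` is matched against the `Host Application` label in both English and Japanese, and link the Microsoft documentation for PowerShell module logging.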

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 0 - System
title_jp: ログオンタイプ 0 - System
output: 'Bootup'
output_jp: 'システム起動'
description: Prints logon information
description_jp: Prints logon information
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 0
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 10 - RDP (Remote Interactive)
title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 10
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 11 - CachedInteractive
title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 11
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 12 - CachedRemoteInteractive
title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 12
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 13 - CachedUnlock
title_jp: ログオンタイプ 13 - キャッシュされたアンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 13
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 2 - Interactive
title_jp: ログオンタイプ 2 - インタラクティブ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information
description_jp: Prints logon information
id: 7beb4832-f357-47a4-afd8-803d69a5c85c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 2
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 3 - Network
title_jp: ログオンタイプ 3 - ネットワーク
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: c7b22878-e5d8-4c30-b245-e51fd354359e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 3
filter:
- IpAddress: "-"
- IpAddress: "127.0.0.1"
- IpAddress: "::1"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 4 - Batch
title_jp: ログオンタイプ 4 - バッチ
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 4
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 5 - Service
title_jp: ログオンタイプ 5 - サービス
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 408e1304-51d7-4d3e-ab31-afd07192400b
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 5
filter:
- TargetUserName: "SYSTEM"
- TargetUserName: "NETWORK SERVICE"
- TargetUserName: "LOCAL SERVICE"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 7 - Unlock
title_jp: ログオンタイプ 7 - アンロック
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 7
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 8 - NetworkCleartext
title_jp: ログオンタイプ 8 - ネットワーク平文
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
description_jp: Prints logon information
id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 8
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
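Review bot: `description` claims `the password is not unhashed`, which contradicts Microsoft's definition of logon type 8 (NetworkCleartext): the credentials are passed to the authentication package in unhashed form, which is precisely why this type matters for IIS Basic Authentication. Reword so the rule does not understate the exposure, and bring `description_jp` in line with the English text instead of `Prints logon information`.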

View File

@@ -1,25 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 9 - NewCredentials
title_jp: ログオンタイプ 9 - 新しい資格情報
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: d80facaa-ca97-47bb-aed2-66362416eb49
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 9
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff
title_jp: ログオフ
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4634
filter:
TargetUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
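Review bot: `description: Prints logon information.` is copied from the logon rules, but this rule matches logoff event 4634; the same copied text appears in `Logoff - User Initiated` (4647) below. State that the rule prints logoff information and why computer accounts (`TargetUserName|endswith: "$"`) are filtered out.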

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff - User Initiated
title_jp: ログオフ - ユーザが行った
output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 6bad16f1-02c4-4075-b414-3cd16944bc65
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4647
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Admin Logon
title_jp: 管理者ログオン
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4672
filter:
- SubjectUserName: "SYSTEM"
- SubjectUserName: "LOCAL SERVICE"
- SubjectUserName: "NETWORK SERVICE"
- SubjectUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos TGT was requested
title_jp: Kerberos TGTが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
description: Prints logon information.
description_jp: Prints logon information.
id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4768
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos Service Ticket Requested
title_jp: Kerberosサービスチケットが要求された
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: da6257f3-cf49-464a-96fc-c84a7ce20636
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4769
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: NTLM Logon to Local Account
title_jp: ローカルアカウントへのNTLMログオン
output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: 4fbe94b0-577a-4f77-9b13-250e27d440fa
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4776
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
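Review bot: `output` reads `Workstation %Workstation%` without the colon that every other field and the `output_jp` line (`端末: %Workstation%`) use; change it to `Workstation: %Workstation%` for consistent output formatting.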

View File

@@ -1,24 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Connection to wireless access point
title_jp: ローカルアカウントへのNTLMログオン
output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
description: Prints connection info to wireless access points.
description_jp: Prints connection info to wireless access points.
id: 90dd0797-f481-453d-a97e-dd78436893f9
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-WLAN-AutoConfig
EventID: 8001
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
ruletype: hayabusa
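Review bot: `title_jp: ローカルアカウントへのNTLMログオン` is copied from the preceding `NTLM Logon to Local Account` rule and does not translate `Connection to wireless access point`; replace it. `Channel: Microsoft-Windows-WLAN-AutoConfig` also lacks the `/Operational` suffix that the other provider channels on this page carry (for example `Microsoft-Windows-Bits-Client/Operational`); confirm the full channel name, since an exact match on the provider name alone will not select the events.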

View File

@@ -1,40 +0,0 @@
title: Azure AD Health Monitoring Agent Registry Keys Access
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
ruletype: SIGMA
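Review bot: the `SELECTION_5` exclusions are substring patterns (`'*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'` and the rest), so any process whose `ProcessName` contains one of those file names anywhere in its path is excluded, not only the agent binaries in their install directory; anchoring the patterns to the full image path keeps the exclusion as narrow as the description implies. The same applies to the `Azure AD Health Service Agents Registry Keys Access` rule that follows. The `condition:` value is also wrapped onto a second line; keeping it on one line avoids depending on continuation indentation that this rendering does not show.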

View File

@@ -1,42 +0,0 @@
title: Azure AD Health Service Agents Registry Keys Access
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012
ruletype: SIGMA

View File

@@ -1,35 +0,0 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
date: 2019/04/03
description: backdooring domain object to grant the rights associated with DCSync
to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
detection:
SELECTION_1:
EventID: 5136
SELECTION_2:
AttributeLDAPDisplayName: ntSecurityDescriptor
SELECTION_3:
AttributeValue:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute
of event 5136 and verify if it's a regular user or DC computer account.
id: 2c99737c-585d-4431-b61a-c911d86ff32f
level: critical
logsource:
product: windows
service: security
modified: 2021/07/09
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
status: experimental
tags:
- attack.persistence
- attack.t1098
ruletype: SIGMA
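Review bot: the `falsepositives` entry tells the analyst to check whether the SID inside `AttributeValue` belongs to a DC computer account, but the condition `(SELECTION_1 and SELECTION_2 and SELECTION_3)` does no such filtering, so every domain-controller promotion writes exactly these replication GUIDs into `ntSecurityDescriptor` and fires this rule at `level: critical`. Either add a subject filter, for instance a `SubjectUserName: '*$'` exclusion as the "Active Directory Replication from Non Machine Account" rule in this same diff does, or state in the description that DC promotion is an expected trigger so the severity is understood.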

View File

@@ -1,44 +0,0 @@
title: AD Privileged Users or Groups Reconnaissance
author: Samir Bousseaden
date: 2019/04/03
description: Detect priv users or groups recon based on 4661 eventid and known privileged
users or groups SIDs
detection:
SELECTION_1:
EventID: 4661
SELECTION_2:
ObjectType:
- SAM_USER
- SAM_GROUP
SELECTION_3:
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
SELECTION_4:
ObjectName: '*admin*'
condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
falsepositives:
- if source account name is not an admin then its super suspicious
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
level: high
logsource:
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
product: windows
service: security
modified: 2021/09/08
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
ruletype: SIGMA
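Review bot: the `falsepositives` entry "if source account name is not an admin then its super suspicious" is triage guidance, not a source of false positives; move it into the description and list actual benign causes of 4661 on these SIDs (group-management tooling and AD health checks run by administrators) or put "Unknown". SELECTION_4's `ObjectName: '*admin*'` also matches any SAM_USER or SAM_GROUP whose name merely contains "admin", which widens a `level: high` rule well beyond the privileged SIDs in SELECTION_3; either restrict it to SAM_GROUP objects or document the expected noise.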

View File

@@ -1,32 +0,0 @@
title: AD Object WriteDAC Access
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects WRITE_DAC access to a domain object
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectServer: DS
SELECTION_3:
AccessMask: '0x40000'
SELECTION_4:
ObjectType:
- 19195a5b-6da0-11d0-afd3-00c04fd930c9
- domainDNS
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
level: critical
logsource:
product: windows
service: security
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001
ruletype: SIGMA
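Review bot: `AccessMask: '0x40000'` is an exact string match, while 4662 logs the combined mask of everything requested in one access, so a WRITE_DAC request made together with any other right produces a different hex value and is missed; either document that the rule only catches a lone WRITE_DAC request or express the check as a contains/bitmask test where the backend supports one. With `falsepositives: Unknown` at `level: critical`, the note should also say that routine ACL edits on the domain head by administrators will match.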

View File

@@ -1,42 +0,0 @@
title: Active Directory Replication from Non Machine Account
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/07/26
description: Detects potential abuse of Active Directory Replication Service (ADRS)
from a non machine account to request credentials.
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
AccessMask: '0x100'
SELECTION_3:
Properties:
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
SELECTION_4:
SubjectUserName: '*$'
SELECTION_5:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
or SELECTION_5))
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 17d619c1-e020-4347-957e-1d1207455c93
level: critical
logsource:
product: windows
service: security
modified: 2020/08/23
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.006
ruletype: SIGMA
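Review bot: the exclusions in SELECTION_4 and SELECTION_5 are purely name-based (`SubjectUserName: '*$'` and `MSOL_*`), so an attacker who creates or takes over an account with a trailing `$` or an `MSOL_` prefix drops out of a `level: critical` DCSync detection. That weakness of the filter should be written into the description, and the rule should suggest pairing it with a check on where the replication request came from (the `ComputerName` and `SubjectDomainName` already listed under `fields`) or with an explicit allowlist of the real sync-account names in the environment instead of the prefix.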

View File

@@ -1,35 +0,0 @@
title: AD User Enumeration
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/30
description: Detects access to a domain user from a non-machine account
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
SELECTION_3:
SubjectUserName: '*$'
SELECTION_4:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
falsepositives:
- Administrators configuring new users.
id: ab6bffca-beff-4baa-af11-6733f296d57a
level: medium
logsource:
definition: Requires the "Read all properties" permission on the user object to
be audited for the "Everyone" principal
product: windows
service: security
modified: 2021/08/09
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002
ruletype: SIGMA
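Review bot: this rule reuses the same name-based exclusions as the replication rule (`SubjectUserName: '*$'` and `MSOL_*`) and inherits the same bypass, but here on an event that fires for every audited read of a user object. `logsource.definition` says the "Read all properties" permission must be audited for "Everyone"; spell out that without that SACL the rule never fires, and that with it the volume is high unless the backend aggregates on `SubjectUserName`, because an analyst reading `level: medium` will not expect either.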

View File

@@ -1,35 +0,0 @@
title: ADCS Certificate Template Configuration Vulnerability
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_3:
EventID: 4899
SELECTION_4:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
level: low
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access
ruletype: SIGMA
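Review bot: the description says "Detects certificate creation", but `logsource.definition` in the same block says 4898 is logged when Certificate Services loads a template and 4899 when a template is updated, so the rule detects a risky template being loaded or changed, not a certificate being issued; reword the description to match. Also "risk permission subject" is not clear, something like "a template that lets the enrollee supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)" says what is meant, and "comming" and "enrollement" are misspelled.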

View File

@@ -1,49 +0,0 @@
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
and risky EKU
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_3:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_4:
EventID: 4899
SELECTION_5:
NewTemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_6:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
level: high
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag with risky EKU.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access
ruletype: SIGMA
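Review bot: the EKU OIDs in SELECTION_2 and SELECTION_5 are listed bare; annotate them so a reader can verify the intent (1.3.6.1.5.5.7.3.2 Client Authentication, 1.3.6.1.5.2.3.4 PKINIT Client Authentication, 1.3.6.1.4.1.311.20.2.2 Smart Card Logon, 2.5.29.37.0 Any Purpose). As in the sibling rule, the description claims "certificate creation" while `logsource.definition` correctly describes 4898/4899 as template load and update events, and "comming" and "enrollement" are misspelled.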

View File

@@ -1,37 +0,0 @@
title: Admin User Remote Logon
author: juju4
date: 2017/10/29
description: Detect remote login by Administrator user (depending on internal pattern).
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
LogonType: 10
SELECTION_3:
AuthenticationPackageName: Negotiate
SELECTION_4:
TargetUserName: Admin*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administrative activity.
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
level: low
logsource:
definition: 'Requirements: Identifiable administrators usernames (pattern or special
unique character. ex: "Admin-*"), internal policy mandating use only as secondary
account'
product: windows
service: security
modified: 2021/07/07
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
status: experimental
tags:
- attack.lateral_movement
- attack.t1078
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005
ruletype: SIGMA
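Review bot: the tags list t1078 together with all three sub-techniques (.001 default, .002 domain, .003 local), but a 4624 with `LogonType: 10` and `TargetUserName: Admin*` cannot tell which one applies; keep only the parent, or pick the sub-technique that matches the naming policy described in `logsource.definition`. `AuthenticationPackageName: Negotiate` also drops any RDP logon whose event reports Kerberos or NTLM directly as the package; if that narrowing is deliberate say why, otherwise remove SELECTION_3.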

View File

@@ -1,29 +0,0 @@
title: Access to ADMIN$ Share
author: Florian Roth
date: 2017/03/04
description: Detects access to $ADMIN share
detection:
SELECTION_1:
EventID: 5140
SELECTION_2:
ShareName: Admin$
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Legitimate administrative activity
id: 098d7118-55bc-4912-a836-dc6483a8d150
level: low
logsource:
definition: The advanced audit policy setting "Object Access > Audit File Share"
must be configured for Success/Failure
product: windows
service: security
modified: 2020/08/23
status: experimental
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
ruletype: SIGMA
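Review bot: the description says "$ADMIN share" while SELECTION_2 matches `ShareName: Admin$`; fix the description. More importantly, 5140 records the share in the form `\\*\ADMIN$` (the ATSVC rule later in this diff matches 5145 with `ShareName: \\*\IPC$` in exactly that form), so an exact match on `Admin$` only works if the backend strips the prefix; use `\\*\ADMIN$`. `attack.t1077` is a retired technique ID already superseded by the `attack.t1021.002` tag present in the list.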

View File

@@ -1,32 +0,0 @@
title: Enabled User Right in AD to Control User Objects
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
right in Active Directory it would allow control of other AD user objects.
detection:
SELECTION_1:
EventID: 4704
SELECTION_2:
PrivilegeList:
- '*SeEnableDelegationPrivilege*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
level: high
logsource:
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
modified: 2020/08/23
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
status: experimental
tags:
- attack.persistence
- attack.t1098
ruletype: SIGMA

View File

@@ -1,53 +0,0 @@
title: Active Directory User Backdoors
author: '@neu5ron'
date: 2017/04/13
description: Detects scenarios where one can control another users or computers account
without having to use their credentials.
detection:
SELECTION_1:
EventID: 4738
SELECTION_10:
AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
SELECTION_2:
AllowedToDelegateTo: '-'
SELECTION_3:
AllowedToDelegateTo|re: ^$
SELECTION_4:
EventID: 5136
SELECTION_5:
AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
SELECTION_6:
EventID: 5136
SELECTION_7:
ObjectClass: user
SELECTION_8:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_9:
EventID: 5136
condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or (SELECTION_4
and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9
and SELECTION_10))
falsepositives:
- Unknown
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\DS Access\Audit Directory Service Changes'
product: windows
service: security
modified: 2020/08/23
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
status: experimental
tags:
- attack.t1098
- attack.persistence
ruletype: SIGMA
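Review bot: the branch `(SELECTION_6 and SELECTION_7 and SELECTION_8)` fires on any 5136 that changes `servicePrincipalName` on a user object, which is exactly what a legitimate SPN registration for a service account produces, yet `falsepositives` says "Unknown" at `level: high`; list that cause and consider limiting the SPN branch to privileged accounts. The numbering (SELECTION_10 listed before SELECTION_2) looks like an alphabetical-sort artefact of the conversion and makes the five-way nested `condition` hard to audit; renumbering in the order the condition uses them would help.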

View File

@@ -1,91 +0,0 @@
title: Weak Encryption Enabled and Kerberoast
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where weak encryption is enabled for a user profile
which could be used for hash/password cracking.
detection:
SELECTION_1:
EventID: 4738
SELECTION_2:
NewUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_3:
OldUacValue:
- '*8???'
- '*9???'
- '*A???'
- '*B???'
- '*C???'
- '*D???'
- '*E???'
- '*F???'
SELECTION_4:
NewUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_5:
OldUacValue:
- '*1????'
- '*3????'
- '*5????'
- '*7????'
- '*9????'
- '*B????'
- '*D????'
- '*F????'
SELECTION_6:
NewUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
SELECTION_7:
OldUacValue:
- '*8??'
- '*9??'
- '*A??'
- '*B??'
- '*C??'
- '*D??'
- '*E??'
- '*F??'
condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
falsepositives:
- Unknown
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management'
product: windows
service: security
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
ruletype: SIGMA
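Review bot: the selections are hex-digit wildcard patterns on `NewUacValue`/`OldUacValue` (`'*8???'` through `'*F??'`) and nothing in the rule says which userAccountControl flag each of the three groups targets, so a reviewer cannot confirm that the intended bit is being tested, that the three groups do not overlap, or that the digit position is right for the format 4738 actually logs in those fields; add a comment per selection naming the flag. The title mentions Kerberoast but the references are about DES and AS-REP roasting, so the title should say what is detected. `attack.t1089` is retired in favour of the `attack.t1562.001` tag already present.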

View File

@@ -1,31 +0,0 @@
title: LSASS Access Detected via Attack Surface Reduction
author: Markus Neis
date: 2018/08/26
description: Detects Access to LSASS Process
detection:
SELECTION_1:
EventID: 1121
SELECTION_2:
Path: '*\lsass.exe'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
level: high
logsource:
definition: 'Requirements:Enabled Block credential stealing from the Windows local
security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
product: windows
service: windefend
modified: 2021/11/13
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
ruletype: SIGMA

View File

@@ -1,46 +0,0 @@
title: Mimikatz Use
author: Florian Roth
date: 2017/01/10
description: This method detects mimikatz keywords in different Eventlogs (some of
them only appear in older Mimikatz version that are however still used by different
threat groups)
detection:
SELECTION_1:
- \mimikatz
- mimikatz.exe
- \mimilib.dll
- <3 eo.oe
- eo.oe.kiwi
- privilege::debug
- sekurlsa::logonpasswords
- lsadump::sam
- mimidrv.sys
- ' p::d '
- ' s::l '
- gentilkiwi.com
- Kiwi Legit Printer
condition: (SELECTION_1)
falsepositives:
- Naughty administrators
- Penetration test
- AV Signature updates
- Files with Mimikatz in their filename
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
level: critical
logsource:
product: windows
modified: 2021/08/26
status: experimental
tags:
- attack.s0002
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
ruletype: SIGMA

View File

@@ -1,41 +0,0 @@
title: Hacktool Ruler
author: Florian Roth
date: 2017/05/31
description: This events that are generated when using the hacktool Ruler by Sensepost
detection:
SELECTION_1:
EventID: 4776
SELECTION_2:
Workstation: RULER
SELECTION_3:
EventID: 4624
SELECTION_4:
EventID: 4625
SELECTION_5:
WorkstationName: RULER
condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
falsepositives:
- Go utilities that use staaldraad awesome NTLM library
id: 24549159-ac1b-479c-8175-d42aea947cae
level: high
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://github.com/sensepost/ruler
- https://github.com/sensepost/ruler/issues/47
- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1087
- attack.t1075
- attack.t1114
- attack.t1059
- attack.t1550.002
ruletype: SIGMA
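Review bot: the description "This events that are generated when using the hacktool Ruler by Sensepost" is missing its verb; "Detects events generated when the Ruler hacktool by SensePost is used" reads correctly. `attack.t1075` is a retired ID superseded by the `attack.t1550.002` tag already in the list. The field names deliberately differ between 4776 (`Workstation`) and 4624/4625 (`WorkstationName`), which looks like a typo at first glance; a short comment saying so would prevent a well-meaning "fix".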

View File

@@ -1,48 +0,0 @@
title: File Was Not Allowed To Run
author: Pushkarev Dmitry
date: 2020/06/28
description: Detect run not allowed files. Applocker is a very useful tool, especially
on servers where unprivileged users have access. For example terminal servers. You
need configure applocker and log collect to receive these events.
detection:
SELECTION_1:
EventID: 8004
SELECTION_2:
EventID: 8007
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- need tuning applocker or add exceptions in SIEM
fields:
- PolicyName
- RuleId
- RuleName
- TargetUser
- TargetProcessId
- FilePath
- FileHash
- Fqbn
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
level: medium
logsource:
product: windows
service: applocker
modified: 2020/08/23
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
status: experimental
tags:
- attack.execution
- attack.t1086
- attack.t1064
- attack.t1204
- attack.t1035
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
ruletype: SIGMA
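Review bot: the description needs a grammar pass ("Detect run not allowed files" and "You need configure applocker and log collect" would read "Detects files that AppLocker blocked from running" and "You need to configure AppLocker and log collection to receive these events"). The tag list carries the retired IDs t1086, t1064 and t1035 next to their t1059.x and t1204.002 replacements; drop the retired ones. The `falsepositives` entry "need tuning applocker or add exceptions in SIEM" is advice, not a cause; name what produces benign 8004/8007 events, such as newly deployed or updated software not yet covered by the policy.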

View File

@@ -1,31 +0,0 @@
title: Turla Service Install
author: Florian Roth
date: 2017/03/31
description: This method detects a service install of malicious services mentioned
in Carbon Paper - Turla report by ESET
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName:
- srservice
- ipvpn
- hkmsvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
level: high
logsource:
product: windows
service: system
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
status: experimental
tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003
ruletype: SIGMA

View File

@@ -1,42 +0,0 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 4698
SELECTION_2:
TaskName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
level: critical
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
status: experimental
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
ruletype: SIGMA
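Review bot: this rule and the next one share the exact title "Chafer Activity" while matching different events (4698 scheduled-task creation here, 7045 service installation in the derived rule `53ba33fd-3a50-4468-a5ef-c583635cfa92`), so alerts from the two cannot be told apart by title; add the event type to each title. The tag list is also identical in both, which leaves this scheduled-task rule tagged with t1543.003 (service creation) and the service rule tagged with t1053.005 (scheduled task); keep only the techniques each rule actually observes.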

View File

@@ -1,39 +0,0 @@
title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
in March 2018
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName:
- SC Scheduled Scan
- UpdatMachine
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
level: critical
logsource:
product: windows
service: system
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
status: experimental
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
ruletype: SIGMA

View File

@@ -1,39 +0,0 @@
title: GALLIUM Artefacts
author: Tim Burrell
date: 2020/02/07
description: Detects artefacts associated with activity group GALLIUM - Microsoft
Threat Intelligence Center indicators released in December 2019.
detection:
SELECTION_1:
EventID: 257
SELECTION_2:
QNAME:
- asyspy256.ddns.net
- hotkillmail9sddcc.ddns.net
- rosaf112.ddns.net
- cvdfhjh1231.myftp.biz
- sz2016rose.ddns.net
- dffwescwer4325.myftp.biz
- cvdfhjh1231.ddns.net
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 3db10f25-2527-4b79-8d4b-471eb900ee29
level: high
logsource:
product: windows
service: dns-server
modified: 2021/09/19
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: experimental
tags:
- attack.credential_access
- attack.command_and_control
- attack.t1071
ruletype: SIGMA

View File

@@ -1,32 +0,0 @@
title: Defrag Deactivation
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
description: Detects the deactivation and disabling of the Scheduled defragmentation
task as seen by Slingshot APT group
detection:
SELECTION_1:
EventID: 4701
SELECTION_2:
TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
level: medium
logsource:
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
product: windows
service: security
modified: 2021/09/19
references:
- https://securelist.com/apt-slingshot/84312/
related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
status: experimental
tags:
- attack.persistence
- attack.t1053
- attack.s0111
ruletype: SIGMA

View File

@@ -1,30 +0,0 @@
title: StoneDrill Service Install
author: Florian Roth
date: 2017/03/07
description: This method detects a service install of the malicious Microsoft Network
Realtime Inspection Service service described in StoneDrill report by Kaspersky
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: NtsSrv
SELECTION_3:
ServiceFileName: '* LocalService'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unlikely
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
level: high
logsource:
product: windows
service: system
references:
- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
status: experimental
tags:
- attack.persistence
- attack.g0064
- attack.t1050
- attack.t1543.003
ruletype: SIGMA

View File

@@ -1,28 +0,0 @@
title: Turla PNG Dropper Service
author: Florian Roth
date: 2018/11/23
description: This method detects malicious services mentioned in Turla PNG dropper
report by NCC Group in November 2018
detection:
SELECTION_1:
EventID: 7045
SELECTION_2:
ServiceName: WerFaultSvc
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unlikely
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
level: critical
logsource:
product: windows
service: system
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
status: experimental
tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003
ruletype: SIGMA

View File

@@ -1,38 +0,0 @@
title: Operation Wocao Activity
author: Florian Roth, frack113
date: 2019/12/20
description: Detects activity mentioned in Operation Wocao report
detection:
SELECTION_1:
EventID: 4799
SELECTION_2:
TargetUserName: Administr*
SELECTION_3:
CallerProcessName: '*\checkadmin.exe'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
level: high
logsource:
product: windows
service: security
modified: 2021/09/19
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
status: experimental
tags:
- attack.discovery
- attack.t1012
- attack.defense_evasion
- attack.t1036.004
- attack.t1036
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1053
- attack.t1059.001
- attack.t1086
ruletype: SIGMA
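Review bot: the rule matches a single 4799 (local group membership enumerated) with `CallerProcessName: '*\checkadmin.exe'`, yet the tags claim t1036 masquerading, t1027 obfuscation, t1053.005 scheduled tasks and t1059.001 PowerShell, none of which this event can evidence; trim the tags to the discovery that 4799 records (t1069.001, local permission-group discovery, rather than t1012 query registry) and keep the campaign context in `references`.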

View File

@@ -1,35 +0,0 @@
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
author: Sreeman
date: 2020/03/13
description: The .SettingContent-ms file type was introduced in Windows 10 and allows
a user to create "shortcuts" to various Windows 10 setting pages. These files are
simply XML and contain paths to various Windows 10 settings binaries.
detection:
SELECTION_1:
CommandLine: '*.SettingContent-ms*'
SELECTION_2:
FilePath: '*immersivecontrolpanel*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
level: medium
logsource:
product: windows
service: security
modified: 2021/08/09
references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
status: experimental
tags:
- attack.t1204
- attack.t1193
- attack.t1566.001
- attack.execution
- attack.initial_access
ruletype: SIGMA
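Review bot: the rule has no EventID selection, yet `logsource` is `service: security` and the match is on `CommandLine`, which the Security log only carries in 4688 when command-line auditing is enabled; add `EventID: 4688` or move the rule to a process-creation logsource so it binds to the right events. The exclusion `FilePath: '*immersivecontrolpanel*'` is presumably there to drop the legitimate Settings app, which should be stated under `falsepositives` instead of "unknown". `attack.t1193` is retired and already replaced by the `attack.t1566.001` tag present.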

View File

@@ -1,30 +0,0 @@
title: Using AppVLP To Circumvent ASR File Path Rule
author: Sreeman
date: 2020/03/13
description: Application Virtualization Utility is included with Microsoft Office.We
are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
for Application Virtualization, but we can use it as an abuse binary to circumvent
the ASR file path rule folder or to mark a file as a system file
detection:
SELECTION_1:
CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
condition: SELECTION_1
falsepositives:
- unknown
fields:
- ParentProcess
- CommandLine
- ParentCommandLine
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
level: medium
logsource:
product: windows
service: security
modified: 2021/06/11
status: experimental
tags:
- attack.t1218
- attack.defense_evasion
- attack.execution
ruletype: SIGMA
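Review bot: same logsource problem as the SettingContent-ms rule: `service: security` with a bare `CommandLine|re` and no EventID, so it is unclear which events the regex is meant to run against; add `EventID: 4688` or use a process-creation logsource. The regex also leaves every dot unescaped in `(cmd.exe|powershell.exe)` and in the extension group `(.sh|.exe|.dll|...)`, so `.` matches any character and `.sh` matches "bsh" or "ash" inside any path; escape them as `\.`. The inline `(?i)` duplicates case-insensitivity if the backend already applies it, harmless but worth a comment.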

View File

@@ -1,36 +0,0 @@
title: Remote Task Creation via ATSVC Named Pipe
author: Samir Bousseaden
date: 2019/04/03
description: Detects remote task creation via at.exe or API interacting with ATSVC
namedpipe
detection:
SELECTION_1:
EventID: 5145
SELECTION_2:
ShareName: \\*\IPC$
SELECTION_3:
RelativeTargetName: atsvc
SELECTION_4:
Accesses: '*WriteData*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- pentesting
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
level: medium
logsource:
definition: The advanced audit policy setting "Object Access > Audit Detailed File
Share" must be configured for Success/Failure
product: windows
service: security
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
status: experimental
tags:
- attack.lateral_movement
- attack.persistence
- attack.t1053
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
ruletype: SIGMA

View File

@@ -1,39 +0,0 @@
title: Audit CVE Event
author: Florian Roth
date: 2020/01/15
description: Detects events generated by Windows to indicate the exploitation of a
known vulnerability (e.g. CVE-2020-0601)
detection:
SELECTION_1:
Provider_Name: Microsoft-Windows-Audit-CVE
condition: SELECTION_1
falsepositives:
- Unknown
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
level: critical
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://twitter.com/mattifestation/status/1217179698008068096
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
status: experimental
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004
ruletype: SIGMA

View File

@@ -1,44 +0,0 @@
title: Relevant Anti-Virus Event
author: Florian Roth
date: 2017/02/19
description: This detection method points out highly relevant Antivirus events
detection:
SELECTION_1:
- HTool-
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- .WinCred.
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
SELECTION_2:
- Keygen
- Crack
condition: ((SELECTION_1) and not (SELECTION_2))
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
level: high
logsource:
product: windows
service: application
modified: 2021/11/20
status: experimental
tags:
- attack.resource_development
- attack.t1588
ruletype: SIGMA

View File

@@ -1,32 +0,0 @@
title: Processes Accessing the Microphone and Webcam
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
description: Potential adversaries accessing the microphone and webcam in an endpoint.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4663
SELECTION_4:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
SELECTION_5:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
level: medium
logsource:
product: windows
service: security
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
status: experimental
tags:
- attack.collection
- attack.t1123
ruletype: SIGMA
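Review bot: like the ADHealthAgent rule at the top of this diff, 4656/4657/4663 on these `ConsentStore` registry paths only appear if a SACL is set on the keys, but this rule has no `logsource.definition` saying so; add the requirement, including the propagate-to-subkeys note. Also, the references describe these keys as the place Windows records every process that uses the camera or microphone, so ordinary use of either device will match SELECTION_1's 4657 on every session; say that under `falsepositives` instead of "Unknown" so `level: medium` is read as "review the ProcessName", not "incident".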

Some files were not shown because too many files have changed in this diff.