From b2692ef9837f317931821f7e43242c0974d983fe Mon Sep 17 00:00:00 2001 From: itiB Date: Wed, 24 Nov 2021 00:09:41 +0900 Subject: [PATCH 01/22] Add: input function for start/end option --- src/detections/configs.rs | 2 ++ src/main.rs | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index d3a8db51..e90ad72a 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -52,6 +52,8 @@ fn build_app<'a>() -> ArgMatches<'a> { --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --verbose 'Output check information to target event file path and rule file.' + --start-time=[STARTTIME] + --end-time=[ENDTIME] -q 'Quiet Output Logo' -r --rules=[RULEDIRECTORY] 'using target of rule file directory' -L --level=[LEVEL] 'Specified execute rule level(default: LOW)' diff --git a/src/main.rs b/src/main.rs index 9db674d1..4e1a1beb 100644 --- a/src/main.rs +++ b/src/main.rs 
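Review bot: The two new usage lines `--start-time=[STARTTIME]` and `--end-time=[ENDTIME]` carry no help text, so they appear in `--help` with no description of the accepted format, unlike every neighbouring option in this hunk. Suggest `--start-time=[STARTTIME] 'Only analyze events at or after this time, e.g. 2014-11-28T12:00:09Z'` and the matching line for `--end-time`, stating whatever format the parser in main.rs actually accepts. The body of build_app continues outside the hunk.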
@@ -118,6 +118,44 @@ fn analysis_files(evtx_files: Vec) { .value_of("level") .unwrap_or("INFO") .to_uppercase(); + + // TODO: config.rs に移す + // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z + let start_time= if let Some(s_time) = configs::CONFIG + .read() + .unwrap() + .args + .value_of("start-time") + { + match s_time.parse::>() { + Ok(dt)=> Some(dt), + Err(err) => { + AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); + None + } + } + } else { + None + }; + + let end_time= if let Some(e_time) = configs::CONFIG + .read() + .unwrap() + .args + .value_of("end-time") + { + match s_time.parse::>() { + Ok(dt)=> Some(dt), + Err(err) => { + AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); + None + } + } + } else { + None + }; + + println!("TIME: {:?}", start_time); println!("Analyzing Event Files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, From e09cfb7231f84e7131880efd51c424013b7f2b90 Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 00:11:34 +0900 Subject: [PATCH 02/22] Add: datetime util --- src/detections/print.rs | 19 ++----------------- src/detections/utils.rs | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/src/detections/print.rs b/src/detections/print.rs index 51e65acb..22a15d8d 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -9,6 +9,7 @@ use std::collections::BTreeMap; use std::collections::HashMap; use std::io::{self, Write}; use std::sync::Mutex; +use crate::detections::utils; #[derive(Debug)] pub struct Message { 
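Review bot: The `end_time` branch parses `s_time`, but that name is only bound inside the earlier `if let Some(s_time)` for the start time, so this block is out of scope here and would not compile; even if it did, it would parse the start value twice and never the `--end-time` argument. The match should read `match e_time.parse::<DateTime<Utc>>() {`, and its alert should say `format!("end-time field: {}", err)` rather than repeating "start-time field". The `println!("TIME: {:?}", start_time)` is debug output on stdout that mixes into the tool's normal result stream and should be dropped or moved behind `--verbose`. analysis_files begins and ends outside this hunk.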
@@ -174,23 +175,7 @@ impl Message { pub fn get_event_time(event_record: &Value) -> Option> { let system_time = &event_record["Event"]["System"]["TimeCreated_attributes"]["SystemTime"]; - let system_time_str = system_time.as_str().unwrap_or(""); - if system_time_str.is_empty() { - return Option::None; - } - - let rfc3339_time = DateTime::parse_from_rfc3339(system_time_str); - if rfc3339_time.is_err() { - return Option::None; - } - let datetime = Utc - .from_local_datetime(&rfc3339_time.unwrap().naive_utc()) - .single(); - if datetime.is_none() { - return Option::None; - } else { - return Option::Some(datetime.unwrap()); - } + return utils::str_time_to_datetime(system_time.as_str().unwrap_or("")); } /// message内のマップをクリアする。テストする際の冪等性の担保のため作成。 diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 9df91ff7..bde46871 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -14,6 +14,7 @@ use std::io::prelude::*; use std::io::{BufRead, BufReader}; use std::str; use std::string::String; +use chrono::{DateTime, TimeZone, Utc}; pub fn concat_selection_key(key_list: &Vec) -> String { return key_list @@ -93,6 +94,29 @@ pub fn get_event_id_key() -> String { return "Event.System.EventID".to_string(); } +pub fn get_event_time() -> String { + return "Event.System.TimeCreated_attributes.SystemTime".to_string(); +} + +pub fn str_time_to_datetime(system_time_str: &str) -> Option> { + if system_time_str.is_empty() { + return Option::None; + } + + let rfc3339_time = DateTime::parse_from_rfc3339(system_time_str); + if rfc3339_time.is_err() { + return Option::None; + } + let datetime = Utc + .from_local_datetime(&rfc3339_time.unwrap().naive_utc()) + .single(); + if datetime.is_none() { + return Option::None; + } else { + return Option::Some(datetime.unwrap()); + } +} + /// serde:Valueの型を確認し、文字列を返します。 pub fn get_serde_number_to_string(value: &serde_json::Value) -> Option { if value.is_string() { 
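Review bot: In `str_time_to_datetime` the `Utc.from_local_datetime(&rfc3339_time.unwrap().naive_utc()).single()` round trip is a no-op for a UTC offset (the naive value is already UTC, and `.single()` cannot be `None` for `Utc`), and the `is_err()`/`unwrap()`/`is_none()`/`unwrap()` chain hides that; the function reduces to one combinator chain, given below. Separately, the new `utils::get_event_time()` returns a JSON key path while `Message::get_event_time` returns a parsed `DateTime`, so the shared name is confusing; at minimum document it with `/// Dotted JSON key path of the record's SystemTime field (not the time itself).`
```rust
pub fn str_time_to_datetime(system_time_str: &str) -> Option<DateTime<Utc>> {
    if system_time_str.is_empty() {
        return None;
    }
    // parse_from_rfc3339 keeps the record's own offset; with_timezone converts
    // to the same instant expressed in UTC, which is what the old code computed.
    DateTime::parse_from_rfc3339(system_time_str)
        .ok()
        .map(|dt| dt.with_timezone(&Utc))
}
```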
From 4bb445d4f58515a5bf9e6cce991107c624c3992c Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 00:50:00 +0900 Subject: [PATCH 03/22] Add: time filter --- src/detections/configs.rs | 64 +++++++++++++++++++++++++++++++ src/detections/print.rs | 2 +- src/detections/utils.rs | 2 +- src/main.rs | 79 ++++++++++++++++++++++----------------- 4 files changed, 110 insertions(+), 37 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index ef64bd99..4e79eb35 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -1,4 +1,6 @@ +use crate::detections::print::AlertMessage; use crate::detections::utils; +use chrono::{DateTime, Utc}; use clap::{App, AppSettings, ArgMatches}; use lazy_static::lazy_static; use std::collections::{HashMap, HashSet}; 
@@ -118,6 +120,68 @@ fn load_target_ids(path: &str) -> TargetEventIds { return ret; } +#[derive(Debug, Clone)] +pub struct TargetEventTime { + start_time: Option>, + end_time: Option>, +} + +impl TargetEventTime { + pub fn new() -> TargetEventTime { + let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") { + match s_time.parse::>() { + Ok(dt) => Some(dt), + Err(err) => { + AlertMessage::alert( + &mut std::io::stderr().lock(), + format!("start-time field: {}", err), + ) + .ok(); + None + } + } + } else { + None + }; + let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") { + match e_time.parse::>() { + Ok(dt) => Some(dt), + Err(err) => { + AlertMessage::alert( + &mut std::io::stderr().lock(), + format!("start-time field: {}", err), + ) + .ok(); + None + } + } + } else { + None + }; + return TargetEventTime { + start_time: start_time, + end_time: end_time, + }; + } + + pub fn is_target(&self, eventtime: &Option>) -> bool { + if eventtime.is_none() { + return true; + } + if let Some(starttime) = self.start_time { + if eventtime.unwrap() < starttime { + return false; + } + } + if let Some(endtime) = self.end_time { + if eventtime.unwrap() > endtime { + return false; + } + } + return true; + } +} + #[derive(Debug, Clone)] pub struct EventKeyAliasConfig { key_to_eventkey: HashMap, diff --git a/src/detections/print.rs b/src/detections/print.rs index 22a15d8d..26e05046 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -1,5 +1,6 @@ extern crate lazy_static; use crate::detections::configs; +use crate::detections::utils; use crate::detections::utils::get_serde_number_to_string; use chrono::{DateTime, TimeZone, Utc}; use lazy_static::lazy_static; @@ -9,7 +10,6 @@ use std::collections::BTreeMap; use std::collections::HashMap; use std::io::{self, Write}; use std::sync::Mutex; -use crate::detections::utils; #[derive(Debug)] pub struct Message { 
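Review bot: `is_target` returns `true` whenever the event time is `None`, i.e. a record whose SystemTime is missing or unparseable is never filtered out, and nothing in the hunk documents that fail-open choice; an analyst narrowing a timeline should know such records can still appear. `new()` also never checks that `start_time <= end_time`, so an inverted range silently drops every record instead of warning. Two smaller points: the `end_time` alert reuses the text `"start-time field: {}"` and should say `"end-time field: {}"`, and the `eventtime.unwrap()` calls after the `is_none()` check can go in favour of a single match. Proposed rewrite of `is_target` with the contract spelled out:
```rust
    /// Returns true when the event falls inside the configured window.
    /// Both bounds are inclusive; an absent bound is open-ended.
    /// A record with no parseable timestamp is NOT filtered out (fail-open),
    /// so callers must not rely on this filter to hide such records.
    pub fn is_target(&self, eventtime: &Option<DateTime<Utc>>) -> bool {
        let time = match eventtime {
            Some(t) => *t,
            None => return true,
        };
        let after_start = self.start_time.map_or(true, |start| time >= start);
        let before_end = self.end_time.map_or(true, |end| time <= end);
        after_start && before_end
    }
```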
diff --git a/src/detections/utils.rs b/src/detections/utils.rs index bde46871..5d0d52ff 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -7,6 +7,7 @@ use crate::detections::configs; use tokio::runtime::Builder; use tokio::runtime::Runtime; +use chrono::{DateTime, TimeZone, Utc}; use regex::Regex; use serde_json::Value; use std::fs::File; @@ -14,7 +15,6 @@ use std::io::prelude::*; use std::io::{BufRead, BufReader}; use std::str; use std::string::String; -use chrono::{DateTime, TimeZone, Utc}; pub fn concat_selection_key(key_list: &Vec) -> String { return key_list diff --git a/src/main.rs b/src/main.rs index f2cf0458..73efcd6b 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -121,43 +121,42 @@ fn analysis_files(evtx_files: Vec) { .unwrap_or("informational") .to_uppercase(); - // TODO: config.rs に移す - // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z - let start_time = if let Some(s_time) = configs::CONFIG - .read() - .unwrap() - .args - .value_of("start-time") - { - match s_time.parse::>() { - Ok(dt)=> Some(dt), - Err(err) => { - AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); - None - } - } - } else { - None - }; + // // TODO: config.rs に移す + // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z + // let start_time = + // if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") { + // match s_time.parse::>() { + // Ok(dt) => Some(dt), + // Err(err) => { + // AlertMessage::alert( + // &mut std::io::stderr().lock(), + // format!("start-time field: {}", err), + // ) + // .ok(); + // None + // } + // } + // } else { + // None + // }; - let end_time= if let Some(e_time) = configs::CONFIG - .read() - .unwrap() - .args - .value_of("end-time") - { - match e_time.parse::>() { - Ok(dt)=> Some(dt), - Err(err) => { - AlertMessage::alert(&mut std::io::stderr().lock(), format!("start-time field: {}", err)).ok(); - None - } - } - } else { - None - }; + // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") { + // match e_time.parse::>() { + // Ok(dt) => Some(dt), + // Err(err) => { + // AlertMessage::alert( + // &mut std::io::stderr().lock(), + // format!("start-time field: {}", err), + // ) + // .ok(); + // None + // } + // } + // } else { + // None + // }; - println!("TIME: {:?}", start_time); + // println!("TIME: {:?}", start_time); println!("Analyzing Event Files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, 
@@ -192,6 +191,8 @@ fn analysis_file( let mut records = parser.records_json_value(); let tokio_rt = utils::create_tokio_runtime(); + let target_event_time = configs::TargetEventTime::new(); + loop { let mut records_per_detect = vec![]; while records_per_detect.len() < MAX_DETECT_RECORDS { @@ -228,6 +229,14 @@ fn analysis_file( } } + let eventtime = utils::get_event_value(&utils::get_event_time(), &data); + if eventtime.is_some() { + let time = utils::str_time_to_datetime(eventtime.unwrap().as_str().unwrap_or("")); + if !target_event_time.is_target(&time) { + continue; + } + } + // EvtxRecordInfo構造体に変更 let data_string = data.to_string(); let record_info = EvtxRecordInfo::new((&filepath_disp).to_string(), data, data_string); From a1ec06cc6c511edf3ba065a00b670a07f0e6a091 Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 00:52:57 +0900 Subject: [PATCH 04/22] rm: comments --- src/main.rs | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/src/main.rs b/src/main.rs index 73efcd6b..d9da8b1d 100644 --- a/src/main.rs +++ b/src/main.rs 
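Review bot: `configs::TargetEventTime::new()` is called inside `analysis_file`, so the CONFIG lock is taken and both CLI values are re-parsed once per event file, and a malformed `--start-time` produces its alert once per file rather than once per run. Construct the filter once in the caller (or cache it alongside CONFIG) and pass a reference into `analysis_file`; if the signature must stay, at least hoist the construction so the alert cannot repeat. analysis_file starts and ends outside this hunk.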
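Review bot: The filter block skips `is_target` entirely when `get_event_value` returns `None`, so a record without the SystemTime key is kept regardless of the window; that matches the fail-open behaviour of `is_target` itself but deserves a comment here, e.g. `// Records with no SystemTime are kept: the time filter never hides them.` The `is_some()` followed by `unwrap()` is also better written as `if let Some(eventtime) = utils::get_event_value(&utils::get_event_time(), &data) {` with `eventtime.as_str()` inside, which removes the panic path. The enclosing `while` loop and analysis_file continue outside the hunk.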
@@ -121,42 +121,6 @@ fn analysis_files(evtx_files: Vec) { .unwrap_or("informational") .to_uppercase(); - // // TODO: config.rs に移す - // // ./target/debug/hayabusa -f ./test_files/evtx/test1.evtx --start-time 2014-11-28T12:00:09Z - // let start_time = - // if let Some(s_time) = configs::CONFIG.read().unwrap().args.value_of("start-time") { - // match s_time.parse::>() { - // Ok(dt) => Some(dt), - // Err(err) => { - // AlertMessage::alert( - // &mut std::io::stderr().lock(), - // format!("start-time field: {}", err), - // ) - // .ok(); - // None - // } - // } - // } else { - // None - // }; - - // let end_time = if let Some(e_time) = configs::CONFIG.read().unwrap().args.value_of("end-time") { - // match e_time.parse::>() { - // Ok(dt) => Some(dt), - // Err(err) => { - // AlertMessage::alert( - // &mut std::io::stderr().lock(), - // format!("start-time field: {}", err), - // ) - // .ok(); - // None - // } - // } - // } else { - // None - // }; - - // println!("TIME: {:?}", start_time); println!("Analyzing Event Files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, From 0e4136e9cf8be473ca9fd09704b07b2dab434e29 Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 01:00:18 +0900 Subject: [PATCH 05/22] fix: option's documents --- src/detections/configs.rs | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 4e79eb35..fd227bd5 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -56,8 +56,8 @@ fn build_app<'a>() -> ArgMatches<'a> { --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --verbose 'Output verbose information to target event file path and rule file' - --start-time=[STARTTIME] - --end-time=[ENDTIME] + --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file' + --endtimeline=[ENDTIMELINE]'End time of the event to load from event file' -q 'Quiet mode. Do not display the launch banner' -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)' @@ -128,13 +128,14 @@ pub struct TargetEventTime { impl TargetEventTime { pub fn new() -> TargetEventTime { - let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-time") { + let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") + { match s_time.parse::>() { Ok(dt) => Some(dt), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("start-time field: {}", err), + format!("starttimeline field: {}", err), ) .ok(); None @@ -143,13 +144,13 @@ impl TargetEventTime { } else { None }; - let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-time") { + let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") { match e_time.parse::>() { Ok(dt) => Some(dt), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("start-time field: {}", err), + format!("endtimeline field: {}", err), ) .ok(); None From f8bd73898471640700f3b833f086ca37737e622c Mon Sep 17 00:00:00 2001 From: itiB Date: Tue, 7 Dec 2021 01:25:21 +0900 Subject: [PATCH 06/22] fix: input time format --- src/detections/configs.rs | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
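Review bot: The new usage line `--endtimeline=[ENDTIMELINE]'End time of the event to load from event file'` has no space between the value name and the help string, unlike `--starttimeline` and every other option, so clap's usage-string parser may fail to separate the value name from the help text. Insert the space: `--endtimeline=[ENDTIMELINE] 'End time of the event to load from event file'`. The help also does not say which time format is accepted, which the parser in TargetEventTime::new restricts; the example from the other options' style (`Example: …`) would fit here.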
diff --git a/src/detections/configs.rs b/src/detections/configs.rs index fd227bd5..7dfc4b29 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -56,8 +56,8 @@ fn build_app<'a>() -> ArgMatches<'a> { --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' --verbose 'Output verbose information to target event file path and rule file' - --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file' - --endtimeline=[ENDTIMELINE]'End time of the event to load from event file' + --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' + --endtimeline=[ENDTIMELINE]'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' -q 'Quiet mode. Do not display the launch banner' -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)' @@ -130,8 +130,10 @@ impl TargetEventTime { pub fn new() -> TargetEventTime { let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") { - match s_time.parse::>() { - Ok(dt) => Some(dt), + match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 + .or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00 + { + Ok(dt) => Some(dt.with_timezone(&Utc)), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), 
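Review bot: Both help strings now embed single quotes inside a single-quoted clap usage string (`'… Example: '2018/11/28 12:00:00 +09:00''`), which is likely to terminate the help text at the inner quote and garble `--help`; the space before the `--endtimeline` help string is still missing as well. Drop the inner quotes: `--starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: 2018/11/28 12:00:00 +09:00'` and the same shape for `--endtimeline`.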
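Review bot: The `Err(err)` reported after `.or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z"))` is always the failure of the second (slash) format, so a user who typed the dash format with a small mistake gets an error describing a format they did not use; the same applies to the end-time hunk that follows. The parse-and-alert logic is also duplicated verbatim for the two options, which is how the earlier copy-paste mistakes crept in. Extract one helper that names the field and echoes the rejected input, and call it as `CONFIG.read().unwrap().args.value_of("starttimeline").and_then(|s| parse_timeline_arg("starttimeline", s))` for each option.
```rust
/// Parses a --starttimeline/--endtimeline value in either
/// `YYYY-MM-DD HH:MM:SS +HH:MM` or `YYYY/MM/DD HH:MM:SS +HH:MM` form.
/// Emits an alert naming `field` and the rejected input, and returns None, on failure.
fn parse_timeline_arg(field: &str, value: &str) -> Option<DateTime<Utc>> {
    let parsed = DateTime::parse_from_str(value, "%Y-%m-%d %H:%M:%S %z")
        .or_else(|_| DateTime::parse_from_str(value, "%Y/%m/%d %H:%M:%S %z"));
    match parsed {
        Ok(dt) => Some(dt.with_timezone(&Utc)),
        Err(_) => {
            AlertMessage::alert(
                &mut std::io::stderr().lock(),
                format!(
                    "{} field: could not parse {:?} (expected e.g. 2014-11-28 21:00:09 +09:00)",
                    field, value
                ),
            )
            .ok();
            None
        }
    }
}
```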
@@ -145,9 +147,11 @@ impl TargetEventTime { None }; let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") { - match e_time.parse::>() { - Ok(dt) => Some(dt), - Err(err) => { + match DateTime::parse_from_str(e_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 + .or_else(|_| DateTime::parse_from_str(e_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00 + { + Ok(dt) => Some(dt.with_timezone(&Utc)), + Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), format!("endtimeline field: {}", err), From 708305c95866d7eed68748cad18492b1fcd78e83 Mon Sep 17 00:00:00 2001 From: itiB Date: Sat, 11 Dec 2021 15:27:11 +0900 Subject: [PATCH 07/22] Add: TargetTimefilter testcase --- src/detections/configs.rs | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 7dfc4b29..aab7bd2d 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -127,7 +127,7 @@ pub struct TargetEventTime { } impl TargetEventTime { - pub fn new() -> TargetEventTime { + pub fn new() -> Self { let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") { match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 @@ -163,10 +163,14 @@ impl TargetEventTime { } else { None }; - return TargetEventTime { + return Self::set(start_time, end_time) + } + + pub fn set(start_time: Option>, end_time: Option>) -> Self { + return Self { start_time: start_time, - end_time: end_time, - }; + end_time: end_time + } } pub fn is_target(&self, eventtime: &Option>) -> bool { @@ -306,6 +310,7 @@ fn load_eventcode_info(path: &str) -> EventInfoConfig { mod tests { use crate::detections::configs; + use chrono::{DateTime, Utc}; #[test] #[ignore] 
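Review bot: The new constructor is named `set(start_time, end_time)`, which reads as a mutating setter although it builds and returns a fresh `Self`; a name such as `with_range` or `from_bounds` says what it does, and `new()` can then delegate to it. Since this is now the single place the bounds come together, it is also the natural spot to warn when `start_time > end_time`, a misconfiguration that otherwise filters out every record silently. Add a doc comment, e.g. `/// Builds the filter from already-parsed bounds; either bound may be None (open-ended).`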
@@ -324,4 +329,29 @@ mod tests { ); assert_eq!(message, display); } + + #[test] + fn target_event_time_filter() { + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let time_filter = configs::TargetEventTime::set(start_time, end_time); + + let out_of_range1 = Some("1999-01-01T12:00:09Z".parse::>().unwrap()); + let within_range = Some("2019-02-27T01:05:01Z".parse::>().unwrap()); + let out_of_range2 = Some("2021-02-27T01:05:01Z".parse::>().unwrap()); + + assert_eq!(time_filter.is_target(&out_of_range1), false); + assert_eq!(time_filter.is_target(&within_range), true); + assert_eq!(time_filter.is_target(&out_of_range2), false); + } + + #[test] + fn target_event_time_filter_containes_on_time() { + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let time_filter = configs::TargetEventTime::set(start_time, end_time); + + assert_eq!(time_filter.is_target(&start_time), true); + assert_eq!(time_filter.is_target(&end_time), true); + } } From 721bf993f7ecbe3d37adde6bf7687b23f003cca5 Mon Sep 17 00:00:00 2001 From: itiB Date: Sat, 11 Dec 2021 15:28:13 +0900 Subject: [PATCH 08/22] cargo fmt --all --- src/detections/configs.rs | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index aab7bd2d..da65ad8e 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -163,14 +163,17 @@ impl TargetEventTime { } else { None }; - return Self::set(start_time, end_time) + return Self::set(start_time, end_time); } - pub fn set(start_time: Option>, end_time: Option>) -> Self { + pub fn set( + start_time: Option>, + end_time: Option>, + ) -> Self { return Self { start_time: start_time, - end_time: end_time - } + end_time: end_time, + }; } pub fn is_target(&self, eventtime: &Option>) -> bool { 
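Review bot: The new tests only exercise a window with both bounds set and a `Some` event time; the open-ended cases (`start_time` only, `end_time` only) and the fail-open path where `is_target(&None)` returns `true` are untested, and those are exactly the branches a future change would break silently. Add a case such as `assert!(configs::TargetEventTime::set(None, None).is_target(&None));` plus one per single-bound window. Minor style: `assert_eq!(x, false)` is clearer as `assert!(!x)`, and `containes` in the second test name is a typo.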
@@ -332,12 +335,12 @@ mod tests { #[test] fn target_event_time_filter() { - let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); - let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); let time_filter = configs::TargetEventTime::set(start_time, end_time); let out_of_range1 = Some("1999-01-01T12:00:09Z".parse::>().unwrap()); - let within_range = Some("2019-02-27T01:05:01Z".parse::>().unwrap()); + let within_range = Some("2019-02-27T01:05:01Z".parse::>().unwrap()); let out_of_range2 = Some("2021-02-27T01:05:01Z".parse::>().unwrap()); assert_eq!(time_filter.is_target(&out_of_range1), false); @@ -347,8 +350,8 @@ mod tests { #[test] fn target_event_time_filter_containes_on_time() { - let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); - let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); + let start_time = Some("2018-02-20T12:00:09Z".parse::>().unwrap()); + let end_time = Some("2020-03-30T12:00:09Z".parse::>().unwrap()); let time_filter = configs::TargetEventTime::set(start_time, end_time); assert_eq!(time_filter.is_target(&start_time), true); From d1d77b4e9f52f3d2398997a493ab66c839d6dd17 Mon Sep 17 00:00:00 2001 From: itiB Date: Thu, 16 Dec 2021 20:14:31 +0900 Subject: [PATCH 09/22] cargo fmt --all --- src/detections/configs.rs | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index ceabc05a..c2fa589f 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -316,23 +316,23 @@ mod tests { use crate::detections::configs; use chrono::{DateTime, Utc}; -// #[test] -// #[ignore] -// fn singleton_read_and_write() { -// let message = -// "EventKeyAliasConfig { key_to_eventkey: {\"EventID\": \"Event.System.EventID\"} }"; -// configs::EVENT_KEY_ALIAS_CONFIG = -// configs::load_eventkey_alias("test_files/config/eventkey_alias.txt"); -// let display = format!( -// "{}", -// format_args!( -// "{:?}", -// configs::CONFIG.write().unwrap().event_key_alias_config -// ) -// ); -// assert_eq!(message, display); -// } -// } + // #[test] + // #[ignore] + // fn singleton_read_and_write() { + // let message = + // "EventKeyAliasConfig { key_to_eventkey: {\"EventID\": \"Event.System.EventID\"} }"; + // configs::EVENT_KEY_ALIAS_CONFIG = + // configs::load_eventkey_alias("test_files/config/eventkey_alias.txt"); + // let display = format!( + // "{}", + // format_args!( + // "{:?}", + // configs::CONFIG.write().unwrap().event_key_alias_config + // ) + // ); + // assert_eq!(message, display); + // } + // } #[test] fn target_event_time_filter() { @@ -358,4 +358,4 @@ mod tests { assert_eq!(time_filter.is_target(&start_time), true); assert_eq!(time_filter.is_target(&end_time), true); } -} \ No newline at end of file +} From 8b1e2894623c34d72e8454980f59d7a2be92b2c7 Mon Sep 17 00:00:00 2001 
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Thu, 16 Dec 2021 22:04:23 +0900 Subject: [PATCH 10/22] delete noisy-rules folder. not needed anymore (#287) --- ...T1059_PowershellExecutionRemoteCommand.yml | 20 ---- rules-noisy/Security/4688.yml | 14 --- .../win_hidden_user_creation.yml | 30 ----- ...win_user_added_to_local_administrators.yml | 32 ----- .../win_user_creation.yml | 33 ------ .../Sigma/sysmon_wmi_event_subscription.yml | 27 ----- .../Sigma/win_metasploit_authentication.yml | 40 ------- .../Sigma/win_multiple_suspicious_cli.yml | 109 ------------------ ...powershell_script_installed_as_service.yml | 29 ----- .../Sigma/win_rare_schtasks_creations.yml | 33 ------ .../Sigma/win_rare_service_installs.yml | 28 ----- .../win_susp_failed_logons_single_source.yml | 34 ------ .../win_susp_failed_logons_single_source2.yml | 35 ------ rules-noisy/System/7036.yml | 15 --- 14 files changed, 479 deletions(-) delete mode 100644 rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml delete mode 100644 rules-noisy/Security/4688.yml delete mode 100644 rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml delete mode 100644 rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml delete mode 100644 rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml delete mode 100644 rules-noisy/Sigma/sysmon_wmi_event_subscription.yml delete mode 100644 rules-noisy/Sigma/win_metasploit_authentication.yml delete mode 100644 rules-noisy/Sigma/win_multiple_suspicious_cli.yml delete mode 100644 rules-noisy/Sigma/win_powershell_script_installed_as_service.yml delete mode 100644 rules-noisy/Sigma/win_rare_schtasks_creations.yml delete mode 100644 rules-noisy/Sigma/win_rare_service_installs.yml delete mode 100644 rules-noisy/Sigma/win_susp_failed_logons_single_source.yml delete mode 100644 rules-noisy/Sigma/win_susp_failed_logons_single_source2.yml delete mode 100644 
rules-noisy/System/7036.yml diff --git a/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml b/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml deleted file mode 100644 index 7fae9b75..00000000 --- a/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml +++ /dev/null @@ -1,20 +0,0 @@ -title: PowerShell Execution Remote Command -title_jp: Powershellのリモートコマンドの実行 -description: Powershell command executed remotely. -description_jp: Powershell command executed remotely. -author: Eric Conrad, Zach Mathis -mitre_attack: T1059 -level: medium -detection: - selection: - Channel: Microsoft-Windows-PowerShell/Operational - EventID: 4104 - Path: null - ScriptBlockText|re: '.+' - # condition: selection -falsepositives: - - normal system usage -output: 'Command: %ScriptBlockText%' -output: 'コマンド: %ScriptBlockText%' -creation_date: 2020/11/08 -updated_date: 2021/11/06 diff --git a/rules-noisy/Security/4688.yml b/rules-noisy/Security/4688.yml deleted file mode 100644 index f22fd44e..00000000 --- a/rules-noisy/Security/4688.yml +++ /dev/null @@ -1,14 +0,0 @@ -title: Command Line Logging -description: Command line logging. -author: Eric Conrad, Zach Mathis -detection: - selection: - Channel: Security - EventID: 4688 - CommandLine|re: '.+' - # condition: selection -falsepositives: - - unknown -output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%' -creation_date: 2020/11/8 -updated_date: 2021/11/8 diff --git a/rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml b/rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml deleted file mode 100644 index ffba158f..00000000 --- a/rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: Hidden Local User Creation -author: Christian Burkard -date: 2021/05/03 -description: Detects the creation of a local hidden user account which should not - happen for event ID 4720. -detection: - SELECTION_1: - EventID: 4720 - SELECTION_2: - TargetUserName: '*$' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- EventCode -- AccountName -id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 -level: high -logsource: - product: windows - service: security -references: -- https://twitter.com/SBousseaden/status/1387743867663958021 -status: experimental -tags: -- attack.persistence -- attack.t1136.001 -yml_filename: win_hidden_user_creation.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml b/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml deleted file mode 100644 index d7bb1f24..00000000 --- a/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -title: User Added to Local Administrators -author: Florian Roth -date: 2017/03/14 -description: This rule triggers on user accounts that are added to the local Administrators - group, which could be legitimate activity or a sign of privilege escalation activity -detection: - SELECTION_1: - EventID: 4732 - SELECTION_2: - TargetUserName: Administr* - SELECTION_3: - TargetSid: S-1-5-32-544 - SELECTION_4: - SubjectUserName: '*$' - condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4)) -falsepositives: -- Legitimate administrative activity -id: c265cf08-3f99-46c1-8d59-328247057d57 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/07 -status: stable -tags: -- attack.privilege_escalation -- attack.t1078 -- attack.persistence -- attack.t1098 -yml_filename: win_user_added_to_local_administrators.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml b/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml deleted file mode 100644 index fb8f5d46..00000000 --- a/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: Local User Creation -author: Patrick Bareiss -date: 2019/04/18 -description: Detects local user creation on windows servers, which shouldn't happen - in an Active Directory environment. Apply this Sigma Use Case on your windows - server logs and not on your DC logs. -detection: - SELECTION_1: - EventID: 4720 - condition: SELECTION_1 -falsepositives: -- Domain Controller Logs -- Local accounts managed by privileged account management tools -fields: -- EventCode -- AccountName -- AccountDomain -id: 66b6be3d-55d0-4f47-9855-d69df21740ea -level: low -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ -status: experimental -tags: -- attack.persistence -- attack.t1136 -- attack.t1136.001 -yml_filename: win_user_creation.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/sysmon_wmi_event_subscription.yml b/rules-noisy/Sigma/sysmon_wmi_event_subscription.yml deleted file mode 100644 index 36744d10..00000000 --- a/rules-noisy/Sigma/sysmon_wmi_event_subscription.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: WMI Event Subscription -author: Tom Ueltschi (@c_APT_ure) -date: 2019/01/12 -description: Detects creation of WMI event subscription persistence method -detection: - SELECTION_1: - EventID: 19 - SELECTION_2: - EventID: 20 - SELECTION_3: - EventID: 21 - condition: (SELECTION_1 or SELECTION_2 or SELECTION_3) -falsepositives: -- exclude legitimate (vetted) use of WMI event subscription in your network -id: 0f06a3a5-6a09-413f-8743-e6cf35561297 -level: high -logsource: - category: wmi_event - product: windows -status: experimental -tags: -- attack.t1084 -- attack.persistence -- attack.t1546.003 -yml_filename: sysmon_wmi_event_subscription.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event - 
diff --git a/rules-noisy/Sigma/win_metasploit_authentication.yml b/rules-noisy/Sigma/win_metasploit_authentication.yml deleted file mode 100644 index 01d79062..00000000 --- a/rules-noisy/Sigma/win_metasploit_authentication.yml +++ /dev/null @@ -1,40 +0,0 @@ -title: Metasploit SMB Authentication -author: Chakib Gzenayi (@Chak092), Hosni Mribah -date: 2020/05/06 -description: Alerts on Metasploit host's authentications on the domain. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - EventID: 4624 - SELECTION_3: - LogonType: 3 - SELECTION_4: - AuthenticationPackageName: NTLM - SELECTION_5: - WorkstationName|re: ^[A-Za-z0-9]{16}$ - SELECTION_6: - ProcessName|re: ^$ - SELECTION_7: - EventID: 4776 - SELECTION_8: - Workstation|re: ^[A-Za-z0-9]{16}$ - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and - SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) -falsepositives: -- Linux hostnames composed of 16 characters. -id: 72124974-a68b-4366-b990-d30e0b2a190d -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -yml_filename: win_metasploit_authentication.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/win_multiple_suspicious_cli.yml b/rules-noisy/Sigma/win_multiple_suspicious_cli.yml deleted file mode 100644 index 3f5ae391..00000000 --- a/rules-noisy/Sigma/win_multiple_suspicious_cli.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -title: Quick Execution of a Series of Suspicious Commands -author: juju4 -date: 2019/01/16 -description: Detects multiple suspicious process in a limited timeframe -detection: - SELECTION_1: - EventID: 1 - SELECTION_10: - CommandLine: '*nbtstat.exe*' - SELECTION_11: - CommandLine: '*net.exe*' - SELECTION_12: - CommandLine: '*netsh.exe*' - SELECTION_13: - CommandLine: '*nslookup.exe*' - SELECTION_14: - CommandLine: '*ping.exe*' - SELECTION_15: - CommandLine: '*quser.exe*' - SELECTION_16: - CommandLine: '*qwinsta.exe*' - SELECTION_17: - CommandLine: '*reg.exe*' - SELECTION_18: - CommandLine: '*runas.exe*' - SELECTION_19: - CommandLine: '*sc.exe*' - SELECTION_2: - CommandLine: '*arp.exe*' - SELECTION_20: - CommandLine: '*schtasks.exe*' - SELECTION_21: - CommandLine: '*ssh.exe*' - SELECTION_22: - CommandLine: '*systeminfo.exe*' - SELECTION_23: - CommandLine: '*taskkill.exe*' - SELECTION_24: - CommandLine: '*telnet.exe*' - SELECTION_25: - CommandLine: '*tracert.exe*' - SELECTION_26: - CommandLine: '*wscript.exe*' - SELECTION_27: - CommandLine: '*xcopy.exe*' - SELECTION_28: - CommandLine: '*pscp.exe*' - SELECTION_29: - CommandLine: '*copy.exe*' - SELECTION_3: - CommandLine: '*at.exe*' - SELECTION_30: - CommandLine: '*robocopy.exe*' - SELECTION_31: - CommandLine: '*certutil.exe*' - SELECTION_32: - CommandLine: '*vssadmin.exe*' - SELECTION_33: - CommandLine: '*powershell.exe*' - SELECTION_34: - CommandLine: '*wevtutil.exe*' - SELECTION_35: - CommandLine: '*psexec.exe*' - SELECTION_36: - CommandLine: '*bcedit.exe*' - SELECTION_37: - CommandLine: '*wbadmin.exe*' - SELECTION_38: - CommandLine: '*icacls.exe*' - SELECTION_39: - CommandLine: '*diskpart.exe*' - SELECTION_4: - CommandLine: '*attrib.exe*' - SELECTION_5: - CommandLine: '*cscript.exe*' - SELECTION_6: - CommandLine: '*dsquery.exe*' - SELECTION_7: - CommandLine: '*hostname.exe*' - SELECTION_8: - CommandLine: '*ipconfig.exe*' - SELECTION_9: - CommandLine: '*mimikatz.exe*' - condition: (SELECTION_1 and 
(SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 - or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 - or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 - or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 - or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 - or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 - or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 - or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39))| count() - by MachineName > 5 -falsepositives: -- False positives depend on scripts and administrative tools used in the monitored - environment -id: 61ab5496-748e-4818-a92f-de78e20fe7f1 -level: low -logsource: - category: process_creation - product: windows -modified: 2021/06/13 -references: -- https://car.mitre.org/wiki/CAR-2013-04-002 -status: experimental -tags: -- car.2013-04-002 -yml_filename: win_multiple_suspicious_cli.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation - diff --git a/rules-noisy/Sigma/win_powershell_script_installed_as_service.yml b/rules-noisy/Sigma/win_powershell_script_installed_as_service.yml deleted file mode 100644 index 65f22ff2..00000000 --- a/rules-noisy/Sigma/win_powershell_script_installed_as_service.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: PowerShell Scripts Installed as Services -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -description: Detects powershell script installed as a Service -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: '*powershell*' - SELECTION_3: - ImagePath: '*pwsh*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Unknown -id: a2e5019d-a658-4c6a-92bf-7197b54e2cae -level: high -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -status: experimental -tags: -- attack.execution -- attack.t1569.002 -yml_filename: win_powershell_script_installed_as_service.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/win_rare_schtasks_creations.yml b/rules-noisy/Sigma/win_rare_schtasks_creations.yml deleted file mode 100644 index 40c51982..00000000 --- a/rules-noisy/Sigma/win_rare_schtasks_creations.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: Rare Schtasks Creations -author: Florian Roth -date: 2017/03/23 -description: Detects rare scheduled tasks creations that only appear a few times per - time frame and could reveal password dumpers, backdoor installs or other types - of malicious code -detection: - SELECTION_1: - EventID: 4698 - condition: SELECTION_1| count() by TaskName < 5 -falsepositives: -- Software installation -- Software updates -id: b0d77106-7bb0-41fe-bd94-d1752164d066 -level: low -logsource: - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection (not in the baseline - recommendations by Microsoft). We also recommend extracting the Command field - from the embedded XML in the event data. - product: windows - service: security -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.persistence -- attack.t1053 -- car.2013-08-001 -- attack.t1053.005 -yml_filename: win_rare_schtasks_creations.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/win_rare_service_installs.yml b/rules-noisy/Sigma/win_rare_service_installs.yml deleted file mode 100644 index d5a4df16..00000000 --- a/rules-noisy/Sigma/win_rare_service_installs.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Rare Service Installs -author: Florian Roth -date: 2017/03/08 -description: Detects rare service installs that only appear a few times per time frame - and could reveal password dumpers, backdoor installs or other types of malicious - services -detection: - SELECTION_1: - EventID: 7045 - condition: SELECTION_1| count() by ServiceFileName < 5 -falsepositives: -- Software installation -- Software updates -id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae -level: low -logsource: - product: windows - service: system -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1050 -- car.2013-09-005 -- attack.t1543.003 -yml_filename: win_rare_service_installs.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/win_susp_failed_logons_single_source.yml b/rules-noisy/Sigma/win_susp_failed_logons_single_source.yml deleted file mode 100644 index 85c0b923..00000000 --- a/rules-noisy/Sigma/win_susp_failed_logons_single_source.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -title: Failed Logins with Different Accounts from Single Source System -author: Florian Roth -date: 2017/01/10 -description: Detects suspicious failed logins with different user accounts from a - single source system -detection: - SELECTION_1: - EventID: 529 - SELECTION_2: - EventID: 4625 - SELECTION_3: - TargetUserName: '*' - SELECTION_4: - WorkstationName: '*' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)| count(TargetUserName) - by WorkstationName > 3 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: e98374a6-e2d9-4076-9b5c-11bdb2569995 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/21 -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1078 -yml_filename: win_susp_failed_logons_single_source.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/Sigma/win_susp_failed_logons_single_source2.yml b/rules-noisy/Sigma/win_susp_failed_logons_single_source2.yml deleted file mode 100644 index 79daca36..00000000 --- a/rules-noisy/Sigma/win_susp_failed_logons_single_source2.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -title: Failed Logins with Different Accounts from Single Source System -author: Florian Roth -date: 2017/01/10 -description: Detects suspicious failed logins with different user accounts from a - single source system -detection: - SELECTION_1: - EventID: 4776 - SELECTION_2: - TargetUserName: '*' - SELECTION_3: - Workstation: '*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)| count(TargetUserName) - by Workstation > 3 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/21 -related: -- id: e98374a6-e2d9-4076-9b5c-11bdb2569995 - type: derived -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1078 -yml_filename: win_susp_failed_logons_single_source2.yml -yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin - diff --git a/rules-noisy/System/7036.yml b/rules-noisy/System/7036.yml deleted file mode 100644 index c4f8d6b4..00000000 --- a/rules-noisy/System/7036.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: The ... service entered the stopped|running state -description: hogehoge -author: DeepblueCLI, Zach Mathis -detection: - selection: - Channel: System - EventID: 7036 - param1: - regexes: ./config/regex/regexes_suspicous_service.txt - condition: selection -falsepositives: - - unknown -output: 'Suspicious Service Name¥nService name: %ServiceName%' -creation_date: 2020/11/8 -uodated_date: 2020/11/8 From 9be8b3d33f114a6cc34c7e6471f486dea9c16554 Mon Sep 17 00:00:00 2001 
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 17 Dec 2021 11:07:27 +0000 Subject: [PATCH 11/22] art update (#294) --- art/christmas.txt | 70 +++++++++++++++++++++++++++++++------- art/happynewyear.txt | 36 ++++++++++++++------ art/ninja.txt | 6 ++-- art/takoyaki.txt | 81 +++++++++++++++++++++----------------------- 4 files changed, 125 insertions(+), 68 deletions(-) diff --git a/art/christmas.txt b/art/christmas.txt index 48a94f93..144c9b8c 100644 --- a/art/christmas.txt +++ b/art/christmas.txt 
@@ -1,13 +1,57 @@ - /⌒\、__/⌒ ̄} - \__(__)__/ - 〃〓/ ̄ > <  ̄\〓〃 - ミ☆/: (:: ::):: >☆彡 - ★≡〃\/〉:: ::〈\/ ≡〃★ - ●※○ ^^^^^^^^ ○※● -〃≡★ Merry Christmas ★≡〃 - ☆〓 〓☆ - 〃≡★ (;) ★≡〃 - ●※○- ,_】【_, ,-○※● - ★〃≡〓 ○ 〓≡〃★ - ミ☆-★※★-☆彡 - ● \ No newline at end of file + + ,, + ,,,, + .,,,,,,,,,,,.. + .,,,,,,,,,,,,,,,, + ,,,,,,,,,,, + ,,,,,,,,,,, + ,,,,(((,,,,. + . ,(((((( + ((((((((( + ((((((((((((( + (((((((,,,,((((* + ((((((((,,,,,,,(((( + ((((((((((,,,,,,((((((( + ((*,(((((((((((((((((((((/ + ((* ((. .(((((((((((((((( + ((((( Merry ((((((((( + (((((((, Christmas ((((((((((( + ((((((((/(((((( ((((((((((((((((((((( + (((((((*******((((((((((((((((((((((((((((((( + (((((((((*******((((((((((((((((((((((((((((((((( + .//////(((((((((((((((((((((((((((,,,,,(((((((((//////* + (((((((((((((((((((((((((((,,,,,,,((((((((( + (( ((((((((((((((((((((((,,,,,(((((((((((( + ,((. .(((((((((((((((((((((((((((((((((( + (((((((( from ((((((((((((((((((((((((((((((* + (((((((((((( , (((((((((((((((((( *.(* + .((((((((((((((((((((((((((((((((((((((((( ((( + (((((((((((((((((((((((((((((((((((((((/ Yamato ,((((((( + (((((((((((((((((((((((((((((((((((((((( (((((((((((( + ((((((((((((((((((((((((,,,((((( (, ,(((((((((( + ((((((((((((((((((((((((,,,,,,,(((((((((((((((((((((((((( + *(((( ((((((((((((((((/,,,,,,((((((((((((((((******(((((( + (((( ((((((((((((((((((((((((((((((((********((((((. + (((((( Security! ((((((((((((((((((((((((((((((****(((((((((( + ((((((((( ((((((((((((((((((((((((((((((((((((((((((( + ,(((((((((((((((( .(( ((((((((((((((((((( ( ((((((((((((( + ((((((((((((((((,,,,,((((((((( (((((((((((( Ho ho ho!!! ,(((((((((((((. 
+ (((((((((((((((((,,,,,,,(((((((((((((((((((((( (((((((((((((((((((( + ((((((((((((((((((((,,,,,((((((((((((((((((((((((((( ,(((((((/,,,,,(((((((((((((((( + (((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((,,,,,,,((((((((((((((((( + .(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((,,,,*(((((((((((((((((((/ + ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( + /////////// + /////////// + /////////// + /////////// + /////////// + /////////// + ***************************** + ***************************** + %%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%#%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%% + #%%%%%%%%%%%%%%%#%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%% + \ No newline at end of file diff --git a/art/happynewyear.txt b/art/happynewyear.txt index 14c2bc91..bda3f44d 100644 --- a/art/happynewyear.txt +++ b/art/happynewyear.txt @@ -1,10 +1,26 @@ - _〆 - (∴) - ( ̄ ̄ ̄) - <( ̄ ̄ ̄ ̄)> - [二◆二二◆二] - |◇ ● ◇| - |◆ ◆| - |____| - - A Happy New Year!! + + @@ + @@@@@ @@ @@@@, + @@& @@@@@@@@@@@@@@@@@. @@@@@@@@@@@@@@@@@@ + @@@@@@@@@@@( @@@@@@ @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@. + .@@@@@@@@@@@ @@@@@ #@@@ @@@@@@ @@@@@@@@@@@@@ + @@@ @@@@ @@@@@@@@@@@@@@( @@@@@@@ + ,@@@ (@@@ @@ .@@@@@ + @@@@ @@@@@@@ %% @@@@@ + @@@@ @@@@ @@@@@@@%*.,@@@@@@ @@@@, + @@@@ @@@@@@ @@@@@ @@@@. @@@@@@@@@ + @@@@ @@@ @@@@@@@@ @@@@@ @@@@@@@ @@@@@@@@@@@@@@@@@ + @@@, @@@@& @@@@ @@@@ + @@@ %@@@@@@ %@@@@, @@@@ @@@@ + @@@@@@@@# @@@@@ @@@@ @@@@ + @@@ (@@@@@@@@@@ @@@@ @@@@ + @@@@@@@@@@@@@@@@@@@@@ @@@@ @@@@ %@@@ + @@@@@@( @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @@@@@ @@@@@@@ ,@@@@@@@@@@@@@@@@@@@@@@/ &@@@@@@@@@@@@@@& + @@@@@ @@@@@@@ @@@@@@@@@@ @@@@# + @@@@@ @@@@@@@ *@ + @@@@@ #@@@@ + + Happy New Year from Yamato Security!!! + Akemashite Omedetou Gozaimasu! + Honnen mo yoroshiku onegai shimasu! diff --git a/art/ninja.txt b/art/ninja.txt index 505ddce6..ddfd6831 100644 --- a/art/ninja.txt +++ b/art/ninja.txt 
@@ -1,5 +1,3 @@ - - Today is Ninja Day (2/22)! .`,I>>+<;"' .,}u#zcccccz*#W&jI. @@ -35,3 +33,7 @@ [$#ccccccccccccB$%WMcnnnnnnnnz$$$B&cc#@8nnnnnnu#@$$&*cccccccMB*ccccc#$$$, @%ccccccccccccz$#cxcnnnnnnnnM$$$@zcccc*$8nnnnnnnnW8$$%MMMM*#&zccccccc@$$| "$*cccccccccccc#$cnx@WnnnnnnW$$$$Wccccc#@$8unnnn*@Wu&@$$$$$$@#cccccccc&$$W + + Happy Ninja Day! Nin Nin! (2/22)! + from Yamato Security + \ No newline at end of file diff --git a/art/takoyaki.txt b/art/takoyaki.txt index 29320d36..a01fa6b7 100644 --- a/art/takoyaki.txt +++ b/art/takoyaki.txt 
@@ -1,43 +1,38 @@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@#------@@@@@@@@--------@@@@@@@@--------@@@@@@@@--------@@@@@@@@--------@@@@@@@@------#@@ -@@* @@@@@@@% @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@ -@@* @@@@@@@% @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@ -@@#------********--------********--------********--------********--------********=-----#@@ -@@@@@@@@@ @@@@@@@# @@@@@@@@ @@@@@@@@ @@@@@@@% @@@@@@@@@ -@@@@@@@@@ @@@@@@@# @@@@@@@@ @@@@@@@@ @@@@@@@% @@@@@@@@@ -@@@@@@@@@ @@@@@@@# @@@@@@@@ @@@@@@@@ @@@@@@@% @@@@@@@@@ -@@@@@@@@@-------=@@@@@@@%-------=@@@@@@@@-------=@@@@@@@@-------=@@@@@@@@-------=@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=:@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*.+@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@= *@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%:-@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*.*@@@@@@@@@@@@ -@@@@@@@@@@@%*=-:::-=*@@@@@@@@@%*=-:::-+#@@@@@@@@@#+=-::-=+#@@@@@@@@@#+--::: =%@@@@@@@@@@@@ -@@@@@@@@@*: = :#@@@@+. -%@@@@= =@@@@%- .+@@@@@@@@@@ -@@@@@@@@: :: #* -@%. - *= =@* -. =#. *@+ :: -#: .#@@@@@@@@ -@@@@@@@. : -. . : .= : : = . %@@@@@@@ -@@@@@@+ =*. -+=. .++ =+= :*= =+- -*- .++- . -@@@@@@@ -@@@@@@= *@@@@=-#@@@@+:+@% .*@@@%==#@@@@=:*@# :#@@@#==%@@@%--#@+ -%@@@*-=@@@@#--%@-:@@@@@@@ -@@@@-== #@@@@@@@@@@@@@@@+ %@@@@@@@@@@@@@@@- .@@@@@@@@@@@@@@@@. :@@@@@@@@@@@@@@@@ :=:@@@@@ -@@@@#. =*#@@@@@@@@@@@* *-.%@@@@@@@@@@@@@= #::@@@@@@@@@@@@@@:.# -@@@@@@@@@@@%*=. .*@@@@@ -@@@@@@#- .:-=+*#%*::%@@*.-#@@@@@@@@@+.-%@@=.=%@@@@@@@@%=.=@@@=.+%#*+=-:. :*@@@@@@@ -@@@@@@@@@*- ..::- :====-. .=++++++: .-====-. :::.. :*@@@@@@@@@@ -@@@@@@@@@@@@%+-. .-+#@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@%#*+-::. 
..:-=*#%@@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@%##***++++=============++++***##%@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@======@@#--%@@#=+@@+=#@#=--=#@#==@@==#@@+-=@@@+=*@@==%==#@@@*====+%@@@#--%@@*=*@%==%==@@ -@@*+ ##@@. .@@* .@= :@- .+*: -# %% +@# -@@- =@: =@ *@@@- -#+ #@@. .@@= .@* % %@ -@@@# @@@: =- -@* .@@ #@@% @# *@% *. *@- =@@ #@@@= =@@= -@- -= -@@+ .#@:.@@ -@@@# @@+ :: ** .@: :@+ -- +@@# #@@: .:: %- =%. =@ *@@@- :+- .%* :: +@@+ @@@=-@@ -@@@%++@@*+%@@#+*%+*@@*+#@@*++*@@@@@**@@@++@@@*+##+#@%++%++%@@@#+++*#@@*+%@@%+*@@%**@@@*+@@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@@@@@@@@:.......@@@@@@@@:.......@@@@@@@@:.......@@@@@@@@:.......%@@@@@@@:.......@@@@@@@@@ -@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ %@@@@@@@ @@@@@@@@@ -@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ %@@@@@@@ @@@@@@@@@ -@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ %@@@@@@@ @@@@@@@@@ -@@#:::::-########::::::::########::::::::########::::::::########::::::::########::::::#@@ -@@* .@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@ -@@* .@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ *@@ -@@%+++++*@@@@@@@@++++++++@@@@@@@@++++++++@@@@@@@@++++++++@@@@@@@@++++++++@@@@@@@@++++++%@@ \ No newline at end of file + + #### + ##.## + ##.(# + .#.,# + #..# + ##.#* + ##.## + *#.## + #.## + #(/# + ##.# + (#.#, + #.#( + #*## + #### + .,####* ##(# + ##.##../##((####.((####,# + ####(.(....(((((##,.#(((###### + ###.(##(((#######..##......#((((##/ + ########((((####.(##########(*(((#,##..# + #################..####*..(((######*,##..# + /###############......*####((((###.*##..#### + #######(,#####################*#####.((((#### + #(###,,,,#############(/######...##..#(###### + #,,,,,,,,*#######,,,,,,,,######(.######/*/### + #,,,,,,,,,,,,,,,,,,,,,,,#######/############# + #,,,,,,,,,,,,,,,,,,,,,,##########,,,(####### + #,,,,,,,,,,,,,,,,,,,,,#######,,,,,,####### + #,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,###### 
+ ##,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,*## + ##,,,,,,,,,,,,,,,,,,,,,,,,,,,,,## + ###,,,,,,,,,,,,,,,,,,,,,,##. + .################# + + HAPPY TAKOYAKI DAY!!! (8/8) + from Yamato Security + \ No newline at end of file From d668fc9241a5dd7c49a7368eb7e75550608a2036 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 17 Dec 2021 12:25:55 +0000 Subject: [PATCH 12/22] Regex filename change (#291) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * update rule config files and art * regexサンプルファイルの名前変更 * fixed test error due to filename change #291 Co-authored-by: DustInDark --- art/christmas.txt | 2 +- config/eventkey_alias.txt | 4 ++++ config/exclude-rules-full.txt | 8 ++++++++ config/exclude-rules.txt | 3 ++- config/noisy-rules-full.txt | 9 +++++++++ config/noisy-rules.txt | 4 ++++ ...viceimage.txt => allowlist_legitimate_services.txt} | 0 ...s_service.txt => detectlist_suspicous_services.txt} | 0 ...rocess-WindowsService_MaliciousServiceInstalled.yml | 8 ++++---- src/detections/rule/matchers.rs | 10 +++++----- src/detections/utils.rs | 4 ++-- 11 files changed, 39 insertions(+), 13 deletions(-) create mode 100644 config/exclude-rules-full.txt create mode 100644 config/noisy-rules-full.txt rename config/regex/{allowlist_legimate_serviceimage.txt => allowlist_legitimate_services.txt} (100%) rename config/regex/{regexes_suspicous_service.txt => detectlist_suspicous_services.txt} (100%) diff --git a/art/christmas.txt b/art/christmas.txt index 144c9b8c..72c9807a 100644 --- a/art/christmas.txt +++ b/art/christmas.txt @@ -54,4 +54,4 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%% #%%%%%%%%%%%%%%%#%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%% - \ No newline at end of file + diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt index 3188c4b9..7c4bbcc4 100644 --- a/config/eventkey_alias.txt +++ b/config/eventkey_alias.txt 
@@ -12,6 +12,7 @@ AuthenticationPackageName,Event.EventData.AuthenticationPackageName CallTrace,Event.EventData.CallTrace Caller_Process_Name,Event.EventData.Caller_Process_Name CallingProcessName,Event.EventData.CallingProcessName +CategoryName,Event.EventData.Category Name Channel,Event.System.Channel Client_Address,Event.EventData.Client_Address CommandLine,Event.EventData.CommandLine @@ -30,6 +31,7 @@ DestinationIsIpv6,Event.EventData.DestinationIsIpv6 DestinationPort,Event.EventData.DestinationPort Details,Event.EventData.Details DetectionSource,Event.EventData.DetectionSource +DetectionUser,Event.EventData.Detection User Device,Event.EventData.Device DeviceClassName,Event.EventData.DeviceClassName DeviceDescription,Event.EventData.DeviceDescription @@ -107,6 +109,7 @@ Service,Event.EventData.Service ServiceFileName,Event.EventData.ServiceFileName ServiceName,Event.EventData.ServiceName ServicePrincipalNames,Event.EventData.ServicePrincipalNames +SeverityName,Event.EventData.Severity Name ShareName,Event.EventData.ShareName SidHistory,Event.EventData.SidHistory Signature,Event.EventData.Signature @@ -136,6 +139,7 @@ TargetProcessAddress,Event.EventData.TargetProcessAddress TargetSid,Event.EventData.TargetSid TargetUserName,Event.EventData.TargetUserName TaskName,Event.EventData.TaskName +ThreatName,Event.EventData.Threat Name TicketEncryptionType,Event.EventData.TicketEncryptionType TicketOptions,Event.EventData.TicketOptions Url,Event.EventData.url diff --git a/config/exclude-rules-full.txt b/config/exclude-rules-full.txt new file mode 100644 index 00000000..f03fce3c --- /dev/null +++ b/config/exclude-rules-full.txt 
@@ -0,0 +1,8 @@ +4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml +c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml +9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml + +# Replaced by hayabusa rules +c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml +66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml +7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml \ No newline at end of file diff --git a/config/exclude-rules.txt b/config/exclude-rules.txt index 201932cc..22e7479f 100644 --- a/config/exclude-rules.txt +++ b/config/exclude-rules.txt @@ -2,4 +2,5 @@ c92f1896-d1d2-43c3-92d5-7a5b35c217bb 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 c265cf08-3f99-46c1-8d59-328247057d57 -66b6be3d-55d0-4f47-9855-d69df21740ea \ No newline at end of file +66b6be3d-55d0-4f47-9855-d69df21740ea +9f7aa113-9da6-4a8d-907c-5f1a4b908299 \ No newline at end of file diff --git a/config/noisy-rules-full.txt b/config/noisy-rules-full.txt new file mode 100644 index 00000000..abadf989 --- /dev/null +++ b/config/noisy-rules-full.txt 
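Review bot: Every id in the new exclude-rules-full.txt is followed by a trailing `# ./rules/...` comment, and nothing in this patch shows the loader stripping text after `#`; if the loader compares whole trimmed lines, each entry here would silently fail to match and none of these rules would actually be excluded. If the `-full` file is only a human-readable reference and the tool reads exclude-rules.txt, a first line such as `# Reference list only; the tool reads exclude-rules.txt` would make that explicit and stop someone editing the wrong file. The same applies to noisy-rules-full.txt in the next hunk, and both new files are missing a trailing newline.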
@@ -0,0 +1,9 @@ +0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml +b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml +66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml +e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml +6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml +61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml +add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml +196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml +72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml \ No newline at end of file diff --git a/config/noisy-rules.txt b/config/noisy-rules.txt index 1fa83b45..fce2d332 100644 --- a/config/noisy-rules.txt +++ b/config/noisy-rules.txt @@ -3,4 +3,8 @@ b0d77106-7bb0-41fe-bd94-d1752164d066 66bfef30-22a5-4fcd-ad44-8d81e60922ae e98374a6-e2d9-4076-9b5c-11bdb2569995 6309ffc4-8fa2-47cf-96b8-a2f72e58e538 +61ab5496-748e-4818-a92f-de78e20fe7f1 +add2ef8d-dc91-4002-9e7e-f2702369f53a +196a29c2-e378-48d8-ba07-8a9e61f7fab9 +72124974-a68b-4366-b990-d30e0b2a190d b20f6158-9438-41be-83da-a5a16ac90c2b \ No newline at end of file diff --git a/config/regex/allowlist_legimate_serviceimage.txt b/config/regex/allowlist_legitimate_services.txt similarity index 100% rename from config/regex/allowlist_legimate_serviceimage.txt rename to config/regex/allowlist_legitimate_services.txt 
diff --git a/config/regex/regexes_suspicous_service.txt b/config/regex/detectlist_suspicous_services.txt similarity index 100% rename from config/regex/regexes_suspicous_service.txt rename to config/regex/detectlist_suspicous_services.txt diff --git a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml index 78b13842..a249f246 100644 --- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml +++ b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml @@ -6,8 +6,8 @@ title: Malicious service installed title_jp: 悪意のあるサービスがインストールされた output: 'Service: %ServiceName% : Image path: %ImagePath' output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath' -description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt -description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt +description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt +description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt id: dbbfd9f3-9508-478b-887e-03ddb9236909 level: high @@ -17,10 +17,10 @@ detection: Channel: System EventID: 7045 ServiceName: - regexes: ./config/regex/regexes_suspicous_service.txt + regexes: ./config/regex/detectlist_suspicous_services.txt ImagePath: min_length: 1000 - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt + allowlist: .allowlist_legitimate_services.txt condition: selection falsepositives: - normal system usage diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 42c69614..7fc45fd7 100644 
--- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -538,8 +538,8 @@ mod tests { - ホスト アプリケーション ImagePath: min_length: 1234321 - regexes: ./config/regex/regexes_suspicous_service.txt - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt + regexes: ./config/regex/detectlist_suspicous_services.txt + allowlist: ./config/regex/allowlist_legitimate_services.txt falsepositives: - unknown level: medium @@ -1165,7 +1165,7 @@ mod tests { selection: EventID: 4103 Channel: - - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt + - allowlist: ./config/regex/allowlist_legitimate_services.txt output: 'command=%CommandLine%' "#; @@ -1202,7 +1202,7 @@ mod tests { selection: EventID: 4103 Channel: - - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt + - allowlist: ./config/regex/allowlist_legitimate_services.txt output: 'command=%CommandLine%' "#; @@ -1239,7 +1239,7 @@ mod tests { selection: EventID: 4103 Channel: - - allowlist: ./config/regex/allowlist_legimate_serviceimage.txt + - allowlist: ./config/regex/allowlist_legitimate_services.txt output: 'command=%CommandLine%' "#; diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 72d6448c..c7e4c57b 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -192,7 +192,7 @@ mod tests { #[test] fn test_check_regex() { - let regexes = utils::read_txt("./config/regex/regexes_suspicous_service.txt") + let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt") .unwrap() .into_iter() .map(|regex_str| Regex::new(®ex_str).unwrap()) @@ -207,7 +207,7 @@ mod tests { #[test] fn test_check_allowlist() { let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\""; - let allowlist = utils::read_txt("./config/regex/allowlist_legimate_serviceimage.txt") + let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt") .unwrap() .into_iter() .map(|allow_str| Regex::new(&allow_str).unwrap()) 
From ee80e6bc1eb5d96af9768332229197e1cf76682c Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 18 Dec 2021 11:06:08 +0900 Subject: [PATCH 13/22] Hotfix/regex filename replace lack#296 (#297) * fixed lacked replacement #286 * fixed typo #296 --- ...tySystemProcess-WindowsService_MaliciousServiceInstalled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml index a249f246..4dbbdbd5 100644 --- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml +++ b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml @@ -20,7 +20,7 @@ detection: regexes: ./config/regex/detectlist_suspicous_services.txt ImagePath: min_length: 1000 - allowlist: .allowlist_legitimate_services.txt + allowlist: ./config/regex/allowlist_legitimate_services.txt condition: selection falsepositives: - normal system usage From 2626ef8e49698e67f52dc3bc1dcd4c178089a830 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 18 Dec 2021 11:06:45 +0900 Subject: [PATCH 14/22] removed process-speed view in progress bar #289 (#292) --- src/main.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main.rs b/src/main.rs index 7bce8cc9..1bdc0e82 100644 --- a/src/main.rs +++ b/src/main.rs @@ -137,6 +137,7 @@ fn analysis_files(evtx_files: Vec) { &filter::exclude_ids(), ); let mut pb = ProgressBar::new(evtx_files.len() as u64); + pb.show_speed = false; let mut detection = detection::Detection::new(rule_files); for evtx_file in evtx_files { if configs::CONFIG.read().unwrap().args.is_present("verbose") { From 17b6b97aa30a976b00d095773cb8b35979fd7776 Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Sat, 18 Dec 2021 11:12:28 +0900 Subject: [PATCH 15/22] Revert "removed process-speed view in progress bar #289 (#292)" (#298) This reverts commit 2626ef8e49698e67f52dc3bc1dcd4c178089a830. --- src/main.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index 1bdc0e82..7bce8cc9 100644 --- a/src/main.rs +++ b/src/main.rs @@ -137,7 +137,6 @@ fn analysis_files(evtx_files: Vec) { &filter::exclude_ids(), ); let mut pb = ProgressBar::new(evtx_files.len() as u64); - pb.show_speed = false; let mut detection = detection::Detection::new(rule_files); for evtx_file in evtx_files { if configs::CONFIG.read().unwrap().args.is_present("verbose") { From cbbcb4c0688d3b6dd79c43860431f114320657d2 Mon Sep 17 00:00:00 2001 From: James Takai / hach1yon <32596618+hach1yon@users.noreply.github.com> Date: Sat, 18 Dec 2021 11:13:51 +0900 Subject: [PATCH 16/22] Feature/re tuning and bugfix for regexes keyword (#293) * re-tuning * not effective * re-tuning * set key * fix bug and fix testcase. * fmt --- src/detections/detection.rs | 22 +- src/detections/mod.rs | 2 +- src/detections/rule/condition_parser.rs | 26 +- src/detections/rule/count.rs | 19 +- src/detections/rule/matchers.rs | 293 ++++--------- src/detections/rule/mod.rs | 116 +++-- src/detections/rule/selectionnodes.rs | 51 +-- src/detections/utils.rs | 48 ++ src/main.rs | 559 +++++++++++++----------- 9 files changed, 522 insertions(+), 614 deletions(-) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 7f16a3b9..103297d9 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs 
@@ -1,18 +1,18 @@ extern crate csv; -use crate::detections::rule::AggResult; -use serde_json::Value; -use std::collections::HashMap; -use tokio::{runtime::Runtime, spawn, task::JoinHandle}; - use crate::detections::configs; use crate::detections::print::AlertMessage; use crate::detections::print::MESSAGES; use crate::detections::rule; +use crate::detections::rule::AggResult; use crate::detections::rule::RuleNode; use crate::detections::utils::get_serde_number_to_string; use crate::filter; use crate::yaml::ParseYaml; +use hashbrown; +use serde_json::Value; +use std::collections::HashMap; +use tokio::{runtime::Runtime, spawn, task::JoinHandle}; use std::sync::Arc; @@ -24,15 +24,12 @@ pub struct EvtxRecordInfo { pub evtx_filepath: String, // イベントファイルのファイルパス ログで出力するときに使う pub record: Value, // 1レコード分のデータをJSON形式にシリアライズしたもの pub data_string: String, + pub key_2_value: hashbrown::HashMap, } impl EvtxRecordInfo { - pub fn new(evtx_filepath: String, record: Value, data_string: String) -> EvtxRecordInfo { - return EvtxRecordInfo { - evtx_filepath: evtx_filepath, - record: record, - data_string: data_string, - }; + pub fn get_value(&self, key: &String) -> Option<&String> { + return self.key_2_value.get(key); } } @@ -185,9 +182,8 @@ impl Detection { // 複数のイベントレコードに対して、ルールを1個実行します。 fn execute_rule(mut rule: RuleNode, records: Arc>) -> RuleNode { - let records = &*records; let agg_condition = rule.has_agg_condition(); - for record_info in records { + for record_info in records.as_ref() { let result = rule.select(&record_info.evtx_filepath, &record_info); if !result { continue; diff --git a/src/detections/mod.rs b/src/detections/mod.rs index 3bfab408..e4ee98be 100644 --- a/src/detections/mod.rs +++ b/src/detections/mod.rs @@ -1,5 +1,5 @@ pub mod configs; pub mod detection; pub mod print; -mod rule; +pub mod rule; pub mod utils; diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index 8bc90d71..3f37ed60 100644 
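Review bot: The new `key_2_value` field and `get_value` accessor in the `@@ -24,15 +24,12 @@` hunk carry no comment saying where the map comes from, and that matters because `get_value` returns `None` for any field that was not pre-extracted, not only for fields the record genuinely lacks. From the updated tests it is populated by `utils::create_rec_info(record, path, &keys)` with the keys from `rule::get_detection_keys` (utils.rs is not in this view), so I would document the field as `// field name -> string value, pre-extracted only for the keys the loaded rules reference (see rule::get_detection_keys); any other field yields None from get_value()`. `get_value(&self, key: &String)` should also take `&str`: a `HashMap<String, _>` accepts it through `Borrow<str>`, and callers holding a `&str` would otherwise have to allocate. The removed `new` constructor was `pub`, so any caller outside the tests shown here must move to `create_rec_info`.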
--- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -503,11 +503,10 @@ impl ConditionCompiler { #[cfg(test)] mod tests { - use yaml_rust::YamlLoader; - - use crate::detections::detection::EvtxRecordInfo; use crate::detections::rule::create_rule; use crate::detections::rule::tests::parse_rule_from_str; + use crate::detections::{self, utils}; + use yaml_rust::YamlLoader; const SIMPLE_RECORD_STR: &str = r#" { @@ -537,11 +536,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!( rule_node.select(&"testpath".to_owned(), &recinfo), expect_select @@ -586,11 +582,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { @@ -633,11 +626,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { 
diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs index 9ad83e2b..d4152518 100644 --- a/src/detections/rule/count.rs +++ b/src/detections/rule/count.rs @@ -316,10 +316,11 @@ pub fn judge_timeframe( #[cfg(test)] mod tests { - use crate::detections::detection::EvtxRecordInfo; + use crate::detections; use crate::detections::rule::create_rule; use crate::detections::rule::AggResult; - use std::collections::HashMap; + use crate::detections::utils; + use hashbrown::HashMap; use chrono::{TimeZone, Utc}; use yaml_rust::YamlLoader; @@ -642,11 +643,8 @@ mod tests { for record in target { match serde_json::from_str(record) { Ok(rec) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: rec, - data_string: record.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(rec, "testpath".to_owned(), &keys); let _result = rule_node.select(&"testpath".to_string(), &recinfo); } Err(_rec) => { @@ -735,11 +733,8 @@ mod tests { for record_str in records_str { match serde_json::from_str(record_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); let result = &rule_node.select(&"testpath".to_owned(), &recinfo); assert_eq!(result, &true); } diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 7fc45fd7..f5800c14 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs 
@@ -1,11 +1,15 @@ use regex::Regex; -use serde_json::Value; use std::collections::VecDeque; use yaml_rust::Yaml; use crate::detections::{detection::EvtxRecordInfo, utils}; use mopa::mopafy; +use lazy_static::lazy_static; +lazy_static! { + pub static ref STR_DEFAULT: String = String::default(); +} + // 末端ノードがEventLogの値を比較するロジックを表す。 // 正規条件のマッチや文字数制限など、比較ロジック毎にこのtraitを実装したクラスが存在する。 // @@ -18,7 +22,7 @@ pub trait LeafMatcher: mopa::Any { /// 引数に指定されたJSON形式のデータがマッチするかどうか判定する。 /// main.rsでWindows Event LogをJSON形式に変換していて、そのJSON形式のWindowsのイベントログデータがここには来る /// 例えば正規表現でマッチするロジックなら、ここに正規表現でマッチさせる処理を書く。 - fn is_match(&self, event_value: Option<&Value>, recinfo: &EvtxRecordInfo) -> bool; + fn is_match(&self, event_value: Option<&String>, recinfo: &EvtxRecordInfo) -> bool; /// 初期化ロジックをここに記載します。 /// ルールファイルの書き方が間違っている等の原因により、正しくルールファイルからパースできない場合、戻り値のResult型でエラーを返してください。 @@ -60,11 +64,10 @@ impl LeafMatcher for MinlengthMatcher { return Result::Ok(()); } - fn is_match(&self, event_value: Option<&Value>, _recinfo: &EvtxRecordInfo) -> bool { - return match event_value.unwrap_or(&Value::Null) { - Value::String(s) => s.len() as i64 >= self.min_len, - Value::Number(n) => n.to_string().len() as i64 >= self.min_len, - _ => false, + fn is_match(&self, event_value: Option<&String>, _recinfo: &EvtxRecordInfo) -> bool { + return match event_value { + Some(s) => s.len() as i64 >= self.min_len, + None => false, }; } } 
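Review bot: `STR_DEFAULT` in the first hunk does not need `lazy_static`: `String::new()` is a `const fn`, so `pub static STR_DEFAULT: String = String::new();` gives the same empty string without a runtime initialiser or the extra `use`. I cannot see where it is consumed in this patch; if it stands in for a missing field value somewhere, a comment should say so, because `is_match` now takes `Option<&String>` and can express absence as `None` directly, whereas a shared empty string makes "absent" indistinguishable from "present but empty".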
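Review bot: `MinlengthMatcher::is_match` compares `s.len()`, the UTF-8 byte length, against `min_len`, so a value containing non-ASCII characters (Windows event strings are UTF-16 at the source and are not ASCII-only) clears a `min_length` threshold with fewer characters than the rule author counted. The removed code made the same comparison, but since the line is rewritten here it is the moment to settle the unit: if `min_length` means characters, use `Some(s) => s.chars().count() as i64 >= self.min_len,`; if bytes are intended, say so in a comment on the arm so rule authors know.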
@@ -118,12 +121,10 @@ impl LeafMatcher for RegexesFileMatcher { return Result::Ok(()); } - fn is_match(&self, event_value: Option<&Value>, _recinfo: &EvtxRecordInfo) -> bool { - //TODO Wildcardの場合、CaseInsensitiveなので、ToLowerする。 - return match event_value.unwrap_or(&Value::Null) { - Value::String(s) => !utils::check_regex(s, &self.regexes), - Value::Number(n) => !utils::check_regex(&n.to_string(), &self.regexes), - _ => false, + fn is_match(&self, event_value: Option<&String>, _recinfo: &EvtxRecordInfo) -> bool { + return match event_value { + Some(s) => utils::check_regex(s, &self.regexes), + None => false, }; } } @@ -177,12 +178,10 @@ impl LeafMatcher for AllowlistFileMatcher { return Result::Ok(()); } - fn is_match(&self, event_value: Option<&Value>, _recinfo: &EvtxRecordInfo) -> bool { - return match event_value.unwrap_or(&Value::Null) { - Value::String(s) => !utils::check_allowlist(s, &self.regexes), - Value::Number(n) => !utils::check_allowlist(&n.to_string(), &self.regexes), - Value::Bool(b) => !utils::check_allowlist(&b.to_string(), &self.regexes), - _ => true, + fn is_match(&self, event_value: Option<&String>, _recinfo: &EvtxRecordInfo) -> bool { + return match event_value { + Some(s) => !utils::check_allowlist(s, &self.regexes), + None => true, }; } } 
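Review bot: In `AllowlistFileMatcher::is_match` an absent field counts as a match (`None => true`), so a selection whose only condition on a field is `allowlist:` fires for every record that lacks that field — the inverse of `RegexesFileMatcher` in the hunk just above, which answers `false` for `None`. The removed `_ => true` arm behaved the same way, so this may well be intended (a record with no ImagePath is certainly not on the legitimate-services list), but it deserves a comment so the asymmetry is visible: `// Absent field: treat as not allowlisted so the rule still fires; combine with other conditions if that is too broad`. If the intent is instead that an allowlist only refines a positive selection, `None => false` is the safer default.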
@@ -320,50 +319,18 @@ impl LeafMatcher for DefaultMatcher { return Result::Ok(()); } - fn is_match(&self, event_value: Option<&Value>, recinfo: &EvtxRecordInfo) -> bool { - // unwrap_orの引数に""ではなく" "を指定しているのは、 - // event_valueが文字列じゃない場合にis_event_value_nullの値がfalseになるように、len() == 0とならない値を指定している。 - let is_event_value_null = event_value.is_none() - || event_value.unwrap().is_null() - || event_value.unwrap().as_str().unwrap_or(" ").len() == 0; - + fn is_match(&self, event_value: Option<&String>, _recinfo: &EvtxRecordInfo) -> bool { // yamlにnullが設定されていた場合 // keylistが空(==JSONのgrep検索)の場合、無視する。 - if !self.key_list.is_empty() && self.re.is_none() { - return is_event_value_null; - } - - // JSON形式のEventLogデータをstringに変換するための前処理 - // 以前のコードはstringに変換に変換する必ずto_string()がするような処理になっていた。 - // そうすると、凄く遅くなるので、そうならないように回避 - let mut b_str = String::default(); - let mut n_str = String::default(); - match event_value.unwrap_or(&Value::Null) { - Value::Bool(b) => b_str = b.to_string(), - Value::Number(n) => { - n_str = n.to_string(); - } - _ => (), - }; - - // JSON形式のEventLogデータをstringに変換 - let event_value_str: Option<&String> = if self.key_list.is_empty() { - Option::Some(&recinfo.data_string) - } else { - let value = match event_value.unwrap_or(&Value::Null) { - Value::Bool(_) => Option::Some(&b_str), - Value::String(s) => Option::Some(s), - Value::Number(_) => Option::Some(&n_str), - _ => Option::None, - }; - value - }; - if event_value_str.is_none() { + if self.key_list.is_empty() && self.re.is_none() { return false; } - // 変換したデータに対してパイプ処理を実行する。 - let event_value_str = event_value_str.unwrap(); + if event_value.is_none() { + return false; + } + + let event_value_str = event_value.unwrap(); if self.key_list.is_empty() { // この場合ただのgrep検索なので、ただ正規表現に一致するかどうか調べればよいだけ return self.re.as_ref().unwrap().is_match(&event_value_str); 
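Review bot: The rule-side `null` case is dropped from `DefaultMatcher::is_match`: the old guard `!self.key_list.is_empty() && self.re.is_none()` returned `is_event_value_null` (absent field, JSON null or empty string matched), while the new guard only covers an empty `key_list`, so a leaf with a key and no regex now falls through to `if event_value.is_none() { return false; }` — an absent field no longer matches, the opposite of before — and a present value continues past the hunk into code that, in the removed version, dereferenced `self.re`. Unless the null case is now resolved elsewhere (in `create_rec_info` or in the part of this function after the hunk, neither visible here), I would reinstate it ahead of the `None` check: `if !self.key_list.is_empty() && self.re.is_none() { return event_value.map_or(true, |s| s.is_empty()); }` with a comment that this implements a `null` value in the rule. The commit message mentions fixing test cases; if a test for `null` was changed to expect `false`, that semantic change belongs in the description rather than passing silently.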
@@ -515,9 +482,8 @@ mod tests { use super::super::selectionnodes::{ AndSelectionNode, LeafSelectionNode, OrSelectionNode, SelectionNode, }; - use crate::detections::detection::EvtxRecordInfo; use crate::detections::rule::tests::parse_rule_from_str; - use serde_json::Value; + use crate::detections::{self, utils}; #[test] fn test_rule_parse() { @@ -739,11 +705,8 @@ mod tests { match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -772,11 +735,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -805,11 +765,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -839,11 +796,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -873,11 +827,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -906,11 +857,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -939,11 +887,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -973,11 +918,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -1007,11 +949,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -1041,11 +980,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1075,11 +1011,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1109,11 +1042,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { 
@@ -1142,11 +1072,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1179,11 +1106,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -1216,11 +1140,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { 
@@ -1252,11 +1173,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -1297,11 +1215,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { @@ -1342,11 +1257,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { 
@@ -1387,11 +1299,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { @@ -1432,11 +1341,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { @@ -1477,11 +1383,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { 
@@ -1522,11 +1425,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { @@ -1555,11 +1455,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1588,11 +1485,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { 
@@ -1621,11 +1515,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1711,13 +1602,9 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { - Ok(rec) => { - let rec: Value = rec; - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: rec, - data_string: record_json_str.to_string(), - }; + Ok(record) => { + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1746,12 +1633,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let rec: Value = record; - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: rec, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { 
@@ -1782,11 +1665,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -1817,11 +1697,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index c5a1f779..0b50e470 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -9,7 +9,7 @@ use yaml_rust::Yaml; mod matchers; mod selectionnodes; -use self::selectionnodes::SelectionNode; +use self::selectionnodes::{LeafSelectionNode, SelectionNode}; mod aggregation_parser; use self::aggregation_parser::AggregationParseInfo; 
@@ -93,6 +93,31 @@ impl RuleNode { } } +// RuleNodeのdetectionに定義されているキーの一覧を取得する。 +pub fn get_detection_keys(node: &RuleNode) -> Vec { + let mut ret = vec![]; + let detection = &node.detection; + for key in detection.name_to_selection.keys() { + let selection = &detection.name_to_selection[key]; + let desc = selection.get_descendants(); + let keys = desc.iter().filter_map(|node| { + if !node.is::() { + return Option::None; + } + + let node = node.downcast_ref::().unwrap(); + let key = node.get_key(); + if key.is_empty() { + return Option::None; + } + return Option::Some(key.to_string()); + }); + ret.extend(keys); + } + + return ret; +} + /// Ruleファイルのdetectionを表すノード struct DetectionNode { pub name_to_selection: HashMap>>, @@ -300,10 +325,9 @@ impl AggResult { #[cfg(test)] mod tests { - use crate::detections::{detection::EvtxRecordInfo, rule::create_rule}; - use yaml_rust::YamlLoader; - use super::RuleNode; + use crate::detections::{self, rule::create_rule, utils}; + use yaml_rust::YamlLoader; pub fn parse_rule_from_str(rule_str: &str) -> RuleNode { let rule_yaml = YamlLoader::load_from_str(rule_str); @@ -335,11 +359,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
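Review bot: `get_detection_keys` iterates `name_to_selection.keys()` and then indexes `detection.name_to_selection[key]`, paying a second hash lookup per selection that `.values()` avoids, and it pushes the same key once for every selection that references it, so `create_rec_info` (not visible here) presumably re-extracts duplicated fields. Its comment should also state the contract callers depend on: this list is the full set of keys `EvtxRecordInfo::key_2_value` will hold, so a field not referenced by a leaf node — for instance an aggregation `by` field, if that is ever resolved through `get_value` — is invisible to the matchers. The rewrite below deduplicates and documents that; it assumes `get_key` returns `&String`, as its use as the argument of `get_value(&String)` elsewhere in this patch implies.
```rust
/// Collects every field key referenced by a leaf node of any selection in `node`.
/// This is the complete key set `EvtxRecordInfo::key_2_value` is populated for;
/// a field not listed here is invisible to the matchers even if the record has it.
pub fn get_detection_keys(node: &RuleNode) -> Vec<String> {
    let mut ret: Vec<String> = vec![];
    for selection in node.detection.name_to_selection.values() {
        for child in selection.get_descendants() {
            if let Some(leaf) = child.downcast_ref::<LeafSelectionNode>() {
                let key = leaf.get_key();
                // An empty key means whole-record grep; skip it and avoid duplicates.
                if !key.is_empty() && !ret.iter().any(|k| k == key) {
                    ret.push(key.to_string());
                }
            }
        }
    }
    ret
}
```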
@@ -368,11 +389,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -401,11 +419,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -487,11 +502,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -549,11 +561,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -618,11 +627,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -665,11 +671,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -713,11 +716,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -780,11 +780,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -847,11 +844,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { 
@@ -896,11 +890,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { @@ -957,11 +948,8 @@ mod tests { let _init = rule_node.init(); match serde_json::from_str(record_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); let result = rule_node.select(&"testpath".to_string(), &recinfo); assert_eq!(rule_node.detection.aggregation_condition.is_some(), true); assert_eq!(result, true); diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs index f7446866..c33a4db0 100644 --- a/src/detections/rule/selectionnodes.rs +++ b/src/detections/rule/selectionnodes.rs @@ -1,6 +1,5 @@ use crate::detections::{detection::EvtxRecordInfo, utils}; use mopa::mopafy; -use serde_json::Value; use std::{sync::Arc, vec}; use yaml_rust::Yaml; @@ -268,13 +267,13 @@ impl LeafSelectionNode { } /// JSON形式のEventJSONから値を取得する関数 aliasも考慮されている。 - fn get_event_value<'a>(&self, event_value: &'a Value) -> Option<&'a Value> { + fn get_event_value<'a>(&self, record: &'a EvtxRecordInfo) -> Option<&'a String> { // keyが指定されたいない場合は if self.key_list.is_empty() { - return Option::Some(event_value); + return Option::Some(&record.data_string); } - return utils::get_event_value(&self.get_key(), event_value); + return record.get_value(self.get_key()); } /// matchers::LeafMatcherの一覧を取得する。 
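Review bot: `get_event_value` now answers from `record.get_value(self.get_key())`, i.e. the per-record string cache, but its doc comment still describes a JSON lookup and is in Japanese; replace it with an English description such as `/// Looks up this node's key in the record's pre-rendered string cache (aliases resolved); with no key configured, the whole record JSON string is returned.` Because `utils::value_to_string` (utils.rs hunk below) yields `None` for arrays and objects, a key pointing at a non-scalar value is absent from the cache and now misses here, whereas the old `utils::get_event_value` path returned the raw `Value`; the `@@ -334` hunk's `is_match(event_record.get_value(self.get_key()), …)` has the same property. Worth confirming that is intended for rules that match on array- or object-valued fields outside the EventData array branch.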
@@ -334,7 +333,7 @@ impl SelectionNode for LeafSelectionNode { .matcher .as_ref() .unwrap() - .is_match(Option::Some(eventdata_data), event_record); + .is_match(event_record.get_value(self.get_key()), event_record); } // 配列の場合は配列の要素のどれか一つでもルールに合致すれば条件に一致したことにする。 if eventdata_data.is_array() { @@ -343,11 +342,12 @@ impl SelectionNode for LeafSelectionNode { .unwrap() .iter() .any(|ary_element| { + let aryelement_val = utils::value_to_string(ary_element); return self .matcher .as_ref() .unwrap() - .is_match(Option::Some(ary_element), event_record); + .is_match(aryelement_val.as_ref(), event_record); }); } else { return self @@ -358,7 +358,7 @@ impl SelectionNode for LeafSelectionNode { } } - let event_value = self.get_event_value(&event_record.record); + let event_value = self.get_event_value(&event_record); return self .matcher .as_ref() @@ -407,7 +407,7 @@ impl SelectionNode for LeafSelectionNode { #[cfg(test)] mod tests { - use crate::detections::{detection::EvtxRecordInfo, rule::tests::parse_rule_from_str}; + use crate::detections::{self, rule::tests::parse_rule_from_str, utils}; #[test] fn test_detect_mutiple_regex_and() { @@ -430,11 +430,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -466,11 +463,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { @@ -501,11 +495,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { @@ -536,11 +527,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { 
@@ -571,11 +559,8 @@ mod tests { let mut rule_node = parse_rule_from_str(rule_str); match serde_json::from_str(record_json_str) { Ok(record) => { - let recinfo = EvtxRecordInfo { - evtx_filepath: "testpath".to_owned(), - record: record, - data_string: record_json_str.to_string(), - }; + let keys = detections::rule::get_detection_keys(&rule_node); + let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { diff --git a/src/detections/utils.rs b/src/detections/utils.rs index c7e4c57b..0ba39dd4 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -16,6 +16,8 @@ use std::io::{BufRead, BufReader}; use std::str; use std::string::String; +use super::detection::EvtxRecordInfo; + pub fn concat_selection_key(key_list: &Vec) -> String { return key_list .iter() @@ -47,6 +49,17 @@ pub fn check_allowlist(target: &str, regexes: &Vec) -> bool { return false; } +pub fn value_to_string(value: &Value) -> Option { + return match value { + Value::Null => Option::None, + Value::Bool(b) => Option::Some(b.to_string()), + Value::Number(n) => Option::Some(n.to_string()), + Value::String(s) => Option::Some(s.to_string()), + Value::Array(_) => Option::None, + Value::Object(_) => Option::None, + }; +} + pub fn read_txt(filename: &str) -> Result, String> { let f = File::open(filename); if f.is_err() { 
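Review bot: `value_to_string` carries no doc comment, yet its scalars-only contract is what `create_rec_info` and the selection-node matchers depend on; add `/// Renders a scalar JSON value (bool, number, string) as a String; Null, Array and Object yield None so callers can skip non-scalar fields.` The exhaustive match without a `_` arm is the right choice here, since a new `Value` variant would then fail to compile rather than silently become `None`.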
@@ -184,6 +197,41 @@ pub fn create_tokio_runtime() -> Runtime { .unwrap(); } +// EvtxRecordInfoを作成します。 +pub fn create_rec_info(data: Value, path: String, keys: &Vec) -> EvtxRecordInfo { + // EvtxRecordInfoを作る + let data_str = data.to_string(); + let mut rec = EvtxRecordInfo { + evtx_filepath: path, + record: data, + data_string: data_str, + key_2_value: hashbrown::HashMap::new(), + }; + + // 高速化のための処理 + + // 例えば、Value型から"Event.System.EventID"の値を取得しようとすると、value["Event"]["System"]["EventID"]のように3回アクセスする必要がある。 + // この処理を高速化するため、rec.key_2_valueというhashmapに"Event.System.EventID"というキーで値を設定しておく。 + // これなら、"Event.System.EventID"というキーを1回指定するだけで値を取得できるようになるので、高速化されるはず。 + // あと、serde_jsonのValueからvalue["Event"]みたいな感じで値を取得する処理がなんか遅いので、そういう意味でも早くなるかも + // それと、serde_jsonでは内部的に標準ライブラリのhashmapを使用しているが、hashbrownを使った方が早くなるらしい。 + for key in keys { + let val = get_event_value(key, &rec.record); + if val.is_none() { + continue; + } + + let val = value_to_string(val.unwrap()); + if val.is_none() { + continue; + } + + rec.key_2_value.insert(key.to_string(), val.unwrap()); + } + + return rec; +} + #[cfg(test)] mod tests { use crate::detections::utils; diff --git a/src/main.rs b/src/main.rs index 7bce8cc9..efe79b34 100644 --- a/src/main.rs +++ b/src/main.rs @@ -4,9 +4,9 @@ extern crate serde_derive; use chrono::Datelike; use chrono::{DateTime, Local}; use evtx::{EvtxParser, ParserSettings}; -use hayabusa::detections::detection; -use hayabusa::detections::detection::EvtxRecordInfo; +use hayabusa::detections::detection::{self, EvtxRecordInfo}; use hayabusa::detections::print::AlertMessage; +use hayabusa::detections::rule::{get_detection_keys, RuleNode}; use hayabusa::filter; use hayabusa::omikuji::Omikuji; use hayabusa::{afterfact::after_fact, detections::utils}; 
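Review bot: The loop body in `create_rec_info` tests `is_none()` and then `unwrap()`s twice; the same logic reads as one guard: `if let Some(val) = get_event_value(key, &rec.record).and_then(value_to_string) { rec.key_2_value.insert(key.to_string(), val); }`. The header comment and the explanatory block about `key_2_value` are in Japanese; an English doc comment should state the contract callers rely on — that `key_2_value` holds only scalar leaf values (nulls, arrays and objects are skipped) and that `data_string` is serde's re-serialization of `data`, not the original record text. Keys whose lookup fails are skipped silently, which is acceptable for a cache but means a typo in a rule key is indistinguishable from an absent field at this layer.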
@@ -14,315 +14,344 @@ use hayabusa::{detections::configs, timeline::timeline::Timeline}; use hhmmss::Hhmmss; use pbr::ProgressBar; use serde_json::Value; -use std::collections::HashMap; +use std::collections::{HashMap, HashSet}; use std::fmt::Display; +use std::sync::Arc; use std::{ fs::{self, File}, path::PathBuf, vec, }; +use tokio::runtime::Runtime; +use tokio::spawn; +use tokio::task::JoinHandle; // 一度にtimelineやdetectionを実行する行数 const MAX_DETECT_RECORDS: usize = 5000; fn main() { - let analysis_start_time: DateTime = Local::now(); - if !configs::CONFIG.read().unwrap().args.is_present("q") { - output_logo(); - println!(""); - output_eggs(&format!( - "{:02}/{:02}", - &analysis_start_time.month().to_owned(), - &analysis_start_time.day().to_owned() - )); - } - if configs::CONFIG.read().unwrap().args.args.len() == 0 { - println!( - "{}", - configs::CONFIG.read().unwrap().args.usage().to_string() - ); - return; - } - if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") { - if !filepath.ends_with(".evtx") { - AlertMessage::alert( - &mut std::io::stderr().lock(), - "--filepath only accepts .evtx files.".to_owned(), - ) - .ok(); - return; - } - analysis_files(vec![PathBuf::from(filepath)]); - } else if let Some(directory) = configs::CONFIG.read().unwrap().args.value_of("directory") { - let evtx_files = collect_evtxfiles(&directory); - if evtx_files.len() == 0 { - AlertMessage::alert( - &mut std::io::stderr().lock(), - "No .evtx files were found.".to_owned(), - ) - .ok(); - return; - } - analysis_files(evtx_files); - } else if configs::CONFIG - .read() - .unwrap() - .args - .is_present("contributors") - { - print_contributors(); - return; - } - let analysis_end_time: DateTime = Local::now(); - let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time); - println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx()); - println!(""); + let mut app = App::new(); + app.exec(); + app.rt.shutdown_background(); } -fn 
collect_evtxfiles(dirpath: &str) -> Vec { - let entries = fs::read_dir(dirpath); - if entries.is_err() { - let stderr = std::io::stderr(); - let mut stderr = stderr.lock(); - AlertMessage::alert(&mut stderr, format!("{}", entries.unwrap_err())).ok(); - return vec![]; +pub struct App { + rt: Runtime, + rule_keys: Vec, +} + +impl App { + pub fn new() -> App { + return App { + rt: utils::create_tokio_runtime(), + rule_keys: Vec::new(), + }; } - let mut ret = vec![]; - for e in entries.unwrap() { - if e.is_err() { - continue; + fn exec(&mut self) { + let analysis_start_time: DateTime = Local::now(); + if !configs::CONFIG.read().unwrap().args.is_present("q") { + self.output_logo(); + println!(""); + self.output_eggs(&format!( + "{:02}/{:02}", + &analysis_start_time.month().to_owned(), + &analysis_start_time.day().to_owned() + )); + } + if configs::CONFIG.read().unwrap().args.args.len() == 0 { + println!( + "{}", + configs::CONFIG.read().unwrap().args.usage().to_string() + ); + return; + } + if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") { + if !filepath.ends_with(".evtx") { + AlertMessage::alert( + &mut std::io::stderr().lock(), + "--filepath only accepts .evtx files.".to_owned(), + ) + .ok(); + return; + } + self.analysis_files(vec![PathBuf::from(filepath)]); + } else if let Some(directory) = configs::CONFIG.read().unwrap().args.value_of("directory") { + let evtx_files = self.collect_evtxfiles(&directory); + if evtx_files.len() == 0 { + AlertMessage::alert( + &mut std::io::stderr().lock(), + "No .evtx files were found.".to_owned(), + ) + .ok(); + return; + } + self.analysis_files(evtx_files); + } else if configs::CONFIG + .read() + .unwrap() + .args + .is_present("contributors") + { + self.print_contributors(); + return; + } + let analysis_end_time: DateTime = Local::now(); + let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time); + println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx()); + 
println!(""); + } + + fn collect_evtxfiles(&self, dirpath: &str) -> Vec { + let entries = fs::read_dir(dirpath); + if entries.is_err() { + let stderr = std::io::stderr(); + let mut stderr = stderr.lock(); + AlertMessage::alert(&mut stderr, format!("{}", entries.unwrap_err())).ok(); + return vec![]; } - let path = e.unwrap().path(); - if path.is_dir() { - path.to_str().and_then(|path_str| { - let subdir_ret = collect_evtxfiles(path_str); - ret.extend(subdir_ret); - return Option::Some(()); - }); - } else { - let path_str = path.to_str().unwrap_or(""); - if path_str.ends_with(".evtx") { - ret.push(path); + let mut ret = vec![]; + for e in entries.unwrap() { + if e.is_err() { + continue; + } + + let path = e.unwrap().path(); + if path.is_dir() { + path.to_str().and_then(|path_str| { + let subdir_ret = self.collect_evtxfiles(path_str); + ret.extend(subdir_ret); + return Option::Some(()); + }); + } else { + let path_str = path.to_str().unwrap_or(""); + if path_str.ends_with(".evtx") { + ret.push(path); + } + } + } + + return ret; + } + + fn print_contributors(&self) { + match fs::read_to_string("./contributors.txt") { + Ok(contents) => println!("{}", contents), + Err(err) => { + AlertMessage::alert(&mut std::io::stderr().lock(), format!("{}", err)).ok(); } } } - return ret; -} + fn analysis_files(&mut self, evtx_files: Vec) { + let level = configs::CONFIG + .read() + .unwrap() + .args + .value_of("min-level") + .unwrap_or("informational") + .to_uppercase(); + println!("Analyzing event files: {:?}", evtx_files.len()); -fn print_contributors() { - match fs::read_to_string("./contributors.txt") { - Ok(contents) => println!("{}", contents), - Err(err) => { - AlertMessage::alert(&mut std::io::stderr().lock(), format!("{}", err)).ok(); + let rule_files = detection::Detection::parse_rule_files( + level, + configs::CONFIG.read().unwrap().args.value_of("rules"), + &filter::exclude_ids(), + ); + let mut pb = ProgressBar::new(evtx_files.len() as u64); + self.rule_keys = 
self.get_all_keys(&rule_files); + let mut detection = detection::Detection::new(rule_files); + for evtx_file in evtx_files { + if configs::CONFIG.read().unwrap().args.is_present("verbose") { + println!("Checking target evtx FilePath: {:?}", &evtx_file); + } + detection = self.analysis_file(evtx_file, detection); + pb.inc(); } + after_fact(); + detection.print_unique_results(); } -} -fn analysis_files(evtx_files: Vec) { - let level = configs::CONFIG - .read() - .unwrap() - .args - .value_of("min-level") - .unwrap_or("informational") - .to_uppercase(); - println!("Analyzing event files: {:?}", evtx_files.len()); - - let rule_files = detection::Detection::parse_rule_files( - level, - configs::CONFIG.read().unwrap().args.value_of("rules"), - &filter::exclude_ids(), - ); - let mut pb = ProgressBar::new(evtx_files.len() as u64); - let mut detection = detection::Detection::new(rule_files); - for evtx_file in evtx_files { - if configs::CONFIG.read().unwrap().args.is_present("verbose") { - println!("Checking target evtx FilePath: {:?}", &evtx_file); + // Windowsイベントログファイルを1ファイル分解析する。 + fn analysis_file( + &self, + evtx_filepath: PathBuf, + mut detection: detection::Detection, + ) -> detection::Detection { + let path = evtx_filepath.display(); + let parser = self.evtx_to_jsons(evtx_filepath.clone()); + if parser.is_none() { + return detection; } - detection = analysis_file(evtx_file, detection); - pb.inc(); - } - after_fact(); - detection.print_unique_results(); -} -// Windowsイベントログファイルを1ファイル分解析する。 -fn analysis_file( - evtx_filepath: PathBuf, - mut detection: detection::Detection, -) -> detection::Detection { - let filepath_disp = evtx_filepath.display(); - let parser = evtx_to_jsons(evtx_filepath.clone()); - if parser.is_none() { - return detection; - } + let mut tl = Timeline::new(); + let mut parser = parser.unwrap(); + let mut records = parser.records_json_value(); - let mut tl = Timeline::new(); - let mut parser = parser.unwrap(); - let mut records = 
parser.records_json_value(); - let tokio_rt = utils::create_tokio_runtime(); + loop { + let mut records_per_detect = vec![]; + while records_per_detect.len() < MAX_DETECT_RECORDS { + // パースに失敗している場合、エラーメッセージを出力 + let next_rec = records.next(); + if next_rec.is_none() { + break; + } - let target_event_time = configs::TargetEventTime::new(); + let record_result = next_rec.unwrap(); + if record_result.is_err() { + let evtx_filepath = &path; + let errmsg = format!( + "Failed to parse event file. EventFile:{} Error:{}", + evtx_filepath, + record_result.unwrap_err() + ); + AlertMessage::alert(&mut std::io::stderr().lock(), errmsg).ok(); + continue; + } - loop { - let mut records_per_detect = vec![]; - while records_per_detect.len() < MAX_DETECT_RECORDS { - // パースに失敗している場合、エラーメッセージを出力 - let next_rec = records.next(); - if next_rec.is_none() { + // target_eventids.txtでフィルタする。 + let data = record_result.unwrap().data; + if self._is_target_event_id(&data) == false { + continue; + } + + // EvtxRecordInfo構造体に変更 + records_per_detect.push(data); + } + if records_per_detect.len() == 0 { break; } - let record_result = next_rec.unwrap(); - if record_result.is_err() { - let evtx_filepath = &filepath_disp; - let errmsg = format!( - "Failed to parse event file. 
EventFile:{} Error:{}", - evtx_filepath, - record_result.unwrap_err() - ); - AlertMessage::alert(&mut std::io::stderr().lock(), errmsg).ok(); - continue; + let records_per_detect = self.rt.block_on(App::create_rec_infos( + records_per_detect, + &path, + self.rule_keys.clone(), + )); + + // // timeline機能の実行 + tl.start(&records_per_detect); + + // // ruleファイルの検知 + detection = detection.start(&self.rt, records_per_detect); + } + + detection.add_aggcondtion_msg(); + tl.tm_stats_dsp_msg(); + + return detection; + } + + async fn create_rec_infos( + records_per_detect: Vec, + path: &dyn Display, + rule_keys: Vec, + ) -> Vec { + let path = Arc::new(path.to_string()); + let rule_keys = Arc::new(rule_keys); + let threads: Vec> = records_per_detect + .into_iter() + .map(|rec| { + let arc_rule_keys = Arc::clone(&rule_keys); + let arc_path = Arc::clone(&path); + return spawn(async move { + let rec_info = + utils::create_rec_info(rec, arc_path.to_string(), &arc_rule_keys); + return rec_info; + }); + }) + .collect(); + + let mut ret = vec![]; + for thread in threads.into_iter() { + ret.push(thread.await.unwrap()); + } + + return ret; + } + + fn get_all_keys(&self, rules: &Vec) -> Vec { + let mut key_set = HashSet::new(); + for rule in rules { + let keys = get_detection_keys(rule); + key_set.extend(keys); + } + + let ret: Vec = key_set.into_iter().collect(); + return ret; + } + + // target_eventids.txtの設定を元にフィルタする。 + fn _is_target_event_id(&self, data: &Value) -> bool { + let eventid = utils::get_event_value(&utils::get_event_id_key(), data); + if eventid.is_none() { + return true; + } + + return match eventid.unwrap() { + Value::String(s) => utils::is_target_event_id(s), + Value::Number(n) => utils::is_target_event_id(&n.to_string()), + _ => true, // レコードからEventIdが取得できない場合は、特にフィルタしない + }; + } + + fn evtx_to_jsons(&self, evtx_filepath: PathBuf) -> Option> { + match EvtxParser::from_path(evtx_filepath) { + Ok(evtx_parser) => { + // parserのデフォルト設定を変更 + let mut parse_config = 
ParserSettings::default(); + parse_config = parse_config.separate_json_attributes(true); // XMLのattributeをJSONに変換する時のルールを設定 + parse_config = parse_config.num_threads(0); // 設定しないと遅かったので、設定しておく。 + + let evtx_parser = evtx_parser.with_configuration(parse_config); + return Option::Some(evtx_parser); } - - // target_eventids.txtでフィルタする。 - let data = record_result.unwrap().data; - if _is_target_event_id(&data) == false { - continue; + Err(e) => { + eprintln!("{}", e); + return Option::None; } + } + } - let eventtime = utils::get_event_value(&utils::get_event_time(), &data); - if eventtime.is_some() { - let time = utils::str_time_to_datetime(eventtime.unwrap().as_str().unwrap_or("")); - if !target_event_time.is_target(&time) { - continue; - } + fn _output_with_omikuji(&self, omikuji: Omikuji) { + let fp = &format!("art/omikuji/{}", omikuji); + let content = fs::read_to_string(fp).unwrap(); + println!("{}", content); + } + + /// output logo + fn output_logo(&self) { + let fp = &format!("art/logo.txt"); + let content = fs::read_to_string(fp).unwrap_or("".to_owned()); + println!("{}", content); + } + + /// output easter egg arts + fn output_eggs(&self, exec_datestr: &str) { + let mut eggs: HashMap<&str, &str> = HashMap::new(); + eggs.insert("01/01", "art/happynewyear.txt"); + eggs.insert("02/22", "art/ninja.txt"); + eggs.insert("08/08", "art/takoyaki.txt"); + eggs.insert("12/25", "art/christmas.txt"); + + match eggs.get(exec_datestr) { + None => {} + Some(path) => { + let content = fs::read_to_string(path).unwrap_or("".to_owned()); + println!("{}", content); } - - // EvtxRecordInfo構造体に変更 - records_per_detect.push(_create_rec_info(data, &filepath_disp)); - } - if records_per_detect.len() == 0 { - break; - } - - // timeline機能の実行 - tl.start(&records_per_detect); - - // ruleファイルの検知 - detection = detection.start(&tokio_rt, records_per_detect); - } - - tokio_rt.shutdown_background(); - detection.add_aggcondtion_msg(); - tl.tm_stats_dsp_msg(); - - return detection; -} - -// 
target_eventids.txtの設定を元にフィルタする。 -fn _is_target_event_id(data: &Value) -> bool { - let eventid = utils::get_event_value(&utils::get_event_id_key(), data); - if eventid.is_none() { - return true; - } - - return match eventid.unwrap() { - Value::String(s) => utils::is_target_event_id(s), - Value::Number(n) => utils::is_target_event_id(&n.to_string()), - _ => true, // レコードからEventIdが取得できない場合は、特にフィルタしない - }; -} - -// EvtxRecordInfoを作成します。 -fn _create_rec_info(mut data: Value, path: &dyn Display) -> EvtxRecordInfo { - // 高速化のための処理 - // RuleNodeでワイルドカードや正規表現のマッチング処理をする際には、 - // Value(JSON)がstring型以外の場合はstringに変換して比較している。 - // RuleNodeでマッチングする毎にstring変換していると、 - // 1回の処理はそこまででもないが相当回数呼び出されれるとボトルネックになりうる。 - - // なので、よく使われるstring型ではない値を事前に変換しておくことで、 - // string変換する回数を減らせる。 - // 本当はやりたくないが... - match &data["Event"]["System"]["EventID"] { - Value::Number(n) => data["Event"]["System"]["EventID"] = Value::String(n.to_string()), - _ => (), - }; - match &data["Event"]["EventData"]["LogonType"] { - Value::Number(n) => data["Event"]["EventData"]["LogonType"] = Value::String(n.to_string()), - _ => (), - } - match &data["Event"]["EventData"]["DestinationPort"] { - Value::Number(n) => { - data["Event"]["EventData"]["DestinationPort"] = Value::String(n.to_string()) - } - _ => (), - } - - // EvtxRecordInfoを作る - let data_str = data.to_string(); - return EvtxRecordInfo::new(path.to_string(), data, data_str); -} - -fn evtx_to_jsons(evtx_filepath: PathBuf) -> Option> { - match EvtxParser::from_path(evtx_filepath) { - Ok(evtx_parser) => { - // parserのデフォルト設定を変更 - let mut parse_config = ParserSettings::default(); - parse_config = parse_config.separate_json_attributes(true); // XMLのattributeをJSONに変換する時のルールを設定 - parse_config = parse_config.num_threads(utils::get_thread_num()); // 設定しないと遅かったので、設定しておく。 - - let evtx_parser = evtx_parser.with_configuration(parse_config); - return Option::Some(evtx_parser); - } - Err(e) => { - eprintln!("{}", e); - return Option::None; - } - } -} - -fn 
_output_with_omikuji(omikuji: Omikuji) { - let fp = &format!("art/omikuji/{}", omikuji); - let content = fs::read_to_string(fp).unwrap(); - println!("{}", content); -} - -/// output logo -fn output_logo() { - let fp = &format!("art/logo.txt"); - let content = fs::read_to_string(fp).unwrap_or("".to_owned()); - println!("{}", content); -} - -/// output easter egg arts -fn output_eggs(exec_datestr: &str) { - let mut eggs: HashMap<&str, &str> = HashMap::new(); - eggs.insert("01/01", "art/happynewyear.txt"); - eggs.insert("02/22", "art/ninja.txt"); - eggs.insert("08/08", "art/takoyaki.txt"); - eggs.insert("12/25", "art/christmas.txt"); - - match eggs.get(exec_datestr) { - None => {} - Some(path) => { - let content = fs::read_to_string(path).unwrap_or("".to_owned()); - println!("{}", content); } } } #[cfg(test)] mod tests { - use crate::collect_evtxfiles; + use crate::App; #[test] fn test_collect_evtxfiles() { - let files = collect_evtxfiles("test_files/evtx"); + let app = App::new(); + let files = app.collect_evtxfiles("test_files/evtx"); assert_eq!(3, files.len()); files.iter().for_each(|file| { From cc14b7e4acf7ae136f680d8b2d58349ba2c74f41 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 18 Dec 2021 11:59:16 +0900 Subject: [PATCH 17/22] Feature/improve output#253 (#285) * changed processing time pre code #253 - changed csv file writer to BufWriter * changed processing time pre code in stdout #253 --- src/afterfact.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 72d2aabb..1d9217b4 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -6,6 +6,7 @@ use serde::Serialize; use std::error::Error; use std::fs::File; use std::io; +use std::io::BufWriter; use std::process; #[derive(Debug, Serialize)] 
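Review bot: The rewritten `analysis_file` drops the event-time window filter the old body applied: the removed lines built `configs::TargetEventTime::new()` and skipped records where `!target_event_time.is_target(&time)`, and nothing on the new side replaces them, so the start/end timeline options (still parsed in configs.rs in a later hunk) no longer constrain which records reach detection unless that check moved somewhere outside this patch. `evtx_to_jsons` also now hard-codes `parse_config.num_threads(0)` where it previously passed `utils::get_thread_num()`, which appears to detach the thread-count option from the parser; `parse_config.num_threads(utils::get_thread_num())` keeps that option meaningful. A smaller point: `create_rec_infos` spawns one tokio task per record (up to `MAX_DETECT_RECORDS` per batch) and `unwrap()`s each `JoinHandle`, so a panic inside any `create_rec_info` call aborts the whole run instead of being reported for that record.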
@@ -50,7 +51,7 @@ pub fn after_fact() { { // ファイル出力する場合 match File::create(csv_path) { - Ok(file) => Box::new(file), + Ok(file) => Box::new(BufWriter::new(file)), Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), @@ -63,7 +64,7 @@ pub fn after_fact() { } else { displayflag = true; // 標準出力に出力する場合 - Box::new(io::stdout()) + Box::new(BufWriter::new(io::stdout())) }; if let Err(err) = emit_csv(&mut target, displayflag) { From c01dcbfc94f582a1b97e5f2d669d6801a409f22d Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 18 Dec 2021 12:14:23 +0900 Subject: [PATCH 18/22] =?UTF-8?q?Logo=E3=81=AE=E5=BE=AE=E8=AA=BF=E6=95=B4?= =?UTF-8?q?=20(#300)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- art/logo.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/art/logo.txt b/art/logo.txt index 3e2f102e..bd972b3b 100644 --- a/art/logo.txt +++ b/art/logo.txt @@ -1,7 +1,8 @@ + ██╗ ██╗ █████╗ ██╗ ██╗ █████╗ ██████╗ ██╗ ██╗███████╗ █████╗ ██║ ██║██╔══██╗╚██╗ ██╔╝██╔══██╗██╔══██╗██║ ██║██╔════╝██╔══██╗ ███████║███████║ ╚████╔╝ ███████║██████╔╝██║ ██║███████╗███████║ ██╔══██║██╔══██║ ╚██╔╝ ██╔══██║██╔══██╗██║ ██║╚════██║██╔══██║ ██║ ██║██║ ██║ ██║ ██║ ██║██████╔╝╚██████╔╝███████║██║ ██║ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝ -by Yamato Security \ No newline at end of file + by Yamato Security \ No newline at end of file From 692fdae9a06b89265620878fd1ca6e80d5eda7e9 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 19 Dec 2021 15:36:24 +0900 Subject: [PATCH 19/22] RevertedMerge: Feature/remove process speed#289 (#299) * removed process-speed view in progress bar #289 * insert changed code after resolve conflict #289 --- src/main.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main.rs b/src/main.rs index efe79b34..a48d4028 100644 --- a/src/main.rs +++ b/src/main.rs 
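Review bot: Wrapping both sinks in `BufWriter` moves the final flush into `Drop`, which swallows any write error; if `emit_csv` does not call `flush()` itself, a failed last write to the CSV file (e.g. disk full) goes unreported while the tool still exits successfully. Add an explicit flush after the emit, e.g. `if let Err(err) = target.flush() { fn_emit_csv_err(Box::new(err)); }`, with `std::io::Write` in scope. `after_fact` continues outside the hunk, so I cannot see whether a flush already exists further down.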
@@ -160,6 +160,7 @@ impl App { &filter::exclude_ids(), ); let mut pb = ProgressBar::new(evtx_files.len() as u64); + pb.show_speed = false; self.rule_keys = self.get_all_keys(&rule_files); let mut detection = detection::Detection::new(rule_files); for evtx_file in evtx_files { From a023ba46a696b3d6c63eb2672b9a8d1b0006bf23 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sun, 19 Dec 2021 20:03:39 +0900 Subject: [PATCH 20/22] Usage menu update (#302) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Usage menu update * usage menuの微調整 * fixed options #302 - changed show-deprecated to enable-deprecated-rules - changed csv-timeline to output - change show-noisyalerts to enable-noisy-rules * fixed option #302 - changed starttimeline to start-timeline * fixed option #302 - changed q to quiet option * fixed options #302 - changed endtimeline to end-timeline option - changed threadnum to thread-number option Co-authored-by: DustInDark --- src/afterfact.rs | 40 ++++++++++++++++++--------------------- src/detections/configs.rs | 38 ++++++++++++++++++------------------- src/detections/utils.rs | 2 +- src/filter.rs | 2 +- src/main.rs | 2 +- src/yaml.rs | 2 +- 6 files changed, 41 insertions(+), 45 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 1d9217b4..5cb9fcf0 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs 
@@ -43,29 +43,25 @@ pub fn after_fact() { process::exit(1); }; let mut displayflag = false; - let mut target: Box = if let Some(csv_path) = configs::CONFIG - .read() - .unwrap() - .args - .value_of("csv-timeline") - { - // ファイル出力する場合 - match File::create(csv_path) { - Ok(file) => Box::new(BufWriter::new(file)), - Err(err) => { - AlertMessage::alert( - &mut std::io::stderr().lock(), - format!("Failed to open file. {}", err), - ) - .ok(); - process::exit(1); + let mut target: Box = + if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("output") { + // ファイル出力する場合 + match File::create(csv_path) { + Ok(file) => Box::new(BufWriter::new(file)), + Err(err) => { + AlertMessage::alert( + &mut std::io::stderr().lock(), + format!("Failed to open file. {}", err), + ) + .ok(); + process::exit(1); + } } - } - } else { - displayflag = true; - // 標準出力に出力する場合 - Box::new(BufWriter::new(io::stdout())) - }; + } else { + displayflag = true; + // 標準出力に出力する場合 + Box::new(BufWriter::new(io::stdout())) + }; if let Err(err) = emit_csv(&mut target, displayflag) { fn_emit_csv_err(Box::new(err)); diff --git a/src/detections/configs.rs b/src/detections/configs.rs index c2fa589f..06f60e3d 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -52,22 +52,22 @@ fn build_app<'a>() -> ArgMatches<'a> { return ArgMatches::default(); } - let usages = "-f --filepath=[FILEPATH] 'File path to one .evtx file' - --csv-timeline=[CSV_TIMELINE] 'Save the timeline in CSV format' + let usages = "-d --directory=[DIRECTORY] 'Directory of multiple .evtx files' + -f --filepath=[FILEPATH] 'File path to one .evtx file' + -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' + -o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. Example: results.csv' + -v --verbose 'Output verbose information' + -D --enable-deprecated-rules 'Enable sigma rules marked as deprecated' + -n --enable-noisy-rules 'Enable rules marked as noisy' + -m --min-level=[LEVEL] 'Minimum level for rules (default: informational)' + --start-timeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' + --end-timeline=[ENDTIMELINE] 'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' - --verbose 'Output verbose information to target event file path and rule file' - --starttimeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' - --endtimeline=[ENDTIMELINE]'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00'' - -q 'Quiet mode. 
Do not display the launch banner' - -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' - -m --min-level=[LEVEL] 'Minimum level for rules (default: informational)' -u --utc 'Output time in UTC format (default: local time)' - -d --directory=[DIRECTORY] 'Directory of multiple .evtx files' + -t --thread-number=[NUMBER] 'Thread number (default: optimal number for performance)' -s --statistics 'Prints statistics of event IDs' - -n --show-noisyalerts 'do not exclude noisy rules' - -t --threadnum=[NUM] 'Thread number (default: optimal number for performance)' - --show-deprecated 'do not exclude rules with YAML's status deprecated' + -q --quiet 'Quiet mode. Do not display the launch banner' --contributors 'Prints the list of contributors'"; App::new(&program) .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!") @@ -131,9 +131,9 @@ pub struct TargetEventTime { impl TargetEventTime { pub fn new() -> Self { - let start_time = if let Some(s_time) = CONFIG.read().unwrap().args.value_of("starttimeline") - { - match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 + let start_time = + if let Some(s_time) = CONFIG.read().unwrap().args.value_of("start-timeline") { + match DateTime::parse_from_str(s_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 .or_else(|_| DateTime::parse_from_str(s_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00 { Ok(dt) => Some(dt.with_timezone(&Utc)), @@ -146,10 +146,10 @@ impl TargetEventTime { None } } - } else { - None - }; - let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("endtimeline") { + } else { + None + }; + let end_time = if let Some(e_time) = CONFIG.read().unwrap().args.value_of("end-timeline") { match DateTime::parse_from_str(e_time, "%Y-%m-%d %H:%M:%S %z") // 2014-11-28 21:00:09 +09:00 .or_else(|_| DateTime::parse_from_str(e_time, "%Y/%m/%d %H:%M:%S %z")) // 2014/11/28 21:00:09 +09:00 { 
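Review bot: The help strings for `--start-timeline` and `--end-timeline` nest single quotes inside a single-quoted help field (`'… Example: '2018/11/28 12:00:00 +09:00''`); clap's usage-string parser takes the next `'` as the end of the help text, so the example is presumably cut off in `--help` and the leftover characters may confuse the parser — verify with `cargo run -- --help`. Dropping the inner quotes, `'Start time of the event to load from event file. Example: 2018/11/28 12:00:00 +09:00'` (and likewise for the end-timeline line), keeps the wording without the ambiguity. The usage text is otherwise consistent with `TargetEventTime::new`, which accepts both `2018-11-28` and `2018/11/28` forms. build_app continues outside the hunk.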
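Review bot: In the renamed `end-timeline` lookup the `Err` arm of the `parse_from_str` match lies outside this hunk, but the `} else { None };` tail visible for `start_time` suggests that a value failing both formats ends up as `None`, i.e. no bound at all, after only a printed alert. For an analyst that means a typo in `--start-timeline`/`--end-timeline` silently widens the analysis window to the whole log, which is easy to miss in a long run; consider `process::exit(1)` on a parse error, or at minimum state in the alert that the bound is being ignored, e.g. `format!("end-timeline '{}' could not be parsed; no end bound will be applied", e_time)`. TargetEventTime::new continues outside the hunk.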
diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 0ba39dd4..4ecf3733 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -184,7 +184,7 @@ pub fn get_thread_num() -> usize { let conf = configs::CONFIG.read().unwrap(); let threadnum = &conf .args - .value_of("threadnum") + .value_of("thread-number") .unwrap_or(def_thread_num_str.as_str()); return threadnum.parse::().unwrap().clone(); } diff --git a/src/filter.rs b/src/filter.rs index 113283cf..d1ff0466 100644 --- a/src/filter.rs +++ b/src/filter.rs @@ -18,7 +18,7 @@ pub fn exclude_ids() -> RuleExclude { .read() .unwrap() .args - .is_present("show-noisyalerts") + .is_present("enable-noisy-rules") { ids += "\n"; // 改行を入れないとexclude-rulesの一番最後の行とnoisy-rules.txtの一番最初の行が一行にまとめられてしまう。 match fs::read("config/noisy-rules.txt") { diff --git a/src/main.rs b/src/main.rs index a48d4028..425d0a9d 100644 --- a/src/main.rs +++ b/src/main.rs @@ -50,7 +50,7 @@ impl App { fn exec(&mut self) { let analysis_start_time: DateTime = Local::now(); - if !configs::CONFIG.read().unwrap().args.is_present("q") { + if !configs::CONFIG.read().unwrap().args.is_present("quiet") { self.output_logo(); println!(""); self.output_eggs(&format!( diff --git a/src/yaml.rs b/src/yaml.rs index 53a6a0af..4326d9f8 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -156,7 +156,7 @@ impl ParseYaml { .read() .unwrap() .args - .is_present("show-deprecated") + .is_present("enable-deprecated-rules") { let rule_status = &yaml_doc["status"].as_str(); if rule_status.is_some() && rule_status.unwrap() == "deprecated" { From dbba49b815c6f4a54810f3b6fe63d64a7c00e9a6 Mon Sep 17 00:00:00 2001 
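Review bot: `get_thread_num` still turns the renamed `--thread-number` value into a number with `.parse::<usize>().unwrap()` (the generic parameter appears stripped in this rendering), so `--thread-number abc` or `--thread-number -1` panics with a backtrace instead of a usage error. Parse fallibly and report it the way the rest of the crate does, e.g. `let threadnum = threadnum.parse::<usize>().unwrap_or_else(|err| { AlertMessage::alert(&mut std::io::stderr().lock(), format!("thread-number must be a positive integer: {}", err)).ok(); std::process::exit(1) });` (assuming AlertMessage is in scope in utils.rs; otherwise `eprintln!`). A value of `0` should presumably be rejected as well, since the consumer of this number is outside the hunk and a zero-sized pool is unlikely to be meaningful — confirm. The trailing `.clone()` on a `usize` is a no-op and can go. get_thread_num starts outside the hunk.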
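Review bot: `fs::read("config/noisy-rules.txt")` in `exclude_ids` resolves against the process working directory, not the binary location or the `--rules` directory, so running hayabusa from any other directory presumably loses the noisy-rule exclusions; the `Err` arm is outside the hunk, so whether that is reported cannot be seen here. Resolve the path from `std::env::current_exe()` or the rules directory, or at least alert when the file is missing, e.g. `AlertMessage::alert(&mut std::io::stderr().lock(), "config/noisy-rules.txt not found; noisy rules will not be excluded".to_string()).ok();`. The Japanese comment on the `ids += "\n";` line documents a real subtlety and would help more readers in English: `// a newline is required here, otherwise the last line of exclude-rules.txt and the first line of noisy-rules.txt merge into one entry`.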
From: DustInDark Date: Sun, 19 Dec 2021 20:48:29 +0900 Subject: [PATCH 21/22] Hotfix/not work count#278 (#281) * fixed countup structure #278 * fixed countup structure and count up field logic #278 * fixed tests #278 * added no output aggregation detect message when output exist in rule yaml #232 * moved get_agg_condtion to rulenode function #278 * added field_values to output count fields data #232 #278 - fixed count logic #278 - fixed count test to adjust field_values add - added count test * fixed count output format #232 * fixed compile error * fixed count output #232 - moved output check to create_count_output - fixed yaml condition reference - adjust top and tail multi space * added create count output test #232 * removed count by file #278 - commented by @YamatoSecurity * changed sort function to sort_unstable_by * fixed typo * adjust to comment #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767283508 * adjust comment #281 refs - https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767285993 - https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767286713 * adjust coment #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767287831 * omitted code #281 * adjust comment #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767302595 * adjust comment #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767303168 * adjust comment ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767307535 * omitted unnecessary code #281 * adjust comment #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767288428 * adjust commnet #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767286731 * adjust comment #281 ref: https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767285716 * adjust comment #281 ref: 
https://github.com/Yamato-Security/hayabusa/pull/281/commits/159191ec36bdc89ad6af381f3963a2bb91cd8ace#r767288428 * adjust test result #281 * removed debug print statement in testfunction * adjust comment #281 ref https://github.com/Yamato-Security/hayabusa/pull/281#discussion_r767286731 * fixed output by level #278 #284 - fixed result counting process when rule has no aggregation condition #278 - added total output by level #284 * removed unnecessary crate * fixed output #284 * removed unnecessary total/unique sum process #284 * add testcase and fix testcase bug * add testcase, add check to check_cout() * fixed count logic #278 * fixed test parameter * add testcase * fmt * fixed count field check process #278 * fix testcase #281 * fixed comment typo * removed one time used variable in test case #281 * fixed count field check process #278 * changed insert position #278 * changed contributor list * fixed contributors list` * passed with timeframe case #278 * passed all count test #278 * removed debug print * removed debug print * removed debug print * cargo fmt * changed by0level output format #284 * reduce clone() #278 #281 * changed for loop to map #278 #281 * fixed compile error * changed priority from output in yml to aggregation output case aggregation condition exist in rule. 
#232 * fixed testcase #232 * changed if-let to generics #278 #281 * fixed error when test to sample_evtx#278 #281 * changed if-let to generic #278 #281 * adjust unwrap none error #278 #281 * fixed compile error and test case failed #278 Co-authored-by: ichiichi11 --- contributors.txt | 8 +- src/afterfact.rs | 56 +- src/detections/detection.rs | 307 +++++++-- src/detections/rule/condition_parser.rs | 9 +- src/detections/rule/count.rs | 812 +++++++++++++++++++----- src/detections/rule/matchers.rs | 58 +- src/detections/rule/mod.rs | 67 +- src/detections/rule/selectionnodes.rs | 10 +- src/main.rs | 3 +- src/timeline/timeline.rs | 2 +- src/yaml.rs | 2 +- 11 files changed, 1023 insertions(+), 311 deletions(-) diff --git a/contributors.txt b/contributors.txt index 927b19a0..8631af4c 100644 --- a/contributors.txt +++ b/contributors.txt @@ -1,11 +1,11 @@ Hayabusa was possible thanks to the following people (in alphabetical order): Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc... -DustInDark(@hitenkoku): Core developer, project management, sigma count implementation, rule creation, countless feature additions and fixes, etc… +DustInDark(@hitenkoku): Core developer, project management, sigma count implementation, rule creation, countless feature additions and fixes, etc… Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc... ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc... James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, etc… -Kazuminn (@k2warugaki): Developer +Kazuminn (@k47_um1n): Developer Yusuke Matsui (@apt773): AD hacking working group leader, rule testing, documentation, research, support, etc... Zach Mathis (@yamatosecurity, Yamato Security Founder): Project leader, tool and concept design, rule creation and tuning, etc… 
@@ -14,9 +14,9 @@ Hayabusa would not have been possible without first creating RustyBlue, so we wo Zach Mathis (@yamatosecurity, Yamato Security Founder): Project Leader Nishikawa Akira (@nishikawaakira): Lead Developer -kazuminn (@k2warugaki): Core Developer +kazuminn (@k47_um1n): Core Developer itiB (@itiB_S144): Core Developer -James Takai / hachiyone (@hach1yon): Developer +James Takai / hachiyone (@hach1yon): Core Developer DustInDark (@hitenkoku): Core Developer garigariganzy (@garigariganzy31): Developer 7itoh (@yNitocrypto22): Developer diff --git a/src/afterfact.rs b/src/afterfact.rs index 5cb9fcf0..753c8633 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -42,6 +42,7 @@ pub fn after_fact() { .ok(); process::exit(1); }; + let mut displayflag = false; let mut target: Box = if let Some(csv_path) = configs::CONFIG.read().unwrap().args.value_of("output") { @@ -77,8 +78,13 @@ fn emit_csv(writer: &mut W, displayflag: bool) -> io::Result< } else { wtr = csv::WriterBuilder::new().from_writer(writer); } + let messages = print::MESSAGES.lock().unwrap(); - let mut detect_count = 0; + // levelの区分が"Critical","High","Medium","Low","Informational","Undefined"の6つであるため + let mut total_detect_counts_by_level: Vec = vec![0; 6]; + let mut unique_detect_counts_by_level: Vec = vec![0; 6]; + let mut detected_rule_files: Vec = Vec::new(); + for (time, detect_infos) in messages.iter() { for detect_info in detect_infos { if displayflag { 
@@ -103,17 +109,61 @@ fn emit_csv(writer: &mut W, displayflag: bool) -> io::Result< details: &detect_info.detail, })?; } + let level_suffix = *configs::LEVELMAP + .get(&detect_info.level.to_uppercase()) + .unwrap_or(&0) as usize; + if !detected_rule_files.contains(&detect_info.rulepath) { + detected_rule_files.push(detect_info.rulepath.clone()); + unique_detect_counts_by_level[level_suffix] += 1; + } + total_detect_counts_by_level[level_suffix] += 1; } - detect_count += detect_infos.len(); } println!(""); wtr.flush()?; println!(""); - println!("Total events: {:?}", detect_count); + _print_unique_results( + total_detect_counts_by_level, + "Total".to_string(), + "detections".to_string(), + ); + _print_unique_results( + unique_detect_counts_by_level, + "Unique".to_string(), + "rules".to_string(), + ); Ok(()) } +/// 与えられたユニークな検知数と全体の検知数の情報(レベル別と総計)を元に結果文を標準出力に表示する関数 +fn _print_unique_results(mut counts_by_level: Vec, head_word: String, tail_word: String) { + let levels = Vec::from([ + "Critical", + "High", + "Medium", + "Low", + "Informational", + "Undefined", + ]); + + // configsの登録順番と表示をさせたいlevelの順番が逆であるため + counts_by_level.reverse(); + + // 全体の集計(levelの記載がないためformatの第二引数は空の文字列) + println!( + "{} {}:{}", + head_word, + tail_word, + counts_by_level.iter().sum::() + ); + for (i, level_name) in levels.iter().enumerate() { + println!( + "{} {} {}:{}", + head_word, level_name, tail_word, counts_by_level[i] + ); + } +} fn format_time(time: &DateTime) -> String { if configs::CONFIG.read().unwrap().args.is_present("utc") { format_rfc(time) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 103297d9..d63a73e8 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1,6 +1,5 @@ extern crate csv; -use crate::detections::configs; use crate::detections::print::AlertMessage; use crate::detections::print::MESSAGES; use crate::detections::rule; 
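Review bot: The unique-rule count does `detected_rule_files.contains(&detect_info.rulepath)` followed by `push`, a linear scan over a `Vec` for every detection, which is O(detections × rules) on a large timeline. The `Vec` is declared in the previous hunk; declaring it as `HashSet<String>` collapses the check and insert into one lookup, `if detected_rule_files.insert(detect_info.rulepath.clone()) { unique_detect_counts_by_level[level_suffix] += 1; }`. `level_suffix` comes from `LEVELMAP` with `unwrap_or(&0)` and indexes a six-element vector, so the tallies are only correct if every LEVELMAP value is in `0..=5` — the Japanese comment above the vectors states that assumption and should be kept in English next to the declaration, e.g. `// six buckets: Critical, High, Medium, Low, Informational, Undefined (must match LEVELMAP)`. The leading underscore on `_print_unique_results` suggests an unused item, but it is called twice here; `print_unique_results_by_level` reads better. emit_csv starts outside the hunk.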
@@ -132,7 +131,7 @@ impl Detection { return self; } - pub fn add_aggcondtion_msg(&self) { + pub fn add_aggcondition_msg(&self) { for rule in &self.rules { if !rule.has_agg_condition() { continue; @@ -145,46 +144,11 @@ impl Detection { } } - pub fn print_unique_results(&self) { - let rules = &self.rules; - let levellabel = Vec::from([ - "Critical", - "High", - "Medium", - "Low", - "Informational", - "Undefined", - ]); - // levclcounts is [(Undefined), (Informational), (Low),(Medium),(High),(Critical)] - let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]); - for rule in rules.into_iter() { - if rule.check_exist_countdata() { - let suffix = configs::LEVELMAP - .get( - &rule.yaml["level"] - .as_str() - .unwrap_or("") - .to_owned() - .to_uppercase(), - ) - .unwrap_or(&0); - levelcounts[*suffix as usize] += 1; - } - } - let mut total_unique = 0; - levelcounts.reverse(); - for (i, value) in levelcounts.iter().enumerate() { - println!("{} alerts: {}", levellabel[i], value); - total_unique += value; - } - println!("Unique alerts detected: {}", total_unique); - } - // 複数のイベントレコードに対して、ルールを1個実行します。 fn execute_rule(mut rule: RuleNode, records: Arc>) -> RuleNode { let agg_condition = rule.has_agg_condition(); for record_info in records.as_ref() { - let result = rule.select(&record_info.evtx_filepath, &record_info); + let result = rule.select(&record_info); if !result { continue; } 
@@ -219,34 +183,63 @@ impl Detection { fn insert_agg_message(rule: &RuleNode, agg_result: AggResult) { let output = Detection::create_count_output(rule, &agg_result); MESSAGES.lock().unwrap().insert_message( - agg_result.filepath, - rule.rulepath.to_string(), + "-".to_owned(), + rule.rulepath.to_owned(), agg_result.start_timedate, - rule.yaml["level"].as_str().unwrap_or("").to_string(), - "-".to_string(), - "-".to_string(), - rule.yaml["title"].as_str().unwrap_or("").to_string(), - output.to_string(), + rule.yaml["level"].as_str().unwrap_or("").to_owned(), + "-".to_owned(), + "-".to_owned(), + rule.yaml["title"].as_str().unwrap_or("").to_owned(), + output.to_owned(), ) } ///aggregation conditionのcount部分の検知出力文の文字列を返す関数 fn create_count_output(rule: &RuleNode, agg_result: &AggResult) -> String { - let mut ret: String = "count(".to_owned(); - let key: Vec<&str> = agg_result.key.split("_").collect(); - if key.len() >= 1 { - ret.push_str(key[0]); + // 条件式部分の出力 + let mut ret: String = "[condition] ".to_owned(); + let agg_condition_raw_str: Vec<&str> = rule.yaml["detection"]["condition"] + .as_str() + .unwrap() + .split("|") + .collect(); + // この関数が呼び出されている段階で既にaggregation conditionは存在する前提なのでunwrap前の確認は行わない + let agg_condition = rule.get_agg_condition().unwrap(); + let exist_timeframe = rule.yaml["detection"]["timeframe"] + .as_str() + .unwrap_or("") + .to_string() + != ""; + // この関数が呼び出されている段階で既にaggregation conditionは存在する前提なのでagg_conditionの配列の長さは2となる + ret.push_str(agg_condition_raw_str[1].trim()); + if exist_timeframe { + ret.push_str(" in timeframe"); } - ret.push_str(&") "); - if key.len() >= 2 { - ret.push_str("by "); - ret.push_str(key[1]); + + ret.push_str(&format!(" [result] count:{}", agg_result.data)); + if agg_condition._field_name.is_some() { + ret.push_str(&format!( + " {}:{}", + agg_condition._field_name.as_ref().unwrap(), + agg_result.field_values.join("/") + )); } - ret.push_str(&format!( - "{} in {}.", - agg_result.condition_op_num, - 
rule.yaml["timeframe"].as_str().unwrap_or(""), - )); + + if agg_condition._by_field_name.is_some() { + ret.push_str(&format!( + " {}:{}", + agg_condition._by_field_name.as_ref().unwrap(), + agg_result.key + )); + } + + if exist_timeframe { + ret.push_str(&format!( + " timeframe:{}", + rule.yaml["detection"]["timeframe"].as_str().unwrap() + )); + } + return ret; } pub fn print_rule_load_info( 
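Review bot: `create_count_output` reads the raw condition with `.as_str().unwrap().split("|")` and then indexes `agg_condition_raw_str[1]`, so a rule whose `condition` is not a string, or one that reaches this function without a `|`, panics instead of being reported; the comment asserts the invariant, but rule YAML is user-editable input loaded from disk and the invariant is enforced elsewhere. A non-panicking form is `let agg_condition_raw_str = rule.yaml["detection"]["condition"].as_str().unwrap_or("").splitn(2, '|').nth(1).unwrap_or("").trim();` with `ret.push_str(agg_condition_raw_str);`, which also keeps everything after the first `|` rather than silently dropping text after a second one. The same applies to `rule.yaml["detection"]["timeframe"].as_str().unwrap()` near the end, although that one is guarded by `exist_timeframe`. The enclosing `impl Detection` starts outside the hunk.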
@@ -266,10 +259,196 @@ impl Detection { } } -#[test] -fn test_parse_rule_files() { - let level = "informational"; - let opt_rule_path = Some("./test_files/rules/level_yaml"); - let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path, &filter::exclude_ids()); - assert_eq!(5, cole.len()); +#[cfg(test)] +mod tests { + + use crate::detections::detection::Detection; + use crate::detections::rule::create_rule; + use crate::detections::rule::AggResult; + use crate::filter; + use chrono::{TimeZone, Utc}; + use yaml_rust::YamlLoader; + + #[test] + fn test_parse_rule_files() { + let level = "informational"; + let opt_rule_path = Some("./test_files/rules/level_yaml"); + let cole = + Detection::parse_rule_files(level.to_owned(), opt_rule_path, &filter::exclude_ids()); + assert_eq!(5, cole.len()); + } + + #[test] + fn test_output_aggregation_output_with_output() { + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let agg_result: AggResult = + AggResult::new(2, "_".to_string(), vec![], default_time, ">= 1".to_string()); + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'System' + selection2: + EventID: 7040 + selection3: + param1: 'Windows Event Log' + condition: selection1 and selection2 and selection3 | count() >= 1 + output: testdata + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test = rule_yaml.next().unwrap(); + let mut rule_node = create_rule("testpath".to_string(), test); + rule_node.init().ok(); + let expected_output = "[condition] count() >= 1 [result] count:2"; + assert_eq!( + Detection::create_count_output(&rule_node, &agg_result), + expected_output + ); + } + + #[test] + fn test_output_aggregation_output_no_filed_by() { + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let agg_result: AggResult = + AggResult::new(2, "_".to_string(), vec![], default_time, ">= 1".to_string()); + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'System' + 
selection2: + EventID: 7040 + selection3: + param1: 'Windows Event Log' + condition: selection1 and selection2 and selection3 | count() >= 1 + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test = rule_yaml.next().unwrap(); + let mut rule_node = create_rule("testpath".to_string(), test); + rule_node.init().ok(); + let expected_output = "[condition] count() >= 1 [result] count:2"; + assert_eq!( + Detection::create_count_output(&rule_node, &agg_result), + expected_output + ); + } + + #[test] + fn test_output_aggregation_output_with_timeframe() { + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let agg_result: AggResult = + AggResult::new(2, "_".to_string(), vec![], default_time, ">= 1".to_string()); + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'System' + selection2: + EventID: 7040 + selection3: + param1: 'Windows Event Log' + condition: selection1 and selection2 and selection3 | count() >= 1 + timeframe: 15m + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test = rule_yaml.next().unwrap(); + let mut rule_node = create_rule("testpath".to_string(), test); + rule_node.init().ok(); + let expected_output = + "[condition] count() >= 1 in timeframe [result] count:2 timeframe:15m"; + assert_eq!( + Detection::create_count_output(&rule_node, &agg_result), + expected_output + ); + } + + #[test] + fn test_output_aggregation_output_with_field() { + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let agg_result: AggResult = AggResult::new( + 2, + "_".to_string(), + vec!["7040".to_owned(), "9999".to_owned()], + default_time, + ">= 1".to_string(), + ); + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'System' + selection2: + param1: 'Windows Event Log' + condition: selection1 and selection2 | count(EventID) >= 1 + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test = 
rule_yaml.next().unwrap(); + let mut rule_node = create_rule("testpath".to_string(), test); + rule_node.init().ok(); + let expected_output = "[condition] count(EventID) >= 1 [result] count:2 EventID:7040/9999"; + assert_eq!( + Detection::create_count_output(&rule_node, &agg_result), + expected_output + ); + } + + #[test] + fn test_output_aggregation_output_with_field_by() { + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let agg_result: AggResult = AggResult::new( + 2, + "lsass.exe".to_string(), + vec!["0000".to_owned(), "1111".to_owned()], + default_time, + ">= 1".to_string(), + ); + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'System' + selection2: + param1: 'Windows Event Log' + condition: selection1 and selection2 | count(EventID) by process >= 1 + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test = rule_yaml.next().unwrap(); + let mut rule_node = create_rule("testpath".to_string(), test); + rule_node.init().ok(); + let expected_output = "[condition] count(EventID) by process >= 1 [result] count:2 EventID:0000/1111 process:lsass.exe"; + assert_eq!( + Detection::create_count_output(&rule_node, &agg_result), + expected_output + ); + } + #[test] + fn test_output_aggregation_output_with_by() { + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let agg_result: AggResult = AggResult::new( + 2, + "lsass.exe".to_string(), + vec![], + default_time, + ">= 1".to_string(), + ); + let rule_str = r#" + enabled: true + detection: + selection1: + Channel: 'System' + selection2: + param1: 'Windows Event Log' + condition: selection1 and selection2 | count() by process >= 1 + "#; + let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter(); + let test = rule_yaml.next().unwrap(); + let mut rule_node = create_rule("testpath".to_string(), test); + rule_node.init().ok(); + let expected_output = + "[condition] count() by process >= 1 [result] count:2 process:lsass.exe"; 
+ assert_eq!( + Detection::create_count_output(&rule_node, &agg_result), + expected_output + ); + } } diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index 3f37ed60..984a9fca 100644 --- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -538,10 +538,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!( - rule_node.select(&"testpath".to_owned(), &recinfo), - expect_select - ); + assert_eq!(rule_node.select(&recinfo), expect_select); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -584,7 +581,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -628,7 +625,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_rec) => { assert!(false, "Failed to parse json record."); diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs index d4152518..c675589a 100644 --- a/src/detections/rule/count.rs +++ b/src/detections/rule/count.rs 
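Review bot: Every new test calls `rule_node.init().ok();`, discarding the result, so if `init` ever fails the assertion runs against a half-initialised rule and the failure message points at the output string rather than the real cause; `rule_node.init().expect("test rule should initialise");` fails at the right place. The six tests also repeat the same load/create/init boilerplate, which a small helper taking the YAML string and returning the initialised `RuleNode` would remove, leaving each test with just its `AggResult` and expected string. The tests module is complete within this hunk.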
@@ -4,22 +4,33 @@ use crate::detections::rule::AggregationParseInfo; use crate::detections::rule::Message; use crate::detections::rule::RuleNode; use chrono::{DateTime, TimeZone, Utc}; +use hashbrown::HashMap; use serde_json::Value; -use std::collections::HashMap; use std::num::ParseIntError; +use std::path::Path; use crate::detections::rule::aggregation_parser::AggregationConditionToken; use crate::detections::utils; /// 検知された際にカウント情報を投入する関数 -pub fn count(rule: &mut RuleNode, filepath: &String, record: &Value) { +pub fn count(rule: &mut RuleNode, record: &Value) { let key = create_count_key(&rule, record); + let field_name: String = match rule.get_agg_condition() { + None => String::default(), + Some(aggcondition) => aggcondition + ._field_name + .as_ref() + .unwrap_or(&String::default()) + .to_owned(), + }; + let field_value = + get_alias_value_in_record(rule, &field_name, record, false).unwrap_or(String::default()); let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); countup( rule, - filepath, - &key, + key, + field_value, Message::get_event_time(record).unwrap_or(default_time), ); } 
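Review bot: `count` falls back to `Utc.ymd(1977, 1, 1)` when `Message::get_event_time(record)` returns `None`, so a record with a missing or unparseable timestamp is silently stored as a 1977 event; after the sort in `judge_timeframe` it lands at the front of that key's series and can complete, or break, a timeframe window it never belonged to. A record with no usable time should presumably be skipped with an alert rather than counted, e.g. `let event_time = match Message::get_event_time(record) { Some(t) => t, None => { AlertMessage::alert(&mut std::io::stderr().lock(), format!("record without a usable timestamp not counted. rule file:{}", rule.rulepath)).ok(); return; } };` — if the sentinel is intentional, say so in a comment. Minor: `unwrap_or(String::default())` is `unwrap_or_default()`. The rest of the module is outside this hunk.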
@@ -27,74 +38,84 @@ pub fn count(rule: &mut RuleNode, filepath: &String, record: &Value) { ///count byの条件に合致する検知済みレコードの数を増やすための関数 pub fn countup( rule: &mut RuleNode, - filepath: &String, - key: &str, + key: String, + field_value: String, record_time_value: DateTime, ) { - rule.countdata - .entry(filepath.to_string()) - .or_insert(HashMap::new()); - let value_map = rule.countdata.get_mut(filepath).unwrap(); - value_map.entry(key.to_string()).or_insert(Vec::new()); - let mut prev_value = value_map[key].clone(); - prev_value.push(record_time_value); - value_map.insert(key.to_string(), prev_value); + let value_map = rule.countdata.entry(key).or_insert(Vec::new()); + value_map.push(AggRecordTimeInfo { + field_record_value: field_value, + record_time: record_time_value, + }); } -/// countでgroupbyなどの情報を区分するためのハッシュマップのキーを作成する関数 +/// 与えられたエイリアスから対象レコード内の値を取得してダブルクオーテーションを外す関数。 +/// ダブルクオーテーションを外す理由は結果表示の際に余計なダブルクオーテーションが入るのを防ぐため +/// is_by_aliasはこの関数を呼び出す際はcountのbyの値もしくはfieldの値のどちらかであるためboolとした +fn get_alias_value_in_record( + rule: &RuleNode, + alias: &String, + record: &Value, + is_by_alias: bool, +) -> Option { + if alias == "" { + return None; + } + match utils::get_event_value(alias, record) { + Some(value) => { + return Some(value.to_string().replace("\"", "")); + } + None => { + AlertMessage::alert( + &mut std::io::stderr().lock(), + match is_by_alias { + true => format!( + "count by clause alias value not found in count process. rule file:{} EventID:{}", + Path::new(&rule.rulepath) + .file_name() + .unwrap() + .to_str() + .unwrap(), + utils::get_event_value(&utils::get_event_id_key(), record).unwrap() + ), + false => format!( + "count field clause alias value not found in count process. 
rule file:{} EventID:{}", + Path::new(&rule.rulepath) + .file_name() + .unwrap() + .to_str() + .unwrap(), + utils::get_event_value(&utils::get_event_id_key(), record).unwrap() + ), + }, + ) + .ok(); + return None; + } + }; +} + +/// countでgroupbyなどの情報を区分するためのハッシュマップのキーを作成する関数。 +/// 以下の場合は空文字を返却 +/// groupbyの指定がない、groubpbyで指定したエイリアスがレコードに存在しない場合は_のみとする。空文字ではキーを指定してデータを取得することができなかった pub fn create_count_key(rule: &RuleNode, record: &Value) -> String { - if rule.detection.aggregation_condition.as_ref().is_none() { + let agg_condition = rule.get_agg_condition().unwrap(); + if agg_condition._by_field_name.is_some() { + let by_field_key = agg_condition._by_field_name.as_ref().unwrap(); + return get_alias_value_in_record(rule, by_field_key, record, true) + .unwrap_or("_".to_string()); + } else { return "_".to_string(); } - let aggcondition = rule.detection.aggregation_condition.as_ref().unwrap(); - // recordでaliasが登録されている前提とする - let mut key = "".to_string(); - if aggcondition._field_name.is_some() { - let field_value = aggcondition._field_name.as_ref().unwrap(); - match utils::get_event_value(field_value, record) { - Some(value) => { - key.push_str(&value.to_string().replace("\"", "")); - } - None => { - AlertMessage::alert( - &mut std::io::stderr().lock(), - format!("field_value alias not found.value:{}", field_value), - ) - .ok(); - } - }; - } - key.push_str("_"); - if aggcondition._by_field_name.is_some() { - let by_field_value = aggcondition._by_field_name.as_ref().unwrap(); - match utils::get_event_value(by_field_value, record) { - Some(value) => { - key.push_str(&value.to_string().replace("\"", "")); - } - None => { - AlertMessage::alert( - &mut std::io::stderr().lock(), - format!("by_field_value alias not found.value:{}", by_field_value), - ) - .ok(); - } - } - } - return key; } ///現状のレコードの状態から条件式に一致しているかを判定する関数 -pub fn aggregation_condition_select(rule: &RuleNode, filepath: &String) -> Vec { +pub fn aggregation_condition_select(rule: &RuleNode) -> Vec { // 
recordでaliasが登録されている前提とする - let value_map = rule.countdata.get(filepath).unwrap(); + let value_map = &rule.countdata; let mut ret = Vec::new(); for (key, value) in value_map { - ret.append(&mut judge_timeframe( - &rule, - &filepath.to_string(), - value, - &key.to_string(), - )); + ret.append(&mut judge_timeframe(&rule, &value, &key.to_string())); } return ret; } @@ -129,6 +150,13 @@ pub fn get_str_agg_eq(rule: &RuleNode) -> String { return ret; } +#[derive(Clone, Debug)] +/// countの括弧内の情報とレコードの情報を所持する構造体 +pub struct AggRecordTimeInfo { + pub field_record_value: String, + pub record_time: DateTime, +} + #[derive(Debug)] /// timeframeに設定された情報。SIGMAルール上timeframeで複数の単位(日、時、分、秒)が複合で記載されているルールがなかったためタイプと数値のみを格納する構造体 pub struct TimeFrameInfo { 
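Review bot: In the alert path of `get_alias_value_in_record`, `utils::get_event_value(&utils::get_event_id_key(), record).unwrap()` and `Path::new(&rule.rulepath).file_name().unwrap().to_str().unwrap()` can panic while merely formatting a warning, so a record without an EventID field (or a rule path that is not valid UTF-8) turns a missing-alias notice into a crash of the whole run. Use `utils::get_event_value(&utils::get_event_id_key(), record).map(|v| v.to_string()).unwrap_or_else(|| "-".to_string())` for the EventID and `Path::new(&rule.rulepath).file_name().and_then(|f| f.to_str()).unwrap_or(&rule.rulepath)` for the file name. The two `match is_by_alias` arms build the same message apart from one word, so a single `format!` with `if is_by_alias { "by" } else { "field" }` removes the duplication. The alert is also emitted once per record, which can flood stderr on a large log; reporting once per rule and alias would be kinder. The function is complete within this hunk.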
@@ -239,78 +267,183 @@ pub fn select_aggcon(cnt: i32, aggcondition: &AggregationParseInfo) -> bool { } } +/// condtionの分岐によって同じ型を返すif-letのジェネリクス +fn _if_condition_fn_caller S, S, U: FnMut() -> S>( + condition: bool, + mut process_true: T, + mut process_false: U, +) -> S { + if condition { + process_true() + } else { + process_false() + } +} + /// count済みデータ内でタイムフレーム内に存在するselectの条件を満たすレコードが、timeframe単位でcountの条件を満たしているAggResultを配列として返却する関数 pub fn judge_timeframe( rule: &RuleNode, - filepath: &String, - time_datas: &Vec>, + time_datas: &Vec, key: &String, ) -> Vec { let mut ret: Vec = Vec::new(); let mut time_data = time_datas.clone(); - time_data.sort(); + // 番兵 + let stop_time = Utc.ymd(9999, 12, 31).and_hms(23, 59, 59); let aggcondition = rule.detection.aggregation_condition.as_ref().unwrap(); + let exist_field = aggcondition._field_name.is_some(); + let mut start_point = 0; - // 最初はcountの条件として記載されている分のレコードを取得するためのindex指定 - let mut check_point = start_point + aggcondition._cmp_num - 1; // timeframeで指定された基準の値を秒数として保持 let judge_sec_frame = get_sec_timeframe(&rule.detection.timeframe); - loop { - // 基準となるレコードもしくはcountを最低限満たす対象のレコードのindexが配列の領域を超えていた場合 - if start_point as usize >= time_data.len() || check_point as usize >= time_data.len() { - // 最終のレコードを対象として時刻を確認する - let check_point_date = time_data[time_data.len() - 1]; - let diff = check_point_date.timestamp() - time_data[start_point as usize].timestamp(); - // 対象のレコード数を基準となるindexから計算 - let mut count_set_cnt = time_data.len() - (start_point as usize); - if judge_sec_frame.is_some() && diff > judge_sec_frame.unwrap() { - //すでにcountを満たしている状態で1つずつdiffを確認している場合は適正な個数指定となり、もともとcountの条件が残りデータ個数より多い場合は-1したことによってcountの判定でもfalseになるため - count_set_cnt -= count_set_cnt - 1; - } + let mut loaded_field_value: HashMap = HashMap::new(); - // timeframe内に入っている場合があるため判定を行う - let judge = select_aggcon(count_set_cnt as i32, &aggcondition); - if judge { - ret.push(AggResult::new( - filepath.to_string(), - count_set_cnt as i32, - 
key.to_string(), - time_data[start_point as usize], - get_str_agg_eq(rule), - )); - } - break; + let mut stop_time_datas: Vec = (1..=aggcondition._cmp_num) + .map(|_a| AggRecordTimeInfo { + record_time: stop_time, + field_record_value: "".to_string(), + }) + .collect(); + + time_data.append(&mut stop_time_datas); + time_data.sort_by(|a, b| a.record_time.cmp(&b.record_time)); + + // 次のチェックポイントのindexを取得する関数 + let get_next_checkpoint = |cal_point| { + if cal_point + aggcondition._cmp_num - 1 > (time_data.len() - 1) as i32 { + (time_data.len() - 1) as i32 + } else { + cal_point + aggcondition._cmp_num - 1 } - // 基準となるレコードと時刻比較を行う対象のレコード時刻情報を取得する - let check_point_date = time_data[check_point as usize]; - let diff = check_point_date.timestamp() - time_data[start_point as usize].timestamp(); - // timeframeで指定した情報と比較して時刻差がtimeframeの枠を超えていた場合(timeframeの属性を記載していない場合はこの処理を行わない) - if judge_sec_frame.is_some() && diff > judge_sec_frame.unwrap() { - let count_set_cnt = check_point - start_point; - let judge = select_aggcon(count_set_cnt, &aggcondition); - // timeframe内の対象のレコード数がcountの条件を満たさなかった場合、基準となるレコードを1つずらし、countの判定基準分のindexを設定して、次のレコードから始まるtimeframeの判定を行う - if !judge { - start_point += 1; - check_point = start_point + aggcondition._cmp_num - 1; + }; + // 最初はcountの条件として記載されている分のレコードを取得するためのindex指定 + let mut check_point = get_next_checkpoint(start_point); + + *loaded_field_value + .entry(time_data[0].field_record_value.to_string()) + .or_insert(0) += 1; + + while time_data[start_point as usize].record_time != stop_time + && check_point < time_data.len() as i32 + { + // 基準となるレコードと時刻比較を行う対象のレコード時刻情報を取得する + let check_point_date = &time_data[check_point as usize]; + let diff = check_point_date.record_time.timestamp() + - time_data[start_point as usize].record_time.timestamp(); + // timeframeで指定した情報と比較して時刻差がtimeframeの枠を超えていた場合 + if judge_sec_frame.is_some() && diff > judge_sec_frame.unwrap() { + // 検査対象データが1個しかない状態でaggregation conditionの条件が1であるときにデータ個数が0になってしまう問題への対応 + let 
count_set_cnt = check_point - start_point; + // timeframe内に入っている場合があるため判定を行う + let result_set_cnt: i32 = _if_condition_fn_caller( + exist_field, + || { + time_data[(start_point as usize + 1)..(check_point as usize)] + .iter() + .for_each(|timedata| { + *loaded_field_value + .entry(timedata.field_record_value.to_string()) + .or_insert(0) += 1; + }); + loaded_field_value.len() as i32 + }, + || count_set_cnt as i32, + ); + // timeframe内の対象のレコード数がcountの条件を満たさなかった場合、基準となるレコードを1つずらし、countの判定基準分のindexを設定して、次のレコードから始まるtimeframeの判定を行う + if !select_aggcon(result_set_cnt, &aggcondition) { + _if_condition_fn_caller( + exist_field && time_data[start_point as usize].record_time != stop_time, + || { + let counter = loaded_field_value + .entry( + time_data[start_point as usize] + .field_record_value + .to_string(), + ) + .or_insert(1); + *counter -= 1; + if *counter == 0 as u128 { + loaded_field_value + .remove(&time_data[start_point as usize].field_record_value); + } + }, + || {}, + ); + start_point += 1; + check_point = get_next_checkpoint(start_point); continue; } + let field_values: Vec = loaded_field_value + .keys() + .filter(|key| **key != "") + .map(|key| key.to_string()) + .collect(); //timeframe内の対象のレコード数がcountの条件を満たした場合は返却用の変数に結果を投入する ret.push(AggResult::new( - filepath.to_string(), - count_set_cnt, + result_set_cnt, key.to_string(), - time_data[start_point as usize], + field_values, + time_data[start_point as usize].record_time, get_str_agg_eq(rule), )); // timeframe投入内の対象レコード数がcountの条件を満たした場合は、すでに判定済みのtimeframe内では同様に検知を行うことになり、過検知となってしまうため、今回timeframe内と判定された最後のレコードの次のレコードを次の基準として参照するようにindexを設定する start_point = check_point; - check_point = start_point + aggcondition._cmp_num - 1; + check_point = get_next_checkpoint(start_point); + loaded_field_value = HashMap::new(); + *loaded_field_value + .entry(time_data[0].field_record_value.to_string()) + .or_insert(0) += 1; } else { - // timeframeで指定した情報と比較して。時刻差がtimeframeの枠を超えていない場合は次のレコード時刻情報を参照して、timeframe内であるかを判定するため + // 
条件の基準が1の時に最初の要素を2回読み込む事を防止するため + _if_condition_fn_caller( + check_point_date.record_time != stop_time && check_point != 0, + || { + *loaded_field_value + .entry(check_point_date.field_record_value.to_string()) + .or_insert(0) += 1; + () + }, + || {}, + ); + // timeframeで指定した情報と比較して、時刻差がtimeframeの枠を超えていない場合は次のレコード時刻情報を参照して、timeframe内であるかを判定するため check_point += 1; } } + + // timeframeがないルールの場合の判定(フィールドの読み込みはwhile内で実施済み) + + if judge_sec_frame.is_none() { + if exist_field && select_aggcon(loaded_field_value.keys().len() as i32, &aggcondition) { + let field_values: Vec = loaded_field_value + .keys() + .filter(|key| **key != "") + .map(|key| key.to_string()) + .collect(); + //timeframe内の対象のレコード数がcountの条件を満たした場合は返却用の変数に結果を投入する + ret.push(AggResult::new( + loaded_field_value.values().map(|value| *value as i32).sum(), + key.to_string(), + field_values, + time_data[start_point as usize].record_time, + get_str_agg_eq(rule), + )); + } else { + if select_aggcon( + *loaded_field_value.get("").unwrap_or(&0) as i32, + &aggcondition, + ) { + //timeframe内の対象のレコード数がcountの条件を満たした場合は返却用の変数に結果を投入する + ret.push(AggResult::new( + *loaded_field_value.get("").unwrap_or(&0) as i32, + key.to_string(), + vec![], + time_data[start_point as usize].record_time, + get_str_agg_eq(rule), + )); + } + } + } return ret; } @@ -376,14 +509,13 @@ mod tests { condition: selection1 and selection2 and selection3 | count() >= 1 output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); let mut expected_count = HashMap::new(); expected_count.insert("_".to_owned(), 2); let expected_agg_result: Vec = vec![AggResult::new( - "testpath".to_string(), 2, "_".to_string(), - default_time, + vec![], + Utc.ymd(1977, 1, 1).and_hms(0, 0, 0), ">= 1".to_string(), )]; check_count( 
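Review bot: A rule without `timeframe` whose threshold is 3 or more under-counts, because `loaded_field_value` is seeded with `time_data[0]` alone and the else-branch then only loads `time_data[check_point]` from `check_point = cmp_num - 1` onward, so indices 1..cmp_num-2 are never counted; with `count() >= 3` and exactly three matching records the `""` counter ends at 2 and nothing is reported, and `count(Field) >= 3` with three distinct values fails the same way through `loaded_field_value.len()`. The reseed after a successful window repeats the slip in a different form: it enters `time_data[0]` although the new window starts at `start_point`, i.e. it should be `.entry(time_data[start_point as usize].field_record_value.to_string())`. I would replace both seedings with a loop over the real records of the initial window, as below, and then look at the over-timeframe branch, which re-adds `start_point+1..check_point` on top of what the else-branch already inserted — the per-key counts look inflated and only the key set is trustworthy, so the `*counter -= 1` eviction may leave stale keys. `judge_timeframe` starts and ends inside this hunk.
```rust
// … unchanged: sentinel padding, sort_by, get_next_checkpoint …
let mut check_point = get_next_checkpoint(start_point);

// Seed the counter with every real record of the first window; seeding index 0 alone
// skips indices 1..cmp_num-2 when no timeframe forces the catch-up branch to run.
// max(.., start_point + 1) keeps the cmp_num == 1 case (check_point == start_point) loading index 0.
for timedata in &time_data[start_point as usize..check_point.max(start_point + 1) as usize] {
    if timedata.record_time != stop_time {
        *loaded_field_value
            .entry(timedata.field_record_value.to_string())
            .or_insert(0) += 1;
    }
}
// … unchanged: while loop; after a match, reseed the same way from the new start_point …
```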
@@ -429,23 +561,21 @@ mod tests { timeframe: 15m output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); - let record_time = Utc.ymd(1996, 2, 27).and_hms(1, 5, 1); let mut expected_count = HashMap::new(); expected_count.insert("_".to_owned(), 2); let mut expected_agg_result: Vec = Vec::new(); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 1, "_".to_string(), - default_time, + vec![], + Utc.ymd(1977, 1, 1).and_hms(0, 0, 0), ">= 1".to_string(), )); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 1, "_".to_string(), - record_time, + vec![], + Utc.ymd(1996, 2, 27).and_hms(1, 5, 1), ">= 1".to_string(), )); check_count( @@ -471,14 +601,13 @@ mod tests { condition: selection1 and selection2 and selection3 | count(Channel) >= 1 output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); let mut expected_count = HashMap::new(); - expected_count.insert("System_".to_owned(), 1); + expected_count.insert("_".to_owned(), 1); let expected_agg_result = AggResult::new( - "testpath".to_string(), 1, - "System_".to_string(), - default_time, + "_".to_string(), + vec!["System".to_owned()], + Utc.ymd(1977, 1, 1).and_hms(0, 0, 0), ">= 1".to_string(), ); check_count( 
@@ -520,24 +649,22 @@ mod tests { output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); - let record_time = Utc.ymd(1996, 2, 27).and_hms(1, 5, 1); let mut expected_count = HashMap::new(); - expected_count.insert("7040_System".to_owned(), 1); - expected_count.insert("9999_Test".to_owned(), 1); + expected_count.insert("System".to_owned(), 1); + expected_count.insert("Test".to_owned(), 1); let mut expected_agg_result: Vec = Vec::new(); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 1, - "7040_System".to_owned(), - default_time, + "System".to_owned(), + vec!["7040".to_owned()], + Utc.ymd(1977, 1, 1).and_hms(0, 0, 0), ">= 1".to_string(), )); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 1, - "9999_Test".to_owned(), - record_time, + "Test".to_owned(), + vec!["9999".to_owned()], + Utc.ymd(1996, 2, 27).and_hms(1, 5, 1), ">= 1".to_string(), )); check_count( 
@@ -579,24 +706,22 @@ mod tests { timeframe: 1h output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); - let record_time = Utc.ymd(1977, 1, 1).and_hms(0, 5, 0); let mut expected_count = HashMap::new(); - expected_count.insert("7040_Windows Event Log".to_owned(), 1); - expected_count.insert("9999_Test".to_owned(), 1); + expected_count.insert("Windows Event Log".to_owned(), 1); + expected_count.insert("Test".to_owned(), 1); let mut expected_agg_result: Vec = Vec::new(); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 1, - "7040_Windows Event Log".to_owned(), - default_time, + "Windows Event Log".to_owned(), + vec!["7040".to_owned()], + Utc.ymd(1977, 1, 1).and_hms(0, 0, 0), ">= 1".to_string(), )); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 1, - "9999_Test".to_owned(), - record_time, + "Test".to_owned(), + vec!["9999".to_owned()], + Utc.ymd(1977, 1, 1).and_hms(0, 5, 0), ">= 1".to_string(), )); check_count( @@ -638,14 +763,14 @@ mod tests { let test = rule_yaml.next().unwrap(); let mut rule_node = create_rule("testpath".to_string(), test); let init_result = rule_node.init(); - assert_eq!(init_result.is_ok(), true); + assert!(init_result.is_ok()); let target = vec![SIMPLE_RECORD_STR, record_str]; for record in target { match serde_json::from_str(record) { Ok(rec) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(rec, "testpath".to_owned(), &keys); - let _result = rule_node.select(&"testpath".to_string(), &recinfo); + let _result = rule_node.select(&recinfo); } Err(_rec) => { assert!(false, "failed to parse json record."); 
@@ -654,13 +779,7 @@ mod tests { } //countupの関数が機能しているかを確認 assert_eq!( - *&rule_node - .countdata - .get("testpath") - .unwrap() - .get(&"7040_".to_owned()) - .unwrap() - .len() as i32, + *&rule_node.countdata.get(&"_".to_owned()).unwrap().len() as i32, 2 ); let judge_result = rule_node.judge_satisfy_aggcondition(); @@ -673,7 +792,7 @@ mod tests { { "Event": { "System": { - "EventID": 7040, + "EventID": 9999, "Channel": "System", "TimeCreated_attributes": { "SystemTime": "1977-01-01T00:05:00Z" @@ -698,15 +817,14 @@ mod tests { output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); let mut expected_count = HashMap::new(); - expected_count.insert("7040_System".to_owned(), 2); + expected_count.insert("System".to_owned(), 2); let mut expected_agg_result: Vec = Vec::new(); expected_agg_result.push(AggResult::new( - "testpath".to_string(), 2, - "7040_System".to_owned(), - default_time, + "System".to_owned(), + vec!["7040".to_owned(), "9999".to_owned()], + Utc.ymd(1977, 1, 1).and_hms(0, 0, 0), ">= 2".to_string(), )); check_count( 
@@ -716,6 +834,371 @@ mod tests { expected_agg_result, ); } + + #[test] + /// countで括弧内の記載、byの記載両方がありtimeframe内に存在する場合にruleでcountの検知ができることを確認する(countの括弧内の項目が異なる場合) + fn test_count_exist_field_and_by_with_timeframe_other_field_value() { + let record_str: &str = r#" + { + "Event": { + "System": { + "EventID": 9999, + "Channel": "System", + "TimeCreated_attributes": { + "SystemTime": "1977-01-01T00:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log", + "param2": "auto start" + } + }, + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + } + }"#; + let rule_str = r#" + enabled: true + detection: + selection1: + param1: 'Windows Event Log' + condition: selection1 | count(EventID) by Channel >= 1 + timeframe: 1h + output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + "#; + + let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0); + let mut expected_count = HashMap::new(); + expected_count.insert("System".to_owned(), 2); + let mut expected_agg_result: Vec = Vec::new(); + expected_agg_result.push(AggResult::new( + 2, + "System".to_owned(), + vec!["7040".to_owned(), "9999".to_owned()], + default_time, + ">= 1".to_string(), + )); + check_count( + rule_str, + vec![SIMPLE_RECORD_STR, record_str], + expected_count, + expected_agg_result, + ); + } + + // timeframeの検査 + // timeframe=2hで、パイプ以降はcount(EventID) >= 3とする。 + // + // このとき先頭の3行だと検知しないが、2行目から4行目は検知するはず + // このように先頭行ではなく、途中から数えて検知するパターンをチェックする。 + // 0:30 EventID=1 + // 1:30 EventID=1 + // 2:30 EventID=2 + // 3:30 EventID=3 + #[test] + fn test_count_timeframe() { + let record_str1: &str = r#" + { + "Event": { + "System": { + "EventID": 1, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T00:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str2: &str = r#" + { + "Event": { + "System": { + "EventID": 1, + "TimeCreated_attributes": { + 
"SystemTime": "1977-01-09T01:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str3: &str = r#" + { + "Event": { + "System": { + "EventID": 2, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T02:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str4: &str = r#" + { + "Event": { + "System": { + "EventID": 3, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T03:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let rule_str = r#" + enabled: true + detection: + selection1: + param1: 'Windows Event Log' + condition: selection1 | count(EventID) >= 3 + timeframe: 2h + output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + "#; + + let default_time = Utc.ymd(1977, 1, 9).and_hms(1, 30, 0); + let mut expected_count = HashMap::new(); + expected_count.insert("_".to_owned(), 4); + let mut expected_agg_result: Vec = Vec::new(); + expected_agg_result.push(AggResult::new( + 3, + "_".to_owned(), + vec!["1".to_owned(), "2".to_owned(), "3".to_owned()], + default_time, + ">= 3".to_string(), + )); + check_count( + rule_str, + vec![record_str1, record_str2, record_str3, record_str4], + expected_count, + expected_agg_result, + ); + } + + // timeframeの検査 + // timeframe=2hで、パイプ以降はcount(EventID) >= 3とする。 + // + // このパターンをチェック + // 0:30 EventID=1 + // 1:30 EventID=1 + // 2:30 EventID=2 + // 3:30 EventID=2 + // 4:30 EventID=3 + // 5:30 EventID=4 + // 19:00 EventID=1 + // 20:00 EventID=1 + // 21:00 EventID=3 + // 22:00 EventID=4 + #[test] + fn test_count_timeframe2() { + let record_str1: &str = r#" + { + "Event": { + "System": { + "EventID": 1, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T00:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str2: &str = r#" + { + "Event": { + "System": { + "EventID": 1, + 
"TimeCreated_attributes": { + "SystemTime": "1977-01-09T01:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str3: &str = r#" + { + "Event": { + "System": { + "EventID": 2, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T02:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str4: &str = r#" + { + "Event": { + "System": { + "EventID": 2, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T03:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str5: &str = r#" + { + "Event": { + "System": { + "EventID": 3, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T04:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str6: &str = r#" + { + "Event": { + "System": { + "EventID": 4, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T05:30:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str7: &str = r#" + { + "Event": { + "System": { + "EventID": 1, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T19:00:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str8: &str = r#" + { + "Event": { + "System": { + "EventID": 1, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T20:00:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str9: &str = r#" + { + "Event": { + "System": { + "EventID": 3, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T21:00:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let record_str10: &str = r#" + { + "Event": { + "System": { + "EventID": 4, + "TimeCreated_attributes": { + "SystemTime": "1977-01-09T22:00:00Z" + } + }, + "EventData": { + "param1": "Windows Event Log" + } + } + }"#; + + let rule_str = r#" + enabled: true + detection: + selection1: + param1: 'Windows Event 
Log' + condition: selection1 | count(EventID) >= 3 + timeframe: 2h + output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' + "#; + + let mut expected_count = HashMap::new(); + expected_count.insert("_".to_owned(), 10); + let mut expected_agg_result: Vec = Vec::new(); + expected_agg_result.push(AggResult::new( + 3, + "_".to_owned(), + vec!["2".to_owned(), "3".to_owned(), "4".to_owned()], + Utc.ymd(1977, 1, 9).and_hms(3, 30, 0), + ">= 3".to_string(), + )); + + expected_agg_result.push(AggResult::new( + 3, + "_".to_owned(), + vec!["1".to_owned(), "3".to_owned(), "4".to_owned()], + Utc.ymd(1977, 1, 9).and_hms(20, 00, 0), + ">= 3".to_string(), + )); + check_count( + rule_str, + vec![ + record_str1, + record_str2, + record_str3, + record_str4, + record_str5, + record_str6, + record_str7, + record_str8, + record_str9, + record_str10, + ], + expected_count, + expected_agg_result, + ); + } + /// countで対象の数値確認を行うためのテスト用関数 fn check_count( rule_str: &str, @@ -735,7 +1218,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - let result = &rule_node.select(&"testpath".to_owned(), &recinfo); + let result = &rule_node.select(&recinfo); assert_eq!(result, &true); } Err(_rec) => { 
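Review bot: None of the added tests exercises a count rule without `timeframe` and a threshold of 3 or more, which is the path in `judge_timeframe` where only `time_data[0]` and `time_data[check_point..]` are ever loaded; both `test_count_timeframe` and `test_count_timeframe2` set `timeframe: 2h`, and the earlier no-timeframe tests on this page stop at `>= 2`. I would add a sibling of `test_count_timeframe` whose rule is `condition: selection1 | count(EventID) >= 3` with no `timeframe`, feeding `record_str2`, `record_str3` and `record_str4` (EventIDs 1, 2, 3) and expecting one `AggResult` with data 3, key `"_"` and field values 1, 2, 3, plus a `count() >= 3` variant with the same three records expecting data 3. As far as I can trace the loop, both would fail today, which is the reason to add them. `check_count` starts at the end of this hunk and continues past it.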
@@ -744,27 +1227,23 @@ mod tests { } } let agg_results = &rule_node.judge_satisfy_aggcondition(); - let mut expect_filepath = vec![]; + assert_eq!(agg_results.len(), expect_agg_results.len()); + let mut expect_data = vec![]; let mut expect_key = vec![]; + let mut expect_field_values = vec![]; let mut expect_start_timedate = vec![]; let mut expect_condition_op_num = vec![]; for expect_agg in expect_agg_results { let expect_count = expected_counts.get(&expect_agg.key).unwrap_or(&-1); //countupの関数が機能しているかを確認 assert_eq!( - *&rule_node - .countdata - .get("testpath") - .unwrap() - .get(&expect_agg.key) - .unwrap() - .len() as i32, + *&rule_node.countdata.get(&expect_agg.key).unwrap().len() as i32, *expect_count ); - expect_filepath.push(expect_agg.filepath); expect_data.push(expect_agg.data); expect_key.push(expect_agg.key); + expect_field_values.push(expect_agg.field_values); expect_start_timedate.push(expect_agg.start_timedate); expect_condition_op_num.push(expect_agg.condition_op_num); } @@ -773,9 +1252,14 @@ mod tests { let index = expect_start_timedate .binary_search(&agg_result.start_timedate) .unwrap(); - assert_eq!(agg_result.filepath, expect_filepath[index]); assert_eq!(agg_result.data, expect_data[index]); assert_eq!(agg_result.key, expect_key[index]); + assert!(agg_result.field_values.len() == expect_field_values[index].len()); + for expect_field_value in &expect_field_values[index] { + // テストによってはtimeframeの値と各fieldの値で配列の順番が想定したものと変化してしまう可能性があるため配列の長さを確認したうえで期待した各要素が存在するかを確認する。 + // field`要素の順番については以降の処理で関連しない + assert!(agg_result.field_values.contains(&expect_field_value)); + } assert_eq!(agg_result.condition_op_num, expect_condition_op_num[index]); } } diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index f5800c14..aacf3672 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs 
@@ -707,7 +707,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "failed to parse json record."); @@ -737,7 +737,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -767,7 +767,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "failed to parse json record."); @@ -798,7 +798,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -829,7 +829,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); 
@@ -859,7 +859,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -889,7 +889,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -920,7 +920,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -951,7 +951,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -982,7 +982,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); 
@@ -1013,7 +1013,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1044,7 +1044,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1074,7 +1074,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1108,7 +1108,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1142,7 +1142,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); 
@@ -1175,7 +1175,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1217,7 +1217,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -1259,7 +1259,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -1301,7 +1301,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -1343,7 +1343,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_rec) => { assert!(false, "Failed to parse json record."); 
@@ -1385,7 +1385,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -1427,7 +1427,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -1457,7 +1457,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1487,7 +1487,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1517,7 +1517,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); 
@@ -1605,7 +1605,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1635,7 +1635,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1667,7 +1667,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -1699,7 +1699,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index 0b50e470..ebea89fd 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -15,7 +15,7 @@ use self::aggregation_parser::AggregationParseInfo; mod condition_parser; mod count; -use self::count::TimeFrameInfo; +use self::count::{AggRecordTimeInfo, TimeFrameInfo}; use super::detection::EvtxRecordInfo; 
@@ -28,7 +28,7 @@ pub struct RuleNode { pub rulepath: String, pub yaml: Yaml, detection: DetectionNode, - countdata: HashMap>>>, + countdata: HashMap>, } impl Debug for RuleNode { @@ -66,10 +66,10 @@ impl RuleNode { } } - pub fn select(&mut self, filepath: &String, event_record: &EvtxRecordInfo) -> bool { + pub fn select(&mut self, event_record: &EvtxRecordInfo) -> bool { let result = self.detection.select(event_record); - if result { - count::count(self, filepath, &event_record.record); + if result && self.has_agg_condition() { + count::count(self, &event_record.record); } return result; } @@ -83,14 +83,23 @@ impl RuleNode { if !self.has_agg_condition() { return ret; } - for filepath in self.countdata.keys() { - ret.append(&mut count::aggregation_condition_select(&self, &filepath)); - } + ret.append(&mut count::aggregation_condition_select(&self)); return ret; } pub fn check_exist_countdata(&self) -> bool { self.countdata.len() > 0 } + /// ルール内のAggregationParseInfo(Aggregation Condition)を取得する関数 + pub fn get_agg_condition(&self) -> Option<&AggregationParseInfo> { + match self.detection.aggregation_condition.as_ref() { + None => { + return None; + } + Some(agg_parse_info) => { + return Some(agg_parse_info); + } + } + } } // RuleNodeのdetectionに定義されているキーの一覧を取得する。 @@ -293,12 +302,12 @@ impl DetectionNode { #[derive(Debug)] /// countなどのaggregationの結果を出力する構造体 pub struct AggResult { - /// evtx file path - pub filepath: String, /// countなどの値 pub data: i32, - /// (countの括弧内の記載)_(count byで指定された条件)で設定されたキー + /// count byで指定された条件のレコード内での値 pub key: String, + /// countの括弧内指定された項目の検知されたレコード内での値の配列。括弧内で指定がなかった場合は長さ0の配列となる + pub field_values: Vec, ///検知したブロックの最初のレコードの時間 pub start_timedate: DateTime, ///条件式の情報 
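Review bot: Dropping the file path from the aggregation key in `select` (and from `countdata` in the hunk above it) means the count/timeframe state of a rule is now merged across every evtx file in one run; if a `count() by ... | > N` condition is meant to be evaluated per log file or per host, events from different files will be summed together and can fire (or suppress) an aggregation alert that no single file would produce. If cross-file aggregation is the intent, say so where the state lives, e.g. on the `countdata` field: `/// Aggregation state for this rule, shared across all input files; keyed by the 'by' field values`, and consider keying on the record's Computer field if per-host semantics are wanted. The key type of `countdata` is lost in this rendering, so the scope change is inferred from the removed `filepath` parameter. The added `has_agg_condition()` guard is a good change since `count::count` is now reached only for rules that declare an aggregation.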
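Review bot: `get_agg_condition` re-implements `Option::as_ref` with a two-arm match and explicit returns; the whole body can be `self.detection.aggregation_condition.as_ref()`, which is what clippy would flag too. The doc comment is in Japanese while the rest of the public API is read by non-Japanese users, so an English line such as `/// Returns the aggregation condition (count() by ...) parsed from this rule, if it declares one` would help. No behavioural difference is implied; this is style only.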
@@ -307,16 +316,16 @@ pub struct AggResult { impl AggResult { pub fn new( - filepath: String, data: i32, key: String, + field_values: Vec, start_timedate: DateTime, condition_op_num: String, ) -> AggResult { return AggResult { - filepath: filepath, data: data, key: key, + field_values: field_values, start_timedate: start_timedate, condition_op_num: condition_op_num, }; @@ -361,7 +370,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -391,7 +400,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -421,7 +430,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -504,7 +513,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); 
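Review bot: Removing `filepath` from `AggResult` (the struct hunk that begins above this one) means an aggregation alert no longer records which evtx file(s) the counted events came from, which matters for triage and for reproducing a finding against the original evidence once several files are analysed in one run; a bare count plus the `by` key cannot be traced back to a source file. If the path was carried into the output message before this change, consider keeping provenance, e.g. `pub source_files: Vec<String>` populated from the matched records, or at least the path of the record that supplies `start_timedate`. Whether the path was actually surfaced in output cannot be confirmed from these hunks. For the new `field_values` field an English doc line such as `/// Values of the count(...) field seen in the matched records; empty when the count has no field` would mirror the Japanese comment for other readers (the element type of the `Vec` is lost in this rendering).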
@@ -563,7 +572,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -629,7 +638,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -673,7 +682,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -718,7 +727,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -782,7 +791,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); 
@@ -846,7 +855,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -892,7 +901,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_rec) => { assert!(false, "Failed to parse json record."); @@ -950,17 +959,11 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - let result = rule_node.select(&"testpath".to_string(), &recinfo); + let result = rule_node.select(&recinfo); assert_eq!(rule_node.detection.aggregation_condition.is_some(), true); assert_eq!(result, true); assert_eq!( - *&rule_node - .countdata - .get("testpath") - .unwrap() - .get(key) - .unwrap() - .len() as i32, + *&rule_node.countdata.get(key).unwrap().len() as i32, expect_count ); } diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs index c33a4db0..4d88bedd 100644 --- a/src/detections/rule/selectionnodes.rs +++ b/src/detections/rule/selectionnodes.rs @@ -432,7 +432,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); 
@@ -465,7 +465,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -497,7 +497,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -529,7 +529,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); + assert_eq!(rule_node.select(&recinfo), true); } Err(_) => { assert!(false, "Failed to parse json record."); @@ -561,7 +561,7 @@ mod tests { Ok(record) => { let keys = detections::rule::get_detection_keys(&rule_node); let recinfo = utils::create_rec_info(record, "testpath".to_owned(), &keys); - assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); + assert_eq!(rule_node.select(&recinfo), false); } Err(_) => { assert!(false, "Failed to parse json record."); diff --git a/src/main.rs b/src/main.rs index 425d0a9d..50abee7d 100644 --- a/src/main.rs +++ b/src/main.rs @@ -171,7 +171,6 @@ impl App { pb.inc(); } after_fact(); - detection.print_unique_results(); } // Windowsイベントログファイルを1ファイル分解析する。 @@ -237,7 +236,7 @@ impl App { detection = detection.start(&self.rt, records_per_detect); } - detection.add_aggcondtion_msg(); + detection.add_aggcondition_msg(); tl.tm_stats_dsp_msg(); return detection; 
diff --git a/src/timeline/timeline.rs b/src/timeline/timeline.rs index 75603540..890212af 100644 --- a/src/timeline/timeline.rs +++ b/src/timeline/timeline.rs @@ -11,7 +11,7 @@ pub struct Timeline { impl Timeline { pub fn new() -> Timeline { let totalcnt = 0; - let filepath = "".to_owned(); + let filepath = String::default(); let starttm = "".to_string(); let endtm = "".to_string(); let statslst = HashMap::new(); diff --git a/src/yaml.rs b/src/yaml.rs index 4326d9f8..4411afb2 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -191,7 +191,7 @@ mod tests { }; let _ = &yaml.read_dir( "test_files/rules/yaml/".to_string(), - &"".to_owned(), + &String::default(), &exclude_ids, ); assert_ne!(yaml.files.len(), 0); From 0bce3800b7562663541e8318bc08e526d8187466 Mon Sep 17 00:00:00 2001 
From: itiB Date: Sun, 19 Dec 2021 20:50:20 +0900 Subject: [PATCH 22/22] separate rules to submodule (#304) * rm: rules * Add: hayabusa-rules to submodule --- .gitmodules | 3 + rules | 1 + ...radeAttack_PowershellV2DowngradeAttack.yml | 29 --- ...earWindowsEventLogs_SecurityLogCleared.yml | 28 --- ...eralMovement_LogonFailure-UnknownError.yml | 28 --- ...ralMovement_LogonFailure-WrongPassword.yml | 25 -- ...ralMovement_LogonFailure-WrongUsername.yml | 25 -- ...ltiple_UnknownProcessUsedHighPrivilege.yml | 48 ---- ...nt-LocalAccount_ComputerAccountCreated.yml | 28 --- ...ccount-LocalAccount_UserAccountCreated.yml | 30 --- ...pulation_UserAddedToGlobalDomainAdmins.yml | 31 --- ...ulation_UserAddedToGlobalSecurityGroup.yml | 30 --- ...on_UserAddedToLocalAdministratorsGroup.yml | 29 --- ...tion_UserAddedToLocalDomainAdminsGroup.yml | 29 --- ...pulation_UserAddedToLocalSecurityGroup.yml | 32 --- ...OrForgeKerberosTickets_AS-REP-Roasting.yml | 29 --- ...alOrForgeKerberosTickets_Kerberoasting.yml | 29 --- ...ClearWindowsEventLogs_SystemLogCleared.yml | 27 -- ...Logging_EventLogServiceStartupDisabled.yml | 27 -- ...ndowsService_MaliciousServiceInstalled.yml | 32 --- .../59_BITS-Jobs_BitsJobCreation.yml | 30 --- ...PowerShell_PowershellExecutionPipeline.yml | 30 --- .../Logons/4624_LogonType-0-System.yml | 25 -- .../4624_LogonType-10-RemoteInteractive.yml | 25 -- .../4624_LogonType-11-CachedInteractive.yml | 25 -- ...4_LogonType-12-CachedRemoteInteractive.yml | 25 -- .../Logons/4624_LogonType-13-CachedUnlock.yml | 25 -- .../Logons/4624_LogonType-2-Interactive.yml | 25 -- .../Logons/4624_LogonType-3-Network.yml | 30 --- .../Logons/4624_LogonType-4-Batch.yml | 25 -- .../Logons/4624_LogonType-5-Service.yml | 30 --- .../Logons/4624_LogonType-7-Unlock.yml | 25 -- .../4624_LogonType-8-NetworkCleartext.yml | 25 -- .../4624_LogonType-9-NewInteractive.yml | 25 -- .../events/Security/Logons/4634_Logoff.yml | 27 -- .../Logons/4647_LogoffUserInitiated.yml | 24 -- 
.../Security/Logons/4672_AdminLogon.yml | 30 --- .../Logons/4768_KerberosTGT-Request.yml | 24 -- .../4769_KerberosServiceTicketRequest.yml | 24 -- .../Logons/4776_NTLM-LogonToLocalAccount.yml | 24 -- .../8001_WirelessAP-Connect.yml | 24 -- .../win_aadhealth_mon_agent_regkey_access.yml | 40 --- .../win_aadhealth_svc_agent_regkey_access.yml | 42 ---- .../win_account_backdoor_dcsync_rights.yml | 35 --- rules/sigma/builtin/win_account_discovery.yml | 44 ---- .../builtin/win_ad_object_writedac_access.yml | 32 --- ...win_ad_replication_non_machine_account.yml | 42 ---- .../sigma/builtin/win_ad_user_enumeration.yml | 35 --- ...e_template_configuration_vulnerability.yml | 35 --- ...mplate_configuration_vulnerability_eku.yml | 49 ---- rules/sigma/builtin/win_admin_rdp_login.yml | 37 --- .../sigma/builtin/win_admin_share_access.yml | 29 --- ...in_alert_active_directory_user_control.yml | 32 --- .../builtin/win_alert_ad_user_backdoors.yml | 53 ---- .../win_alert_enable_weak_encryption.yml | 91 ------- .../sigma/builtin/win_alert_lsass_access.yml | 31 --- .../builtin/win_alert_mimikatz_keywords.yml | 46 ---- rules/sigma/builtin/win_alert_ruler.yml | 41 --- ..._applocker_file_was_not_allowed_to_run.yml | 48 ---- .../builtin/win_apt_carbonpaper_turla.yml | 31 --- .../builtin/win_apt_chafer_mar18_security.yml | 42 ---- .../builtin/win_apt_chafer_mar18_system.yml | 39 --- rules/sigma/builtin/win_apt_gallium.yml | 39 --- rules/sigma/builtin/win_apt_slingshot.yml | 32 --- rules/sigma/builtin/win_apt_stonedrill.yml | 30 --- .../builtin/win_apt_turla_service_png.yml | 28 --- rules/sigma/builtin/win_apt_wocao.yml | 38 --- ...ary_shell_execution_via_settingcontent.yml | 35 --- .../builtin/win_asr_bypass_via_appvlp_re.yml | 30 --- rules/sigma/builtin/win_atsvc_task.yml | 36 --- rules/sigma/builtin/win_audit_cve.yml | 39 --- rules/sigma/builtin/win_av_relevant_match.yml | 44 ---- .../builtin/win_camera_microphone_access.yml | 32 --- .../win_cobaltstrike_service_installs.yml | 49 ---- 
.../win_dce_rpc_smb_spoolss_named_pipe.yml | 31 --- .../builtin/win_dcom_iertutil_dll_hijack.yml | 30 --- rules/sigma/builtin/win_dcsync.yml | 41 --- .../builtin/win_disable_event_logging.yml | 40 --- .../win_dpapi_domain_backupkey_extraction.yml | 31 --- ..._dpapi_domain_masterkey_backup_attempt.yml | 29 --- rules/sigma/builtin/win_etw_modification.yml | 37 --- rules/sigma/builtin/win_event_log_cleared.yml | 31 --- .../builtin/win_exchange_transportagent.yml | 28 --- ...win_exploit_cve_2021_1675_printspooler.yml | 46 ---- ...cve_2021_1675_printspooler_operational.yml | 32 --- ...it_cve_2021_1675_printspooler_security.yml | 35 --- rules/sigma/builtin/win_external_device.yml | 29 --- .../win_global_catalog_enumeration.yml | 34 --- .../sigma/builtin/win_gpo_scheduledtasks.yml | 38 --- rules/sigma/builtin/win_hack_smbexec.yml | 36 --- .../builtin/win_hidden_user_creation.yml | 28 --- ...n_hybridconnectionmgr_svc_installation.yml | 28 --- .../win_hybridconnectionmgr_svc_running.yml | 32 --- rules/sigma/builtin/win_impacket_psexec.yml | 32 --- .../sigma/builtin/win_impacket_secretdump.yml | 35 --- .../win_invoke_obfuscation_clip_services.yml | 28 --- ...oke_obfuscation_clip_services_security.yml | 31 --- ...ke_obfuscation_obfuscated_iex_services.yml | 38 --- ...ation_obfuscated_iex_services_security.yml | 43 ---- .../win_invoke_obfuscation_stdin_services.yml | 28 --- ...ke_obfuscation_stdin_services_security.yml | 31 --- .../win_invoke_obfuscation_var_services.yml | 28 --- ...voke_obfuscation_var_services_security.yml | 31 --- ...voke_obfuscation_via_compress_services.yml | 28 --- ...scation_via_compress_services_security.yml | 31 --- ...invoke_obfuscation_via_rundll_services.yml | 28 --- ...fuscation_via_rundll_services_security.yml | 31 --- ..._invoke_obfuscation_via_stdin_services.yml | 28 --- ...bfuscation_via_stdin_services_security.yml | 31 --- ...voke_obfuscation_via_use_clip_services.yml | 28 --- ...scation_via_use_clip_services_security.yml | 31 --- 
...oke_obfuscation_via_use_mshta_services.yml | 28 --- ...cation_via_use_mshta_services_security.yml | 31 --- ..._obfuscation_via_use_rundll32_services.yml | 28 --- ...ion_via_use_rundll32_services_security.yml | 31 --- ...in_invoke_obfuscation_via_var_services.yml | 28 --- ..._obfuscation_via_var_services_security.yml | 31 --- rules/sigma/builtin/win_iso_mount.yml | 37 --- rules/sigma/builtin/win_lm_namedpipe.yml | 54 ---- .../win_lolbas_execution_of_nltest.yml | 35 --- .../win_lsass_access_non_system_account.yml | 70 ------ rules/sigma/builtin/win_mal_creddumper.yml | 43 ---- rules/sigma/builtin/win_mal_wceaux_dll.yml | 34 --- .../builtin/win_metasploit_authentication.yml | 40 --- ...tstrike_getsystem_service_installation.yml | 66 ----- .../builtin/win_mmc20_lateral_movement.yml | 34 --- rules/sigma/builtin/win_moriya_rootkit.yml | 28 --- .../sigma/builtin/win_net_ntlm_downgrade.yml | 41 --- .../sigma/builtin/win_net_use_admin_share.yml | 33 --- ..._renamed_user_account_with_dollar_sign.yml | 30 --- .../builtin/win_not_allowed_rdp_access.yml | 31 --- rules/sigma/builtin/win_ntfs_vuln_exploit.yml | 34 --- rules/sigma/builtin/win_overpass_the_hash.yml | 32 --- rules/sigma/builtin/win_pass_the_hash.yml | 43 ---- rules/sigma/builtin/win_pass_the_hash_2.yml | 45 ---- .../builtin/win_petitpotam_network_share.yml | 34 --- .../win_petitpotam_susp_tgt_request.yml | 44 ---- .../sigma/builtin/win_possible_dc_shadow.yml | 35 --- ...powershell_script_installed_as_service.yml | 28 --- .../builtin/win_privesc_cve_2020_1472.yml | 32 --- .../win_protected_storage_service_access.yml | 30 --- ...rkspwdump_clearing_hive_access_history.yml | 27 -- .../builtin/win_rare_schtasks_creations.yml | 32 --- .../builtin/win_rare_service_installs.yml | 27 -- .../builtin/win_rdp_bluekeep_poc_scanner.yml | 29 --- .../sigma/builtin/win_rdp_localhost_login.yml | 32 --- .../win_rdp_potential_cve_2019_0708.yml | 30 --- .../sigma/builtin/win_rdp_reverse_tunnel.yml | 45 ---- 
...n_register_new_logon_process_by_rubeus.yml | 28 --- .../builtin/win_remote_powershell_session.yml | 32 --- ..._registry_management_using_reg_utility.yml | 33 --- .../win_root_certificate_installed.yml | 32 --- .../win_sam_registry_hive_handle_request.yml | 36 --- .../builtin/win_scheduled_task_deletion.yml | 32 --- .../win_scm_database_handle_failure.yml | 30 --- .../win_scm_database_privileged_operation.yml | 32 --- ...scrcons_remote_wmi_scripteventconsumer.yml | 32 --- ...security_cobaltstrike_service_installs.yml | 52 ---- .../builtin/win_security_mal_creddumper.yml | 46 ---- .../win_security_mal_service_installs.yml | 38 --- ...or_impacket_smb_psexec_service_install.yml | 49 ---- ...cobaltstrike_getsystem_service_install.yml | 69 ------ ...powershell_script_installed_as_service.yml | 31 --- .../win_security_tap_driver_installation.yml | 28 --- ...in_set_oabvirtualdirectory_externalurl.yml | 31 --- .../win_smb_file_creation_admin_shares.yml | 31 --- .../win_software_atera_rmm_agent_install.yml | 28 --- .../builtin/win_susp_add_domain_trust.yml | 21 -- .../builtin/win_susp_add_sid_history.yml | 36 --- .../sigma/builtin/win_susp_backup_delete.yml | 28 --- .../win_susp_codeintegrity_check_failure.yml | 25 -- rules/sigma/builtin/win_susp_dhcp_config.yml | 30 --- .../builtin/win_susp_dhcp_config_failed.yml | 34 --- rules/sigma/builtin/win_susp_dns_config.yml | 29 --- .../builtin/win_susp_dsrm_password_change.yml | 25 -- .../builtin/win_susp_eventlog_cleared.yml | 37 --- .../builtin/win_susp_failed_guest_logon.yml | 36 --- .../builtin/win_susp_failed_logon_reasons.yml | 41 --- .../builtin/win_susp_failed_logon_source.yml | 57 ----- ...usp_failed_logons_explicit_credentials.yml | 29 --- .../win_susp_failed_logons_single_process.yml | 35 --- .../win_susp_failed_logons_single_source.yml | 34 --- .../win_susp_failed_logons_single_source2.yml | 35 --- ...p_failed_logons_single_source_kerberos.yml | 35 --- ..._failed_logons_single_source_kerberos2.yml | 35 --- 
..._failed_logons_single_source_kerberos3.yml | 35 --- ..._susp_failed_logons_single_source_ntlm.yml | 34 --- ...susp_failed_logons_single_source_ntlm2.yml | 34 --- ...usp_failed_remote_logons_single_source.yml | 34 --- .../builtin/win_susp_interactive_logons.yml | 38 --- .../win_susp_kerberos_manipulation.yml | 60 ----- .../builtin/win_susp_ldap_dataexchange.yml | 36 --- .../win_susp_local_anon_logon_created.yml | 32 --- .../win_susp_logon_explicit_credentials.yml | 36 --- rules/sigma/builtin/win_susp_lsass_dump.yml | 32 --- .../builtin/win_susp_lsass_dump_generic.yml | 85 ------- .../builtin/win_susp_mshta_execution.yml | 41 --- .../sigma/builtin/win_susp_msmpeng_crash.yml | 39 --- ...susp_multiple_files_renamed_or_deleted.yml | 35 --- .../builtin/win_susp_net_recon_activity.yml | 46 ---- rules/sigma/builtin/win_susp_ntlm_auth.yml | 30 --- rules/sigma/builtin/win_susp_ntlm_rdp.yml | 34 --- rules/sigma/builtin/win_susp_proceshacker.yml | 30 --- rules/sigma/builtin/win_susp_psexec.yml | 42 ---- .../win_susp_raccess_sensitive_fext.yml | 43 ---- rules/sigma/builtin/win_susp_rc4_kerberos.yml | 33 --- rules/sigma/builtin/win_susp_rottenpotato.yml | 35 --- rules/sigma/builtin/win_susp_sam_dump.yml | 28 --- rules/sigma/builtin/win_susp_sdelete.yml | 41 --- .../builtin/win_susp_time_modification.yml | 41 --- rules/sigma/builtin/win_susp_wmi_login.yml | 24 -- ...uspicious_outbound_kerberos_connection.yml | 34 --- .../builtin/win_svcctl_remote_service.yml | 34 --- .../builtin/win_syskey_registry_access.yml | 35 --- .../win_sysmon_channel_reference_deletion.yml | 40 --- .../win_system_susp_eventlog_cleared.yml | 37 --- .../builtin/win_tap_driver_installation.yml | 25 -- ...ith_credential_data_via_network_shares.yml | 37 --- .../sigma/builtin/win_usb_device_plugged.yml | 28 --- ...win_user_added_to_local_administrators.yml | 30 --- ...ileged_service_lsaregisterlogonprocess.yml | 32 --- rules/sigma/builtin/win_user_creation.yml | 31 --- 
.../sigma/builtin/win_user_driver_loaded.yml | 52 ---- .../builtin/win_volume_shadow_copy_mount.yml | 28 --- ..._vssaudit_secevent_source_registration.yml | 28 --- rules/sigma/builtin/win_vul_cve_2020_0688.yml | 32 --- rules/sigma/builtin/win_vul_cve_2020_1472.yml | 27 -- .../win_wmiprvse_wbemcomn_dll_hijack.yml | 30 --- .../sysmon_cactustorch.yml | 42 ---- .../sysmon_cobaltstrike_process_injection.yml | 32 --- .../sysmon_createremotethread_loadlibrary.yml | 30 --- .../sysmon_password_dumper_lsass.yml | 33 --- .../sysmon_powershell_code_injection.yml | 27 -- .../sysmon_susp_powershell_rundll32.yml | 32 --- .../sysmon_suspicious_remote_thread.yml | 89 ------- .../sysmon_ads_executable.yml | 35 --- .../sysmon_regedit_export_to_ads.yml | 29 --- .../dns_query/dns_net_mal_cobaltstrike.yml | 35 --- rules/sigma/dns_query/dns_net_susp_ipify.yml | 52 ---- ...s_query_hybridconnectionmgr_servicebus.yml | 29 --- rules/sigma/dns_query/dns_query_mega_nz.yml | 25 -- .../dns_query_possible_dns_rebinding.yml | 76 ------ .../dns_query_regsvr32_network_activity.yml | 41 --- .../driver_load_mal_creddumper.yml | 46 ---- ...tstrike_getsystem_service_installation.yml | 69 ------ ...powershell_script_installed_as_service.yml | 31 --- .../driver_load/driver_load_susp_temp_use.yml | 26 -- .../driver_load_vuln_dell_driver.yml | 35 --- .../driver_load/driver_load_windivert.yml | 31 --- ...mmand_execution_by_office_applications.yml | 37 --- .../file_delete/sysmon_delete_prefetch.yml | 32 --- ...mon_sysinternals_sdelete_file_deletion.yml | 31 --- .../win_cve_2021_1675_printspooler_del.yml | 34 --- .../file_event_advanced_ip_scanner.yml | 34 --- .../file_event_apt_unidentified_nov_18.yml | 30 --- ...cve_2021_31979_cve_2021_33771_exploits.yml | 41 --- .../file_event/file_event_hack_dumpert.yml | 32 --- .../file_event_hktl_createminidump.yml | 31 --- .../file_event/file_event_lsass_dump.yml | 38 --- .../file_event/file_event_mal_adwind.yml | 36 --- .../file_event_mal_vhd_download.yml | 41 --- 
...ile_event_mimikatz_kirbi_file_creation.yml | 26 -- .../file_event/file_event_moriya_rootkit.yml | 31 --- .../file_event_pingback_backdoor.yml | 30 --- ...ript_creation_by_office_using_file_ext.yml | 47 ---- .../file_event/file_event_susp_task_write.yml | 31 --- .../file_event/file_event_tool_psexec.yml | 41 --- .../file_event_uac_bypass_winsat.yml | 31 --- .../file_event/file_event_uac_bypass_wmp.yml | 33 --- ...e_event_win_shell_write_susp_directory.yml | 50 ---- .../file_event_winrm_awl_bypass.yml | 36 --- ...ile_event_wmiprvse_wbemcomn_dll_hijack.yml | 31 --- .../sysmon_creation_system_file.yml | 68 ----- .../sysmon_cred_dump_tools_dropped_files.yml | 58 ----- .../sysmon_cve_2021_26858_msexchange.yml | 39 --- .../sysmon_detect_powerup_dllhijacking.yml | 33 --- .../sysmon_ghostpack_safetykatz.yml | 27 -- ...sysmon_lsass_memory_dump_file_creation.yml | 35 --- .../file_event/sysmon_office_persistence.yml | 41 --- .../file_event/sysmon_outlook_newform.yml | 30 --- .../file_event/sysmon_pcre_net_temp_file.yml | 27 -- .../sysmon_powershell_exploit_scripts.yml | 121 --------- .../sysmon_powershell_startup_shortcuts.yml | 38 --- .../file_event/sysmon_quarkspw_filedump.yml | 29 --- .../sysmon_redmimicry_winnti_filedrop.yml | 28 --- .../sysmon_startup_folder_file_write.yml | 27 -- .../sysmon_susp_adsi_cache_usage.yml | 40 --- .../sigma/file_event/sysmon_susp_clr_logs.yml | 45 ---- .../file_event/sysmon_susp_desktop_ini.yml | 34 --- .../sysmon_susp_pfx_file_creation.yml | 27 -- ...cexplorer_driver_created_in_tmp_folder.yml | 39 --- ...n_suspicious_powershell_profile_create.yml | 31 --- .../sysmon_tsclient_filewrite_startup.yml | 26 -- .../sysmon_uac_bypass_consent_comctl32.yml | 29 --- .../sysmon_uac_bypass_dotnet_profiler.yml | 29 --- .../file_event/sysmon_uac_bypass_ieinstal.yml | 32 --- .../sysmon_uac_bypass_msconfig_gui.yml | 28 --- .../sysmon_uac_bypass_ntfs_reparse_point.yml | 29 --- .../sysmon_webshell_creation_detect.yml | 60 ----- 
...ersistence_script_event_consumer_write.yml | 27 -- .../win_cve_2021_1675_printspooler.yml | 37 --- .../win_file_winword_cve_2021_40444.yml | 39 --- .../win_hivenightmare_file_exports.yml | 40 --- .../win_outlook_c2_macro_creation.yml | 30 --- .../sigma/file_event/win_rclone_exec_file.yml | 28 --- .../win_susp_desktopimgdownldr_file.yml | 41 --- .../image_load_pingback_backdoor.yml | 30 --- .../image_load_silenttrinity_stage_use.yml | 29 --- ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 31 --- .../process_creation_tttracer_mod_load.yml | 34 --- .../sysmon_abusing_azure_browser_sso.yml | 38 --- ..._alternate_powershell_hosts_moduleload.yml | 31 --- .../image_load/sysmon_foggyweb_nobelium.yml | 25 -- .../sysmon_in_memory_powershell.yml | 52 ---- .../sigma/image_load/sysmon_pcre_net_load.yml | 27 -- ...cons_imageload_wmi_scripteventconsumer.yml | 36 --- .../image_load/sysmon_spoolsv_dll_load.yml | 34 --- .../sigma/image_load/sysmon_susp_fax_dll.yml | 38 --- .../image_load/sysmon_susp_image_load.yml | 33 --- ...n_susp_office_dotnet_assembly_dll_load.yml | 34 --- ...sysmon_susp_office_dotnet_clr_dll_load.yml | 34 --- ...sysmon_susp_office_dotnet_gac_dll_load.yml | 34 --- .../sysmon_susp_office_dsparse_dll_load.yml | 34 --- .../sysmon_susp_office_kerberos_dll_load.yml | 34 --- .../sysmon_susp_python_image_load.yml | 30 --- ...sysmon_susp_script_dotnet_clr_dll_load.yml | 36 --- .../sysmon_susp_system_drawing_load.yml | 32 --- .../sysmon_susp_winword_vbadll_load.yml | 36 --- .../sysmon_susp_winword_wmidll_load.yml | 38 --- ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 73 ------ ...sysmon_svchost_dll_search_order_hijack.yml | 43 ---- .../image_load/sysmon_tttracer_mod_load.yml | 34 --- .../image_load/sysmon_uac_bypass_via_dism.yml | 33 --- .../sysmon_uipromptforcreds_dlls.yml | 40 --- ...ysmon_unsigned_image_loaded_into_lsass.yml | 29 --- .../image_load/sysmon_wmi_module_load.yml | 64 ----- ...persistence_commandline_event_consumer.yml | 29 --- 
.../sysmon_wmic_remote_xsl_scripting_dlls.yml | 33 --- .../sysmon_wsman_provider_image_load.yml | 49 ---- .../image_load/win_susp_svchost_clfsw32.yml | 29 --- .../image_load/win_suspicious_vss_ps_load.yml | 43 ---- rules/sigma/malware/av_exploiting.yml | 42 ---- rules/sigma/malware/av_hacktool.yml | 33 --- rules/sigma/malware/av_password_dumper.yml | 42 ---- .../av_printernightmare_cve_2021_34527.yml | 30 --- rules/sigma/malware/av_relevant_files.yml | 82 ------ rules/sigma/malware/av_webshell.yml | 80 ------ .../file_event_mal_octopus_scanner.yml | 27 -- .../process_creation_mal_blue_mockingbird.yml | 39 --- ...ocess_creation_mal_darkside_ransomware.yml | 36 --- ...ess_creation_mal_lockergoga_ransomware.yml | 27 -- .../malware/process_creation_mal_ryuk.yml | 34 --- .../malware/registry_event_mal_azorult.yml | 40 --- .../registry_event_mal_blue_mockingbird.yml | 34 --- .../malware/registry_event_mal_flowcloud.yml | 36 --- .../malware/registry_event_mal_netwire.yml | 38 --- .../malware/registry_event_mal_ursnif.yml | 38 --- .../silenttrinity_stager_msbuild_activity.yml | 31 --- .../sysmon_dllhost_net_connections.yml | 53 ---- ...smon_excel_outbound_network_connection.yml | 61 ----- .../sysmon_malware_backconnect_ports.yml | 111 --------- .../sysmon_notepad_network_connection.yml | 31 --- .../sysmon_powershell_network_connection.yml | 63 ----- .../sysmon_rdp_reverse_tunnel.yml | 42 ---- .../sysmon_regsvr32_network_activity.yml | 38 --- ...smon_remote_powershell_session_network.yml | 35 --- .../sysmon_rundll32_net_connections.yml | 52 ---- ..._susp_prog_location_network_connection.yml | 43 ---- .../network_connection/sysmon_susp_rdp.yml | 54 ---- ...uspicious_outbound_kerberos_connection.yml | 39 --- .../sysmon_win_binary_github_com.yml | 38 --- .../sysmon_win_binary_susp_com.yml | 33 --- .../sysmon_wuauclt_network_connection.yml | 28 --- .../win_net_crypto_mining.yml | 47 ---- .../sigma/other/win_defender_amsi_trigger.yml | 26 -- 
rules/sigma/other/win_defender_bypass.yml | 35 --- rules/sigma/other/win_defender_disabled.yml | 32 --- rules/sigma/other/win_defender_exclusions.yml | 27 -- .../other/win_defender_history_delete.yml | 31 --- .../other/win_defender_psexec_wmi_asr.yml | 35 --- ...win_defender_tamper_protection_trigger.yml | 29 --- rules/sigma/other/win_defender_threat.yml | 29 --- .../other/win_exchange_cve_2021_42321.yml | 21 -- .../win_exchange_proxylogon_oabvirtualdir.yml | 31 --- ...ange_proxyshell_certificate_generation.yml | 35 --- ...win_exchange_proxyshell_mailbox_export.yml | 39 --- ...hange_proxyshell_remove_mailbox_export.yml | 28 --- .../win_exchange_transportagent_failed.yml | 28 --- .../other/win_lateral_movement_condrv.yml | 36 --- rules/sigma/other/win_ldap_recon.yml | 82 ------ rules/sigma/other/win_pcap_drivers.yml | 43 ---- ...gon_exploitation_using_wellknown_tools.yml | 30 --- .../sigma/other/win_rare_schtask_creation.yml | 25 -- .../other/win_security_wmi_persistence.yml | 35 --- .../other/win_system_defender_disabled.yml | 33 --- rules/sigma/other/win_tool_psexec.yml | 42 ---- rules/sigma/other/win_wmi_persistence.yml | 36 --- .../pipe_created/pipe_created_tool_psexec.yml | 49 ---- ...sysmon_alternate_powershell_hosts_pipe.yml | 39 --- .../sysmon_apt_turla_namedpipes.yml | 40 --- .../sysmon_cred_dump_tools_named_pipes.yml | 42 ---- .../sysmon_efspotato_namedpipe.yml | 37 --- .../pipe_created/sysmon_mal_cobaltstrike.yml | 49 ---- .../sysmon_mal_cobaltstrike_re.yml | 79 ------ .../pipe_created/sysmon_mal_namedpipes.yml | 71 ------ .../sysmon_powershell_execution_pipe.yml | 27 -- .../sysmon_psexec_pipes_artifacts.yml | 37 --- .../sysmon_susp_adfs_namedpipe_connection.yml | 42 ---- ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 77 ------ .../sysmon_susp_wmi_consumer_namedpipe.yml | 33 --- ...ell_classic_alternate_powershell_hosts.yml | 34 --- .../powershell_classic_powercat.yml | 33 --- ...hell_classic_remote_powershell_session.yml | 34 --- 
...susp_athremotefxvgpudisablementcommand.yml | 41 --- .../powershell_classic_susp_zip_compress.yml | 35 --- ...powershell_classic_suspicious_download.yml | 31 --- ...powershell_delete_volume_shadow_copies.yml | 36 --- .../powershell_downgrade_attack.yml | 31 --- .../powershell_exe_calling_ps.yml | 34 --- .../powershell_renamed_powershell.yml | 30 --- ...owershell_tamper_with_windows_defender.yml | 32 --- ...shell_wsman_com_provider_no_powershell.yml | 32 --- .../powershell_xor_commandline.yml | 30 --- .../powershell_alternate_powershell_hosts.yml | 31 --- .../powershell_bad_opsec_artifacts.yml | 41 --- .../powershell_clear_powershell_history.yml | 40 --- .../powershell_decompress_commands.yml | 30 --- .../powershell_get_clipboard.yml | 30 --- .../powershell_invoke_obfuscation_clip.yml | 30 --- ...hell_invoke_obfuscation_obfuscated_iex.yml | 43 ---- .../powershell_invoke_obfuscation_stdin.yml | 30 --- .../powershell_invoke_obfuscation_var.yml | 30 --- ...rshell_invoke_obfuscation_via_compress.yml | 30 --- ...wershell_invoke_obfuscation_via_rundll.yml | 30 --- ...owershell_invoke_obfuscation_via_stdin.yml | 30 --- ...rshell_invoke_obfuscation_via_use_clip.yml | 30 --- ...shell_invoke_obfuscation_via_use_mhsta.yml | 30 --- ...ll_invoke_obfuscation_via_use_rundll32.yml | 30 --- .../powershell_invoke_obfuscation_via_var.yml | 30 --- .../powershell_module/powershell_powercat.yml | 30 --- .../powershell_remote_powershell_session.yml | 31 --- ...susp_athremotefxvgpudisablementcommand.yml | 38 --- .../powershell_susp_zip_compress.yml | 35 --- ...ell_suspicious_download_in_contextinfo.yml | 30 --- ...ious_invocation_generic_in_contextinfo.yml | 38 --- ...ous_invocation_specific_in_contextinfo.yml | 95 ------- ...ppvpublishingserver_exe_in_contextinfo.yml | 30 --- .../powershell_accessing_win_api.yml | 73 ------ .../powershell_adrecon_execution.yml | 30 --- .../powershell_automated_collection.yml | 41 --- .../powershell_azurehound_commands.yml | 32 --- 
.../powershell_cl_invocation_lolscript.yml | 28 --- ...wershell_cl_invocation_lolscript_count.yml | 28 --- ...powershell_cl_mutexverifiers_lolscript.yml | 29 --- ...hell_cl_mutexverifiers_lolscript_count.yml | 29 --- .../powershell_create_local_user.yml | 29 --- .../powershell_data_compressed.yml | 32 --- .../powershell_detect_vm_env.yml | 33 --- .../powershell_dnscat_execution.yml | 26 -- .../powershell_icmp_exfiltration.yml | 31 --- .../powershell_invoke_nightmare.yml | 25 -- ...ke_obfuscation_clip_in_scriptblocktext.yml | 27 -- ...tion_obfuscated_iex_in_scriptblocktext.yml | 40 --- ...e_obfuscation_stdin_in_scriptblocktext.yml | 27 -- ...oke_obfuscation_var_in_scriptblocktext.yml | 27 -- ...cation_via_compress_in_scriptblocktext.yml | 27 -- ...uscation_via_rundll_in_scriptblocktext.yml | 27 -- ...fuscation_via_stdin_in_scriptblocktext.yml | 27 -- ...cation_via_use_clip_in_scriptblocktext.yml | 27 -- ...ation_via_use_mhsta_in_scriptblocktext.yml | 27 -- ...on_via_use_rundll32_in_scriptblocktext.yml | 27 -- ...obfuscation_via_var_in_scriptblocktext.yml | 27 -- .../powershell_keylogging.yml | 31 --- .../powershell_malicious_commandlets.yml | 124 ---------- .../powershell_malicious_keywords.yml | 47 ---- ...ll_memorydump_getstoragediagnosticinfo.yml | 27 -- ...wershell_nishang_malicious_commandlets.yml | 97 -------- .../powershell_ntfs_ads_access.yml | 36 --- ...rshell_powerview_malicious_commandlets.yml | 150 ----------- .../powershell_prompt_credentials.yml | 28 --- .../powershell_script/powershell_psattack.yml | 26 -- ...ershell_set_policies_to_unsecure_level.yml | 30 --- .../powershell_shellcode_b64.yml | 33 --- ...shell_shellintel_malicious_commandlets.yml | 29 --- .../powershell_software_discovery.yml | 34 --- ...ll_store_file_in_alternate_data_stream.yml | 31 --- ...l_susp_zip_compress_in_scriptblocktext.yml | 32 --- ...suspicious_download_in_scriptblocktext.yml | 30 --- ...shell_suspicious_export_pfxcertificate.yml | 29 --- 
...powershell_suspicious_getprocess_lsass.yml | 27 -- ..._invocation_generic_in_scriptblocktext.yml | 38 --- ..._invocation_specific_in_scripblocktext.yml | 95 ------- .../powershell_suspicious_keywords.yml | 40 --- .../powershell_suspicious_mail_acces.yml | 31 --- ...hell_suspicious_mounted_share_deletion.yml | 29 --- .../powershell_suspicious_recon.yml | 31 --- .../powershell_suspicious_win32_pnpentity.yml | 26 -- .../powershell_suspicious_windowstyle.yml | 29 --- ...ublishingserver_exe_in_scriptblocktext.yml | 30 --- .../powershell_timestomp.yml | 35 --- .../powershell_trigger_profiles.yml | 34 --- .../powershell_web_request.yml | 37 --- ...hell_windows_firewall_profile_disabled.yml | 34 --- .../powershell_winlogon_helper_dll.yml | 36 --- .../powershell_wmi_persistence.yml | 36 --- .../powershell_wmimplant.yml | 45 ---- .../sysmon_cmstp_execution_by_access.yml | 38 --- ...mon_cobaltstrike_bof_injection_pattern.yml | 33 --- .../sysmon_cred_dump_lsass_access.yml | 79 ------ .../sysmon_direct_syscall_ntopenprocess.yml | 26 -- .../sysmon_in_memory_assembly_execution.yml | 80 ------ .../process_access/sysmon_invoke_phantom.yml | 33 --- .../sysmon_lazagne_cred_dump_lsass_access.yml | 37 --- ...sysmon_littlecorporal_generated_maldoc.yml | 30 --- ...ndocumented_autoelevated_com_interface.yml | 33 --- .../sysmon_lsass_dump_comsvcs_dll.yml | 32 --- .../process_access/sysmon_lsass_memdump.yml | 35 --- .../sysmon_malware_verclsid_shellcode.yml | 41 --- .../sysmon_mimikatz_trough_winrm.yml | 37 --- ...sysmon_pypykatz_cred_dump_lsass_access.yml | 38 --- .../sysmon_svchost_cred_dump.yml | 29 --- .../sysmon_uac_bypass_wow64_logger.yml | 31 --- .../win_susp_shell_spawn_from_winrm.yml | 36 --- ...sing_windows_telemetry_for_persistence.yml | 38 --- .../process_creation_advanced_ip_scanner.yml | 31 --- ...rocess_creation_alternate_data_streams.yml | 52 ---- .../process_creation_apt_gallium.yml | 38 --- .../process_creation_apt_gallium_sha1.yml | 49 ---- 
.../process_creation_apt_pandemic.yml | 37 --- .../process_creation_apt_slingshot.yml | 36 --- ...s_creation_apt_turla_commands_critical.yml | 36 --- .../process_creation_apt_wocao.yml | 49 ---- .../process_creation_automated_collection.yml | 46 ---- .../process_creation_c3_load_by_rundll32.yml | 29 --- .../process_creation_certoc_execution.yml | 33 --- .../process_creation_clip.yml | 27 -- ...creation_cobaltstrike_load_by_rundll32.yml | 32 --- .../process_creation_conti_cmd_ransomware.yml | 38 --- .../process_creation_coti_sqlcmd.yml | 36 --- ...process_creation_discover_private_keys.yml | 45 ---- ...cess_creation_dns_serverlevelplugindll.yml | 44 ---- .../process_creation_dotnet.yml | 38 --- .../process_creation_hack_dumpert.yml | 29 --- .../process_creation_infdefaultinstall.yml | 34 --- ...data_exfiltration_by_using_datasvcutil.yml | 43 ---- ...reation_lolbins_by_office_applications.yml | 40 --- ...suspicious_driver_installed_by_pnputil.yml | 46 ---- ...n_lolbins_with_wmiprvse_parent_process.yml | 37 --- .../process_creation_msdeploy.yml | 40 --- ..._applications_spawning_wmi_commandline.yml | 43 ---- ..._from_proxy_executing_regsvr32_payload.yml | 59 ----- ...from_proxy_executing_regsvr32_payload2.yml | 55 ---- ...eation_office_spawning_wmi_commandline.yml | 38 --- .../process_creation_pingback_backdoor.yml | 37 --- ...eation_protocolhandler_suspicious_file.yml | 35 --- ...ss_creation_root_certificate_installed.yml | 40 --- .../process_creation_sdelete.yml | 36 --- .../process_creation_software_discovery.yml | 41 --- ...ocess_creation_stickykey_like_backdoor.yml | 45 ---- .../process_creation_stordiag_execution.yml | 36 --- .../process_creation_susp_7z.yml | 38 --- ...susp_athremotefxvgpudisablementcommand.yml | 42 ---- .../process_creation_susp_del.yml | 36 --- .../process_creation_susp_recon.yml | 32 --- .../process_creation_susp_web_request_cmd.yml | 35 --- .../process_creation_susp_winzip.yml | 35 --- .../process_creation_susp_zip_compress.yml | 36 --- 
...ingserver_execute_arbitrary_powershell.yml | 37 --- ...ublishingserver_vbs_execute_powershell.yml | 35 --- ...ss_creation_sysinternals_eula_accepted.yml | 31 --- ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 38 --- .../process_creation_tool_psexec.yml | 43 ---- ...s_creation_win_exchange_transportagent.yml | 29 --- .../process_mailboxexport_share.yml | 37 --- .../process_susp_esentutl_params.yml | 37 --- .../sysmon_abusing_debug_privilege.yml | 51 ---- ..._accesschk_usage_after_priv_escalation.yml | 36 --- ...levated_msi_spawned_cmd_and_powershell.yml | 38 --- ...ays_install_elevated_windows_installer.yml | 47 ---- .../sysmon_apt_muddywater_dnstunnel.yml | 34 --- .../process_creation/sysmon_apt_sourgrum.yml | 49 ---- ...sian_confluence_cve_2021_26084_exploit.yml | 39 --- .../sysmon_cmstp_execution_by_creation.yml | 35 --- .../sysmon_creation_mavinject_dll.yml | 38 --- .../sysmon_cve_2021_26857_msexchange.yml | 32 --- .../sysmon_expand_cabinet_files.yml | 43 ---- .../process_creation/sysmon_hack_wce.yml | 39 --- .../sysmon_high_integrity_sdclt.yml | 30 --- ...on_scripts_userinitmprlogonscript_proc.yml | 39 --- .../sysmon_long_powershell_commandline.yml | 34 --- .../sysmon_netcat_execution.yml | 34 --- .../sysmon_proxy_execution_wuauclt.yml | 40 --- ...move_windows_defender_definition_files.yml | 36 --- .../sysmon_sdclt_child_process.yml | 27 -- .../sysmon_susp_plink_remote_forward.yml | 30 --- .../sysmon_susp_service_modification.yml | 38 --- .../sysmon_susp_webdav_client_execution.yml | 30 --- .../sysmon_uninstall_crowdstrike_falcon.yml | 35 --- .../sysmon_vmtoolsd_susp_child_process.yml | 46 ---- .../wim_pc_apt_chafer_mar18.yml | 59 ----- .../win_ad_find_discovery.yml | 48 ---- .../win_anydesk_silent_install.yml | 34 --- .../win_apt_apt29_thinktanks.yml | 37 --- .../process_creation/win_apt_babyshark.yml | 38 --- .../win_apt_bear_activity_gtr19.yml | 52 ---- .../process_creation/win_apt_bluemashroom.yml | 31 --- .../process_creation/win_apt_cloudhopper.yml | 
34 --- .../process_creation/win_apt_dragonfly.yml | 30 --- .../sigma/process_creation/win_apt_elise.yml | 34 --- .../win_apt_emissarypanda_sep19.yml | 31 --- .../process_creation/win_apt_empiremonkey.yml | 31 --- .../win_apt_equationgroup_dll_u_load.yml | 34 --- .../win_apt_evilnum_jul20.yml | 38 --- .../win_apt_greenbug_may20.yml | 63 ----- .../process_creation/win_apt_hafnium.yml | 94 ------- .../win_apt_hurricane_panda.yml | 33 --- .../win_apt_judgement_panda_gtr19.yml | 44 ---- .../win_apt_ke3chang_regadd.yml | 32 --- .../win_apt_lazarus_activity_apr21.yml | 43 ---- .../win_apt_lazarus_activity_dec20.yml | 46 ---- .../win_apt_lazarus_loader.yml | 48 ---- .../win_apt_lazarus_session_highjack.yml | 33 --- .../process_creation/win_apt_mustangpanda.yml | 45 ---- .../process_creation/win_apt_revil_kaseya.yml | 49 ---- .../sigma/process_creation/win_apt_sofacy.yml | 40 --- .../process_creation/win_apt_ta17_293a_ps.yml | 30 --- .../win_apt_ta505_dropper.yml | 29 --- .../process_creation/win_apt_taidoor.yml | 37 --- .../win_apt_tropictrooper.yml | 26 -- .../win_apt_turla_comrat_may20.yml | 38 --- .../process_creation/win_apt_unc2452_cmds.yml | 61 ----- .../process_creation/win_apt_unc2452_ps.yml | 36 --- .../win_apt_unidentified_nov_18.yml | 29 --- .../win_apt_winnti_mal_hk_jan20.yml | 47 ---- .../win_apt_winnti_pipemon.yml | 36 --- .../process_creation/win_apt_zxshell.yml | 40 --- .../win_attrib_hiding_files.yml | 44 ---- .../win_bad_opsec_sacrificial_processes.yml | 64 ----- .../process_creation/win_bootconf_mod.yml | 43 ---- .../win_bypass_squiblytwo.yml | 48 ---- .../win_change_default_file_association.yml | 44 ---- .../win_cl_invocation_lolscript.yml | 29 --- .../win_cl_mutexverifiers_lolscript.yml | 30 --- .../win_class_exec_xwizard.yml | 28 --- .../process_creation/win_cmdkey_recon.yml | 34 --- .../win_cmstp_com_object_access.yml | 52 ---- .../win_cobaltstrike_process_patterns.yml | 51 ---- .../win_commandline_path_traversal.yml | 33 --- 
...win_commandline_path_traversal_evasion.yml | 34 --- .../win_control_panel_item.yml | 43 ---- ...g_sensitive_files_with_credential_data.yml | 51 ---- ..._credential_access_via_password_filter.yml | 33 --- .../process_creation/win_crime_fireball.yml | 34 --- .../win_crime_maze_ransomware.yml | 52 ---- .../win_crime_snatch_ransomware.yml | 32 --- .../win_crypto_mining_monero.yml | 41 --- .../win_data_compressed_with_rar.yml | 41 --- .../win_detecting_fake_instances_of_hxtsr.yml | 31 --- .../win_dll_sideload_xwizard.yml | 29 --- .../win_dns_exfiltration_tools_execution.yml | 32 --- .../win_dnscat2_powershell_implementation.yml | 41 --- .../win_encoded_frombase64string.yml | 33 --- .../process_creation/win_encoded_iex.yml | 40 --- .../win_etw_modification_cmdline.yml | 34 --- .../win_etw_trace_evasion.yml | 72 ------ ...ltration_and_tunneling_tools_execution.yml | 32 --- .../win_exploit_cve_2015_1641.yml | 30 --- .../win_exploit_cve_2017_0261.yml | 35 --- .../win_exploit_cve_2017_11882.yml | 35 --- .../win_exploit_cve_2017_8759.yml | 35 --- .../win_exploit_cve_2019_1378.yml | 47 ---- .../win_exploit_cve_2019_1388.yml | 39 --- .../win_exploit_cve_2020_10189.yml | 39 --- .../win_exploit_cve_2020_1048.yml | 40 --- .../win_exploit_cve_2020_1350.yml | 34 --- .../win_exploit_systemnightmare.yml | 28 --- .../win_file_permission_modifications.yml | 40 --- .../win_grabbing_sensitive_hives_via_reg.yml | 56 ----- .../process_creation/win_hack_adcspwn.yml | 29 --- .../process_creation/win_hack_bloodhound.yml | 54 ---- .../process_creation/win_hack_koadic.yml | 41 --- .../process_creation/win_hack_rubeus.yml | 42 ---- .../win_hack_secutyxploded.yml | 33 --- rules/sigma/process_creation/win_hh_chm.yml | 35 --- .../win_hiding_malware_in_fonts_folder.yml | 35 --- .../win_hktl_createminidump.yml | 30 --- .../win_hktl_uacme_uac_bypass.yml | 31 --- .../process_creation/win_html_help_spawn.yml | 48 ---- .../process_creation/win_hwp_exploits.yml | 39 --- 
.../win_impacket_compiled_tools.yml | 63 ----- .../win_impacket_lateralization.yml | 59 ----- .../process_creation/win_indirect_cmd.yml | 37 --- ...n_indirect_cmd_compatibility_assistant.yml | 35 --- .../win_install_reg_debugger_backdoor.yml | 37 --- .../process_creation/win_interactive_at.yml | 35 --- .../win_invoke_obfuscation_clip.yml | 27 -- ...obfuscation_obfuscated_iex_commandline.yml | 41 --- .../win_invoke_obfuscation_stdin.yml | 27 -- .../win_invoke_obfuscation_var.yml | 27 -- .../win_invoke_obfuscation_via_compress.yml | 27 -- .../win_invoke_obfuscation_via_rundll.yml | 27 -- .../win_invoke_obfuscation_via_stdin.yml | 27 -- .../win_invoke_obfuscation_via_use_clip.yml | 27 -- .../win_invoke_obfuscation_via_use_mhsta.yml | 27 -- ...in_invoke_obfuscation_via_use_rundll32.yml | 27 -- .../win_invoke_obfuscation_via_var.yml | 27 -- .../sigma/process_creation/win_lethalhta.yml | 30 --- ...n_local_system_owner_account_discovery.yml | 81 ------ .../win_lolbas_execution_of_wuauclt.yml | 35 --- .../win_lolbin_execution_via_winget.yml | 35 --- .../sigma/process_creation/win_lsass_dump.yml | 46 ---- .../sigma/process_creation/win_mal_adwind.yml | 38 --- .../process_creation/win_malware_conti.yml | 32 --- .../win_malware_conti_7zip.yml | 28 --- .../win_malware_conti_shadowcopy.yml | 32 --- .../process_creation/win_malware_dridex.yml | 49 ---- .../process_creation/win_malware_dtrack.yml | 30 --- .../process_creation/win_malware_emotet.yml | 44 ---- .../process_creation/win_malware_formbook.yml | 64 ----- .../process_creation/win_malware_notpetya.yml | 49 ---- .../process_creation/win_malware_qbot.yml | 43 ---- .../process_creation/win_malware_ryuk.yml | 32 --- .../win_malware_script_dropper.yml | 47 ---- .../win_malware_trickbot_recon_activity.yml | 36 --- .../win_malware_trickbot_wermgr.yml | 34 --- .../process_creation/win_malware_wannacry.yml | 85 ------- .../win_manage_bde_lolbas.yml | 33 --- .../win_mavinject_proc_inj.yml | 29 --- 
...r_cobaltstrike_getsystem_service_start.yml | 70 ------ .../win_mimikatz_command_line.yml | 47 ---- .../process_creation/win_mmc_spawn_shell.yml | 42 ---- ..._modif_of_services_for_via_commandline.yml | 35 --- ...in_monitoring_for_persistence_via_bits.yml | 37 --- .../sigma/process_creation/win_mouse_lock.yml | 37 --- .../process_creation/win_mshta_javascript.yml | 34 --- .../win_mshta_spawn_shell.yml | 47 ---- .../win_multiple_suspicious_cli.yml | 66 ----- rules/sigma/process_creation/win_net_enum.yml | 38 --- .../process_creation/win_net_user_add.yml | 39 --- .../win_netsh_allow_port_rdp.yml | 41 --- .../process_creation/win_netsh_fw_add.yml | 32 --- .../win_netsh_fw_add_susp_image.yml | 72 ------ .../win_netsh_packet_capture.yml | 32 --- .../process_creation/win_netsh_port_fwd.yml | 46 ---- .../win_netsh_port_fwd_3389.yml | 38 --- .../win_netsh_wifi_credential_harvesting.yml | 39 --- .../process_creation/win_network_sniffing.yml | 42 ---- .../win_new_service_creation.yml | 37 --- .../process_creation/win_nltest_recon.yml | 47 ---- .../win_non_interactive_powershell.yml | 32 --- .../win_non_priv_reg_or_ps.yml | 51 ---- .../process_creation/win_office_shell.yml | 62 ----- ..._office_spawn_exe_from_users_directory.yml | 46 ---- .../win_pc_set_policies_to_unsecure_level.yml | 33 --- .../win_pc_susp_cmdl32_lolbas.yml | 34 --- .../win_pc_susp_reg_bitlocker.yml | 44 ---- .../win_pc_susp_schtasks_user_temp.yml | 29 --- .../process_creation/win_pc_susp_zipexec.yml | 40 --- .../win_plugx_susp_exe_locations.yml | 108 -------- .../win_possible_applocker_bypass.yml | 46 ---- ...ation_via_service_registry_permissions.yml | 41 --- .../win_powershell_amsi_bypass.yml | 32 --- .../win_powershell_audio_capture.yml | 27 -- .../win_powershell_b64_shellcode.yml | 30 --- .../win_powershell_bitsjob.yml | 34 --- ...in_powershell_cmdline_reversed_strings.yml | 56 ----- ..._powershell_cmdline_special_characters.yml | 38 --- ...wershell_cmdline_specific_comb_methods.yml | 60 ----- 
.../win_powershell_defender_exclusion.yml | 41 --- .../win_powershell_disable_windef_av.yml | 50 ---- .../win_powershell_dll_execution.yml | 35 --- .../win_powershell_downgrade_attack.yml | 40 --- .../win_powershell_download.yml | 39 --- .../win_powershell_frombase64string.yml | 28 --- ...in_powershell_reverse_shell_connection.yml | 34 --- ...ershell_suspicious_parameter_variation.yml | 70 ------ .../win_powershell_xor_commandline.yml | 35 --- .../win_powersploit_empire_schtasks.yml | 57 ----- .../win_proc_wrong_parent.yml | 55 ---- rules/sigma/process_creation/win_procdump.yml | 32 --- ...in_process_creation_bitsadmin_download.yml | 51 ---- .../win_process_dump_rdrleakdiag.yml | 27 -- .../win_process_dump_rundll32_comsvcs.yml | 34 --- .../process_creation/win_psexesvc_start.yml | 26 -- .../win_purplesharp_indicators.yml | 31 --- .../process_creation/win_query_registry.yml | 51 ---- .../win_rasautou_dll_execution.yml | 38 --- .../win_rdp_hijack_shadowing.yml | 29 --- .../win_redmimicry_winnti_proc.yml | 37 --- .../process_creation/win_reg_add_run_key.yml | 31 --- .../win_regedit_export_critical_keys.yml | 40 --- .../win_regedit_export_keys.yml | 43 ---- .../win_regedit_import_keys.yml | 41 --- .../win_regedit_import_keys_ads.yml | 41 --- rules/sigma/process_creation/win_regini.yml | 34 --- .../sigma/process_creation/win_regini_ads.yml | 34 --- .../win_remote_powershell_session_process.yml | 36 --- .../win_remote_time_discovery.yml | 42 ---- .../process_creation/win_renamed_binary.yml | 74 ------ .../win_renamed_binary_highly_relevant.yml | 59 ----- .../process_creation/win_renamed_jusched.yml | 36 --- .../process_creation/win_renamed_megasync.yml | 37 --- .../process_creation/win_renamed_paexec.yml | 43 ---- .../win_renamed_powershell.yml | 38 --- .../process_creation/win_renamed_procdump.yml | 44 ---- .../process_creation/win_renamed_psexec.yml | 36 --- .../process_creation/win_renamed_whoami.yml | 30 --- .../win_run_powershell_script_from_ads.yml | 32 --- 
...un_powershell_script_from_input_stream.yml | 29 --- .../process_creation/win_run_virtualbox.yml | 44 ---- .../win_rundll32_without_parameters.yml | 35 --- .../win_script_event_consumer_spawn.yml | 43 ---- .../win_sdbinst_shim_persistence.yml | 34 --- .../win_service_execution.yml | 31 --- .../process_creation/win_service_stop.yml | 33 --- .../win_shadow_copies_access_symlink.yml | 30 --- .../win_shadow_copies_creation.yml | 36 --- .../win_shadow_copies_deletion.yml | 67 ----- .../win_shell_spawn_mshta.yml | 38 --- .../win_shell_spawn_susp_program.yml | 49 ---- .../win_silenttrinity_stage_use.yml | 26 -- .../win_soundrec_audio_capture.yml | 29 --- rules/sigma/process_creation/win_spn_enum.yml | 32 --- ...uthenticated_privileged_console_access.yml | 34 --- .../win_sus_auditpol_usage.yml | 35 --- .../process_creation/win_susp_adfind.yml | 38 --- .../process_creation/win_susp_atbroker.yml | 58 ----- .../process_creation/win_susp_bcdedit.yml | 35 --- .../process_creation/win_susp_bginfo.yml | 34 --- .../win_susp_bitstransfer.yml | 38 --- .../sigma/process_creation/win_susp_calc.yml | 33 --- rules/sigma/process_creation/win_susp_cdb.yml | 32 --- .../win_susp_certutil_command.yml | 61 ----- .../win_susp_certutil_encode.yml | 32 --- .../win_susp_child_process_as_system_.yml | 47 ---- .../process_creation/win_susp_cli_escape.yml | 33 --- .../win_susp_cmd_http_appdata.yml | 41 --- .../win_susp_cmd_shadowcopy_access.yml | 26 -- .../win_susp_codepage_switch.yml | 34 --- .../win_susp_commands_recon_activity.yml | 52 ---- .../win_susp_compression_params.yml | 43 ---- .../win_susp_comsvcs_procdump.yml | 42 ---- .../process_creation/win_susp_conhost.yml | 31 --- .../win_susp_control_cve_2021_40444.yml | 35 --- .../win_susp_control_dll_load.yml | 35 --- .../win_susp_copy_lateral_movement.yml | 55 ---- .../win_susp_copy_system32.yml | 37 --- .../process_creation/win_susp_covenant.yml | 43 ---- .../win_susp_crackmapexec_execution.yml | 41 --- 
...sp_crackmapexec_powershell_obfuscation.yml | 43 ---- rules/sigma/process_creation/win_susp_csc.yml | 37 --- .../process_creation/win_susp_csc_folder.yml | 46 ---- rules/sigma/process_creation/win_susp_csi.yml | 48 ---- .../win_susp_curl_download.yml | 35 --- .../win_susp_curl_fileupload.yml | 32 --- .../win_susp_curl_start_combo.yml | 34 --- .../win_susp_dctask64_proc_inject.yml | 37 --- .../win_susp_desktopimgdownldr.yml | 44 ---- .../win_susp_devtoolslauncher.yml | 30 --- ...susp_direct_asep_reg_keys_modification.yml | 47 ---- .../win_susp_disable_eventlog.yml | 38 --- .../win_susp_disable_ie_features.yml | 38 --- .../win_susp_disable_raccine.yml | 42 ---- .../process_creation/win_susp_diskshadow.yml | 34 --- .../process_creation/win_susp_ditsnap.yml | 31 --- rules/sigma/process_creation/win_susp_dnx.yml | 29 --- .../win_susp_double_extension.yml | 40 --- .../sigma/process_creation/win_susp_dxcap.yml | 32 --- .../win_susp_emotet_rundll32_execution.yml | 42 ---- .../win_susp_eventlog_clear.yml | 51 ---- .../win_susp_execution_path.yml | 52 ---- .../win_susp_execution_path_webserver.yml | 40 --- .../process_creation/win_susp_explorer.yml | 32 --- .../win_susp_explorer_break_proctree.yml | 31 --- .../win_susp_file_characteristics.yml | 42 ---- ...p_file_download_via_gfxdownloadwrapper.yml | 32 --- .../process_creation/win_susp_findstr.yml | 38 --- .../process_creation/win_susp_findstr_lnk.yml | 35 --- .../win_susp_finger_usage.yml | 28 --- .../win_susp_firewall_disable.yml | 30 --- .../win_susp_fsutil_usage.yml | 37 --- rules/sigma/process_creation/win_susp_ftp.yml | 46 ---- rules/sigma/process_creation/win_susp_gup.yml | 34 --- .../win_susp_iss_module_install.yml | 34 --- .../win_susp_mounted_share_deletion.yml | 33 --- .../win_susp_mpcmdrun_download.yml | 36 --- .../win_susp_mshta_pattern.yml | 49 ---- .../process_creation/win_susp_msiexec_cwd.yml | 31 --- .../win_susp_msiexec_web_install.yml | 31 --- .../process_creation/win_susp_msoffice.yml | 33 --- 
.../win_susp_net_execution.yml | 58 ----- .../win_susp_netsh_dll_persistence.yml | 37 --- .../process_creation/win_susp_ngrok_pua.yml | 55 ---- .../process_creation/win_susp_ntdsutil.yml | 28 --- .../process_creation/win_susp_odbcconf.yml | 37 --- .../process_creation/win_susp_openwith.yml | 30 --- .../process_creation/win_susp_outlook.yml | 37 --- .../win_susp_outlook_temp.yml | 28 --- .../process_creation/win_susp_pcwutl.yml | 33 --- .../process_creation/win_susp_pester.yml | 45 ---- .../process_creation/win_susp_ping_hex_ip.yml | 32 --- .../win_susp_powershell_empire_launch.yml | 36 --- .../win_susp_powershell_empire_uac_bypass.yml | 34 --- .../win_susp_powershell_enc_cmd.yml | 61 ----- .../win_susp_powershell_encoded_param.yml | 28 --- .../win_susp_powershell_getprocess_lsass.yml | 27 -- .../win_susp_powershell_hidden_b64_cmd.yml | 79 ------ .../win_susp_powershell_parent_combo.yml | 38 --- .../win_susp_powershell_parent_process.yml | 67 ----- .../win_susp_powershell_sam_access.yml | 35 --- .../sigma/process_creation/win_susp_print.yml | 40 --- .../process_creation/win_susp_procdump.yml | 33 --- .../win_susp_procdump_lsass.yml | 40 --- .../process_creation/win_susp_ps_appdata.yml | 37 --- .../win_susp_ps_downloadfile.yml | 34 --- .../process_creation/win_susp_psexec_eula.yml | 30 --- .../win_susp_psexex_paexec_flags.yml | 49 ---- .../win_susp_psr_capture_screenshots.yml | 31 --- .../process_creation/win_susp_rar_flags.yml | 38 --- .../win_susp_rasdial_activity.yml | 29 --- .../win_susp_razorinstaller_explorer.yml | 34 --- .../win_susp_rclone_execution.yml | 73 ------ .../win_susp_recon_activity.yml | 41 --- .../win_susp_reg_disable_sec_services.yml | 47 ---- .../win_susp_regedit_trustedinstaller.yml | 29 --- .../win_susp_register_cimprovider.yml | 34 --- .../win_susp_registration_via_cscript.yml | 36 --- .../win_susp_regsvr32_anomalies.yml | 75 ------ .../win_susp_regsvr32_flags_anomaly.yml | 34 --- .../win_susp_regsvr32_no_dll.yml | 44 ---- 
.../win_susp_renamed_dctask64.yml | 38 --- .../win_susp_renamed_debugview.yml | 31 --- .../win_susp_renamed_paexec.yml | 37 --- .../process_creation/win_susp_rpcping.yml | 51 ---- .../win_susp_run_locations.yml | 40 --- .../win_susp_rundll32_activity.yml | 107 -------- .../win_susp_rundll32_by_ordinal.yml | 39 --- .../win_susp_rundll32_inline_vbs.yml | 32 --- .../win_susp_rundll32_no_params.yml | 35 --- ...p_rundll32_setupapi_installhinfsection.yml | 45 ---- .../win_susp_rundll32_sys.yml | 30 --- .../win_susp_runonce_execution.yml | 34 --- .../win_susp_runscripthelper.yml | 31 --- .../win_susp_schtask_creation.yml | 39 --- .../win_susp_schtask_creation_temp_folder.yml | 37 --- .../win_susp_screenconnect_access.yml | 35 --- .../win_susp_screensaver_reg.yml | 56 ----- .../win_susp_script_exec_from_temp.yml | 45 ---- .../win_susp_script_execution.yml | 38 --- .../win_susp_service_dacl_modification.yml | 39 --- .../process_creation/win_susp_service_dir.yml | 40 --- .../win_susp_service_path_modification.yml | 39 --- ...susp_servu_exploitation_cve_2021_35211.yml | 33 --- .../win_susp_servu_process_pattern.yml | 44 ---- .../win_susp_shell_spawn_from_mssql.yml | 34 --- .../win_susp_shimcache_flush.yml | 42 ---- .../process_creation/win_susp_splwow64.yml | 27 -- .../win_susp_spoolsv_child_processes.yml | 91 ------- .../win_susp_sqldumper_activity.yml | 32 --- .../win_susp_squirrel_lolbin.yml | 66 ----- .../process_creation/win_susp_svchost.yml | 37 --- .../win_susp_svchost_no_cli.yml | 43 ---- .../win_susp_sysprep_appdata.yml | 33 --- .../win_susp_sysvol_access.yml | 30 --- .../win_susp_taskmgr_localsystem.yml | 28 --- .../win_susp_taskmgr_parent.yml | 32 --- .../win_susp_tracker_execution.yml | 35 --- .../win_susp_tscon_localsystem.yml | 31 --- .../win_susp_tscon_rdp_redirect.yml | 30 --- .../win_susp_uac_bypass_trustedpath.yml | 27 -- .../win_susp_use_of_csharp_console.yml | 30 --- .../win_susp_use_of_sqlps_bin.yml | 40 --- .../win_susp_use_of_sqltoolsps_bin.yml | 39 --- 
.../win_susp_use_of_te_bin.yml | 33 --- .../win_susp_use_of_vsjitdebugger_bin.yml | 38 --- .../win_susp_userinit_child.yml | 33 --- .../process_creation/win_susp_vboxdrvinst.yml | 39 --- .../win_susp_vbscript_unc2452.yml | 37 --- .../win_susp_volsnap_disable.yml | 31 --- .../process_creation/win_susp_whoami.yml | 30 --- .../win_susp_whoami_anomaly.yml | 49 ---- .../win_susp_winrar_execution.yml | 34 --- .../win_susp_winrm_awl_bypass.yml | 37 --- .../win_susp_winrm_execution.yml | 33 --- .../win_susp_wmi_execution.yml | 50 ---- .../win_susp_wmic_eventconsumer_create.yml | 32 --- .../win_susp_wmic_proc_create_rundll32.yml | 30 --- ...n_susp_wmic_security_product_uninstall.yml | 52 ---- .../process_creation/win_susp_workfolders.yml | 30 --- .../process_creation/win_susp_wsl_lolbin.yml | 33 --- .../process_creation/win_susp_wuauclt.yml | 40 --- .../win_sysmon_driver_unload.yml | 35 --- .../win_system_exe_anomaly.yml | 66 ----- .../win_tap_installer_execution.yml | 24 -- .../win_task_folder_evasion.yml | 45 ---- .../win_termserv_proc_spawn.yml | 34 --- .../win_tools_relay_attacks.yml | 52 ---- .../process_creation/win_trust_discovery.yml | 52 ---- .../win_uac_bypass_changepk_slui.yml | 34 --- .../win_uac_bypass_cleanmgr.yml | 33 --- .../win_uac_bypass_computerdefaults.yml | 34 --- .../win_uac_bypass_consent_comctl32.yml | 33 --- .../win_uac_bypass_dismhost.yml | 35 --- .../win_uac_bypass_ieinstal.yml | 34 --- .../win_uac_bypass_msconfig_gui.yml | 32 --- .../win_uac_bypass_ntfs_reparse_point.yml | 45 ---- .../win_uac_bypass_pkgmgr_dism.yml | 33 --- .../win_uac_bypass_winsat.yml | 33 --- .../process_creation/win_uac_bypass_wmp.yml | 36 --- .../win_uac_bypass_wsreset.yml | 32 --- .../sigma/process_creation/win_uac_cmstp.yml | 40 --- .../process_creation/win_uac_fodhelper.yml | 33 --- .../process_creation/win_uac_wsreset.yml | 30 --- ..._change_sevice_image_path_by_non_admin.yml | 41 --- .../win_using_settingsynchost_as_lolbin.yml | 39 --- .../win_verclsid_runs_com.yml | 33 
--- .../win_visual_basic_compiler.yml | 28 --- .../win_vul_java_remote_debugging.yml | 32 --- .../win_webshell_detection.yml | 86 ------- .../win_webshell_recon_detection.yml | 50 ---- .../process_creation/win_webshell_spawn.yml | 43 ---- .../process_creation/win_whoami_as_system.yml | 32 --- .../process_creation/win_whoami_priv.yml | 30 --- .../win_win10_sched_task_0day.yml | 37 --- .../process_creation/win_winword_dll_load.yml | 29 --- ..._wmi_backdoor_exchange_transport_agent.yml | 27 -- ..._wmi_persistence_script_event_consumer.yml | 30 --- .../win_wmi_spwns_powershell.yml | 40 --- .../win_wmiprvse_spawning_process.yml | 41 --- .../win_workflow_compiler.yml | 37 --- ...win_write_protect_for_storage_disabled.yml | 27 -- .../win_wsreset_uac_bypass.yml | 34 --- .../win_xsl_script_processing.yml | 35 --- ...w_disk_access_using_illegitimate_tools.yml | 53 ---- ...sing_windows_telemetry_for_persistence.yml | 56 ----- .../registry_event_apt_chafer_mar18.yml | 46 ---- .../registry_event_apt_pandemic.yml | 38 --- ...cve_2021_31979_cve_2021_33771_exploits.yml | 39 --- .../registry_event_defender_disabled.yml | 48 ---- .../registry_event_defender_exclusions.yml | 36 --- ..._defender_realtime_protection_disabled.yml | 48 ---- ...egistry_event_dns_serverlevelplugindll.yml | 41 --- .../registry_event_mal_adwind.yml | 36 --- .../registry_event_mstsc_history_cleared.yml | 39 --- .../registry_event_net_ntlm_downgrade.yml | 42 ---- ...registry_event_stickykey_like_backdoor.yml | 42 ---- ...istry_event_sysinternals_eula_accepted.yml | 32 --- .../registry_event_uac_bypass_eventvwr.yml | 36 --- .../registry_event_uac_bypass_winsat.yml | 38 --- .../registry_event_uac_bypass_wmp.yml | 34 --- .../registry_event/sysmon_apt_leviathan.yml | 29 --- .../sysmon_apt_oceanlotus_registry.yml | 54 ---- .../sysmon_asep_reg_keys_modification.yml | 234 ------------------ .../sysmon_bypass_via_wsreset.yml | 38 --- .../sysmon_cmstp_execution_by_registry.yml | 39 --- 
.../sysmon_cobaltstrike_service_installs.yml | 51 ---- .../registry_event/sysmon_comhijack_sdclt.yml | 32 --- .../registry_event/sysmon_cve_2020_1048.yml | 40 --- .../registry_event/sysmon_dhcp_calloutdll.yml | 37 --- ...ble_microsoft_office_security_features.yml | 43 ---- ...y_events_logging_adding_reg_key_minint.yml | 43 ---- ...ysmon_disable_wdigest_credential_guard.yml | 32 --- ...twork_protection_on_microsoft_defender.yml | 35 --- ...d_pua_protection_on_microsoft_defender.yml | 34 --- ...amper_protection_on_microsoft_defender.yml | 34 --- .../sysmon_dns_over_https_enabled.yml | 48 ---- ...on_enabling_cor_profiler_env_variables.yml | 34 --- .../registry_event/sysmon_etw_disabled.yml | 39 --- .../registry_event/sysmon_hack_wce_reg.yml | 32 --- ...n_hybridconnectionmgr_svc_installation.yml | 32 --- ...gon_scripts_userinitmprlogonscript_reg.yml | 33 --- .../sysmon_modify_screensaver_binary_path.yml | 37 --- .../sysmon_narrator_feedback_persistance.yml | 36 --- .../sysmon_new_application_appcompat.yml | 34 --- ..._dll_added_to_appcertdlls_registry_key.yml | 42 ---- ...dll_added_to_appinit_dlls_registry_key.yml | 47 ---- .../sysmon_office_test_regadd.yml | 33 --- .../sysmon_office_vsto_persistence.yml | 42 ---- .../sysmon_powershell_as_service.yml | 37 --- .../sysmon_rdp_registry_modification.yml | 40 --- .../sysmon_rdp_settings_hijack.yml | 33 --- .../sysmon_redmimicry_winnti_reg.yml | 29 --- .../sysmon_reg_office_security.yml | 34 --- .../sysmon_reg_silentprocessexit.yml | 33 --- .../sysmon_reg_silentprocessexit_lsass.yml | 31 --- .../sysmon_reg_vbs_payload_stored.yml | 45 ---- .../sysmon_registry_add_local_hidden_user.yml | 35 --- ...ysmon_registry_persistence_key_linking.yml | 38 --- ...smon_registry_persistence_search_order.yml | 69 ------ .../sysmon_registry_susp_printer_driver.yml | 37 --- ...mon_registry_trust_record_modification.yml | 33 --- .../sysmon_removal_amsi_registry_key.yml | 36 --- ...mon_removal_com_hijacking_registry_key.yml | 36 --- 
.../registry_event/sysmon_runkey_winekey.yml | 36 --- .../sysmon_runonce_persistence.yml | 33 --- .../sysmon_ssp_added_lsa_config.yml | 40 --- .../sysmon_susp_atbroker_change.yml | 36 --- .../sysmon_susp_download_run_key.yml | 37 --- .../sysmon_susp_lsass_dll_load.yml | 36 --- .../sysmon_susp_mic_cam_access.yml | 48 ---- .../sysmon_susp_reg_persist_explorer_run.yml | 47 ---- .../sysmon_susp_run_key_img_folder.yml | 51 ---- .../sysmon_susp_service_installed.yml | 46 ---- ...sysmon_suspicious_keyboard_layout_load.yml | 43 ---- ...mon_sysinternals_sdelete_registry_keys.yml | 32 --- .../registry_event/sysmon_taskcache_entry.yml | 34 --- .../sysmon_uac_bypass_sdclt.yml | 40 --- ...sysmon_volume_shadow_copy_service_keys.yml | 35 --- .../sysmon_wab_dllpath_reg_change.yml | 36 --- ...smon_wdigest_enable_uselogoncredential.yml | 32 --- .../sysmon_win_reg_persistence.yml | 48 ---- ...sysmon_win_reg_persistence_recycle_bin.yml | 35 --- .../sysmon_win_reg_telemetry_persistence.yml | 40 --- .../win_outlook_c2_registry_key.yml | 37 --- .../win_outlook_registry_todaypage.yml | 41 --- .../win_outlook_registry_webview.yml | 42 ---- .../win_portproxy_registry_key.yml | 36 --- .../win_registry_file_association_exefile.yml | 34 --- ...win_registry_mimikatz_printernightmare.yml | 59 ----- ..._registry_shell_open_keys_manipulation.yml | 55 ---- ...napi_in_powershell_credentials_dumping.yml | 30 --- .../sysmon_config_modification_error.yml | 29 --- .../sysmon_config_modification_status.yml | 31 --- .../sysmon_dcom_iertutil_dll_hijack.yml | 38 --- .../sysmon_wmi_event_subscription.yml | 26 -- .../sysmon_wmi_susp_encoded_scripts.yml | 43 ---- .../wmi_event/sysmon_wmi_susp_scripting.yml | 60 ----- 1127 files changed, 4 insertions(+), 42988 deletions(-) create mode 100644 .gitmodules create mode 160000 rules delete mode 100644 rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml delete mode 100644 
rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml delete mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml delete mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml delete mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml delete mode 100644 rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml delete mode 100644 rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml delete mode 100644 rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml delete mode 100644 rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml delete mode 100644 rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml delete mode 100644 rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml delete mode 100644 rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml delete mode 100644 rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml delete mode 100644 rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml delete mode 100644 rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml delete mode 100644 
rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4634_Logoff.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml delete mode 100644 rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml delete mode 100644 rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml delete mode 100644 rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml delete mode 100644 
rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml delete mode 100644 rules/sigma/builtin/win_account_discovery.yml delete mode 100644 rules/sigma/builtin/win_ad_object_writedac_access.yml delete mode 100644 rules/sigma/builtin/win_ad_replication_non_machine_account.yml delete mode 100644 rules/sigma/builtin/win_ad_user_enumeration.yml delete mode 100644 rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml delete mode 100644 rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml delete mode 100644 rules/sigma/builtin/win_admin_rdp_login.yml delete mode 100644 rules/sigma/builtin/win_admin_share_access.yml delete mode 100644 rules/sigma/builtin/win_alert_active_directory_user_control.yml delete mode 100644 rules/sigma/builtin/win_alert_ad_user_backdoors.yml delete mode 100644 rules/sigma/builtin/win_alert_enable_weak_encryption.yml delete mode 100644 rules/sigma/builtin/win_alert_lsass_access.yml delete mode 100644 rules/sigma/builtin/win_alert_mimikatz_keywords.yml delete mode 100644 rules/sigma/builtin/win_alert_ruler.yml delete mode 100644 rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml delete mode 100644 rules/sigma/builtin/win_apt_carbonpaper_turla.yml delete mode 100644 rules/sigma/builtin/win_apt_chafer_mar18_security.yml delete mode 100644 rules/sigma/builtin/win_apt_chafer_mar18_system.yml delete mode 100644 rules/sigma/builtin/win_apt_gallium.yml delete mode 100644 rules/sigma/builtin/win_apt_slingshot.yml delete mode 100644 rules/sigma/builtin/win_apt_stonedrill.yml delete mode 100644 rules/sigma/builtin/win_apt_turla_service_png.yml delete mode 100644 rules/sigma/builtin/win_apt_wocao.yml delete mode 100644 rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml delete mode 100644 rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml delete mode 100644 rules/sigma/builtin/win_atsvc_task.yml delete mode 100644 rules/sigma/builtin/win_audit_cve.yml delete 
mode 100644 rules/sigma/builtin/win_av_relevant_match.yml delete mode 100644 rules/sigma/builtin/win_camera_microphone_access.yml delete mode 100644 rules/sigma/builtin/win_cobaltstrike_service_installs.yml delete mode 100644 rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml delete mode 100644 rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml delete mode 100644 rules/sigma/builtin/win_dcsync.yml delete mode 100644 rules/sigma/builtin/win_disable_event_logging.yml delete mode 100644 rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml delete mode 100644 rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml delete mode 100644 rules/sigma/builtin/win_etw_modification.yml delete mode 100644 rules/sigma/builtin/win_event_log_cleared.yml delete mode 100644 rules/sigma/builtin/win_exchange_transportagent.yml delete mode 100644 rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml delete mode 100644 rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml delete mode 100644 rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml delete mode 100644 rules/sigma/builtin/win_external_device.yml delete mode 100644 rules/sigma/builtin/win_global_catalog_enumeration.yml delete mode 100644 rules/sigma/builtin/win_gpo_scheduledtasks.yml delete mode 100644 rules/sigma/builtin/win_hack_smbexec.yml delete mode 100644 rules/sigma/builtin/win_hidden_user_creation.yml delete mode 100644 rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml delete mode 100644 rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml delete mode 100644 rules/sigma/builtin/win_impacket_psexec.yml delete mode 100644 rules/sigma/builtin/win_impacket_secretdump.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml 
delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_var_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml delete mode 100644 rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml delete mode 100644 rules/sigma/builtin/win_iso_mount.yml delete mode 100644 rules/sigma/builtin/win_lm_namedpipe.yml delete mode 100644 rules/sigma/builtin/win_lolbas_execution_of_nltest.yml delete mode 100644 rules/sigma/builtin/win_lsass_access_non_system_account.yml delete 
mode 100644 rules/sigma/builtin/win_mal_creddumper.yml delete mode 100644 rules/sigma/builtin/win_mal_wceaux_dll.yml delete mode 100644 rules/sigma/builtin/win_metasploit_authentication.yml delete mode 100644 rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml delete mode 100644 rules/sigma/builtin/win_mmc20_lateral_movement.yml delete mode 100644 rules/sigma/builtin/win_moriya_rootkit.yml delete mode 100644 rules/sigma/builtin/win_net_ntlm_downgrade.yml delete mode 100644 rules/sigma/builtin/win_net_use_admin_share.yml delete mode 100644 rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml delete mode 100644 rules/sigma/builtin/win_not_allowed_rdp_access.yml delete mode 100644 rules/sigma/builtin/win_ntfs_vuln_exploit.yml delete mode 100644 rules/sigma/builtin/win_overpass_the_hash.yml delete mode 100644 rules/sigma/builtin/win_pass_the_hash.yml delete mode 100644 rules/sigma/builtin/win_pass_the_hash_2.yml delete mode 100644 rules/sigma/builtin/win_petitpotam_network_share.yml delete mode 100644 rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml delete mode 100644 rules/sigma/builtin/win_possible_dc_shadow.yml delete mode 100644 rules/sigma/builtin/win_powershell_script_installed_as_service.yml delete mode 100644 rules/sigma/builtin/win_privesc_cve_2020_1472.yml delete mode 100644 rules/sigma/builtin/win_protected_storage_service_access.yml delete mode 100644 rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml delete mode 100644 rules/sigma/builtin/win_rare_schtasks_creations.yml delete mode 100644 rules/sigma/builtin/win_rare_service_installs.yml delete mode 100644 rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml delete mode 100644 rules/sigma/builtin/win_rdp_localhost_login.yml delete mode 100644 rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml delete mode 100644 rules/sigma/builtin/win_rdp_reverse_tunnel.yml delete mode 100644 
rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml delete mode 100644 rules/sigma/builtin/win_remote_powershell_session.yml delete mode 100644 rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml delete mode 100644 rules/sigma/builtin/win_root_certificate_installed.yml delete mode 100644 rules/sigma/builtin/win_sam_registry_hive_handle_request.yml delete mode 100644 rules/sigma/builtin/win_scheduled_task_deletion.yml delete mode 100644 rules/sigma/builtin/win_scm_database_handle_failure.yml delete mode 100644 rules/sigma/builtin/win_scm_database_privileged_operation.yml delete mode 100644 rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml delete mode 100644 rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml delete mode 100644 rules/sigma/builtin/win_security_mal_creddumper.yml delete mode 100644 rules/sigma/builtin/win_security_mal_service_installs.yml delete mode 100644 rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml delete mode 100644 rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml delete mode 100644 rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml delete mode 100644 rules/sigma/builtin/win_security_tap_driver_installation.yml delete mode 100644 rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml delete mode 100644 rules/sigma/builtin/win_smb_file_creation_admin_shares.yml delete mode 100644 rules/sigma/builtin/win_software_atera_rmm_agent_install.yml delete mode 100644 rules/sigma/builtin/win_susp_add_domain_trust.yml delete mode 100644 rules/sigma/builtin/win_susp_add_sid_history.yml delete mode 100644 rules/sigma/builtin/win_susp_backup_delete.yml delete mode 100644 rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml delete mode 100644 rules/sigma/builtin/win_susp_dhcp_config.yml delete mode 100644 rules/sigma/builtin/win_susp_dhcp_config_failed.yml delete mode 100644 
rules/sigma/builtin/win_susp_dns_config.yml delete mode 100644 rules/sigma/builtin/win_susp_dsrm_password_change.yml delete mode 100644 rules/sigma/builtin/win_susp_eventlog_cleared.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_guest_logon.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logon_reasons.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logon_source.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_process.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source2.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml delete mode 100644 rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml delete mode 100644 rules/sigma/builtin/win_susp_interactive_logons.yml delete mode 100644 rules/sigma/builtin/win_susp_kerberos_manipulation.yml delete mode 100644 rules/sigma/builtin/win_susp_ldap_dataexchange.yml delete mode 100644 rules/sigma/builtin/win_susp_local_anon_logon_created.yml delete mode 100644 rules/sigma/builtin/win_susp_logon_explicit_credentials.yml delete mode 100644 rules/sigma/builtin/win_susp_lsass_dump.yml delete mode 100644 rules/sigma/builtin/win_susp_lsass_dump_generic.yml delete mode 100644 rules/sigma/builtin/win_susp_mshta_execution.yml delete mode 100644 rules/sigma/builtin/win_susp_msmpeng_crash.yml delete mode 100644 rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml delete mode 
100644 rules/sigma/builtin/win_susp_net_recon_activity.yml delete mode 100644 rules/sigma/builtin/win_susp_ntlm_auth.yml delete mode 100644 rules/sigma/builtin/win_susp_ntlm_rdp.yml delete mode 100644 rules/sigma/builtin/win_susp_proceshacker.yml delete mode 100644 rules/sigma/builtin/win_susp_psexec.yml delete mode 100644 rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml delete mode 100644 rules/sigma/builtin/win_susp_rc4_kerberos.yml delete mode 100644 rules/sigma/builtin/win_susp_rottenpotato.yml delete mode 100644 rules/sigma/builtin/win_susp_sam_dump.yml delete mode 100644 rules/sigma/builtin/win_susp_sdelete.yml delete mode 100644 rules/sigma/builtin/win_susp_time_modification.yml delete mode 100644 rules/sigma/builtin/win_susp_wmi_login.yml delete mode 100644 rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml delete mode 100644 rules/sigma/builtin/win_svcctl_remote_service.yml delete mode 100644 rules/sigma/builtin/win_syskey_registry_access.yml delete mode 100644 rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml delete mode 100644 rules/sigma/builtin/win_system_susp_eventlog_cleared.yml delete mode 100644 rules/sigma/builtin/win_tap_driver_installation.yml delete mode 100644 rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml delete mode 100644 rules/sigma/builtin/win_usb_device_plugged.yml delete mode 100644 rules/sigma/builtin/win_user_added_to_local_administrators.yml delete mode 100644 rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml delete mode 100644 rules/sigma/builtin/win_user_creation.yml delete mode 100644 rules/sigma/builtin/win_user_driver_loaded.yml delete mode 100644 rules/sigma/builtin/win_volume_shadow_copy_mount.yml delete mode 100644 rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml delete mode 100644 rules/sigma/builtin/win_vul_cve_2020_0688.yml delete mode 100644 rules/sigma/builtin/win_vul_cve_2020_1472.yml 
delete mode 100644 rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_cactustorch.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml delete mode 100644 rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml delete mode 100644 rules/sigma/create_stream_hash/sysmon_ads_executable.yml delete mode 100644 rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml delete mode 100644 rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml delete mode 100644 rules/sigma/dns_query/dns_net_susp_ipify.yml delete mode 100644 rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml delete mode 100644 rules/sigma/dns_query/dns_query_mega_nz.yml delete mode 100644 rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml delete mode 100644 rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml delete mode 100644 rules/sigma/driver_load/driver_load_mal_creddumper.yml delete mode 100644 rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml delete mode 100644 rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml delete mode 100644 rules/sigma/driver_load/driver_load_susp_temp_use.yml delete mode 100644 rules/sigma/driver_load/driver_load_vuln_dell_driver.yml delete mode 100644 rules/sigma/driver_load/driver_load_windivert.yml delete mode 100644 rules/sigma/edr/edr_command_execution_by_office_applications.yml delete mode 100644 rules/sigma/file_delete/sysmon_delete_prefetch.yml delete mode 100644 
rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml delete mode 100644 rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml delete mode 100644 rules/sigma/file_event/file_event_advanced_ip_scanner.yml delete mode 100644 rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml delete mode 100644 rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml delete mode 100644 rules/sigma/file_event/file_event_hack_dumpert.yml delete mode 100644 rules/sigma/file_event/file_event_hktl_createminidump.yml delete mode 100644 rules/sigma/file_event/file_event_lsass_dump.yml delete mode 100644 rules/sigma/file_event/file_event_mal_adwind.yml delete mode 100644 rules/sigma/file_event/file_event_mal_vhd_download.yml delete mode 100644 rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml delete mode 100644 rules/sigma/file_event/file_event_moriya_rootkit.yml delete mode 100644 rules/sigma/file_event/file_event_pingback_backdoor.yml delete mode 100644 rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml delete mode 100644 rules/sigma/file_event/file_event_susp_task_write.yml delete mode 100644 rules/sigma/file_event/file_event_tool_psexec.yml delete mode 100644 rules/sigma/file_event/file_event_uac_bypass_winsat.yml delete mode 100644 rules/sigma/file_event/file_event_uac_bypass_wmp.yml delete mode 100644 rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml delete mode 100644 rules/sigma/file_event/file_event_winrm_awl_bypass.yml delete mode 100644 rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml delete mode 100644 rules/sigma/file_event/sysmon_creation_system_file.yml delete mode 100644 rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml delete mode 100644 rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml delete mode 100644 rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml delete mode 100644 
rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml delete mode 100644 rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml delete mode 100644 rules/sigma/file_event/sysmon_office_persistence.yml delete mode 100644 rules/sigma/file_event/sysmon_outlook_newform.yml delete mode 100644 rules/sigma/file_event/sysmon_pcre_net_temp_file.yml delete mode 100644 rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml delete mode 100644 rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml delete mode 100644 rules/sigma/file_event/sysmon_quarkspw_filedump.yml delete mode 100644 rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml delete mode 100644 rules/sigma/file_event/sysmon_startup_folder_file_write.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_clr_logs.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_desktop_ini.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml delete mode 100644 rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml delete mode 100644 rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml delete mode 100644 rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml delete mode 100644 rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml delete mode 100644 rules/sigma/file_event/sysmon_webshell_creation_detect.yml delete mode 100644 rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml delete mode 100644 rules/sigma/file_event/win_cve_2021_1675_printspooler.yml delete mode 100644 
rules/sigma/file_event/win_file_winword_cve_2021_40444.yml delete mode 100644 rules/sigma/file_event/win_hivenightmare_file_exports.yml delete mode 100644 rules/sigma/file_event/win_outlook_c2_macro_creation.yml delete mode 100644 rules/sigma/file_event/win_rclone_exec_file.yml delete mode 100644 rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml delete mode 100644 rules/sigma/image_load/image_load_pingback_backdoor.yml delete mode 100644 rules/sigma/image_load/image_load_silenttrinity_stage_use.yml delete mode 100644 rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml delete mode 100644 rules/sigma/image_load/process_creation_tttracer_mod_load.yml delete mode 100644 rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml delete mode 100644 rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml delete mode 100644 rules/sigma/image_load/sysmon_foggyweb_nobelium.yml delete mode 100644 rules/sigma/image_load/sysmon_in_memory_powershell.yml delete mode 100644 rules/sigma/image_load/sysmon_pcre_net_load.yml delete mode 100644 rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml delete mode 100644 rules/sigma/image_load/sysmon_spoolsv_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_fax_dll.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_image_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_python_image_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml delete mode 100644 
rules/sigma/image_load/sysmon_susp_system_drawing_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml delete mode 100644 rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml delete mode 100644 rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml delete mode 100644 rules/sigma/image_load/sysmon_tttracer_mod_load.yml delete mode 100644 rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml delete mode 100644 rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml delete mode 100644 rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml delete mode 100644 rules/sigma/image_load/sysmon_wmi_module_load.yml delete mode 100644 rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml delete mode 100644 rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml delete mode 100644 rules/sigma/image_load/sysmon_wsman_provider_image_load.yml delete mode 100644 rules/sigma/image_load/win_susp_svchost_clfsw32.yml delete mode 100644 rules/sigma/image_load/win_suspicious_vss_ps_load.yml delete mode 100644 rules/sigma/malware/av_exploiting.yml delete mode 100644 rules/sigma/malware/av_hacktool.yml delete mode 100644 rules/sigma/malware/av_password_dumper.yml delete mode 100644 rules/sigma/malware/av_printernightmare_cve_2021_34527.yml delete mode 100644 rules/sigma/malware/av_relevant_files.yml delete mode 100644 rules/sigma/malware/av_webshell.yml delete mode 100644 rules/sigma/malware/file_event_mal_octopus_scanner.yml delete mode 100644 rules/sigma/malware/process_creation_mal_blue_mockingbird.yml delete mode 100644 rules/sigma/malware/process_creation_mal_darkside_ransomware.yml delete mode 100644 rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml delete mode 100644 rules/sigma/malware/process_creation_mal_ryuk.yml delete mode 100644 rules/sigma/malware/registry_event_mal_azorult.yml 
delete mode 100644 rules/sigma/malware/registry_event_mal_blue_mockingbird.yml delete mode 100644 rules/sigma/malware/registry_event_mal_flowcloud.yml delete mode 100644 rules/sigma/malware/registry_event_mal_netwire.yml delete mode 100644 rules/sigma/malware/registry_event_mal_ursnif.yml delete mode 100644 rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml delete mode 100644 rules/sigma/network_connection/sysmon_dllhost_net_connections.yml delete mode 100644 rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml delete mode 100644 rules/sigma/network_connection/sysmon_notepad_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_powershell_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml delete mode 100644 rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml delete mode 100644 rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml delete mode 100644 rules/sigma/network_connection/sysmon_rundll32_net_connections.yml delete mode 100644 rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_susp_rdp.yml delete mode 100644 rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml delete mode 100644 rules/sigma/network_connection/sysmon_win_binary_github_com.yml delete mode 100644 rules/sigma/network_connection/sysmon_win_binary_susp_com.yml delete mode 100644 rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml delete mode 100644 rules/sigma/network_connection/win_net_crypto_mining.yml delete mode 100644 rules/sigma/other/win_defender_amsi_trigger.yml delete mode 100644 rules/sigma/other/win_defender_bypass.yml delete mode 100644 rules/sigma/other/win_defender_disabled.yml delete mode 100644 
rules/sigma/other/win_defender_exclusions.yml delete mode 100644 rules/sigma/other/win_defender_history_delete.yml delete mode 100644 rules/sigma/other/win_defender_psexec_wmi_asr.yml delete mode 100644 rules/sigma/other/win_defender_tamper_protection_trigger.yml delete mode 100644 rules/sigma/other/win_defender_threat.yml delete mode 100644 rules/sigma/other/win_exchange_cve_2021_42321.yml delete mode 100644 rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml delete mode 100644 rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml delete mode 100644 rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml delete mode 100644 rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml delete mode 100644 rules/sigma/other/win_exchange_transportagent_failed.yml delete mode 100644 rules/sigma/other/win_lateral_movement_condrv.yml delete mode 100644 rules/sigma/other/win_ldap_recon.yml delete mode 100644 rules/sigma/other/win_pcap_drivers.yml delete mode 100644 rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml delete mode 100644 rules/sigma/other/win_rare_schtask_creation.yml delete mode 100644 rules/sigma/other/win_security_wmi_persistence.yml delete mode 100644 rules/sigma/other/win_system_defender_disabled.yml delete mode 100644 rules/sigma/other/win_tool_psexec.yml delete mode 100644 rules/sigma/other/win_wmi_persistence.yml delete mode 100644 rules/sigma/pipe_created/pipe_created_tool_psexec.yml delete mode 100644 rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml delete mode 100644 rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml delete mode 100644 rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml delete mode 100644 rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml delete mode 100644 rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml delete mode 100644 rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml delete mode 100644 
rules/sigma/pipe_created/sysmon_mal_namedpipes.yml delete mode 100644 rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml delete mode 100644 rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml delete mode 100644 rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml delete mode 100644 rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml delete mode 100644 rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml delete mode 100644 rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml 
delete mode 100644 rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_powercat.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml delete mode 100644 
rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_automated_collection.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_create_local_user.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_data_compressed.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml delete mode 100644 
rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_keylogging.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_psattack.yml delete mode 100644 
rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_software_discovery.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_timestomp.yml delete mode 100644 
rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_web_request.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml delete mode 100644 rules/sigma/powershell/powershell_script/powershell_wmimplant.yml delete mode 100644 rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml delete mode 100644 rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml delete mode 100644 rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml delete mode 100644 rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml delete mode 100644 rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml delete mode 100644 rules/sigma/process_access/sysmon_invoke_phantom.yml delete mode 100644 rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml delete mode 100644 rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml delete mode 100644 rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml delete mode 100644 rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml delete mode 100644 rules/sigma/process_access/sysmon_lsass_memdump.yml delete mode 100644 rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml delete mode 100644 rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml delete mode 100644 rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml delete mode 100644 rules/sigma/process_access/sysmon_svchost_cred_dump.yml delete mode 100644 rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml delete mode 100644 rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml delete mode 100644 
rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml delete mode 100644 rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml delete mode 100644 rules/sigma/process_creation/process_creation_alternate_data_streams.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_gallium.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_pandemic.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_slingshot.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml delete mode 100644 rules/sigma/process_creation/process_creation_apt_wocao.yml delete mode 100644 rules/sigma/process_creation/process_creation_automated_collection.yml delete mode 100644 rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml delete mode 100644 rules/sigma/process_creation/process_creation_certoc_execution.yml delete mode 100644 rules/sigma/process_creation/process_creation_clip.yml delete mode 100644 rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml delete mode 100644 rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml delete mode 100644 rules/sigma/process_creation/process_creation_coti_sqlcmd.yml delete mode 100644 rules/sigma/process_creation/process_creation_discover_private_keys.yml delete mode 100644 rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml delete mode 100644 rules/sigma/process_creation/process_creation_dotnet.yml delete mode 100644 rules/sigma/process_creation/process_creation_hack_dumpert.yml delete mode 100644 rules/sigma/process_creation/process_creation_infdefaultinstall.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml delete mode 100644 
rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml delete mode 100644 rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml delete mode 100644 rules/sigma/process_creation/process_creation_msdeploy.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml delete mode 100644 rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml delete mode 100644 rules/sigma/process_creation/process_creation_pingback_backdoor.yml delete mode 100644 rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml delete mode 100644 rules/sigma/process_creation/process_creation_root_certificate_installed.yml delete mode 100644 rules/sigma/process_creation/process_creation_sdelete.yml delete mode 100644 rules/sigma/process_creation/process_creation_software_discovery.yml delete mode 100644 rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml delete mode 100644 rules/sigma/process_creation/process_creation_stordiag_execution.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_7z.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_del.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_recon.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml delete mode 100644 rules/sigma/process_creation/process_creation_susp_winzip.yml delete mode 100644 
rules/sigma/process_creation/process_creation_susp_zip_compress.yml delete mode 100644 rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml delete mode 100644 rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml delete mode 100644 rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml delete mode 100644 rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml delete mode 100644 rules/sigma/process_creation/process_creation_tool_psexec.yml delete mode 100644 rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml delete mode 100644 rules/sigma/process_creation/process_mailboxexport_share.yml delete mode 100644 rules/sigma/process_creation/process_susp_esentutl_params.yml delete mode 100644 rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml delete mode 100644 rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml delete mode 100644 rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml delete mode 100644 rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml delete mode 100644 rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml delete mode 100644 rules/sigma/process_creation/sysmon_apt_sourgrum.yml delete mode 100644 rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml delete mode 100644 rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml delete mode 100644 rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml delete mode 100644 rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml delete mode 100644 rules/sigma/process_creation/sysmon_expand_cabinet_files.yml delete mode 100644 rules/sigma/process_creation/sysmon_hack_wce.yml delete mode 100644 rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml delete mode 100644 
rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml delete mode 100644 rules/sigma/process_creation/sysmon_long_powershell_commandline.yml delete mode 100644 rules/sigma/process_creation/sysmon_netcat_execution.yml delete mode 100644 rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml delete mode 100644 rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml delete mode 100644 rules/sigma/process_creation/sysmon_sdclt_child_process.yml delete mode 100644 rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml delete mode 100644 rules/sigma/process_creation/sysmon_susp_service_modification.yml delete mode 100644 rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml delete mode 100644 rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml delete mode 100644 rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml delete mode 100644 rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml delete mode 100644 rules/sigma/process_creation/win_ad_find_discovery.yml delete mode 100644 rules/sigma/process_creation/win_anydesk_silent_install.yml delete mode 100644 rules/sigma/process_creation/win_apt_apt29_thinktanks.yml delete mode 100644 rules/sigma/process_creation/win_apt_babyshark.yml delete mode 100644 rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml delete mode 100644 rules/sigma/process_creation/win_apt_bluemashroom.yml delete mode 100644 rules/sigma/process_creation/win_apt_cloudhopper.yml delete mode 100644 rules/sigma/process_creation/win_apt_dragonfly.yml delete mode 100644 rules/sigma/process_creation/win_apt_elise.yml delete mode 100644 rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml delete mode 100644 rules/sigma/process_creation/win_apt_empiremonkey.yml delete mode 100644 rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml delete mode 100644 rules/sigma/process_creation/win_apt_evilnum_jul20.yml delete 
mode 100644 rules/sigma/process_creation/win_apt_greenbug_may20.yml delete mode 100644 rules/sigma/process_creation/win_apt_hafnium.yml delete mode 100644 rules/sigma/process_creation/win_apt_hurricane_panda.yml delete mode 100644 rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml delete mode 100644 rules/sigma/process_creation/win_apt_ke3chang_regadd.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_loader.yml delete mode 100644 rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml delete mode 100644 rules/sigma/process_creation/win_apt_mustangpanda.yml delete mode 100644 rules/sigma/process_creation/win_apt_revil_kaseya.yml delete mode 100644 rules/sigma/process_creation/win_apt_sofacy.yml delete mode 100644 rules/sigma/process_creation/win_apt_ta17_293a_ps.yml delete mode 100644 rules/sigma/process_creation/win_apt_ta505_dropper.yml delete mode 100644 rules/sigma/process_creation/win_apt_taidoor.yml delete mode 100644 rules/sigma/process_creation/win_apt_tropictrooper.yml delete mode 100644 rules/sigma/process_creation/win_apt_turla_comrat_may20.yml delete mode 100644 rules/sigma/process_creation/win_apt_unc2452_cmds.yml delete mode 100644 rules/sigma/process_creation/win_apt_unc2452_ps.yml delete mode 100644 rules/sigma/process_creation/win_apt_unidentified_nov_18.yml delete mode 100644 rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml delete mode 100644 rules/sigma/process_creation/win_apt_winnti_pipemon.yml delete mode 100644 rules/sigma/process_creation/win_apt_zxshell.yml delete mode 100644 rules/sigma/process_creation/win_attrib_hiding_files.yml delete mode 100644 rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml delete mode 100644 rules/sigma/process_creation/win_bootconf_mod.yml delete mode 100644 
rules/sigma/process_creation/win_bypass_squiblytwo.yml delete mode 100644 rules/sigma/process_creation/win_change_default_file_association.yml delete mode 100644 rules/sigma/process_creation/win_cl_invocation_lolscript.yml delete mode 100644 rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml delete mode 100644 rules/sigma/process_creation/win_class_exec_xwizard.yml delete mode 100644 rules/sigma/process_creation/win_cmdkey_recon.yml delete mode 100644 rules/sigma/process_creation/win_cmstp_com_object_access.yml delete mode 100644 rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml delete mode 100644 rules/sigma/process_creation/win_commandline_path_traversal.yml delete mode 100644 rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml delete mode 100644 rules/sigma/process_creation/win_control_panel_item.yml delete mode 100644 rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml delete mode 100644 rules/sigma/process_creation/win_credential_access_via_password_filter.yml delete mode 100644 rules/sigma/process_creation/win_crime_fireball.yml delete mode 100644 rules/sigma/process_creation/win_crime_maze_ransomware.yml delete mode 100644 rules/sigma/process_creation/win_crime_snatch_ransomware.yml delete mode 100644 rules/sigma/process_creation/win_crypto_mining_monero.yml delete mode 100644 rules/sigma/process_creation/win_data_compressed_with_rar.yml delete mode 100644 rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml delete mode 100644 rules/sigma/process_creation/win_dll_sideload_xwizard.yml delete mode 100644 rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml delete mode 100644 rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml delete mode 100644 rules/sigma/process_creation/win_encoded_frombase64string.yml delete mode 100644 rules/sigma/process_creation/win_encoded_iex.yml delete mode 100644 
rules/sigma/process_creation/win_etw_modification_cmdline.yml delete mode 100644 rules/sigma/process_creation/win_etw_trace_evasion.yml delete mode 100644 rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2015_1641.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2017_0261.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2017_11882.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2017_8759.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2019_1378.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2019_1388.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2020_10189.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2020_1048.yml delete mode 100644 rules/sigma/process_creation/win_exploit_cve_2020_1350.yml delete mode 100644 rules/sigma/process_creation/win_exploit_systemnightmare.yml delete mode 100644 rules/sigma/process_creation/win_file_permission_modifications.yml delete mode 100644 rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml delete mode 100644 rules/sigma/process_creation/win_hack_adcspwn.yml delete mode 100644 rules/sigma/process_creation/win_hack_bloodhound.yml delete mode 100644 rules/sigma/process_creation/win_hack_koadic.yml delete mode 100644 rules/sigma/process_creation/win_hack_rubeus.yml delete mode 100644 rules/sigma/process_creation/win_hack_secutyxploded.yml delete mode 100644 rules/sigma/process_creation/win_hh_chm.yml delete mode 100644 rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml delete mode 100644 rules/sigma/process_creation/win_hktl_createminidump.yml delete mode 100644 rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml delete mode 100644 rules/sigma/process_creation/win_html_help_spawn.yml delete mode 100644 rules/sigma/process_creation/win_hwp_exploits.yml delete 
mode 100644 rules/sigma/process_creation/win_impacket_compiled_tools.yml delete mode 100644 rules/sigma/process_creation/win_impacket_lateralization.yml delete mode 100644 rules/sigma/process_creation/win_indirect_cmd.yml delete mode 100644 rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml delete mode 100644 rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml delete mode 100644 rules/sigma/process_creation/win_interactive_at.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_clip.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_var.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml delete mode 100644 rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml delete mode 100644 rules/sigma/process_creation/win_lethalhta.yml delete mode 100644 rules/sigma/process_creation/win_local_system_owner_account_discovery.yml delete mode 100644 rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml delete mode 100644 rules/sigma/process_creation/win_lolbin_execution_via_winget.yml delete mode 100644 rules/sigma/process_creation/win_lsass_dump.yml delete mode 100644 rules/sigma/process_creation/win_mal_adwind.yml delete mode 100644 rules/sigma/process_creation/win_malware_conti.yml delete mode 100644 
rules/sigma/process_creation/win_malware_conti_7zip.yml delete mode 100644 rules/sigma/process_creation/win_malware_conti_shadowcopy.yml delete mode 100644 rules/sigma/process_creation/win_malware_dridex.yml delete mode 100644 rules/sigma/process_creation/win_malware_dtrack.yml delete mode 100644 rules/sigma/process_creation/win_malware_emotet.yml delete mode 100644 rules/sigma/process_creation/win_malware_formbook.yml delete mode 100644 rules/sigma/process_creation/win_malware_notpetya.yml delete mode 100644 rules/sigma/process_creation/win_malware_qbot.yml delete mode 100644 rules/sigma/process_creation/win_malware_ryuk.yml delete mode 100644 rules/sigma/process_creation/win_malware_script_dropper.yml delete mode 100644 rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml delete mode 100644 rules/sigma/process_creation/win_malware_trickbot_wermgr.yml delete mode 100644 rules/sigma/process_creation/win_malware_wannacry.yml delete mode 100644 rules/sigma/process_creation/win_manage_bde_lolbas.yml delete mode 100644 rules/sigma/process_creation/win_mavinject_proc_inj.yml delete mode 100644 rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml delete mode 100644 rules/sigma/process_creation/win_mimikatz_command_line.yml delete mode 100644 rules/sigma/process_creation/win_mmc_spawn_shell.yml delete mode 100644 rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml delete mode 100644 rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml delete mode 100644 rules/sigma/process_creation/win_mouse_lock.yml delete mode 100644 rules/sigma/process_creation/win_mshta_javascript.yml delete mode 100644 rules/sigma/process_creation/win_mshta_spawn_shell.yml delete mode 100644 rules/sigma/process_creation/win_multiple_suspicious_cli.yml delete mode 100644 rules/sigma/process_creation/win_net_enum.yml delete mode 100644 rules/sigma/process_creation/win_net_user_add.yml delete mode 100644 
rules/sigma/process_creation/win_netsh_allow_port_rdp.yml delete mode 100644 rules/sigma/process_creation/win_netsh_fw_add.yml delete mode 100644 rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml delete mode 100644 rules/sigma/process_creation/win_netsh_packet_capture.yml delete mode 100644 rules/sigma/process_creation/win_netsh_port_fwd.yml delete mode 100644 rules/sigma/process_creation/win_netsh_port_fwd_3389.yml delete mode 100644 rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml delete mode 100644 rules/sigma/process_creation/win_network_sniffing.yml delete mode 100644 rules/sigma/process_creation/win_new_service_creation.yml delete mode 100644 rules/sigma/process_creation/win_nltest_recon.yml delete mode 100644 rules/sigma/process_creation/win_non_interactive_powershell.yml delete mode 100644 rules/sigma/process_creation/win_non_priv_reg_or_ps.yml delete mode 100644 rules/sigma/process_creation/win_office_shell.yml delete mode 100644 rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml delete mode 100644 rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml delete mode 100644 rules/sigma/process_creation/win_pc_susp_zipexec.yml delete mode 100644 rules/sigma/process_creation/win_plugx_susp_exe_locations.yml delete mode 100644 rules/sigma/process_creation/win_possible_applocker_bypass.yml delete mode 100644 rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml delete mode 100644 rules/sigma/process_creation/win_powershell_amsi_bypass.yml delete mode 100644 rules/sigma/process_creation/win_powershell_audio_capture.yml delete mode 100644 rules/sigma/process_creation/win_powershell_b64_shellcode.yml delete mode 
100644 rules/sigma/process_creation/win_powershell_bitsjob.yml delete mode 100644 rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml delete mode 100644 rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml delete mode 100644 rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml delete mode 100644 rules/sigma/process_creation/win_powershell_defender_exclusion.yml delete mode 100644 rules/sigma/process_creation/win_powershell_disable_windef_av.yml delete mode 100644 rules/sigma/process_creation/win_powershell_dll_execution.yml delete mode 100644 rules/sigma/process_creation/win_powershell_downgrade_attack.yml delete mode 100644 rules/sigma/process_creation/win_powershell_download.yml delete mode 100644 rules/sigma/process_creation/win_powershell_frombase64string.yml delete mode 100644 rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml delete mode 100644 rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml delete mode 100644 rules/sigma/process_creation/win_powershell_xor_commandline.yml delete mode 100644 rules/sigma/process_creation/win_powersploit_empire_schtasks.yml delete mode 100644 rules/sigma/process_creation/win_proc_wrong_parent.yml delete mode 100644 rules/sigma/process_creation/win_procdump.yml delete mode 100644 rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml delete mode 100644 rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml delete mode 100644 rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml delete mode 100644 rules/sigma/process_creation/win_psexesvc_start.yml delete mode 100644 rules/sigma/process_creation/win_purplesharp_indicators.yml delete mode 100644 rules/sigma/process_creation/win_query_registry.yml delete mode 100644 rules/sigma/process_creation/win_rasautou_dll_execution.yml delete mode 100644 rules/sigma/process_creation/win_rdp_hijack_shadowing.yml delete mode 100644 
rules/sigma/process_creation/win_redmimicry_winnti_proc.yml delete mode 100644 rules/sigma/process_creation/win_reg_add_run_key.yml delete mode 100644 rules/sigma/process_creation/win_regedit_export_critical_keys.yml delete mode 100644 rules/sigma/process_creation/win_regedit_export_keys.yml delete mode 100644 rules/sigma/process_creation/win_regedit_import_keys.yml delete mode 100644 rules/sigma/process_creation/win_regedit_import_keys_ads.yml delete mode 100644 rules/sigma/process_creation/win_regini.yml delete mode 100644 rules/sigma/process_creation/win_regini_ads.yml delete mode 100644 rules/sigma/process_creation/win_remote_powershell_session_process.yml delete mode 100644 rules/sigma/process_creation/win_remote_time_discovery.yml delete mode 100644 rules/sigma/process_creation/win_renamed_binary.yml delete mode 100644 rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml delete mode 100644 rules/sigma/process_creation/win_renamed_jusched.yml delete mode 100644 rules/sigma/process_creation/win_renamed_megasync.yml delete mode 100644 rules/sigma/process_creation/win_renamed_paexec.yml delete mode 100644 rules/sigma/process_creation/win_renamed_powershell.yml delete mode 100644 rules/sigma/process_creation/win_renamed_procdump.yml delete mode 100644 rules/sigma/process_creation/win_renamed_psexec.yml delete mode 100644 rules/sigma/process_creation/win_renamed_whoami.yml delete mode 100644 rules/sigma/process_creation/win_run_powershell_script_from_ads.yml delete mode 100644 rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml delete mode 100644 rules/sigma/process_creation/win_run_virtualbox.yml delete mode 100644 rules/sigma/process_creation/win_rundll32_without_parameters.yml delete mode 100644 rules/sigma/process_creation/win_script_event_consumer_spawn.yml delete mode 100644 rules/sigma/process_creation/win_sdbinst_shim_persistence.yml delete mode 100644 rules/sigma/process_creation/win_service_execution.yml delete mode 
100644 rules/sigma/process_creation/win_service_stop.yml delete mode 100644 rules/sigma/process_creation/win_shadow_copies_access_symlink.yml delete mode 100644 rules/sigma/process_creation/win_shadow_copies_creation.yml delete mode 100644 rules/sigma/process_creation/win_shadow_copies_deletion.yml delete mode 100644 rules/sigma/process_creation/win_shell_spawn_mshta.yml delete mode 100644 rules/sigma/process_creation/win_shell_spawn_susp_program.yml delete mode 100644 rules/sigma/process_creation/win_silenttrinity_stage_use.yml delete mode 100644 rules/sigma/process_creation/win_soundrec_audio_capture.yml delete mode 100644 rules/sigma/process_creation/win_spn_enum.yml delete mode 100644 rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml delete mode 100644 rules/sigma/process_creation/win_sus_auditpol_usage.yml delete mode 100644 rules/sigma/process_creation/win_susp_adfind.yml delete mode 100644 rules/sigma/process_creation/win_susp_atbroker.yml delete mode 100644 rules/sigma/process_creation/win_susp_bcdedit.yml delete mode 100644 rules/sigma/process_creation/win_susp_bginfo.yml delete mode 100644 rules/sigma/process_creation/win_susp_bitstransfer.yml delete mode 100644 rules/sigma/process_creation/win_susp_calc.yml delete mode 100644 rules/sigma/process_creation/win_susp_cdb.yml delete mode 100644 rules/sigma/process_creation/win_susp_certutil_command.yml delete mode 100644 rules/sigma/process_creation/win_susp_certutil_encode.yml delete mode 100644 rules/sigma/process_creation/win_susp_child_process_as_system_.yml delete mode 100644 rules/sigma/process_creation/win_susp_cli_escape.yml delete mode 100644 rules/sigma/process_creation/win_susp_cmd_http_appdata.yml delete mode 100644 rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_codepage_switch.yml delete mode 100644 rules/sigma/process_creation/win_susp_commands_recon_activity.yml delete mode 100644 
rules/sigma/process_creation/win_susp_compression_params.yml delete mode 100644 rules/sigma/process_creation/win_susp_comsvcs_procdump.yml delete mode 100644 rules/sigma/process_creation/win_susp_conhost.yml delete mode 100644 rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml delete mode 100644 rules/sigma/process_creation/win_susp_control_dll_load.yml delete mode 100644 rules/sigma/process_creation/win_susp_copy_lateral_movement.yml delete mode 100644 rules/sigma/process_creation/win_susp_copy_system32.yml delete mode 100644 rules/sigma/process_creation/win_susp_covenant.yml delete mode 100644 rules/sigma/process_creation/win_susp_crackmapexec_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml delete mode 100644 rules/sigma/process_creation/win_susp_csc.yml delete mode 100644 rules/sigma/process_creation/win_susp_csc_folder.yml delete mode 100644 rules/sigma/process_creation/win_susp_csi.yml delete mode 100644 rules/sigma/process_creation/win_susp_curl_download.yml delete mode 100644 rules/sigma/process_creation/win_susp_curl_fileupload.yml delete mode 100644 rules/sigma/process_creation/win_susp_curl_start_combo.yml delete mode 100644 rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml delete mode 100644 rules/sigma/process_creation/win_susp_desktopimgdownldr.yml delete mode 100644 rules/sigma/process_creation/win_susp_devtoolslauncher.yml delete mode 100644 rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml delete mode 100644 rules/sigma/process_creation/win_susp_disable_eventlog.yml delete mode 100644 rules/sigma/process_creation/win_susp_disable_ie_features.yml delete mode 100644 rules/sigma/process_creation/win_susp_disable_raccine.yml delete mode 100644 rules/sigma/process_creation/win_susp_diskshadow.yml delete mode 100644 rules/sigma/process_creation/win_susp_ditsnap.yml delete mode 100644 rules/sigma/process_creation/win_susp_dnx.yml delete mode 
100644 rules/sigma/process_creation/win_susp_double_extension.yml delete mode 100644 rules/sigma/process_creation/win_susp_dxcap.yml delete mode 100644 rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_eventlog_clear.yml delete mode 100644 rules/sigma/process_creation/win_susp_execution_path.yml delete mode 100644 rules/sigma/process_creation/win_susp_execution_path_webserver.yml delete mode 100644 rules/sigma/process_creation/win_susp_explorer.yml delete mode 100644 rules/sigma/process_creation/win_susp_explorer_break_proctree.yml delete mode 100644 rules/sigma/process_creation/win_susp_file_characteristics.yml delete mode 100644 rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml delete mode 100644 rules/sigma/process_creation/win_susp_findstr.yml delete mode 100644 rules/sigma/process_creation/win_susp_findstr_lnk.yml delete mode 100644 rules/sigma/process_creation/win_susp_finger_usage.yml delete mode 100644 rules/sigma/process_creation/win_susp_firewall_disable.yml delete mode 100644 rules/sigma/process_creation/win_susp_fsutil_usage.yml delete mode 100644 rules/sigma/process_creation/win_susp_ftp.yml delete mode 100644 rules/sigma/process_creation/win_susp_gup.yml delete mode 100644 rules/sigma/process_creation/win_susp_iss_module_install.yml delete mode 100644 rules/sigma/process_creation/win_susp_mounted_share_deletion.yml delete mode 100644 rules/sigma/process_creation/win_susp_mpcmdrun_download.yml delete mode 100644 rules/sigma/process_creation/win_susp_mshta_pattern.yml delete mode 100644 rules/sigma/process_creation/win_susp_msiexec_cwd.yml delete mode 100644 rules/sigma/process_creation/win_susp_msiexec_web_install.yml delete mode 100644 rules/sigma/process_creation/win_susp_msoffice.yml delete mode 100644 rules/sigma/process_creation/win_susp_net_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml delete 
mode 100644 rules/sigma/process_creation/win_susp_ngrok_pua.yml delete mode 100644 rules/sigma/process_creation/win_susp_ntdsutil.yml delete mode 100644 rules/sigma/process_creation/win_susp_odbcconf.yml delete mode 100644 rules/sigma/process_creation/win_susp_openwith.yml delete mode 100644 rules/sigma/process_creation/win_susp_outlook.yml delete mode 100644 rules/sigma/process_creation/win_susp_outlook_temp.yml delete mode 100644 rules/sigma/process_creation/win_susp_pcwutl.yml delete mode 100644 rules/sigma/process_creation/win_susp_pester.yml delete mode 100644 rules/sigma/process_creation/win_susp_ping_hex_ip.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_empire_launch.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_encoded_param.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_parent_combo.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_parent_process.yml delete mode 100644 rules/sigma/process_creation/win_susp_powershell_sam_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_print.yml delete mode 100644 rules/sigma/process_creation/win_susp_procdump.yml delete mode 100644 rules/sigma/process_creation/win_susp_procdump_lsass.yml delete mode 100644 rules/sigma/process_creation/win_susp_ps_appdata.yml delete mode 100644 rules/sigma/process_creation/win_susp_ps_downloadfile.yml delete mode 100644 rules/sigma/process_creation/win_susp_psexec_eula.yml delete mode 100644 rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml delete mode 100644 rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml 
delete mode 100644 rules/sigma/process_creation/win_susp_rar_flags.yml delete mode 100644 rules/sigma/process_creation/win_susp_rasdial_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml delete mode 100644 rules/sigma/process_creation/win_susp_rclone_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_recon_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml delete mode 100644 rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml delete mode 100644 rules/sigma/process_creation/win_susp_register_cimprovider.yml delete mode 100644 rules/sigma/process_creation/win_susp_registration_via_cscript.yml delete mode 100644 rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml delete mode 100644 rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml delete mode 100644 rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml delete mode 100644 rules/sigma/process_creation/win_susp_renamed_dctask64.yml delete mode 100644 rules/sigma/process_creation/win_susp_renamed_debugview.yml delete mode 100644 rules/sigma/process_creation/win_susp_renamed_paexec.yml delete mode 100644 rules/sigma/process_creation/win_susp_rpcping.yml delete mode 100644 rules/sigma/process_creation/win_susp_run_locations.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_no_params.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml delete mode 100644 rules/sigma/process_creation/win_susp_rundll32_sys.yml delete mode 100644 rules/sigma/process_creation/win_susp_runonce_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_runscripthelper.yml 
delete mode 100644 rules/sigma/process_creation/win_susp_schtask_creation.yml delete mode 100644 rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml delete mode 100644 rules/sigma/process_creation/win_susp_screenconnect_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_screensaver_reg.yml delete mode 100644 rules/sigma/process_creation/win_susp_script_exec_from_temp.yml delete mode 100644 rules/sigma/process_creation/win_susp_script_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_service_dacl_modification.yml delete mode 100644 rules/sigma/process_creation/win_susp_service_dir.yml delete mode 100644 rules/sigma/process_creation/win_susp_service_path_modification.yml delete mode 100644 rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml delete mode 100644 rules/sigma/process_creation/win_susp_servu_process_pattern.yml delete mode 100644 rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml delete mode 100644 rules/sigma/process_creation/win_susp_shimcache_flush.yml delete mode 100644 rules/sigma/process_creation/win_susp_splwow64.yml delete mode 100644 rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml delete mode 100644 rules/sigma/process_creation/win_susp_sqldumper_activity.yml delete mode 100644 rules/sigma/process_creation/win_susp_squirrel_lolbin.yml delete mode 100644 rules/sigma/process_creation/win_susp_svchost.yml delete mode 100644 rules/sigma/process_creation/win_susp_svchost_no_cli.yml delete mode 100644 rules/sigma/process_creation/win_susp_sysprep_appdata.yml delete mode 100644 rules/sigma/process_creation/win_susp_sysvol_access.yml delete mode 100644 rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml delete mode 100644 rules/sigma/process_creation/win_susp_taskmgr_parent.yml delete mode 100644 rules/sigma/process_creation/win_susp_tracker_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_tscon_localsystem.yml 
delete mode 100644 rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml delete mode 100644 rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_csharp_console.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_te_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml delete mode 100644 rules/sigma/process_creation/win_susp_userinit_child.yml delete mode 100644 rules/sigma/process_creation/win_susp_vboxdrvinst.yml delete mode 100644 rules/sigma/process_creation/win_susp_vbscript_unc2452.yml delete mode 100644 rules/sigma/process_creation/win_susp_volsnap_disable.yml delete mode 100644 rules/sigma/process_creation/win_susp_whoami.yml delete mode 100644 rules/sigma/process_creation/win_susp_whoami_anomaly.yml delete mode 100644 rules/sigma/process_creation/win_susp_winrar_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml delete mode 100644 rules/sigma/process_creation/win_susp_winrm_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmi_execution.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml delete mode 100644 rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml delete mode 100644 rules/sigma/process_creation/win_susp_workfolders.yml delete mode 100644 rules/sigma/process_creation/win_susp_wsl_lolbin.yml delete mode 100644 rules/sigma/process_creation/win_susp_wuauclt.yml delete mode 100644 rules/sigma/process_creation/win_sysmon_driver_unload.yml delete mode 100644 rules/sigma/process_creation/win_system_exe_anomaly.yml delete mode 100644 
rules/sigma/process_creation/win_tap_installer_execution.yml delete mode 100644 rules/sigma/process_creation/win_task_folder_evasion.yml delete mode 100644 rules/sigma/process_creation/win_termserv_proc_spawn.yml delete mode 100644 rules/sigma/process_creation/win_tools_relay_attacks.yml delete mode 100644 rules/sigma/process_creation/win_trust_discovery.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_dismhost.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_ieinstal.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_winsat.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_wmp.yml delete mode 100644 rules/sigma/process_creation/win_uac_bypass_wsreset.yml delete mode 100644 rules/sigma/process_creation/win_uac_cmstp.yml delete mode 100644 rules/sigma/process_creation/win_uac_fodhelper.yml delete mode 100644 rules/sigma/process_creation/win_uac_wsreset.yml delete mode 100644 rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml delete mode 100644 rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml delete mode 100644 rules/sigma/process_creation/win_verclsid_runs_com.yml delete mode 100644 rules/sigma/process_creation/win_visual_basic_compiler.yml delete mode 100644 rules/sigma/process_creation/win_vul_java_remote_debugging.yml delete mode 100644 
rules/sigma/process_creation/win_webshell_detection.yml delete mode 100644 rules/sigma/process_creation/win_webshell_recon_detection.yml delete mode 100644 rules/sigma/process_creation/win_webshell_spawn.yml delete mode 100644 rules/sigma/process_creation/win_whoami_as_system.yml delete mode 100644 rules/sigma/process_creation/win_whoami_priv.yml delete mode 100644 rules/sigma/process_creation/win_win10_sched_task_0day.yml delete mode 100644 rules/sigma/process_creation/win_winword_dll_load.yml delete mode 100644 rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml delete mode 100644 rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml delete mode 100644 rules/sigma/process_creation/win_wmi_spwns_powershell.yml delete mode 100644 rules/sigma/process_creation/win_wmiprvse_spawning_process.yml delete mode 100644 rules/sigma/process_creation/win_workflow_compiler.yml delete mode 100644 rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml delete mode 100644 rules/sigma/process_creation/win_wsreset_uac_bypass.yml delete mode 100644 rules/sigma/process_creation/win_xsl_script_processing.yml delete mode 100644 rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml delete mode 100644 rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml delete mode 100644 rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml delete mode 100644 rules/sigma/registry_event/registry_event_apt_pandemic.yml delete mode 100644 rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml delete mode 100644 rules/sigma/registry_event/registry_event_defender_disabled.yml delete mode 100644 rules/sigma/registry_event/registry_event_defender_exclusions.yml delete mode 100644 rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml delete mode 100644 rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml 
delete mode 100644 rules/sigma/registry_event/registry_event_mal_adwind.yml delete mode 100644 rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml delete mode 100644 rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml delete mode 100644 rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml delete mode 100644 rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml delete mode 100644 rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml delete mode 100644 rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml delete mode 100644 rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml delete mode 100644 rules/sigma/registry_event/sysmon_apt_leviathan.yml delete mode 100644 rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml delete mode 100644 rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml delete mode 100644 rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml delete mode 100644 rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml delete mode 100644 rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml delete mode 100644 rules/sigma/registry_event/sysmon_comhijack_sdclt.yml delete mode 100644 rules/sigma/registry_event/sysmon_cve_2020_1048.yml delete mode 100644 rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml delete mode 100644 rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml delete mode 100644 rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml delete mode 100644 rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml delete mode 100644 rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml delete mode 100644 rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml delete mode 100644 
rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml delete mode 100644 rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml delete mode 100644 rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml delete mode 100644 rules/sigma/registry_event/sysmon_etw_disabled.yml delete mode 100644 rules/sigma/registry_event/sysmon_hack_wce_reg.yml delete mode 100644 rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml delete mode 100644 rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml delete mode 100644 rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml delete mode 100644 rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml delete mode 100644 rules/sigma/registry_event/sysmon_new_application_appcompat.yml delete mode 100644 rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_office_test_regadd.yml delete mode 100644 rules/sigma/registry_event/sysmon_office_vsto_persistence.yml delete mode 100644 rules/sigma/registry_event/sysmon_powershell_as_service.yml delete mode 100644 rules/sigma/registry_event/sysmon_rdp_registry_modification.yml delete mode 100644 rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml delete mode 100644 rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_office_security.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml delete mode 100644 rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml delete mode 100644 
rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml delete mode 100644 rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml delete mode 100644 rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_runkey_winekey.yml delete mode 100644 rules/sigma/registry_event/sysmon_runonce_persistence.yml delete mode 100644 rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_atbroker_change.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_download_run_key.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml delete mode 100644 rules/sigma/registry_event/sysmon_susp_service_installed.yml delete mode 100644 rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml delete mode 100644 rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml delete mode 100644 rules/sigma/registry_event/sysmon_taskcache_entry.yml delete mode 100644 rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml delete mode 100644 rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml delete mode 100644 rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml delete mode 100644 rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml delete mode 100644 rules/sigma/registry_event/sysmon_win_reg_persistence.yml delete mode 100644 
rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml
 delete mode 100644 rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml
 delete mode 100644 rules/sigma/registry_event/win_outlook_c2_registry_key.yml
 delete mode 100644 rules/sigma/registry_event/win_outlook_registry_todaypage.yml
 delete mode 100644 rules/sigma/registry_event/win_outlook_registry_webview.yml
 delete mode 100644 rules/sigma/registry_event/win_portproxy_registry_key.yml
 delete mode 100644 rules/sigma/registry_event/win_registry_file_association_exefile.yml
 delete mode 100644 rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml
 delete mode 100644 rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml
 delete mode 100644 rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
 delete mode 100644 rules/sigma/sysmon/sysmon_config_modification_error.yml
 delete mode 100644 rules/sigma/sysmon/sysmon_config_modification_status.yml
 delete mode 100644 rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml
 delete mode 100644 rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
 delete mode 100644 rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
 delete mode 100644 rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..b43020e1
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "rules"]
+ path = rules
+ url = git@github.com:Yamato-Security/hayabusa-rules.git
diff --git a/rules b/rules
new file mode 160000
index 00000000..631db512
--- /dev/null
+++ b/rules
@@ -0,0 +1 @@
+Subproject commit 631db51204d801fa75bfef48c31c389929fbb9be
diff --git a/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml b/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml
deleted file mode 100644
index ec1f5fd6..00000000
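Review bot: The added `url =` line in `.gitmodules` uses the SSH form `git@github.com:Yamato-Security/hayabusa-rules.git`, so `git clone --recursive` and `git submodule update --init` will fail for anyone without a GitHub SSH key loaded — which includes most users who only want the rule set, and anonymous CI runners. The HTTPS form serves anonymous read-only fetches and maintainers can still push over SSH through a local `url.<base>.insteadOf` rewrite, so I would change the line to `url = https://github.com/Yamato-Security/hayabusa-rules.git`. Since the detection rules are now sourced from a separate repository, the `rules` gitlink pinned to `631db512` in the following hunk is what fixes which rule content a given hayabusa commit is tested against; keep that pin explicit (no `branch =` tracking) so rule-set updates remain deliberate, reviewed changes.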
--- a/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Yusuke Matsui, Yamato Security -date: 2020/11/08 -modified: 2021/11/22 - -title: Powershell 2.0 Downgrade Attack -title_jp: Powershell 2.0へのダウングレード攻撃 -output: 'Powershell 2.0 downgrade attack detected!' -output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!' -description: An attacker may have started Powershell 2.0 to evade detection. -description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。 - -id: bc082394-73e6-4d00-a9af-e7b524ef5085 -level: medium -status: test -detection: - selection: - Channel: Microsoft-Windows-PowerShell/Operational - EventID: 400 - EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*' -falsepositives: - - legacy application -tags: - - attack.defense_evasion - - attack.t1562.010 - - lolbas -references: - - https://attack.mitre.org/techniques/T1562/010/ - - https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/ -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml b/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml deleted file mode 100644 index d206de9a..00000000 --- a/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -author: Eric Conrad, Yamato Security -date: 2020/11/08 -modified: 2021/11/25 - -title: Security log was cleared -title_jp: セキュリティログがクリアされた -output: "User: %LogFileClearedSubjectUserName%" -output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" -description: Somebody has cleared the Security event log. -description_jp: 誰かがセキュリティログをクリアした。 - -id: c2f690ac-53f8-4745-8cfe-7127dda28c74 -level: high -status: stable -detection: - selection: - Channel: Security - EventID: 1102 - condition: selection -falsepositives: - - system administrator -tags: - - attack.defense_evasion - - attack.t1070.001 -references: - - https://attack.mitre.org/techniques/T1070/001/ -sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml deleted file mode 100644 index 171c3387..00000000 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Failure - Unknown Reason -title_jp: ログオンに失敗 - 不明な理由 -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' -description: Prints logon information. -description_jp: Prints logon information. - -id: a85096da-be85-48d7-8ad5-2f957cd74daa -level: low -status: stable -detection: - selection: - Channel: Security - EventID: 4625 - filter: - - SubStatus: "0xc0000064" - - SubStatus: "0xc000006a" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml deleted file mode 100644 index a48aedf8..00000000 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Failure - Wrong Password -title_jp: ログオンに失敗 - パスワードが間違っている -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' -description: Prints logon information. -description_jp: Prints logon information. - -id: e87bd730-df45-4ae9-85de-6c75369c5d29 -level: low -status: stable -detection: - selection: - Channel: Security - EventID: 4625 - SubStatus: "0xc000006a" -falsepositives: - - normal system usage -tags: -references: -sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml deleted file mode 100644 index d31e06c0..00000000 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Failure - Username does not exist -title_jp: ログオンに失敗 - ユーザ名は存在しない -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 8afa97ce-a217-4f7c-aced-3e320a57756d -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4625 - SubStatus: "0xc0000064" -falsepositives: - - normal system usage -tags: -references: -sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx -ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml b/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml deleted file mode 100644 index 01c79f75..00000000 --- a/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Unknown process used a high privilege
-title_jp: 不明なプロセスが高い権限を使った
-output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
-output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
-description: |
- Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
- For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
- Disk wipers like bcwipe will also generate this.
- More legitimate filepaths may have to be added to the filter.
- This is marked as a medium alert as there is a high possibility for false positives.
-description_jp:
-
-id: 5b6e58ee-c231-4a54-9eee-af2577802e08
-level: medium
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4673
- filter:
- - ProcessName: C:\Windows\System32\net.exe
- - ProcessName: C:\Windows\System32\lsass.exe
- - ProcessName: C:\Windows\System32\audiodg.exe
- - ProcessName: C:\Windows\System32\svchost.exe
- - ProcessName: C:\Windows\System32\mmc.exe
- - ProcessName: C:\Windows\System32\net.exe
- - ProcessName: C:\Windows\explorer.exe
- - ProcessName: C:\Windows\System32\SettingSyncHost.exe
- - ProcessName: C:\Windows\System32\sdiagnhost.exe
- - ProcessName|startswith: C:\Program Files
- - SubjectUserName: LOCAL SERVICE
- condition: selection and not filter
-falsepositives:
- - normal system usage
-tags:
- - attack.credential_access
- - attack.t1003.001
- - attack.t1561
- - attack.impact
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
- - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
-sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
deleted file mode 100644
index ff4d1519..00000000
--- a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-author: Eric Conrad, Yamato Security
-creation_date: 2020/11/08
-uodated_date: 2021/11/26
-
-title: Hidden user account created! (Possible Backdoor)
-title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
-output: 'User: %TargetUserName% : SID:%TargetSid%'
-output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
-description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
-description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
-
-id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
-level: high
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4720
- TargetUserName|endswith: "$"
-falsepositives:
- - domain controller
-tags:
- - attack.persistence
- - attack.11136.001
-references:
- - https://attack.mitre.org/techniques/T1136/001/
-sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
deleted file mode 100644
index 1bafa9d0..00000000
--- a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-author: Eric Conrad, Yamato Security
-creation_date: 2020/11/08
-uodated_date: 2021/11/26
-
-title: Local user account created
-title_jp: ローカルユーザアカウントが作成された
-output: 'User: %TargetUserName% : SID:%TargetSid%'
-output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%'
-description: A local user account was created.
-description_jp: ローカルユーザアカウントが作成された.
-
-id: 13edce80-2b02-4469-8de4-a3e37271dcdb
-level: medium
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4720
- filter:
- TargetUserName|endswith: "$"
- condition: selection and not filter
-falsepositives:
- - system administrator
-tags:
- - attack.persistence
- - attack.11136.001
-references:
- - https://attack.mitre.org/techniques/T1136/001/
-sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
deleted file mode 100644
index 6302e534..00000000
--- a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-author: Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/26
-
-title: User added to the global Domain Admins group
-title_jp: ユーザがグローバルドメイン管理者グループに追加された
-output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
-output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
-description: A user was added to the Domain Admins group.
-description_jp: ユーザがドメイン管理者グループに追加された。
-
-id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
-level: high
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4728
- TargetUserName: Domain Admins
- filter:
- SubjectUserName|endswith: $
- condition: selection and not filter
-falsepositives:
- - system administrator
-tags:
- - attack.persistence
- - attack.t1098
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
-sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
deleted file mode 100644
index 5cc4fcbc..00000000
--- a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-author: Eric Conrad, Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/22
-
-title: User added to global security group
-title_jp: ユーザがグローバルセキュリティグループに追加された
-output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%'
-output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%'
-description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
-description_jp: ユーザがグローバルのセキュリティグループに追加された。
-
-id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
-level: medium
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4728
- filter:
- SubjectUserName|endswith: $
- condition: selection and not filter
-falsepositives:
- - system administrator
-tags:
- - attack.persistence
- - attack.t1098
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
-sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
deleted file mode 100644
index ab188cfa..00000000
--- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-author: Eric Conrad, Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/26
-
-title: User added to local Administrators group
-title_jp: ユーザがローカル管理者グループに追加された
-output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
-output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
-description: A user was added to the local Administrators group.
-description_jp: ユーザがローカル管理者グループに追加された。
-
-id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
-level: high
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4732
- TargetUserName: Administrators
- condition: selection
-falsepositives:
- - system administrator
-tags:
- - attack.persistence
- - attack.t1098
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
-sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
deleted file mode 100644
index 2112fa3c..00000000
--- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-author: Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/26
-
-title: User added to local Domain Admins group
-title_jp: ユーザがローカルドメイン管理者グループに追加された
-output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
-output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
-description: A user was added to the local Domain Admins group.
-description_jp: ユーザがドメイン管理者グループに追加された。
-
-id: bc58e432-959f-464d-812e-d60ce5d46fa1
-level: high
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4728
- TargetUserName: Domain Admins
- condition: selection
-falsepositives:
- - system administrator
-tags:
- - attack.persistence
- - attack.t1098
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
-sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
deleted file mode 100644
index b925c4b8..00000000
--- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-author: Eric Conrad, Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/26
-
-title: User added to local security group
-title_jp: ユーザがローカルセキュリティグループに追加された
-output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%'
-output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%'
-description: A user was added to a security-enabled local group.
-description_jp: ユーザがローカルセキュリティグループに追加された。
-
-id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
-level: low
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4728
- filter:
- - TargetUserName: Administrators
- - TargetUserName: None
- - TargetUserName: Domain Admins
- condition: selection and not filter
-falsepositives:
- - system administrator
-tags:
- - attack.persistence
- - attack.t1098
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
-sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
deleted file mode 100644
index c263438e..00000000
--- a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-author: Yusuke Matsui, Yamato Security
-creation_date: 2020/11/08
-updated_date: 2021/11/26
-
-title: Possible AS-REP Roasting
-title_jp: AS-REPロースティングの可能性
-output: 'Possible AS-REP Roasting'
-output_jp: 'AS-REPロースティングのリスクがある'
-description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
-description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
-
-id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
-level: medium
-status: test
-detection:
- selection:
- Channel: Security
- EventID: 4768
- TicketEncryptionType: '0x17' #RC4-HMAC
- PreAuthType: 0 #Logon without pre-authentication
- condition: selection
-falsepositives:
- - legacy application
-tags:
- - attack.credential_access
- - attack.t1558.004
-references:
- - https://attack.mitre.org/techniques/T1558/004/
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
deleted file mode 100644
index 3ea40566..00000000
--- a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-author: Yusuke Matsui, Yamato Security
-creation_date: 2020/11/08
-updated_date: 2021/11/22
-
-title: Kerberoasting
-title_jp: Kerberoast攻撃
-output: 'Possible Kerberoasting Risk Activity.'
-output_jp: 'Kerberoast攻撃のリスクがある'
-description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
-description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
-
-id: f19849e7-b5ba-404b-a731-9b624d7f6d19
-level: medium
-status: test
-detection:
- selection:
- Channel: Security
- EventID: 4768
- TicketEncryptionType: '0x17' #RC4-HMAC
- PreAuthType: 2 #Standard password authentication
- condition: selection
-falsepositives:
- - legacy application
-tags:
- - attack.credential_access
- - attack.t1558.003
-references:
- - https://attack.mitre.org/techniques/T1558/003/
-ruletype: hayabusa
diff --git a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
deleted file mode 100644
index d76fd058..00000000
--- a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-author: Eric Conrad, Yamato Security
-date: 2020/11/08
-modified: 2021/11/25
-
-title: System log file was cleared
-title_jp: システムログがクリアされた
-output: "User: %LogFileClearedSubjectUserName%"
-output_jp: "ユーザ名: %LogFileClearedSubjectUserName%"
-description: Somebody has cleared the System event log.
-description_jp: 誰かがシステムログをクリアした。
-
-id: f481a1f3-969e-4187-b3a5-b47c272bfebd
-level: high
-status: stable
-detection:
- selection:
- Channel: System
- EventID: 104
- condition: selection
-falsepositives:
- - system administrator
-tags:
- - attack.defense_evasion
- - attack.t1070.001
-references:
- - https://attack.mitre.org/techniques/T1070/001/
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml b/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
deleted file mode 100644
index 03ee4e3e..00000000
--- a/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-author: Eric Conrad, Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/22
-
-title: Event log service startup type changed to disabled
-title_jp: イベントログサービスのスタートアップの種類が無効に変更された
-output: 'Old setting: %param2% : New setting: %param3%'
-output: '設定前: %param2% : 設定後: %param3%'
-
-id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
-level: medium
-status: test
-detection:
- selection:
- Channel: System
- EventID: 7040
- param1: 'Windows Event Log'
- param3: "disabled"
- condition: selection
-falsepositives:
- - system administrator
-tags:
- - attack.defense_evasion
- - attack.t1562.002
-references:
- - https://attack.mitre.org/techniques/T1562/002/
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
deleted file mode 100644
index 4dbbdbd5..00000000
--- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-author: Eric Conrad, Zach Mathis
-creation_date: 2020/11/08
-updated_date: 2021/11/23
-
-title: Malicious service installed
-title_jp: 悪意のあるサービスがインストールされた
-output: 'Service: %ServiceName% : Image path: %ImagePath'
-output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath'
-description: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
-description_jp: Malicious service was installed based on suspicious entries in ./config/regex/detectlist_suspicous_services.txt
-
-id: dbbfd9f3-9508-478b-887e-03ddb9236909
-level: high
-status: test
-detection:
- selection:
- Channel: System
- EventID: 7045
- ServiceName:
- regexes: ./config/regex/detectlist_suspicous_services.txt
- ImagePath:
- min_length: 1000
- allowlist: ./config/regex/allowlist_legitimate_services.txt
- condition: selection
-falsepositives:
- - normal system usage
-tags:
- - attack.persistence
- - attack.t1543.003
-references:
- - https://attack.mitre.org/techniques/T1543/003/
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
deleted file mode 100644
index 247f8113..00000000
--- a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-author: Yamato Security
-date: 2020/11/08
-modified: 2021/11/22
-
-title: Bits Job Creation
-title_jp: Bits Jobの作成
-output: 'Job Title: %JobTitle% : URL: %Url%'
-output_jp: 'Job名: %JobTitle% : URL: %Url%'
-description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-
-id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
-level: informational
-status: stable
-detection:
- selection:
- Channel: Microsoft-Windows-Bits-Client/Operational
- EventID: 59
- condition: selection
-falsepositives:
- - normal system usage
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
- - lolbas
-references:
- - https://attack.mitre.org/techniques/T1197/
- - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
deleted file mode 100644
index 3ff9d7e4..00000000
--- a/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-author: Eric Conrad, Yamato Security
-date: 2020/11/08
-modified: 2021/11/22
-
-title: PowerShell Execution Pipeline
-title_jp: PowerShellパイプライン実行
-output: 'Command: %CommandLine%'
-output_jp: 'コマンド: %CommandLine%'
-description: Displays powershell execution
-description_jp: Powershellの実行を出力する。
-
-id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
-level: informational
-status: stable
-detection:
- selection:
- Channel: Microsoft-Windows-PowerShell/Operational
- EventID: 4103
- ContextInfo:
- - Host Application
- - ホスト アプリケーション
- condition: selection
-falsepositives:
- - normal system usage
-tags:
- - attack.defense_evasion
- - attack.t1059.001
- - lolbas
-references:
-ruletype: hayabusa
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml
deleted file mode 100644
index fac3f62b..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 0 - System
-title_jp: ログオンタイプ 0 - System
-output: 'Bootup'
-output_jp: 'システム起動'
-description: Prints logon information
-description_jp: Prints logon information
-
-id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 0
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
deleted file mode 100644
index 334c86e1..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 10 - RDP (Remote Interactive)
-title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
-description: Prints logon information.
-description_jp: Prints logon information.
-
-id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 10
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
deleted file mode 100644
index 23b6a503..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 11 - CachedInteractive
-title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
-description: Prints logon information.
-description_jp: Prints logon information.
-
-id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 11
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
deleted file mode 100644
index 0b4aa4a8..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 12 - CachedRemoteInteractive
-title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
-description: Prints logon information.
-description_jp: Prints logon information.
-
-id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 12
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
deleted file mode 100644
index 06d7a123..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 13 - CachedUnlock
-title_jp: ログオンタイプ 13 - キャッシュされたアンロック
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
-description: Prints logon information.
-description_jp: Prints logon information.
-
-id: e50e3952-06d9-44a8-ab07-7a41c9801d78
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 13
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
deleted file mode 100644
index f555d9e9..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 2 - Interactive
-title_jp: ログオンタイプ 2 - インタラクティブ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
-description: Prints logon information
-description_jp: Prints logon information
-
-id: 7beb4832-f357-47a4-afd8-803d69a5c85c
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 2
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml
deleted file mode 100644
index 6612ee6f..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 3 - Network
-title_jp: ログオンタイプ 3 - ネットワーク
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
-description: Prints logon information
-description_jp: Prints logon information
-
-id: c7b22878-e5d8-4c30-b245-e51fd354359e
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 3
- filter:
- - IpAddress: "-"
- - IpAddress: "127.0.0.1"
- - IpAddress: "::1"
- condition: selection and not filter
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
deleted file mode 100644
index e5cc2622..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 4 - Batch
-title_jp: ログオンタイプ 4 - バッチ
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
-description: Prints logon information
-description_jp: Prints logon information
-
-id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 4
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml
deleted file mode 100644
index e0120d5d..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 5 - Service
-title_jp: ログオンタイプ 5 - サービス
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
-description: Prints logon information
-description_jp: Prints logon information
-
-id: 408e1304-51d7-4d3e-ab31-afd07192400b
-level: low
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 5
- filter:
- - TargetUserName: "SYSTEM"
- - TargetUserName: "NETWORK SERVICE"
- - TargetUserName: "LOCAL SERVICE"
- condition: selection and not filter
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml
deleted file mode 100644
index df6a2716..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-author: Zach Mathis
-date: 2020/11/08
-modified: 2021/11/26
-
-title: Logon Type 7 - Unlock
-title_jp: ログオンタイプ 7 - アンロック
-output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
-output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%'
-description: Prints logon information
-description_jp: Prints logon information
-
-id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
-level: informational
-status: stable
-detection:
- selection:
- Channel: Security
- EventID: 4624
- LogonType: 7
-falsepositives:
- - normal system usage
-tags:
-references:
-sample-evtx:
-ruletype: hayabusa
\ No newline at end of file
diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
deleted file mode 100644
index 2070d324..00000000
--- a/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml
+++ /dev/null
@@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 8 - NetworkCleartext -title_jp: ログオンタイプ 8 - ネットワーク平文 -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' -description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication. -description_jp: Prints logon information - -id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 8 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml deleted file mode 100644 index 5148ef63..00000000 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logon Type 9 - NewCredentials -title_jp: ログオンタイプ 9 - 新しい資格情報 -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' -description: Prints logon information. -description_jp: Prints logon information. - -id: d80facaa-ca97-47bb-aed2-66362416eb49 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4624 - LogonType: 9 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4634_Logoff.yml b/rules/hayabusa/events/Security/Logons/4634_Logoff.yml deleted file mode 100644 index e7fafe50..00000000 --- a/rules/hayabusa/events/Security/Logons/4634_Logoff.yml +++ /dev/null @@ -1,27 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logoff -title_jp: ログオフ -output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4634 - filter: - TargetUserName|endswith: "$" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml deleted file mode 100644 index 34b7a268..00000000 
--- a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Logoff - User Initiated -title_jp: ログオフ - ユーザが行った -output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' -output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 6bad16f1-02c4-4075-b414-3cd16944bc65 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4647 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml deleted file mode 100644 index c3c9346f..00000000 --- a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Admin Logon -title_jp: 管理者ログオン -output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%' -output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%' -description: Prints logon information. -description_jp: Prints logon information. - -id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4672 - filter: - - SubjectUserName: "SYSTEM" - - SubjectUserName: "LOCAL SERVICE" - - SubjectUserName: "NETWORK SERVICE" - - SubjectUserName|endswith: "$" - condition: selection and not filter -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml deleted file mode 100644 index 20a61d27..00000000 --- a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Kerberos TGT was requested -title_jp: Kerberos TGTが要求された -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%' -output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%' -description: Prints logon information. -description_jp: Prints logon information. - -id: d9f336ea-bb16-4a35-8a9c-183216b8d59c -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4768 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml b/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml deleted file mode 100644 index 87e7a13c..00000000 --- a/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Kerberos Service Ticket Requested -title_jp: Kerberosサービスチケットが要求された -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%' -description: Prints logon information. -description_jp: Prints logon information. - -id: da6257f3-cf49-464a-96fc-c84a7ce20636 -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4769 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml deleted file mode 100644 index 2ca207a7..00000000 
--- a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: NTLM Logon to Local Account -title_jp: ローカルアカウントへのNTLMログオン -output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%' -description: Prints logon information. -description_jp: Prints logon information. - -id: 4fbe94b0-577a-4f77-9b13-250e27d440fa -level: informational -status: stable -detection: - selection: - Channel: Security - EventID: 4776 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml b/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml deleted file mode 100644 index 4e0d4f88..00000000 --- a/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Zach Mathis -date: 2020/11/08 -modified: 2021/11/26 - -title: Connection to wireless access point -title_jp: ローカルアカウントへのNTLMログオン -output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%' -output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%' -description: Prints connection info to wireless access points. -description_jp: Prints connection info to wireless access points. - -id: 90dd0797-f481-453d-a97e-dd78436893f9 -level: informational -status: stable -detection: - selection: - Channel: Microsoft-Windows-WLAN-AutoConfig - EventID: 8001 -falsepositives: - - normal system usage -tags: -references: -sample-evtx: -ruletype: hayabusa \ No newline at end of file diff --git a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml deleted file mode 100644 index f95c5efa..00000000 
--- a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml +++ /dev/null @@ -1,40 +0,0 @@ - -title: Azure AD Health Monitoring Agent Registry Keys Access -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC -date: 2021/08/26 -description: | - This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. - This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - ObjectType: Key - SELECTION_4: - ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent - SELECTION_5: - ProcessName: - - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*' - - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*' - - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*' - - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*' - - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*' - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Unknown -id: ff151c33-45fa-475d-af4f-c2f93571f4fe -level: medium -logsource: - product: windows - service: security -references: -- https://o365blog.com/post/hybridhealthagent/ -- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml -status: experimental -tags: -- attack.discovery -- attack.t1012 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml deleted file mode 100644 index 21db7456..00000000 --- a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml +++ /dev/null 
@@ -1,42 +0,0 @@ - -title: Azure AD Health Service Agents Registry Keys Access -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC -date: 2021/08/26 -description: | - This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). - Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). - This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. - Make sure you set the SACL to propagate to its sub-keys. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - ObjectType: Key - SELECTION_4: - ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent - SELECTION_5: - ProcessName: - - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*' - - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*' - - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*' - - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*' - - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*' - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Unknown -id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8 -level: medium -logsource: - product: windows - service: security -references: -- https://o365blog.com/post/hybridhealthagent/ -- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml -status: experimental -tags: -- attack.discovery -- attack.t1012 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml deleted file mode 100644 index 68bea3d8..00000000 
--- a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Powerview Add-DomainObjectAcl DCSync AD Extend Right -author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community -date: 2019/04/03 -description: backdooring domain object to grant the rights associated with DCSync - to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync - Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer -detection: - SELECTION_1: - EventID: 5136 - SELECTION_2: - AttributeLDAPDisplayName: ntSecurityDescriptor - SELECTION_3: - AttributeValue: - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' - - '*89e95b76-444d-4c62-991a-0facbeda640c*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- New Domain Controller computer account, check user SIDs within the value attribute - of event 5136 and verify if it's a regular user or DC computer account. -id: 2c99737c-585d-4431-b61a-c911d86ff32f -level: critical -logsource: - product: windows - service: security -modified: 2021/07/09 -references: -- https://twitter.com/menasec1/status/1111556090137903104 -- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf -status: experimental -tags: -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_discovery.yml b/rules/sigma/builtin/win_account_discovery.yml deleted file mode 100644 index 05caa275..00000000 --- a/rules/sigma/builtin/win_account_discovery.yml +++ /dev/null 
@@ -1,44 +0,0 @@ - -title: AD Privileged Users or Groups Reconnaissance -author: Samir Bousseaden -date: 2019/04/03 -description: Detect priv users or groups recon based on 4661 eventid and known privileged - users or groups SIDs -detection: - SELECTION_1: - EventID: 4661 - SELECTION_2: - ObjectType: - - SAM_USER - - SAM_GROUP - SELECTION_3: - ObjectName: - - '*-512' - - '*-502' - - '*-500' - - '*-505' - - '*-519' - - '*-520' - - '*-544' - - '*-551' - - '*-555' - SELECTION_4: - ObjectName: '*admin*' - condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4)) -falsepositives: -- if source account name is not an admin then its super suspicious -id: 35ba1d85-724d-42a3-889f-2e2362bcaf23 -level: high -logsource: - definition: 'Requirements: enable Object Access SAM on your Domain Controllers' - product: windows - service: security -modified: 2021/09/08 -references: -- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_object_writedac_access.yml b/rules/sigma/builtin/win_ad_object_writedac_access.yml deleted file mode 100644 index 15733227..00000000 --- a/rules/sigma/builtin/win_ad_object_writedac_access.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: AD Object WriteDAC Access -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/09/12 -description: Detects WRITE_DAC access to a domain object -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - ObjectServer: DS - SELECTION_3: - AccessMask: '0x40000' - SELECTION_4: - ObjectType: - - 19195a5b-6da0-11d0-afd3-00c04fd930c9 - - domainDNS - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 028c7842-4243-41cd-be6f-12f3cf1a26c7 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html -status: experimental -tags: -- attack.defense_evasion -- attack.t1222 -- attack.t1222.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml deleted file mode 100644 index 5bd9e091..00000000 --- a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml +++ /dev/null 
@@ -1,42 +0,0 @@ - -title: Active Directory Replication from Non Machine Account -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/07/26 -description: Detects potential abuse of Active Directory Replication Service (ADRS) - from a non machine account to request credentials. -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - AccessMask: '0x100' - SELECTION_3: - Properties: - - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - - '*89e95b76-444d-4c62-991a-0facbeda640c*' - SELECTION_4: - SubjectUserName: '*$' - SELECTION_5: - SubjectUserName: MSOL_* - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4 - or SELECTION_5)) -falsepositives: -- Unknown -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -id: 17d619c1-e020-4347-957e-1d1207455c93 -level: critical -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_user_enumeration.yml b/rules/sigma/builtin/win_ad_user_enumeration.yml deleted file mode 100644 index d0b4ef44..00000000 --- a/rules/sigma/builtin/win_ad_user_enumeration.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: AD User Enumeration -author: Maxime Thiebaut (@0xThiebaut) -date: 2020/03/30 -description: Detects access to a domain user from a non-machine account -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*' - SELECTION_3: - SubjectUserName: '*$' - SELECTION_4: - SubjectUserName: MSOL_* - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4)) -falsepositives: -- Administrators configuring new users. -id: ab6bffca-beff-4baa-af11-6733f296d57a -level: medium -logsource: - definition: Requires the "Read all properties" permission on the user object to - be audited for the "Everyone" principal - product: windows - service: security -modified: 2021/08/09 -references: -- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf -- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html -- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml deleted file mode 100644 index 8dca1652..00000000 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: ADCS Certificate Template Configuration Vulnerability -author: Orlinum , BlueDefenZer -date: 2021/11/17 -description: Detects certificate creation with template allowing risk permission subject -detection: - SELECTION_1: - EventID: 4898 - SELECTION_2: - TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - SELECTION_3: - EventID: 4899 - SELECTION_4: - NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) -falsepositives: -- Administrator activity -- Penetration tests -- Proxy SSL certificate with subject modification -- Smart card enrollement -id: 5ee3a654-372f-11ec-8d3d-0242ac130003 -level: low -logsource: - definition: Certificate services loaded a template would trigger event ID 4898 and - certificate Services template was updated would trigger event ID 4899. A risk - permission seems to be comming if template contain specific flag. - product: windows - service: security -references: -- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf -status: experimental -tags: -- attack.privilege_escalation -- attack.credential_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml deleted file mode 100644 index 13145824..00000000 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml +++ /dev/null 
@@ -1,49 +0,0 @@ - -title: ADCS Certificate Template Configuration Vulnerability with Risky EKU -author: Orlinum , BlueDefenZer -date: 2021/11/17 -description: Detects certificate creation with template allowing risk permission subject - and risky EKU -detection: - SELECTION_1: - EventID: 4898 - SELECTION_2: - TemplateContent: - - '*1.3.6.1.5.5.7.3.2*' - - '*1.3.6.1.5.2.3.4*' - - '*1.3.6.1.4.1.311.20.2.2*' - - '*2.5.29.37.0*' - SELECTION_3: - TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - SELECTION_4: - EventID: 4899 - SELECTION_5: - NewTemplateContent: - - '*1.3.6.1.5.5.7.3.2*' - - '*1.3.6.1.5.2.3.4*' - - '*1.3.6.1.4.1.311.20.2.2*' - - '*2.5.29.37.0*' - SELECTION_6: - NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5 - and SELECTION_6)) -falsepositives: -- Administrator activity -- Penetration tests -- Proxy SSL certificate with subject modification -- Smart card enrollement -id: bfbd3291-de87-4b7c-88a2-d6a5deb28668 -level: high -logsource: - definition: Certificate services loaded a template would trigger event ID 4898 and - certificate Services template was updated would trigger event ID 4899. A risk - permission seems to be comming if template contain specific flag with risky EKU. - product: windows - service: security -references: -- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf -status: experimental -tags: -- attack.privilege_escalation -- attack.credential_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_rdp_login.yml b/rules/sigma/builtin/win_admin_rdp_login.yml deleted file mode 100644 index 9bfb6c01..00000000 --- a/rules/sigma/builtin/win_admin_rdp_login.yml +++ /dev/null 
@@ -1,37 +0,0 @@ - -title: Admin User Remote Logon -author: juju4 -date: 2017/10/29 -description: Detect remote login by Administrator user (depending on internal pattern). -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 10 - SELECTION_3: - AuthenticationPackageName: Negotiate - SELECTION_4: - TargetUserName: Admin* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Legitimate administrative activity. -id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a -level: low -logsource: - definition: 'Requirements: Identifiable administrators usernames (pattern or special - unique character. ex: "Admin-*"), internal policy mandating use only as secondary - account' - product: windows - service: security -modified: 2021/07/07 -references: -- https://car.mitre.org/wiki/CAR-2016-04-005 -status: experimental -tags: -- attack.lateral_movement -- attack.t1078 -- attack.t1078.001 -- attack.t1078.002 -- attack.t1078.003 -- car.2016-04-005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_share_access.yml b/rules/sigma/builtin/win_admin_share_access.yml deleted file mode 100644 index b884e1fe..00000000 --- a/rules/sigma/builtin/win_admin_share_access.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Access to ADMIN$ Share -author: Florian Roth -date: 2017/03/04 -description: Detects access to $ADMIN share -detection: - SELECTION_1: - EventID: 5140 - SELECTION_2: - ShareName: Admin$ - SELECTION_3: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Legitimate administrative activity -id: 098d7118-55bc-4912-a836-dc6483a8d150 -level: low -logsource: - definition: The advanced audit policy setting "Object Access > Audit File Share" - must be configured for Success/Failure - product: windows - service: security -modified: 2020/08/23 -status: experimental -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_alert_active_directory_user_control.yml b/rules/sigma/builtin/win_alert_active_directory_user_control.yml deleted file mode 100644 index 882c68ea..00000000 --- a/rules/sigma/builtin/win_alert_active_directory_user_control.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Enabled User Right in AD to Control User Objects -author: '@neu5ron' -date: 2017/07/30 -description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege - right in Active Directory it would allow control of other AD user objects. -detection: - SELECTION_1: - EventID: 4704 - SELECTION_2: - PrivilegeList: - - '*SeEnableDelegationPrivilege*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd -level: high -logsource: - definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy - Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy - Change' - product: windows - service: security -modified: 2020/08/23 -references: -- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ -status: experimental -tags: -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml deleted file mode 100644 index 6d556326..00000000 --- a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml +++ /dev/null 
@@ -1,53 +0,0 @@ - -title: Active Directory User Backdoors -author: '@neu5ron' -date: 2017/04/13 -description: Detects scenarios where one can control another users or computers account - without having to use their credentials. -detection: - SELECTION_1: - EventID: 4738 - SELECTION_10: - AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity - SELECTION_2: - AllowedToDelegateTo: '-' - SELECTION_3: - AllowedToDelegateTo|re: ^$ - SELECTION_4: - EventID: 5136 - SELECTION_5: - AttributeLDAPDisplayName: msDS-AllowedToDelegateTo - SELECTION_6: - EventID: 5136 - SELECTION_7: - ObjectClass: user - SELECTION_8: - AttributeLDAPDisplayName: servicePrincipalName - SELECTION_9: - EventID: 5136 - condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or (SELECTION_4 - and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9 - and SELECTION_10)) -falsepositives: -- Unknown -id: 300bac00-e041-4ee2-9c36-e262656a6ecc -level: high -logsource: - definition: 'Requirements: Audit Policy : Account Management > Audit User Account - Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Account Management\Audit User Account - Management, DS Access > Audit Directory Service Changes, Group Policy : Computer - Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit - Policies\DS Access\Audit Directory Service Changes' - product: windows - service: security -modified: 2020/08/23 -references: -- https://msdn.microsoft.com/en-us/library/cc220234.aspx -- https://adsecurity.org/?p=3466 -- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/ -status: experimental -tags: -- attack.t1098 -- attack.persistence -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml deleted file mode 100644 index ab6468e1..00000000 
--- a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml +++ /dev/null @@ -1,91 +0,0 @@ - -title: Weak Encryption Enabled and Kerberoast -author: '@neu5ron' -date: 2017/07/30 -description: Detects scenario where weak encryption is enabled for a user profile - which could be used for hash/password cracking. -detection: - SELECTION_1: - EventID: 4738 - SELECTION_2: - NewUacValue: - - '*8???' - - '*9???' - - '*A???' - - '*B???' - - '*C???' - - '*D???' - - '*E???' - - '*F???' - SELECTION_3: - OldUacValue: - - '*8???' - - '*9???' - - '*A???' - - '*B???' - - '*C???' - - '*D???' - - '*E???' - - '*F???' - SELECTION_4: - NewUacValue: - - '*1????' - - '*3????' - - '*5????' - - '*7????' - - '*9????' - - '*B????' - - '*D????' - - '*F????' - SELECTION_5: - OldUacValue: - - '*1????' - - '*3????' - - '*5????' - - '*7????' - - '*9????' - - '*B????' - - '*D????' - - '*F????' - SELECTION_6: - NewUacValue: - - '*8??' - - '*9??' - - '*A??' - - '*B??' - - '*C??' - - '*D??' - - '*E??' - - '*F??' - SELECTION_7: - OldUacValue: - - '*8??' - - '*9??' - - '*A??' - - '*B??' - - '*C??' - - '*D??' - - '*E??' - - '*F??' - condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4 - and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7)))) -falsepositives: -- Unknown -id: f6de9536-0441-4b3f-a646-f4e00f300ffd -level: high -logsource: - definition: 'Requirements: Audit Policy : Account Management > Audit User Account - Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Account Management\Audit User Account - Management' - product: windows - service: security -references: -- https://adsecurity.org/?p=2053 -- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1562.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_alert_lsass_access.yml b/rules/sigma/builtin/win_alert_lsass_access.yml deleted file mode 100644 index d93aece5..00000000 --- a/rules/sigma/builtin/win_alert_lsass_access.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: LSASS Access Detected via Attack Surface Reduction -author: Markus Neis -date: 2018/08/26 -description: Detects Access to LSASS Process -detection: - SELECTION_1: - EventID: 1121 - SELECTION_2: - Path: '*\lsass.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Google Chrome GoogleUpdate.exe -- Some Taskmgr.exe related activity -id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 -level: high -logsource: - definition: 'Requirements:Enabled Block credential stealing from the Windows local - security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' - product: windows - service: windefend -modified: 2021/11/13 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml deleted file mode 100644 index f462131e..00000000 --- a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml +++ /dev/null 
@@ -1,46 +0,0 @@ - -title: Mimikatz Use -author: Florian Roth -date: 2017/01/10 -description: This method detects mimikatz keywords in different Eventlogs (some of - them only appear in older Mimikatz version that are however still used by different - threat groups) -detection: - SELECTION_1: - - \mimikatz - - mimikatz.exe - - \mimilib.dll - - <3 eo.oe - - eo.oe.kiwi - - privilege::debug - - sekurlsa::logonpasswords - - lsadump::sam - - mimidrv.sys - - ' p::d ' - - ' s::l ' - - gentilkiwi.com - - Kiwi Legit Printer - condition: (SELECTION_1) -falsepositives: -- Naughty administrators -- Penetration test -- AV Signature updates -- Files with Mimikatz in their filename -id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 -level: critical -logsource: - product: windows -modified: 2021/08/26 -status: experimental -tags: -- attack.s0002 -- attack.t1003 -- attack.lateral_movement -- attack.credential_access -- car.2013-07-001 -- car.2019-04-004 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.001 -- attack.t1003.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ruler.yml b/rules/sigma/builtin/win_alert_ruler.yml deleted file mode 100644 index 4aaf7869..00000000 --- a/rules/sigma/builtin/win_alert_ruler.yml +++ /dev/null 
@@ -1,41 +0,0 @@ - -title: Hacktool Ruler -author: Florian Roth -date: 2017/05/31 -description: This events that are generated when using the hacktool Ruler by Sensepost -detection: - SELECTION_1: - EventID: 4776 - SELECTION_2: - Workstation: RULER - SELECTION_3: - EventID: 4624 - SELECTION_4: - EventID: 4625 - SELECTION_5: - WorkstationName: RULER - condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5)) -falsepositives: -- Go utilities that use staaldraad awesome NTLM library -id: 24549159-ac1b-479c-8175-d42aea947cae -level: high -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://github.com/sensepost/ruler -- https://github.com/sensepost/ruler/issues/47 -- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427 -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 -status: experimental -tags: -- attack.discovery -- attack.execution -- attack.t1087 -- attack.t1075 -- attack.t1114 -- attack.t1059 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml deleted file mode 100644 index 438305cd..00000000 --- a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml +++ /dev/null 
@@ -1,48 +0,0 @@ - -title: File Was Not Allowed To Run -author: Pushkarev Dmitry -date: 2020/06/28 -description: Detect run not allowed files. Applocker is a very useful tool, especially - on servers where unprivileged users have access. For example terminal servers. You - need configure applocker and log collect to receive these events. -detection: - SELECTION_1: - EventID: 8004 - SELECTION_2: - EventID: 8007 - condition: (SELECTION_1 or SELECTION_2) -falsepositives: -- need tuning applocker or add exceptions in SIEM -fields: -- PolicyName -- RuleId -- RuleName -- TargetUser -- TargetProcessId -- FilePath -- FileHash -- Fqbn -id: 401e5d00-b944-11ea-8f9a-00163ecd60ae -level: medium -logsource: - product: windows - service: applocker -modified: 2020/08/23 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker -- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker -- https://nxlog.co/documentation/nxlog-user-guide/applocker.html -status: experimental -tags: -- attack.execution -- attack.t1086 -- attack.t1064 -- attack.t1204 -- attack.t1035 -- attack.t1204.002 -- attack.t1059.001 -- attack.t1059.003 -- attack.t1059.005 -- attack.t1059.006 -- attack.t1059.007 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml deleted file mode 100644 index 4b762d27..00000000 --- a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -title: Turla Service Install -author: Florian Roth -date: 2017/03/31 -description: This method detects a service install of malicious services mentioned - in Carbon Paper - Turla report by ESET -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: - - srservice - - ipvpn - - hkmsvc - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 -level: high -logsource: - product: windows - service: system -references: -- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ -status: experimental -tags: -- attack.persistence -- attack.g0010 -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml deleted file mode 100644 index ec02fb45..00000000 --- a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml +++ /dev/null @@ -1,42 +0,0 @@ - -title: Chafer Activity -author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -date: 2018/03/23 -description: Detects Chafer activity attributed to OilRig as reported in Nyotron report - in March 2018 -detection: - SELECTION_1: - EventID: 4698 - SELECTION_2: - TaskName: - - SC Scheduled Scan - - UpdatMachine - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: c0580559-a6bd-4ef6-b9b7-83703d98b561 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/19 -references: -- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ -related: -- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 - type: derived -status: experimental -tags: -- attack.persistence -- attack.g0049 -- attack.t1053 -- attack.t1053.005 -- attack.s0111 -- attack.t1050 -- attack.t1543.003 -- attack.defense_evasion -- attack.t1112 -- attack.command_and_control -- attack.t1071 -- attack.t1071.004 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml deleted file mode 100644 index f7d9a946..00000000 --- a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml +++ /dev/null @@ -1,39 +0,0 @@ - -title: Chafer Activity -author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -date: 2018/03/23 -description: Detects Chafer activity attributed to OilRig as reported in Nyotron report - in March 2018 -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: - - SC Scheduled Scan - - UpdatMachine - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 -level: critical -logsource: - product: windows - service: system -modified: 2021/09/19 -references: -- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/ -status: experimental -tags: -- attack.persistence -- attack.g0049 -- attack.t1053 -- attack.t1053.005 -- attack.s0111 -- attack.t1050 -- attack.t1543.003 -- attack.defense_evasion -- attack.t1112 -- attack.command_and_control -- attack.t1071 -- attack.t1071.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_gallium.yml b/rules/sigma/builtin/win_apt_gallium.yml deleted file mode 100644 index a85c5c9b..00000000 --- a/rules/sigma/builtin/win_apt_gallium.yml +++ /dev/null 
@@ -1,39 +0,0 @@ - -title: GALLIUM Artefacts -author: Tim Burrell -date: 2020/02/07 -description: Detects artefacts associated with activity group GALLIUM - Microsoft - Threat Intelligence Center indicators released in December 2019. -detection: - SELECTION_1: - EventID: 257 - SELECTION_2: - QNAME: - - asyspy256.ddns.net - - hotkillmail9sddcc.ddns.net - - rosaf112.ddns.net - - cvdfhjh1231.myftp.biz - - sz2016rose.ddns.net - - dffwescwer4325.myftp.biz - - cvdfhjh1231.ddns.net - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 3db10f25-2527-4b79-8d4b-471eb900ee29 -level: high -logsource: - product: windows - service: dns-server -modified: 2021/09/19 -references: -- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ -- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) -related: -- id: 440a56bf-7873-4439-940a-1c8a671073c2 - type: derived -status: experimental -tags: -- attack.credential_access -- attack.command_and_control -- attack.t1071 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_slingshot.yml b/rules/sigma/builtin/win_apt_slingshot.yml deleted file mode 100644 index 3824cb83..00000000 --- a/rules/sigma/builtin/win_apt_slingshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: Defrag Deactivation -author: Florian Roth, Bartlomiej Czyz (@bczyz1) -date: 2019/03/04 -description: Detects the deactivation and disabling of the Scheduled defragmentation - task as seen by Slingshot APT group -detection: - SELECTION_1: - EventID: 4701 - SELECTION_2: - TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 -level: medium -logsource: - definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' - product: windows - service: security -modified: 2021/09/19 -references: -- https://securelist.com/apt-slingshot/84312/ -related: -- id: 958d81aa-8566-4cea-a565-59ccd4df27b0 - type: derived -status: experimental -tags: -- attack.persistence -- attack.t1053 -- attack.s0111 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_stonedrill.yml b/rules/sigma/builtin/win_apt_stonedrill.yml deleted file mode 100644 index 9a58cd58..00000000 --- a/rules/sigma/builtin/win_apt_stonedrill.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: StoneDrill Service Install -author: Florian Roth -date: 2017/03/07 -description: This method detects a service install of the malicious Microsoft Network - Realtime Inspection Service service described in StoneDrill report by Kaspersky -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: NtsSrv - SELECTION_3: - ServiceFileName: '* LocalService' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unlikely -id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 -level: high -logsource: - product: windows - service: system -references: -- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ -status: experimental -tags: -- attack.persistence -- attack.g0064 -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_apt_turla_service_png.yml b/rules/sigma/builtin/win_apt_turla_service_png.yml deleted file mode 100644 index 6d3424e9..00000000 --- a/rules/sigma/builtin/win_apt_turla_service_png.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Turla PNG Dropper Service -author: Florian Roth -date: 2018/11/23 -description: This method detects malicious services mentioned in Turla PNG dropper - report by NCC Group in November 2018 -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: WerFaultSvc - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unlikely -id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1 -level: critical -logsource: - product: windows - service: system -references: -- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ -status: experimental -tags: -- attack.persistence -- attack.g0010 -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_wocao.yml b/rules/sigma/builtin/win_apt_wocao.yml deleted file mode 100644 index 75c0a3b6..00000000 --- a/rules/sigma/builtin/win_apt_wocao.yml +++ /dev/null 
@@ -1,38 +0,0 @@ - -title: Operation Wocao Activity -author: Florian Roth, frack113 -date: 2019/12/20 -description: Detects activity mentioned in Operation Wocao report -detection: - SELECTION_1: - EventID: 4799 - SELECTION_2: - TargetUserName: Administr* - SELECTION_3: - CallerProcessName: '*\checkadmin.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Administrators that use checkadmin.exe tool to enumerate local administrators -id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d -level: high -logsource: - product: windows - service: security -modified: 2021/09/19 -references: -- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ -- https://twitter.com/SBousseaden/status/1207671369963646976 -status: experimental -tags: -- attack.discovery -- attack.t1012 -- attack.defense_evasion -- attack.t1036.004 -- attack.t1036 -- attack.t1027 -- attack.execution -- attack.t1053.005 -- attack.t1053 -- attack.t1059.001 -- attack.t1086 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml deleted file mode 100644 index 870ee845..00000000 --- a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: Arbitrary Shell Command Execution Via Settingcontent-Ms -author: Sreeman -date: 2020/03/13 -description: The .SettingContent-ms file type was introduced in Windows 10 and allows - a user to create "shortcuts" to various Windows 10 setting pages. These files are - simply XML and contain paths to various Windows 10 settings binaries. -detection: - SELECTION_1: - CommandLine: '*.SettingContent-ms*' - SELECTION_2: - FilePath: '*immersivecontrolpanel*' - condition: (SELECTION_1 and not (SELECTION_2)) -falsepositives: -- unknown -fields: -- ParentProcess -- CommandLine -- ParentCommandLine -id: 24de4f3b-804c-4165-b442-5a06a2302c7e -level: medium -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -status: experimental -tags: -- attack.t1204 -- attack.t1193 -- attack.t1566.001 -- attack.execution -- attack.initial_access -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml deleted file mode 100644 index 966f66be..00000000 --- a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml +++ /dev/null 
@@ -1,30 +0,0 @@ - -title: Using AppVLP To Circumvent ASR File Path Rule -author: Sreeman -date: 2020/03/13 -description: Application Virtualization Utility is included with Microsoft Office.We - are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used - for Application Virtualization, but we can use it as an abuse binary to circumvent - the ASR file path rule folder or to mark a file as a system file -detection: - SELECTION_1: - CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf) - condition: SELECTION_1 -falsepositives: -- unknown -fields: -- ParentProcess -- CommandLine -- ParentCommandLine -id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 -level: medium -logsource: - product: windows - service: security -modified: 2021/06/11 -status: experimental -tags: -- attack.t1218 -- attack.defense_evasion -- attack.execution -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_atsvc_task.yml b/rules/sigma/builtin/win_atsvc_task.yml deleted file mode 100644 index e15f4db2..00000000 --- a/rules/sigma/builtin/win_atsvc_task.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - -title: Remote Task Creation via ATSVC Named Pipe -author: Samir Bousseaden -date: 2019/04/03 -description: Detects remote task creation via at.exe or API interacting with ATSVC - namedpipe -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: atsvc - SELECTION_4: - Accesses: '*WriteData*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- pentesting -id: f6de6525-4509-495a-8a82-1f8b0ed73a00 -level: medium -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -status: experimental -tags: -- attack.lateral_movement -- attack.persistence -- attack.t1053 -- car.2013-05-004 -- car.2015-04-001 -- attack.t1053.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_audit_cve.yml b/rules/sigma/builtin/win_audit_cve.yml deleted file mode 100644 index e5a726e8..00000000 --- a/rules/sigma/builtin/win_audit_cve.yml +++ /dev/null 
@@ -1,39 +0,0 @@ - -title: Audit CVE Event -author: Florian Roth -date: 2020/01/15 -description: Detects events generated by Windows to indicate the exploitation of a - known vulnerability (e.g. CVE-2020-0601) -detection: - SELECTION_1: - Provider_Name: Microsoft-Windows-Audit-CVE - condition: SELECTION_1 -falsepositives: -- Unknown -id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2 -level: critical -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://twitter.com/mattifestation/status/1217179698008068096 -- https://twitter.com/VM_vivisector/status/1217190929330655232 -- https://twitter.com/davisrichardg/status/1217517547576348673 -- https://twitter.com/DidierStevens/status/1217533958096924676 -- https://twitter.com/FlemmingRiis/status/1217147415482060800 -status: experimental -tags: -- attack.execution -- attack.t1203 -- attack.privilege_escalation -- attack.t1068 -- attack.defense_evasion -- attack.t1211 -- attack.credential_access -- attack.t1212 -- attack.lateral_movement -- attack.t1210 -- attack.impact -- attack.t1499.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_av_relevant_match.yml b/rules/sigma/builtin/win_av_relevant_match.yml deleted file mode 100644 index 6b50e7f4..00000000 --- a/rules/sigma/builtin/win_av_relevant_match.yml +++ /dev/null 
@@ -1,44 +0,0 @@ - -title: Relevant Anti-Virus Event -author: Florian Roth -date: 2017/02/19 -description: This detection method points out highly relevant Antivirus events -detection: - SELECTION_1: - - HTool- - - Hacktool - - ASP/Backdoor - - JSP/Backdoor - - PHP/Backdoor - - Backdoor.ASP - - Backdoor.JSP - - Backdoor.PHP - - Webshell - - Portscan - - Mimikatz - - .WinCred. - - PlugX - - Korplug - - Pwdump - - Chopper - - WmiExec - - Xscan - - Clearlog - - ASPXSpy - SELECTION_2: - - Keygen - - Crack - condition: ((SELECTION_1) and not (SELECTION_2)) -falsepositives: -- Some software piracy tools (key generators, cracks) are classified as hack tools -id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8 -level: high -logsource: - product: windows - service: application -modified: 2021/11/20 -status: experimental -tags: -- attack.resource_development -- attack.t1588 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_camera_microphone_access.yml b/rules/sigma/builtin/win_camera_microphone_access.yml deleted file mode 100644 index 14f0bf85..00000000 --- a/rules/sigma/builtin/win_camera_microphone_access.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: Processes Accessing the Microphone and Webcam -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/06/07 -description: Potential adversaries accessing the microphone and webcam in an endpoint. -detection: - SELECTION_1: - EventID: 4657 - SELECTION_2: - EventID: 4656 - SELECTION_3: - EventID: 4663 - SELECTION_4: - ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*' - SELECTION_5: - ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) -falsepositives: -- Unknown -id: 8cd538a4-62d5-4e83-810b-12d41e428d6e -level: medium -logsource: - product: windows - service: security -references: -- https://twitter.com/duzvik/status/1269671601852813320 -- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 -status: experimental -tags: -- attack.collection -- attack.t1123 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml deleted file mode 100644 index 13d65f62..00000000 --- a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml +++ /dev/null 
@@ -1,49 +0,0 @@ - -title: CobaltStrike Service Installations -author: Florian Roth, Wojciech Lesicki -date: 2021/05/26 -description: Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: '*ADMIN$*' - SELECTION_3: - ImagePath: '*.exe*' - SELECTION_4: - ImagePath: '*%COMSPEC%*' - SELECTION_5: - ImagePath: '*start*' - SELECTION_6: - ImagePath: '*powershell*' - SELECTION_7: - ImagePath: '*powershell -nop -w hidden -encodedcommand*' - SELECTION_8: - ImagePath: - - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*' - - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*' - - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5 - and SELECTION_6) or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: 5a105d34-05fc-401e-8553-272b45c1522d -level: critical -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://www.sans.org/webcasts/119395 -- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ -- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.lateral_movement -- attack.t1021.002 -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml deleted file mode 100644 index e1b45c52..00000000 --- a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -title: DCERPC SMB Spoolss Named Pipe -author: OTR (Open Threat Research) -date: 2018/11/28 -description: Detects the use of the spoolss named pipe over SMB. This can be used - to trigger the authentication via NTLM of any machine that has the spoolservice - enabled. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: spoolss - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Domain Controllers acting as printer servers too? :) -id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e -level: medium -logsource: - product: windows - service: security -references: -- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 -- https://dirkjanm.io/a-different-way-of-abusing-zerologon/ -- https://twitter.com/_dirkjan/status/1309214379003588608 -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml deleted file mode 100644 index ad7b67a4..00000000 --- a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml +++ /dev/null 
@@ -1,30 +0,0 @@ - -title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/12 -description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program - Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer - DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: '*\Internet Explorer\iertutil.dll' - SELECTION_3: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Unknown -id: c39f0c81-7348-4965-ab27-2fde35a1b641 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -- attack.t1021.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcsync.yml b/rules/sigma/builtin/win_dcsync.yml deleted file mode 100644 index 0486e61f..00000000 --- a/rules/sigma/builtin/win_dcsync.yml +++ /dev/null 
@@ -1,41 +0,0 @@ - -title: Mimikatz DC Sync -author: Benjamin Delpy, Florian Roth, Scott Dermott -date: 2018/06/03 -description: Detects Mimikatz DC sync security events -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - Properties: - - '*Replicating Directory Changes All*' - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - SELECTION_3: - SubjectDomainName: Window Manager - SELECTION_4: - SubjectUserName: - - NT AUTHORITY* - - MSOL_* - SELECTION_5: - SubjectUserName: '*$' - condition: ((((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) and not (SELECTION_4)) - and not (SELECTION_5)) -falsepositives: -- Valid DC Sync that is not covered by the filters; please report -- Local Domain Admin account used for Azure AD Connect -id: 611eab06-a145-4dfa-a295-3ccc5c20f59a -level: high -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://twitter.com/gentilkiwi/status/1003236624925413376 -- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 -status: experimental -tags: -- attack.credential_access -- attack.s0002 -- attack.t1003 -- attack.t1003.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_disable_event_logging.yml b/rules/sigma/builtin/win_disable_event_logging.yml deleted file mode 100644 index e641c5dc..00000000 --- a/rules/sigma/builtin/win_disable_event_logging.yml +++ /dev/null 
@@ -1,40 +0,0 @@ - -title: Disabling Windows Event Auditing -author: '@neu5ron' -date: 2017/11/19 -description: 'Detects scenarios where system auditing (ie: windows event log auditing) - is disabled. This may be used in a scenario where an entity would want to bypass - local logging to evade detection when windows event logging is enabled and reviewed. - Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, - which will make sure that Active Directory GPOs take precedence over local/edited - computer policies via something such as "gpedit.msc". Please note, that disabling - "Local Group Policy Object Processing" may cause an issue in scenarios of one off - specific GPO modifications -- however it is recommended to perform these modifications - in Active Directory anyways.' -detection: - SELECTION_1: - EventID: 4719 - SELECTION_2: - AuditPolicyChanges: - - '*%%8448*' - - '*%%8450*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 69aeb277-f15f-4d2d-b32a-55e883609563 -level: high -logsource: - definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, - Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy - Change' - product: windows - service: security -references: -- https://bit.ly/WinLogsZero2Hero -status: experimental -tags: -- attack.defense_evasion -- attack.t1054 -- attack.t1562.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml deleted file mode 100644 index 5665cfed..00000000 --- a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -title: DPAPI Domain Backup Key Extraction -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/06/20 -description: Detects tools extracting LSA secret DPAPI domain backup key from Domain - Controllers -detection: - SELECTION_1: - EventID: 4662 - SELECTION_2: - ObjectType: SecretObject - SELECTION_3: - AccessMask: '0x2' - SELECTION_4: - ObjectName: BCKUPKEY - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 4ac1f50b-3bd0-4968-902d-868b4647937e -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml deleted file mode 100644 index 2d83f8a0..00000000 --- a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: DPAPI Domain Master Key Backup Attempt -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -description: Detects anyone attempting a backup for the DPAPI Master Key. This events - gets generated at the source and not the Domain Controller. -detection: - SELECTION_1: - EventID: 4692 - condition: SELECTION_1 -falsepositives: -- Unknown -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.004 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_etw_modification.yml b/rules/sigma/builtin/win_etw_modification.yml deleted file mode 100644 index e9c22434..00000000 --- a/rules/sigma/builtin/win_etw_modification.yml +++ /dev/null @@ -1,37 +0,0 @@ - -title: COMPlus_ETWEnabled Registry Modification -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/06/05 -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. -detection: - SELECTION_1: - EventID: 4657 - SELECTION_2: - ObjectName: '*\SOFTWARE\Microsoft\.NETFramework' - SELECTION_3: - ObjectValueName: ETWEnabled - SELECTION_4: - NewValue: '0' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- unknown -id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc -level: critical -logsource: - product: windows - service: security -references: -- https://twitter.com/_xpn_/status/1268712093928378368 -- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr -- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables -- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 -- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 -- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ -- https://bunnyinside.com/?term=f71e8cb9c76a -- http://managed670.rssing.com/chan-5590147/all_p1.html -- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_event_log_cleared.yml b/rules/sigma/builtin/win_event_log_cleared.yml deleted file mode 100644 index 13eedec4..00000000 --- a/rules/sigma/builtin/win_event_log_cleared.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Security Event Log Cleared -author: Saw Winn Naung -date: 2021/08/15 -description: Checks for event id 1102 which indicates the security event log was cleared. -detection: - SELECTION_1: - EventID: 1102 - SELECTION_2: - Provider_Name: Microsoft-Windows-Eventlog - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate administrative activity -fields: -- SubjectLogonId -- SubjectUserName -- SubjectUserSid -- SubjectDomainName -id: a122ac13-daf8-4175-83a2-72c387be339d -level: medium -logsource: - product: windows - service: security -modified: 2021/10/13 -references: -- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml -status: experimental -tags: -- attack.t1107 -- attack.t1070.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exchange_transportagent.yml b/rules/sigma/builtin/win_exchange_transportagent.yml deleted file mode 100644 index 45b86cf0..00000000 --- a/rules/sigma/builtin/win_exchange_transportagent.yml +++ /dev/null 
@@ -1,28 +0,0 @@ - -title: MSExchange Transport Agent Installation -author: Tobias Michalski -date: 2021/06/08 -description: Detects the Installation of a Exchange Transport Agent -detection: - condition: Install-TransportAgent -falsepositives: -- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator - for this. -fields: -- AssemblyPath -id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 -level: medium -logsource: - product: windows - service: msexchange-management -modified: 2021/09/19 -references: -- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 -related: -- id: 83809e84-4475-4b69-bc3e-4aad8568612f - type: derived -status: experimental -tags: -- attack.persistence -- attack.t1505.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml deleted file mode 100644 index 50c5cb01..00000000 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ /dev/null 
@@ -1,46 +0,0 @@ - -title: Possible CVE-2021-1675 Print Spooler Exploitation -author: Florian Roth, KevTheHermit, fuzzyf10w -date: 2021/06/30 -description: Detects events of driver load errors in print service logs that could - be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 -detection: - SELECTION_1: - EventID: 808 - SELECTION_2: - EventID: 4909 - SELECTION_3: - ErrorCode: - - '0x45A' - - '0x7e' - SELECTION_4: - - The print spooler failed to load a plug-in module - - MyExploit.dll - - evil.dll - - \addCube.dll - - \rev.dll - - \rev2.dll - - \main64.dll - - \mimilib.dll - - \mimispool.dll - condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4)) -falsepositives: -- Problems with printer drivers -fields: -- PluginDllName -id: 4e64668a-4da1-49f5-a8df-9e2d5b866718 -level: high -logsource: - product: windows - service: printservice-admin -modified: 2021/07/08 -references: -- https://github.com/hhlxf/PrintNightmare -- https://github.com/afwu/PrintNightmare -- https://twitter.com/fuzzyf10w/status/1410202370835898371 -status: experimental -tags: -- attack.execution -- attack.t1569 -- cve.2021.1675 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml deleted file mode 100644 index 208ccbbf..00000000 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: CVE-2021-1675 Print Spooler Exploitation -author: Florian Roth -date: 2021/07/01 -description: Detects driver load events print service operational log that are a sign - of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 -detection: - SELECTION_1: - EventID: '316' - SELECTION_2: - - 'UNIDRV.DLL, kernelbase.dll, ' - - ' 123 ' - - ' 1234 ' - - mimispool - condition: (SELECTION_1 and (SELECTION_2)) -falsepositives: -- Unknown -fields: -- DriverAdded -id: f34d942d-c8c4-4f1f-b196-22471aecf10a -level: critical -logsource: - product: windows - service: printservice-operational -references: -- https://twitter.com/MalwareJake/status/1410421967463731200 -status: experimental -tags: -- attack.execution -- attack.t1569 -- cve.2021.1675 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml deleted file mode 100644 index e27b3a11..00000000 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: CVE-2021-1675 Print Spooler Exploitation IPC Access -author: INIT_6 -date: 2021/07/02 -description: Detects remote printer driver load from Detailed File Share in Security - logs that are a sign of successful exploitation attempts against print spooler vulnerability - CVE-2021-1675 and CVE-2021-34527 -detection: - SELECTION_1: - EventID: '5145' - SELECTION_2: - ShareName: \\\*\IPC$ - SELECTION_3: - RelativeTargetName: spoolss - SELECTION_4: - AccessMask: '0x3' - SELECTION_5: - ObjectType: File - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- nothing observed so far -id: 8fe1c584-ee61-444b-be21-e9054b229694 -level: critical -logsource: - product: windows - service: security -references: -- https://twitter.com/INIT_3/status/1410662463641731075 -status: experimental -tags: -- attack.execution -- attack.t1569 -- cve.2021.1675 -- cve.2021.34527 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_external_device.yml b/rules/sigma/builtin/win_external_device.yml deleted file mode 100644 index e381b4bc..00000000 --- a/rules/sigma/builtin/win_external_device.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: External Disk Drive Or USB Storage Device -author: Keith Wright -date: 2019/11/20 -description: Detects external diskdrives or plugged in USB devices , EventID 6416 - on windows 10 or later -detection: - SELECTION_1: - EventID: 6416 - SELECTION_2: - ClassName: DiskDrive - SELECTION_3: - DeviceDescription: USB Mass Storage Device - condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3) -falsepositives: -- Legitimate administrative activity -id: f69a87ea-955e-4fb4-adb2-bb9fd6685632 -level: low -logsource: - product: windows - service: security -modified: 2021/08/09 -status: experimental -tags: -- attack.t1091 -- attack.t1200 -- attack.lateral_movement -- attack.initial_access -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_global_catalog_enumeration.yml b/rules/sigma/builtin/win_global_catalog_enumeration.yml deleted file mode 100644 index 4d7e1d49..00000000 --- a/rules/sigma/builtin/win_global_catalog_enumeration.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Enumeration via the Global Catalog -author: Chakib Gzenayi (@Chak092), Hosni Mribah -date: 2020/05/11 -description: Detects enumeration of the global catalog (that can be performed using - BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain - width. -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - DestinationPort: 3268 - SELECTION_3: - DestinationPort: 3269 - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress - > 2000 -falsepositives: -- Exclude known DCs. -id: 619b020f-0fd7-4f23-87db-3f51ef837a34 -level: medium -logsource: - definition: The advanced audit policy setting "Windows Filtering Platform > Filtering - Platform Connection" must be configured for Success - product: windows - service: security -modified: 2021/06/01 -references: -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156 -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_gpo_scheduledtasks.yml b/rules/sigma/builtin/win_gpo_scheduledtasks.yml deleted file mode 100644 index b264d962..00000000 --- a/rules/sigma/builtin/win_gpo_scheduledtasks.yml +++ /dev/null 
@@ -1,38 +0,0 @@ - -title: Persistence and Execution at Scale via GPO Scheduled Task -author: Samir Bousseaden -date: 2019/04/03 -description: Detect lateral movement using GPO scheduled task, usually used to deploy - ransomware at scale -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\SYSVOL - SELECTION_3: - RelativeTargetName: '*ScheduledTasks.xml' - SELECTION_4: - Accesses: - - '*WriteData*' - - '*%%4417*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- if the source IP is not localhost then it's super suspicious, better to monitor - both local and remote changes to GPO scheduledtasks -id: a8f29a7b-b137-4446-80a0-b804272f3da2 -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://twitter.com/menasec1/status/1106899890377052160 -- https://www.secureworks.com/blog/ransomware-as-a-distraction -status: experimental -tags: -- attack.persistence -- attack.lateral_movement -- attack.t1053 -- attack.t1053.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hack_smbexec.yml b/rules/sigma/builtin/win_hack_smbexec.yml deleted file mode 100644 index 99faa199..00000000 --- a/rules/sigma/builtin/win_hack_smbexec.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - -title: smbexec.py Service Installation -author: Omer Faruk Celik -date: 2018/03/20 -description: Detects the use of smbexec.py tool by detecting a specific service installation -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: BTOBTO - SELECTION_3: - ServiceFileName: '*\execute.bat' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Penetration Test -- Unknown -fields: -- ServiceName -- ServiceFileName -id: 52a85084-6989-40c3-8f32-091e12e13f09 -level: critical -logsource: - product: windows - service: system -modified: 2020/08/23 -references: -- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ -status: experimental -tags: -- attack.lateral_movement -- attack.execution -- attack.t1077 -- attack.t1021.002 -- attack.t1035 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hidden_user_creation.yml b/rules/sigma/builtin/win_hidden_user_creation.yml deleted file mode 100644 index 45f43c4a..00000000 --- a/rules/sigma/builtin/win_hidden_user_creation.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Hidden Local User Creation -author: Christian Burkard -date: 2021/05/03 -description: Detects the creation of a local hidden user account which should not - happen for event ID 4720. -detection: - SELECTION_1: - EventID: 4720 - SELECTION_2: - TargetUserName: '*$' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- EventCode -- AccountName -id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 -level: high -logsource: - product: windows - service: security -references: -- https://twitter.com/SBousseaden/status/1387743867663958021 -status: experimental -tags: -- attack.persistence -- attack.t1136.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml deleted file mode 100644 index 747f4c44..00000000 
--- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: HybridConnectionManager Service Installation -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2021/04/12 -description: Rule to detect the Hybrid Connection Manager service installation. -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceName: HybridConnectionManager - SELECTION_3: - ServiceFileName: '*HybridConnectionManager*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate use of Hybrid Connection Manager via Azure function apps. -id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2 -level: high -logsource: - product: windows - service: security -modified: 2021/08/09 -references: -- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 -status: experimental -tags: -- attack.persistence -- attack.t1554 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml deleted file mode 100644 index e1baa865..00000000 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: HybridConnectionManager Service Running -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2021/04/12 -description: Rule to detect the Hybrid Connection Manager service running on an endpoint. -detection: - SELECTION_1: - EventID: 40300 - SELECTION_2: - EventID: 40301 - SELECTION_3: - EventID: 40302 - SELECTION_4: - - HybridConnection - - sb:// - - servicebus.windows.net - - HybridConnectionManage - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4)) -falsepositives: -- Legitimate use of Hybrid Connection Manager via Azure function apps. -id: b55d23e5-6821-44ff-8a6e-67218891e49f -level: high -logsource: - product: windows - service: microsoft-servicebus-client -references: -- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 -status: experimental -tags: -- attack.persistence -- attack.t1554 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_psexec.yml b/rules/sigma/builtin/win_impacket_psexec.yml deleted file mode 100644 index 2ae66da8..00000000 --- a/rules/sigma/builtin/win_impacket_psexec.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Impacket PsExec Execution -author: Bhabesh Raj -date: 2020/12/14 -description: Detects execution of Impacket's psexec.py. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: - - '*RemCom_stdint*' - - '*RemCom_stdoutt*' - - '*RemCom_stderrt*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- nothing observed so far -id: 32d56ea1-417f-44ff-822b-882873f5f43b -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_impacket_secretdump.yml b/rules/sigma/builtin/win_impacket_secretdump.yml deleted file mode 100644 index 702db365..00000000 --- a/rules/sigma/builtin/win_impacket_secretdump.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Possible Impacket SecretDump Remote Activity -author: Samir Bousseaden, wagga -date: 2019/04/03 -description: Detect AD credential dumping using impacket secretdump HKTL -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\ADMIN$ - SELECTION_3: - RelativeTargetName: '*SYSTEM32\\*' - SELECTION_4: - RelativeTargetName: '*.tmp*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- pentesting -id: 252902e3-5830-4cf6-bf21-c22083dfd5cf -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -modified: 2021/06/27 -references: -- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml deleted file mode 100644 index 3708781f..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml +++ /dev/null 
@@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation CLIP+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/13 -description: Detects Obfuscated use of Clip.exe to execute PowerShell -detection: - SELECTION_1: - ImagePath|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: f7385ee2-0e0c-11eb-adc1-0242ac120002 -level: high -logsource: - product: windows - service: system -modified: 2021/09/16 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml deleted file mode 100644 index 8dede200..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation CLIP+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/13 -description: Detects Obfuscated use of Clip.exe to execute PowerShell -detection: - SELECTION_1: - ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 4edf51e1-cb83-4e1a-bc39-800e396068e3 -level: high -logsource: - product: windows - service: security -modified: 2021/09/16 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: f7385ee2-0e0c-11eb-adc1-0242ac120002 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml deleted file mode 100644 index fa8d939f..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Invoke-Obfuscation Obfuscated IEX Invocation -author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community -date: 2019/11/08 -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - SELECTION_3: - ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - SELECTION_4: - ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - SELECTION_5: - ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - SELECTION_6: - ImagePath|re: \\*mdr\*\W\s*\)\.Name - SELECTION_7: - ImagePath|re: \$VerbosePreference\.ToString\( - SELECTION_8: - ImagePath|re: \String\]\s*\$VerbosePreference - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 - or SELECTION_6 or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 -level: high -logsource: - product: windows - service: system -modified: 2021/09/16 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml deleted file mode 100644 index f833b779..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ /dev/null 
@@ -1,43 +0,0 @@ - -title: Invoke-Obfuscation Obfuscated IEX Invocation -author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community -date: 2019/11/08 -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the code block linked in the references -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - SELECTION_3: - ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - SELECTION_4: - ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - SELECTION_5: - ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - SELECTION_6: - ServiceFileName|re: \\*mdr\*\W\s*\)\.Name - SELECTION_7: - ServiceFileName|re: \$VerbosePreference\.ToString\( - SELECTION_8: - ServiceFileName|re: \String\]\s*\$VerbosePreference - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 - or SELECTION_6 or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: fd0f5778-d3cb-4c9a-9695-66759d04702a -level: high -logsource: - product: windows - service: security -modified: 2021/09/16 -references: -- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" -related: -- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml deleted file mode 100644 index 7fbb3b31..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml +++ /dev/null 
@@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation STDIN+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of stdin to execute PowerShell -detection: - SELECTION_1: - ImagePath|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 72862bf2-0eb1-11eb-adc1-0242ac120002 -level: high -logsource: - product: windows - service: system -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml deleted file mode 100644 index a92fbad5..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation STDIN+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of stdin to execute PowerShell -detection: - SELECTION_1: - ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 -level: high -logsource: - product: windows - service: security -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 72862bf2-0eb1-11eb-adc1-0242ac120002 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml deleted file mode 100644 index b4e189fb..00000000 
--- a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation VAR+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of Environment Variables to execute PowerShell -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*" - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 -level: high -logsource: - product: windows - service: system -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml deleted file mode 100644 index 9882cbdf..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation VAR+ Launcher -author: Jonathan Cheong, oscd.community -date: 2020/10/15 -description: Detects Obfuscated use of Environment Variables to execute PowerShell -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*" - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: dcf2db1f-f091-425b-a821-c05875b8925a -level: high -logsource: - product: windows - service: security -modified: 2021/09/17 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml deleted file mode 100644 index d5ca47b4..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation COMPRESS OBFUSCATION -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION -detection: - SELECTION_1: - ImagePath|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 175997c5-803c-4b08-8bb0-70b099f47595 -level: medium -logsource: - product: windows - service: system -modified: 2021/08/09 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml deleted file mode 100644 index d667dba5..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation COMPRESS OBFUSCATION -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION -detection: - SELECTION_1: - ServiceFileName|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 -level: medium -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml deleted file mode 100644 index 01ab25fd..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation RUNDLL LAUNCHER -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via RUNDLL LAUNCHER -detection: - SELECTION_1: - ImagePath|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 -level: medium -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml deleted file mode 100644 index 0ba84a39..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation RUNDLL LAUNCHER -author: Timur Zinniatullin, oscd.community -date: 2020/10/18 -description: Detects Obfuscated Powershell via RUNDLL LAUNCHER -detection: - SELECTION_1: - ServiceFileName|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca -level: medium -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml deleted file mode 100644 index 89378b77..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ /dev/null 
@@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Stdin -author: Nikita Nazarov, oscd.community -date: 2020/10/12 -description: Detects Obfuscated Powershell via Stdin in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 487c7524-f892-4054-b263-8a0ace63fc25 -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml deleted file mode 100644 index bd8b9f94..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation Via Stdin -author: Nikita Nazarov, oscd.community -date: 2020/10/12 -description: Detects Obfuscated Powershell via Stdin in Scripts -detection: - SELECTION_1: - ServiceFileName|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*" - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 487c7524-f892-4054-b263-8a0ace63fc25 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml deleted file mode 100644 index 3ec75741..00000000 
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Use Clip -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use Clip.exe in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).* - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 63e3365d-4824-42d8-8b82-e56810fefa0c -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml deleted file mode 100644 index aecd5454..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: Invoke-Obfuscation Via Use Clip -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use Clip.exe in Scripts -detection: - SELECTION_1: - ServiceFileName|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).* - SELECTION_2: - EventID: 4697 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 -level: high -logsource: - product: windows - service: security -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -related: -- id: 63e3365d-4824-42d8-8b82-e56810fefa0c - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml deleted file mode 100644 index ed66aa8e..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Invoke-Obfuscation Via Use MSHTA -author: Nikita Nazarov, oscd.community -date: 2020/10/09 -description: Detects Obfuscated Powershell via use MSHTA in Scripts -detection: - SELECTION_1: - ImagePath|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*" - SELECTION_2: - EventID: 7045 - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 -level: high -logsource: - product: windows - service: system -modified: 2021/09/18 -references: -- https://github.com/Neo23x0/sigma/issues/1009 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.execution -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml deleted file mode 100644 index 7ccc780b..00000000 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-
-title: Invoke-Obfuscation Via Use MSHTA
-author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
-detection:
- SELECTION_1:
- ServiceFileName|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
- SELECTION_2:
- EventID: 4697
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/09/18
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
deleted file mode 100644
index b51c72f8..00000000
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Invoke-Obfuscation Via Use Rundll32
-author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-detection:
- SELECTION_1:
- ImagePath|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
- SELECTION_2:
- EventID: 7045
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
-level: high
-logsource:
- product: windows
- service: system
-modified: 2021/09/18
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
deleted file mode 100644
index 750beec7..00000000
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Invoke-Obfuscation Via Use Rundll32
-author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-detection:
- SELECTION_1:
- ServiceFileName|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
- SELECTION_2:
- EventID: 4697
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/09/18
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml
deleted file mode 100644
index 80b11728..00000000
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-detection:
- SELECTION_1:
- ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
- SELECTION_2:
- EventID: 7045
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
-level: high
-logsource:
- product: windows
- service: system
-modified: 2021/09/18
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml
deleted file mode 100644
index a639a197..00000000
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-detection:
- SELECTION_1:
- ServiceFileName|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
- SELECTION_2:
- EventID: 4697
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/09/18
-references:
-- https://github.com/Neo23x0/sigma/issues/1009
-related:
-- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027
-- attack.execution
-- attack.t1059.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_iso_mount.yml b/rules/sigma/builtin/win_iso_mount.yml
deleted file mode 100644
index 26102f86..00000000
--- a/rules/sigma/builtin/win_iso_mount.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-
-title: ISO Image Mount
-author: Syed Hasan (@syedhasan009)
-date: 2021/05/29
-description: Detects the mount of ISO images on an endpoint
-detection:
- SELECTION_1:
- EventID: 4663
- SELECTION_2:
- ObjectServer: Security
- SELECTION_3:
- ObjectType: File
- SELECTION_4:
- ObjectName: \Device\CdRom*
- SELECTION_5:
- ObjectName: \Device\CdRom0\setup.exe
- condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not
- (SELECTION_5))
-falsepositives:
-- Software installation ISO files
-id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
-level: medium
-logsource:
- definition: The advanced audit policy setting "Object Access > Audit Removable Storage"
- must be configured for Success/Failure
- product: windows
- service: security
-modified: 2021/11/20
-references:
-- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
-- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
-- https://twitter.com/MsftSecIntel/status/1257324139515269121
-status: experimental
-tags:
-- attack.initial_access
-- attack.t1566.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_lm_namedpipe.yml b/rules/sigma/builtin/win_lm_namedpipe.yml
deleted file mode 100644
index 5075f9fc..00000000
--- a/rules/sigma/builtin/win_lm_namedpipe.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-
-title: First Time Seen Remote Named Pipe
-author: Samir Bousseaden
-date: 2019/04/03
-description: This detection excludes known namped pipes accessible remotely and notify
- on newly observed ones, may help to detect lateral movement and remote exec using
- named pipes
-detection:
- SELECTION_1:
- EventID: 5145
- SELECTION_2:
- ShareName: \\*\IPC$
- SELECTION_3:
- EventID: 5145
- SELECTION_4:
- ShareName: \\*\IPC$
- SELECTION_5:
- RelativeTargetName:
- - atsvc
- - samr
- - lsarpc
- - winreg
- - netlogon
- - srvsvc
- - protected_storage
- - wkssvc
- - browser
- - netdfs
- - svcctl
- - spoolss
- - ntsvcs
- - LSM_API_service
- - HydraLsPipe
- - TermSrv_API_service
- - MsFteWds
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4
- and SELECTION_5))
-falsepositives:
-- update the excluded named pipe to filter out any newly observed legit named pipe
-id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
-level: high
-logsource:
- definition: The advanced audit policy setting "Object Access > Audit Detailed File
- Share" must be configured for Success/Failure
- product: windows
- service: security
-references:
-- https://twitter.com/menasec1/status/1104489274387451904
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1077
-- attack.t1021.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml
deleted file mode 100644
index a87f181a..00000000
--- a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Correct Execution of Nltest.exe
-author: Arun Chauhan
-date: 2021/10/04
-description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers,
- domain trusts, parent domain and the current user permissions.
-detection:
- SELECTION_1:
- EventID: 4689
- SELECTION_2:
- ProcessName: '*nltest.exe'
- SELECTION_3:
- Status: '0x0'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Red team activity
-- rare legitimate use by an administrator
-fields:
-- SubjectUserName
-- SubjectDomainName
-id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
-level: high
-logsource:
- product: windows
- service: security
-references:
-- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
-- https://attack.mitre.org/software/S0359/
-status: experimental
-tags:
-- attack.discovery
-- attack.t1482
-- attack.t1018
-- attack.t1016
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_lsass_access_non_system_account.yml b/rules/sigma/builtin/win_lsass_access_non_system_account.yml
deleted file mode 100644
index 87e87b3d..00000000
--- a/rules/sigma/builtin/win_lsass_access_non_system_account.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-
-title: LSASS Access from Non System Account
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/06/20
-description: Detects potential mimikatz-like tools accessing LSASS from non system
- account
-detection:
- SELECTION_1:
- EventID: 4663
- SELECTION_2:
- EventID: 4656
- SELECTION_3:
- AccessMask:
- - '0x40'
- - '0x1400'
- - '0x1000'
- - '0x100000'
- - '0x1410'
- - '0x1010'
- - '0x1438'
- - '0x143a'
- - '0x1418'
- - '0x1f0fff'
- - '0x1f1fff'
- - '0x1f2fff'
- - '0x1f3fff'
- - '40'
- - '1400'
- - '1000'
- - '100000'
- - '1410'
- - '1010'
- - '1438'
- - 143a
- - '1418'
- - 1f0fff
- - 1f1fff
- - 1f2fff
- - 1f3fff
- SELECTION_4:
- ObjectType: Process
- SELECTION_5:
- ObjectName: '*\lsass.exe'
- SELECTION_6:
- SubjectUserName: '*$'
- SELECTION_7:
- ProcessName: C:\Program Files*
- condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
- and not (SELECTION_6)) and not (SELECTION_7))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- ObjectName
-- SubjectUserName
-- ProcessName
-id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
-level: critical
-logsource:
- product: windows
- service: security
-modified: 2021/03/17
-references:
-- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_mal_creddumper.yml b/rules/sigma/builtin/win_mal_creddumper.yml
deleted file mode 100644
index e9f4807a..00000000
--- a/rules/sigma/builtin/win_mal_creddumper.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-
-title: Credential Dumping Tools Service Execution
-author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-description: Detects well-known credential dumping tools execution via service execution
- events
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ImagePath:
- - '*fgexec*'
- - '*dumpsvc*'
- - '*cachedump*'
- - '*mimidrv*'
- - '*gsecdump*'
- - '*servpw*'
- - '*pwdump*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate Administrator using credential dumping tool for password recovery
-id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
-level: high
-logsource:
- product: windows
- service: system
-modified: 2021/09/21
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.credential_access
-- attack.execution
-- attack.t1003
-- attack.t1003.001
-- attack.t1003.002
-- attack.t1003.004
-- attack.t1003.005
-- attack.t1003.006
-- attack.t1035
-- attack.t1569.002
-- attack.s0005
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_mal_wceaux_dll.yml b/rules/sigma/builtin/win_mal_wceaux_dll.yml
deleted file mode 100644
index 45c1eb04..00000000
--- a/rules/sigma/builtin/win_mal_wceaux_dll.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: WCE wceaux.dll Access
-author: Thomas Patzke
-date: 2017/06/14
-description: Detects wceaux.dll access while WCE pass-the-hash remote command execution
- on source host
-detection:
- SELECTION_1:
- EventID: 4656
- SELECTION_2:
- EventID: 4658
- SELECTION_3:
- EventID: 4660
- SELECTION_4:
- EventID: 4663
- SELECTION_5:
- ObjectName: '*\wceaux.dll'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
-falsepositives:
-- Penetration testing
-id: 1de68c67-af5c-4097-9c85-fe5578e09e67
-level: critical
-logsource:
- product: windows
- service: security
-references:
-- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
-- https://jpcertcc.github.io/ToolAnalysisResultSheet
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.s0005
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_metasploit_authentication.yml b/rules/sigma/builtin/win_metasploit_authentication.yml
deleted file mode 100644
index a1d7f3a3..00000000
--- a/rules/sigma/builtin/win_metasploit_authentication.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-
-title: Metasploit SMB Authentication
-author: Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2020/05/06
-description: Alerts on Metasploit host's authentications on the domain.
-detection:
- SELECTION_1:
- EventID: 4625
- SELECTION_2:
- EventID: 4624
- SELECTION_3:
- LogonType: 3
- SELECTION_4:
- AuthenticationPackageName: NTLM
- SELECTION_5:
- WorkstationName|re: ^[A-Za-z0-9]{16}$
- SELECTION_6:
- ProcessName|re: ^$
- SELECTION_7:
- EventID: 4776
- SELECTION_8:
- Workstation|re: ^[A-Za-z0-9]{16}$
- condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
- or (SELECTION_6 and SELECTION_7 and SELECTION_8))
-falsepositives:
-- Linux hostnames composed of 16 characters.
-id: 72124974-a68b-4366-b990-d30e0b2a190d
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/07/07
-references:
-- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1077
-- attack.t1021.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
deleted file mode 100644
index eec1f046..00000000
--- a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-
-title: Meterpreter or Cobalt Strike Getsystem Service Installation
-author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
- a specific service installation
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_10:
- ImagePath: '*cmd.exe*'
- SELECTION_11:
- ImagePath: '*/c*'
- SELECTION_12:
- ImagePath: '*echo*'
- SELECTION_13:
- ImagePath: '*\pipe\\*'
- SELECTION_14:
- ImagePath: '*rundll32*'
- SELECTION_15:
- ImagePath: '*.dll,a*'
- SELECTION_16:
- ImagePath: '*/p:*'
- SELECTION_2:
- ImagePath: '*cmd*'
- SELECTION_3:
- ImagePath: '*/c*'
- SELECTION_4:
- ImagePath: '*echo*'
- SELECTION_5:
- ImagePath: '*\pipe\\*'
- SELECTION_6:
- ImagePath: '*%COMSPEC%*'
- SELECTION_7:
- ImagePath: '*/c*'
- SELECTION_8:
- ImagePath: '*echo*'
- SELECTION_9:
- ImagePath: '*\pipe\\*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
- or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
- and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
- and SELECTION_16)))
-falsepositives:
-- Highly unlikely
-fields:
-- ComputerName
-- SubjectDomainName
-- SubjectUserName
-- ImagePath
-id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/09/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1134
-- attack.t1134.001
-- attack.t1134.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_mmc20_lateral_movement.yml b/rules/sigma/builtin/win_mmc20_lateral_movement.yml
deleted file mode 100644
index 59d719b3..00000000
--- a/rules/sigma/builtin/win_mmc20_lateral_movement.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: MMC20 Lateral Movement
-author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
-date: 2020/03/04
-description: Detects MMC20.Application Lateral Movement; specifically looks for the
- spawning of the parent MMC.exe with a command line of "-Embedding" as a child of
- svchost.exe
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\svchost.exe'
- SELECTION_3:
- Image: '*\mmc.exe'
- SELECTION_4:
- CommandLine: '*-Embedding*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unlikely
-id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2020/08/23
-references:
-- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
-- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
-status: experimental
-tags:
-- attack.execution
-- attack.t1175
-- attack.t1021.003
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_moriya_rootkit.yml b/rules/sigma/builtin/win_moriya_rootkit.yml
deleted file mode 100644
index d7ceedf2..00000000
--- a/rules/sigma/builtin/win_moriya_rootkit.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Moriya Rootkit
-author: Bhabesh Raj
-date: 2021/05/06
-description: Detects the use of Moriya rootkit as described in the securelist's Operation
- TunnelSnake report
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ServiceName: ZzNetSvc
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- None
-id: 25b9c01c-350d-4b95-bed1-836d04a4f324
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/09/21
-references:
-- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1543.003
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_net_ntlm_downgrade.yml b/rules/sigma/builtin/win_net_ntlm_downgrade.yml
deleted file mode 100644
index 31b36e4b..00000000
--- a/rules/sigma/builtin/win_net_ntlm_downgrade.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-
-title: NetNTLM Downgrade Attack
-author: Florian Roth, wagga
-date: 2018/03/20
-description: Detects NetNTLM downgrade attack
-detection:
- SELECTION_1:
- EventID: 4657
- SELECTION_2:
- ObjectName: '*\REGISTRY\MACHINE\SYSTEM*'
- SELECTION_3:
- ObjectName: '*ControlSet*'
- SELECTION_4:
- ObjectName: '*\Control\Lsa*'
- SELECTION_5:
- ObjectValueName:
- - LmCompatibilityLevel
- - NtlmMinClientSec
- - RestrictSendingNTLMTraffic
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
-level: critical
-logsource:
- definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
- product: windows
- service: security
-modified: 2021/06/27
-references:
-- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-related:
-- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-- attack.t1112
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_net_use_admin_share.yml b/rules/sigma/builtin/win_net_use_admin_share.yml
deleted file mode 100644
index 29ad7473..00000000
--- a/rules/sigma/builtin/win_net_use_admin_share.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-title: Mounted Windows Admin Shares with net.exe
-author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st,
- wagga
-date: 2020/10/05
-description: Detects when an admin share is mounted using net.exe
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image:
- - '*\net.exe'
- - '*\net1.exe'
- SELECTION_3:
- CommandLine: '* use *'
- SELECTION_4:
- CommandLine: '*\\\*\\*$*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Administrators
-id: 3abd6094-7027-475f-9630-8ab9be7b9725
-level: medium
-logsource:
- category: process_creation
- product: windows
-modified: 2021/06/27
-references:
-- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
deleted file mode 100644
index 594e73f1..00000000
--- a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-title: New or Renamed User Account with '$' in Attribute 'SamAccountName'.
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-description: Detects possible bypass EDR and SIEM via abnormal user account name.
-detection:
- SELECTION_1:
- EventID: 4720
- SELECTION_2:
- EventID: 4781
- SELECTION_3:
- SamAccountName: '*$*'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
-falsepositives:
-- Unknown
-fields:
-- EventID
-- SamAccountName
-- SubjectUserName
-id: cfeed607-6aa4-4bbd-9627-b637deb723c8
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/07/07
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1036
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_not_allowed_rdp_access.yml b/rules/sigma/builtin/win_not_allowed_rdp_access.yml
deleted file mode 100644
index 1d79dbb4..00000000
--- a/rules/sigma/builtin/win_not_allowed_rdp_access.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Denied Access To Remote Desktop
-author: Pushkarev Dmitry
-date: 2020/06/27
-description: This event is generated when an authenticated user who is not allowed
- to log on remotely attempts to connect to this computer through Remote Desktop.
- Often, this event can be generated by attackers when searching for available windows
- servers in the network.
-detection:
- SELECTION_1:
- EventID: 4825
- condition: SELECTION_1
-falsepositives:
-- Valid user was not added to RDP group
-fields:
-- EventCode
-- AccountName
-- ClientAddress
-id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1076
-- attack.t1021.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml
deleted file mode 100644
index 519b471e..00000000
--- a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: NTFS Vulnerability Exploitation
-author: Florian Roth
-date: 2021/01/11
-description: This the exploitation of a NTFS vulnerability as reported without many
- details via Twitter
-detection:
- SELECTION_1:
- Provider_Name: Ntfs
- SELECTION_2:
- EventID: 55
- SELECTION_3:
- Origin: File System Driver
- SELECTION_4:
- Description: '*contains a corrupted file record*'
- SELECTION_5:
- Description: '*The name of the file is "\"*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unlikely
-id: f14719ce-d3ab-4e25-9ce6-2899092260b0
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/11/17
-references:
-- https://twitter.com/jonasLyk/status/1347900440000811010
-- https://twitter.com/wdormann/status/1347958161609809921
-status: experimental
-tags:
-- attack.impact
-- attack.t1499.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_overpass_the_hash.yml b/rules/sigma/builtin/win_overpass_the_hash.yml
deleted file mode 100644
index 6681cb74..00000000
--- a/rules/sigma/builtin/win_overpass_the_hash.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-
-title: Successful Overpass the Hash Attempt
-author: Roberto Rodriguez (source), Dominik Schaudel (rule)
-date: 2018/02/12
-description: Detects successful logon with logon type 9 (NewCredentials) which matches
- the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
-detection:
- SELECTION_1:
- EventID: 4624
- SELECTION_2:
- LogonType: 9
- SELECTION_3:
- LogonProcessName: seclogo
- SELECTION_4:
- AuthenticationPackageName: Negotiate
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Runas command-line tool using /netonly parameter
-id: 192a0330-c20b-4356-90b6-7b7049ae0b87
-level: high
-logsource:
- product: windows
- service: security
-references:
-- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1075
-- attack.s0002
-- attack.t1550.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_pass_the_hash.yml b/rules/sigma/builtin/win_pass_the_hash.yml
deleted file mode 100644
index c9549334..00000000
--- a/rules/sigma/builtin/win_pass_the_hash.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-
-title: Pass the Hash Activity
-author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-date: 2017/03/08
-description: Detects the attack technique pass the hash which is used to move laterally
- inside the network
-detection:
- SELECTION_1:
- EventID: 4624
- SELECTION_2:
- EventID: 4625
- SELECTION_3:
- LogonType: '3'
- SELECTION_4:
- LogonProcessName: NtLmSsp
- SELECTION_5:
- WorkstationName: '%Workstations%'
- SELECTION_6:
- ComputerName: '%Workstations%'
- SELECTION_7:
- AccountName: ANONYMOUS LOGON
- condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
- and SELECTION_6) and not (SELECTION_7))
-falsepositives:
-- Administrator activity
-- Penetration tests
-id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
-level: medium
-logsource:
- definition: The successful use of PtH for lateral movement between workstations
- would trigger event ID 4624, a failed logon attempt would trigger an event ID
- 4625
- product: windows
- service: security
-references:
-- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1075
-- car.2016-04-004
-- attack.t1550.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_pass_the_hash_2.yml b/rules/sigma/builtin/win_pass_the_hash_2.yml
deleted file mode 100644
index 2cce718f..00000000
--- a/rules/sigma/builtin/win_pass_the_hash_2.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-
-title: Pass the Hash Activity 2
-author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
-date: 2019/06/14
-description: Detects the attack technique pass the hash which is used to move laterally
- inside the network
-detection:
- SELECTION_1:
- EventID: 4624
- SELECTION_2:
- SubjectUserSid: S-1-0-0
- SELECTION_3:
- LogonType: '3'
- SELECTION_4:
- LogonProcessName: NtLmSsp
- SELECTION_5:
- KeyLength: '0'
- SELECTION_6:
- LogonType: '9'
- SELECTION_7:
- LogonProcessName: seclogo
- SELECTION_8:
- AccountName: ANONYMOUS LOGON
- condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
- or (SELECTION_6 and SELECTION_7))) and not (SELECTION_8))
-falsepositives:
-- Administrator activity
-- Penetration tests
-id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
-level: medium
-logsource:
- definition: The successful use of PtH for lateral movement between workstations
- would trigger event ID 4624
- product: windows
- service: security
-references:
-- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
-- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
-- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
-status: stable
-tags:
-- attack.lateral_movement
-- attack.t1075
-- attack.t1550.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_petitpotam_network_share.yml b/rules/sigma/builtin/win_petitpotam_network_share.yml
deleted file mode 100644
index 7c6c8a7e..00000000
--- a/rules/sigma/builtin/win_petitpotam_network_share.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Possible PetitPotam Coerce Authentication Attempt
-author: Mauricio Velazco, Michael Haag
-date: 2021/09/02
-description: Detect PetitPotam coerced authentication activity.
-detection:
- SELECTION_1:
- EventID: 5145
- SELECTION_2:
- ShareName: \\\*
- SELECTION_3:
- ShareName: '*\IPC$'
- SELECTION_4:
- RelativeTargetName: lsarpc
- SELECTION_5:
- SubjectUserName: ANONYMOUS LOGON
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown. Feedback welcomed.
-id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
-level: high
-logsource:
- definition: The advanced audit policy setting "Object Access > Detailed File Share"
- must be configured for Success/Failure
- product: windows
- service: security
-references:
-- https://github.com/topotam/PetitPotam
-- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1187
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml
deleted file mode 100644
index 0bf1ffbc..00000000
--- a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml
+++ /dev/null
@@ -1,44 +0,0 @@ - -title: PetitPotam Suspicious Kerberos TGT Request -author: Mauricio Velazco, Michael Haag -date: 2021/09/02 -description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer - certificate by abusing Active Directory Certificate Services in combination with - PetitPotam, the next step would be to leverage the certificate for malicious purposes. - One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool - like Rubeus. This request will generate a 4768 event with some unusual fields depending - on the environment. This analytic will require tuning, we recommend filtering Account_Name - to the Domain Controller computer accounts. -detection: - SELECTION_1: - EventID: 4768 - SELECTION_2: - TargetUserName: '*$' - SELECTION_3: - CertThumbprint: '*' - SELECTION_4: - IpAddress: ::1 - SELECTION_5: - CertThumbprint: '' - condition: (((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) - and not (SELECTION_5)) -falsepositives: -- False positives are possible if the environment is using certificates for authentication. - We recommend filtering Account_Name to the Domain Controller computer accounts. -id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5 -level: high -logsource: - definition: The advanced audit policy setting "Account Logon > Kerberos Authentication - Service" must be configured for Success/Failure - product: windows - service: security -modified: 2021/09/07 -references: -- https://github.com/topotam/PetitPotam -- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/ -- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml -status: experimental -tags: -- attack.credential_access -- attack.t1187 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_possible_dc_shadow.yml b/rules/sigma/builtin/win_possible_dc_shadow.yml deleted file mode 100644 index 698d33a8..00000000 --- a/rules/sigma/builtin/win_possible_dc_shadow.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Possible DC Shadow -author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah -date: 2019/10/25 -description: Detects DCShadow via create new SPN -detection: - SELECTION_1: - EventID: 4742 - SELECTION_2: - ServicePrincipalNames: '*GC/*' - SELECTION_3: - EventID: 5136 - SELECTION_4: - AttributeLDAPDisplayName: servicePrincipalName - SELECTION_5: - AttributeValue: GC/* - condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5)) -falsepositives: -- Exclude known DCs -id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed -level: high -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml -- https://twitter.com/gentilkiwi/status/1003236624925413376 -- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 -- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d -status: experimental -tags: -- attack.credential_access -- attack.t1207 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml deleted file mode 100644 index 0f2671e9..00000000 --- a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml +++ /dev/null 
@@ -1,28 +0,0 @@ - -title: PowerShell Scripts Installed as Services -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -description: Detects powershell script installed as a Service -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ImagePath: - - '*powershell*' - - '*pwsh*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: a2e5019d-a658-4c6a-92bf-7197b54e2cae -level: high -logsource: - product: windows - service: system -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -status: experimental -tags: -- attack.execution -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml deleted file mode 100644 index 1cacfe12..00000000 --- a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Possible Zerologon (CVE-2020-1472) Exploitation -author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community -date: 2020/10/15 -description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) -detection: - SELECTION_1: - EventID: 4742 - SELECTION_2: - SubjectUserName: ANONYMOUS LOGON - SELECTION_3: - TargetUserName: '%DC-MACHINE-NAME%' - SELECTION_4: - PasswordLastSet: '-' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- automatic DC computer account password change -- legitimate DC computer account password change -id: dd7876d8-0f09-11eb-adc1-0242ac120002 -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 -- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/ -status: experimental -tags: -- attack.t1068 -- attack.privilege_escalation -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_protected_storage_service_access.yml b/rules/sigma/builtin/win_protected_storage_service_access.yml deleted file mode 100644 index 1fbee11a..00000000 --- a/rules/sigma/builtin/win_protected_storage_service_access.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Protected Storage Service Access -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -description: Detects access to a protected_storage service over the network. Potential - abuse of DPAPI to extract domain backup keys from Domain Controllers -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: '*IPC*' - SELECTION_3: - RelativeTargetName: protected_storage - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 45545954-4016-43c6-855e-eae8f1c369dc -level: critical -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1021 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml deleted file mode 100644 index 9c1364aa..00000000 --- a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml +++ /dev/null 
@@ -1,27 +0,0 @@ - -title: QuarksPwDump Clearing Access History -author: Florian Roth -date: 2017/05/15 -description: Detects QuarksPwDump clearing access history in hive -detection: - SELECTION_1: - EventID: 16 - SELECTION_2: - HiveName: '*\AppData\Local\Temp\SAM*' - SELECTION_3: - HiveName: '*.dmp' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 39f919f3-980b-4e6f-a975-8af7e507ef2b -level: critical -logsource: - product: windows - service: system -modified: 2019/11/13 -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_schtasks_creations.yml b/rules/sigma/builtin/win_rare_schtasks_creations.yml deleted file mode 100644 index 2453fd24..00000000 --- a/rules/sigma/builtin/win_rare_schtasks_creations.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Rare Schtasks Creations -author: Florian Roth -date: 2017/03/23 -description: Detects rare scheduled tasks creations that only appear a few times per - time frame and could reveal password dumpers, backdoor installs or other types of - malicious code -detection: - SELECTION_1: - EventID: 4698 - condition: SELECTION_1 | count() by TaskName < 5 -falsepositives: -- Software installation -- Software updates -id: b0d77106-7bb0-41fe-bd94-d1752164d066 -level: low -logsource: - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection (not in the baseline - recommendations by Microsoft). We also recommend extracting the Command field - from the embedded XML in the event data. - product: windows - service: security -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.persistence -- attack.t1053 -- car.2013-08-001 -- attack.t1053.005 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_rare_service_installs.yml b/rules/sigma/builtin/win_rare_service_installs.yml deleted file mode 100644 index 956abf96..00000000 --- a/rules/sigma/builtin/win_rare_service_installs.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Rare Service Installs -author: Florian Roth -date: 2017/03/08 -description: Detects rare service installs that only appear a few times per time frame - and could reveal password dumpers, backdoor installs or other types of malicious - services -detection: - SELECTION_1: - EventID: 7045 - condition: SELECTION_1 | count() by ServiceFileName < 5 -falsepositives: -- Software installation -- Software updates -id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae -level: low -logsource: - product: windows - service: system -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1050 -- car.2013-09-005 -- attack.t1543.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml deleted file mode 100644 index 8c6ee0a1..00000000 --- a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml +++ /dev/null @@ -1,29 +0,0 @@ - -title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln -author: Florian Roth (rule), Adam Bradbury (idea) -date: 2019/06/02 -description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable - to CVE-2019-0708 RDP RCE aka BlueKeep -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - TargetUserName: AAAAAAA - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: 8400629e-79a9-4737-b387-5db940ab2367 -level: critical -logsource: - product: windows - service: security -modified: 2021/11/12 -references: -- https://twitter.com/AdamTheAnalyst/status/1134394070045003776 -- https://github.com/zerosum0x0/CVE-2019-0708 -status: experimental -tags: -- attack.lateral_movement -- attack.t1210 -- car.2013-07-002 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_rdp_localhost_login.yml b/rules/sigma/builtin/win_rdp_localhost_login.yml deleted file mode 100644 index e0b37345..00000000 --- a/rules/sigma/builtin/win_rdp_localhost_login.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: RDP Login from Localhost -author: Thomas Patzke -date: 2019/01/28 -description: RDP login with localhost source address may be a tunnelled login -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 10 - SELECTION_3: - IpAddress: - - ::1 - - 127.0.0.1 - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 51e33403-2a37-4d66-a574-1fda1782cc31 -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1076 -- car.2013-07-002 -- attack.t1021.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml deleted file mode 100644 index c502101c..00000000 --- a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml +++ /dev/null 
@@ -1,30 +0,0 @@ - -title: Potential RDP Exploit CVE-2019-0708 -author: Lionel PRAT, Christophe BROCAS, @atc_project (improvements) -date: 2019/05/24 -description: Detect suspicious error on protocol RDP, potential CVE-2019-0708 -detection: - SELECTION_1: - EventID: 56 - SELECTION_2: - EventID: 50 - SELECTION_3: - Provider_Name: TermDD - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3) -falsepositives: -- Bad connections or network interruptions -id: aaa5b30d-f418-420b-83a0-299cb6024885 -level: high -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://github.com/zerosum0x0/CVE-2019-0708 -- https://github.com/Ekultek/BlueKeep -status: experimental -tags: -- attack.lateral_movement -- attack.t1210 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml b/rules/sigma/builtin/win_rdp_reverse_tunnel.yml deleted file mode 100644 index 64eb9646..00000000 --- a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml +++ /dev/null 
@@ -1,45 +0,0 @@ - -title: RDP over Reverse SSH Tunnel WFP -author: Samir Bousseaden -date: 2019/02/16 -description: Detects svchost hosting RDP termsvcs communicating with the loopback - address -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - SourcePort: 3389 - SELECTION_3: - DestAddress: - - 127.* - - ::1 - SELECTION_4: - DestPort: 3389 - SELECTION_5: - SourceAddress: - - 127.* - - ::1 - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -falsepositives: -- unknown -id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41 -level: high -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://twitter.com/SBousseaden/status/1096148422984384514 -- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx -status: experimental -tags: -- attack.defense_evasion -- attack.command_and_control -- attack.lateral_movement -- attack.t1076 -- attack.t1090 -- attack.t1090.001 -- attack.t1090.002 -- attack.t1021.001 -- car.2013-07-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml deleted file mode 100644 index 33858382..00000000 --- a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml +++ /dev/null 
@@ -1,28 +0,0 @@ - -title: Register new Logon Process by Rubeus -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community -date: 2019/10/24 -description: Detects potential use of Rubeus via registered new trusted logon process -detection: - SELECTION_1: - EventID: 4611 - SELECTION_2: - LogonProcessName: User32LogonProcesss - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 12e6d621-194f-4f59-90cc-1959e21e69f7 -level: critical -logsource: - product: windows - service: security -modified: 2021/08/14 -references: -- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_powershell_session.yml b/rules/sigma/builtin/win_remote_powershell_session.yml deleted file mode 100644 index 0abee6a5..00000000 --- a/rules/sigma/builtin/win_remote_powershell_session.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Remote PowerShell Sessions Network Connections (WinRM) -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/09/12 -description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound - connections to ports 5985 OR 5986 -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - DestPort: 5985 - SELECTION_3: - DestPort: 5986 - SELECTION_4: - LayerRTID: 44 - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- Legitimate use of remote PowerShell execution -id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -level: high -logsource: - product: windows - service: security -modified: 2021/05/21 -references: -- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html -status: experimental -tags: -- attack.execution -- attack.t1086 -- attack.t1059.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml deleted file mode 100644 index 64260e10..00000000 --- a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml +++ /dev/null @@ -1,33 +0,0 @@ - -title: Remote Registry Management Using Reg Utility -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: Remote registry management using REG utility from non-admin workstation -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: '*\winreg*' - SELECTION_3: - IpAddress: '%Admins_Workstations%' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Legitimate usage of remote registry management by administrator -id: 68fcba0d-73a5-475e-a915-e8b4c576827e -level: medium -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -- attack.discovery -- attack.t1012 -- attack.credential_access -- attack.t1552.002 -- attack.s0075 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_root_certificate_installed.yml b/rules/sigma/builtin/win_root_certificate_installed.yml deleted file mode 100644 index c6afd974..00000000 --- a/rules/sigma/builtin/win_root_certificate_installed.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: Root Certificate Installed -author: oscd.community, @redcanary, Zach Stanford @svch0st -date: 2020/10/10 -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. -detection: - SELECTION_1: - EventID: 4104 - SELECTION_2: - ScriptBlockText: '*Cert:\LocalMachine\Root*' - SELECTION_3: - ScriptBlockText: '*Move-Item*' - SELECTION_4: - ScriptBlockText: '*Import-Certificate*' - condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4)) -falsepositives: -- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to - test if GPO push doesn't trigger FP -id: 42821614-9264-4761-acfc-5772c3286f76 -level: medium -logsource: - product: windows - service: powershell -modified: 2021/09/21 -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md -status: experimental -tags: -- attack.defense_evasion -- attack.t1553.004 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml b/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml deleted file mode 100644 index 01917a8b..00000000 --- a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - -title: SAM Registry Hive Handle Request -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/12 -description: Detects handles requested to SAM registry hive -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - ObjectType: Key - SELECTION_3: - ObjectName: '*\SAM' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ProcessName -- ObjectName -id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332 -level: critical -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html -status: experimental -tags: -- attack.discovery -- attack.t1012 -- attack.credential_access -- attack.t1552.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scheduled_task_deletion.yml b/rules/sigma/builtin/win_scheduled_task_deletion.yml deleted file mode 100644 index 20e4b058..00000000 --- a/rules/sigma/builtin/win_scheduled_task_deletion.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: Scheduled Task Deletion -author: David Strassegger -date: 2021/01/22 -description: Detects scheduled task deletion events. Scheduled tasks are likely to - be deleted if not used for persistence. Malicious Software often creates tasks directly - under the root node e.g. \TASKNAME -detection: - SELECTION_1: - EventID: 4699 - condition: SELECTION_1 -falsepositives: -- Software installation -id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 -level: medium -logsource: - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection. We also recommend - extracting the Command field from the embedded XML in the event data. - product: windows - service: security -references: -- https://twitter.com/matthewdunwoody/status/1352356685982146562 -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.t1053 -- car.2013-08-001 -- attack.t1053.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_handle_failure.yml b/rules/sigma/builtin/win_scm_database_handle_failure.yml deleted file mode 100644 index 110c061d..00000000 --- a/rules/sigma/builtin/win_scm_database_handle_failure.yml +++ /dev/null 
@@ -1,30 +0,0 @@ - -title: SCM Database Handle Failure -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/12 -description: Detects non-system users failing to get a handle of the SCM database. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - ObjectType: SC_MANAGER OBJECT - SELECTION_3: - ObjectName: ServicesActive - SELECTION_4: - SubjectLogonId: '0x3e4' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Unknown -id: 13addce7-47b2-4ca0-a98f-1de964d1d669 -level: critical -logsource: - product: windows - service: security -modified: 2021/11/12 -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html -status: experimental -tags: -- attack.discovery -- attack.t1010 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_privileged_operation.yml b/rules/sigma/builtin/win_scm_database_privileged_operation.yml deleted file mode 100644 index 568020cb..00000000 --- a/rules/sigma/builtin/win_scm_database_privileged_operation.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: SCM Database Privileged Operation -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/15 -description: Detects non-system users performing privileged operation os the SCM database -detection: - SELECTION_1: - EventID: 4674 - SELECTION_2: - ObjectType: SC_MANAGER OBJECT - SELECTION_3: - ObjectName: servicesactive - SELECTION_4: - PrivilegeList: SeTakeOwnershipPrivilege - SELECTION_5: - SubjectLogonId: '0x3e4' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not - (SELECTION_5)) -falsepositives: -- Unknown -id: dae8171c-5ec6-4396-b210-8466585b53e9 -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html -status: experimental -tags: -- attack.privilege_escalation -- attack.t1548 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml deleted file mode 100644 index 8c3cde51..00000000 --- a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Remote WMI ActiveScriptEventConsumers -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/09/02 -description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers - remotely to move laterally in a network -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 3 - SELECTION_3: - ProcessName: '*scrcons.exe' - SELECTION_4: - TargetLogonId: '0x3e7' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- SCCM -id: 9599c180-e3a8-4743-8f92-7fb96d3be648 -level: high -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.persistence -- attack.t1546.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml deleted file mode 100644 index 4fd129a9..00000000 --- a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml +++ /dev/null 
@@ -1,52 +0,0 @@ - -title: CobaltStrike Service Installations -author: Florian Roth, Wojciech Lesicki -date: 2021/05/26 -description: Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName: '*ADMIN$*' - SELECTION_3: - ServiceFileName: '*.exe*' - SELECTION_4: - ServiceFileName: '*%COMSPEC%*' - SELECTION_5: - ServiceFileName: '*start*' - SELECTION_6: - ServiceFileName: '*powershell*' - SELECTION_7: - ServiceFileName: '*powershell -nop -w hidden -encodedcommand*' - SELECTION_8: - ServiceFileName: - - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*' - - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*' - - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5 - and SELECTION_6) or SELECTION_7 or SELECTION_8)) -falsepositives: -- Unknown -id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://www.sans.org/webcasts/119395 -- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ -- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ -related: -- id: 5a105d34-05fc-401e-8553-272b45c1522d - type: derived -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.lateral_movement -- attack.t1021.002 -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_creddumper.yml b/rules/sigma/builtin/win_security_mal_creddumper.yml deleted file mode 100644 index 25aa5e17..00000000 --- a/rules/sigma/builtin/win_security_mal_creddumper.yml +++ /dev/null 
@@ -1,46 +0,0 @@ - -title: Credential Dumping Tools Service Execution -author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2017/03/05 -description: Detects well-known credential dumping tools execution via service execution - events -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName: - - '*fgexec*' - - '*dumpsvc*' - - '*cachedump*' - - '*mimidrv*' - - '*gsecdump*' - - '*servpw*' - - '*pwdump*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Administrator using credential dumping tool for password recovery -id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 -level: high -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -related: -- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed - type: derived -status: experimental -tags: -- attack.credential_access -- attack.execution -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.005 -- attack.t1003.006 -- attack.t1035 -- attack.t1569.002 -- attack.s0005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_service_installs.yml b/rules/sigma/builtin/win_security_mal_service_installs.yml deleted file mode 100644 index c5ce8b1c..00000000 --- a/rules/sigma/builtin/win_security_mal_service_installs.yml +++ /dev/null 
@@ -1,38 +0,0 @@ - -title: Malicious Service Installations -author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) -date: 2017/03/27 -description: Detects known malicious service installs that only appear in cases of - lateral movement, credential dumping, and other suspicious activities. -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceName: javamtsup - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Penetration testing -id: cb062102-587e-4414-8efa-dbe3c7bf19c6 -level: critical -logsource: - product: windows - service: security -modified: 2021/09/21 -references: -- https://awakesecurity.com/blog/threat-hunting-for-paexec/ -- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html -- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf -related: -- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a - type: derived -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1003 -- attack.t1035 -- attack.t1050 -- car.2013-09-005 -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml deleted file mode 100644 index 38e48d2a..00000000 --- a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ /dev/null 
@@ -1,49 +0,0 @@ - -title: Metasploit Or Impacket Service Installation Via SMB PsExec -author: Bartlomiej Czyz, Relativity -date: 2021/01/21 -description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and - Impacket psexec.py by triggering on specific service installation -detection: - SELECTION_1: - EventID: 4697 - SELECTION_2: - ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$ - SELECTION_3: - ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$) - SELECTION_4: - ServiceStartType: '3' - SELECTION_5: - ServiceType: '0x10' - SELECTION_6: - ServiceName: PSEXESVC - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - and not (SELECTION_6)) -falsepositives: -- Possible, different agents with a 8 character binary and a 4, 8 or 16 character - service name -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ServiceName -- ServiceFileName -id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 -level: high -logsource: - product: windows - service: security -modified: 2021/07/23 -references: -- https://bczyz1.github.io/2021/01/30/psexec.html -related: -- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 - type: derived -status: experimental -tags: -- attack.lateral_movement -- attack.t1021.002 -- attack.t1570 -- attack.execution -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml deleted file mode 100644 index 12376834..00000000 --- a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ /dev/null 
@@ -1,69 +0,0 @@
-
-title: Meterpreter or Cobalt Strike Getsystem Service Installation
-author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
- a specific service installation
-detection:
- SELECTION_1:
- EventID: 4697
- SELECTION_10:
- ServiceFileName: '*cmd.exe*'
- SELECTION_11:
- ServiceFileName: '*/c*'
- SELECTION_12:
- ServiceFileName: '*echo*'
- SELECTION_13:
- ServiceFileName: '*\pipe\\*'
- SELECTION_14:
- ServiceFileName: '*rundll32*'
- SELECTION_15:
- ServiceFileName: '*.dll,a*'
- SELECTION_16:
- ServiceFileName: '*/p:*'
- SELECTION_2:
- ServiceFileName: '*cmd*'
- SELECTION_3:
- ServiceFileName: '*/c*'
- SELECTION_4:
- ServiceFileName: '*echo*'
- SELECTION_5:
- ServiceFileName: '*\pipe\\*'
- SELECTION_6:
- ServiceFileName: '*%COMSPEC%*'
- SELECTION_7:
- ServiceFileName: '*/c*'
- SELECTION_8:
- ServiceFileName: '*echo*'
- SELECTION_9:
- ServiceFileName: '*\pipe\\*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
- or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
- and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
- and SELECTION_16)))
-falsepositives:
-- Highly unlikely
-fields:
-- ComputerName
-- SubjectDomainName
-- SubjectUserName
-- ServiceFileName
-id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
-level: critical
-logsource:
- product: windows
- service: security
-modified: 2021/09/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
-related:
-- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
- type: derived
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1134
-- attack.t1134.001
-- attack.t1134.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml
deleted file mode 100644
index 5ba61d36..00000000
--- a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: PowerShell Scripts Installed as Services
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-description: Detects powershell script installed as a Service
-detection:
- SELECTION_1:
- EventID: 4697
- SELECTION_2:
- ServiceFileName:
- - '*powershell*'
- - '*pwsh*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/09/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-related:
-- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1569.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_security_tap_driver_installation.yml b/rules/sigma/builtin/win_security_tap_driver_installation.yml
deleted file mode 100644
index c70dae79..00000000
--- a/rules/sigma/builtin/win_security_tap_driver_installation.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Tap Driver Installation
-author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-description: Well-known TAP software installation. Possible preparation for data exfiltration
- using tunnelling techniques
-detection:
- SELECTION_1:
- EventID: 4697
- SELECTION_2:
- ServiceFileName: '*tap0901*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate OpenVPN TAP insntallation
-id: 9c8afa4d-0022-48f0-9456-3712466f9701
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/09/21
-related:
-- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
- type: derived
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1048
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml
deleted file mode 100644
index 9e2a8e04..00000000
--- a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Exchange Set OabVirtualDirectory ExternalUrl Property
-author: Jose Rodriguez @Cyb3rPandaH
-date: 2021/03/15
-description: Rule to detect an adversary setting OabVirtualDirectory External URL
- property to a script in Exchange Management log
-detection:
- SELECTION_1:
- - Set-OabVirtualDirectory
- SELECTION_2:
- - ExternalUrl
- SELECTION_3:
- - Page_Load
- SELECTION_4:
- - script
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: 9db37458-4df2-46a5-95ab-307e7f29e675
-level: high
-logsource:
- product: windows
- service: msexchange-management
-modified: 2021/11/15
-references:
-- https://twitter.com/OTR_Community/status/1371053369071132675
-status: experimental
-tags:
-- attack.persistence
-- attack.t1505.003
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml b/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml
deleted file mode 100644
index 9c708842..00000000
--- a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: SMB Create Remote File Admin Share
-author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
-date: 2020/08/06
-description: Look for non-system accounts SMB accessing a file with write (0x2) access
- mask via administrative share (i.e C$).
-detection:
- SELECTION_1:
- EventID: 5145
- SELECTION_2:
- ShareName: '*C$'
- SELECTION_3:
- AccessMask: '0x2'
- SELECTION_4:
- SubjectUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Unknown
-id: b210394c-ba12-4f89-9117-44a2464b9511
-level: high
-logsource:
- product: windows
- service: security
-references:
-- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
-- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml b/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml
deleted file mode 100644
index 9387fcbf..00000000
--- a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Atera Agent Installation
-author: Bhabesh Raj
-date: 2021/09/01
-description: Detects successful installation of Atera Remote Monitoring & Management
- (RMM) agent as recently found to be used by Conti operators
-detection:
- SELECTION_1:
- EventID: 1033
- SELECTION_2:
- Provider_Name: MsiInstaller
- SELECTION_3:
- Message: '*AteraAgent*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Legitimate Atera agent installation
-id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
-level: high
-logsource:
- product: windows
- service: application
-modified: 2021/10/13
-references:
-- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
-status: experimental
-tags:
-- attack.t1219
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_add_domain_trust.yml b/rules/sigma/builtin/win_susp_add_domain_trust.yml
deleted file mode 100644
index 9df063a5..00000000
--- a/rules/sigma/builtin/win_susp_add_domain_trust.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-
-title: Addition of Domain Trusts
-author: Thomas Patzke
-date: 2019/12/03
-description: Addition of domains is seldom and should be verified for legitimacy.
-detection:
- SELECTION_1:
- EventID: 4706
- condition: SELECTION_1
-falsepositives:
-- Legitimate extension of domain structure
-id: 0255a820-e564-4e40-af2b-6ac61160335c
-level: medium
-logsource:
- product: windows
- service: security
-status: stable
-tags:
-- attack.persistence
-- attack.t1098
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_add_sid_history.yml b/rules/sigma/builtin/win_susp_add_sid_history.yml
deleted file mode 100644
index 4350892f..00000000
--- a/rules/sigma/builtin/win_susp_add_sid_history.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: Addition of SID History to Active Directory Object
-author: Thomas Patzke, @atc_project (improvements)
-date: 2017/02/19
-description: An attacker can use the SID history attribute to gain additional privileges.
-detection:
- SELECTION_1:
- EventID: 4765
- SELECTION_2:
- EventID: 4766
- SELECTION_3:
- EventID: 4738
- SELECTION_4:
- SidHistory:
- - '-'
- - '%%1793'
- SELECTION_5:
- SidHistory|re: ^$
- condition: ((SELECTION_1 or SELECTION_2) or ((SELECTION_3 and not (SELECTION_4))
- and not (SELECTION_5)))
-falsepositives:
-- Migration of an account into a new domain
-id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://adsecurity.org/?p=1772
-status: stable
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1178
-- attack.t1134.005
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_backup_delete.yml b/rules/sigma/builtin/win_susp_backup_delete.yml
deleted file mode 100644
index 2faf96f1..00000000
--- a/rules/sigma/builtin/win_susp_backup_delete.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Backup Catalog Deleted
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
-date: 2017/05/12
-description: Detects backup catalog deletions
-detection:
- SELECTION_1:
- EventID: 524
- SELECTION_2:
- Provider_Name: Microsoft-Windows-Backup
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 9703792d-fd9a-456d-a672-ff92efe4806a
-level: medium
-logsource:
- product: windows
- service: application
-modified: 2021/10/13
-references:
-- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
-- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1107
-- attack.t1070.004
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml b/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml
deleted file mode 100644
index ba6e3a58..00000000
--- a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-title: Failed Code Integrity Checks
-author: Thomas Patzke
-date: 2019/12/03
-description: Code integrity failures may indicate tampered executables.
-detection:
- SELECTION_1:
- EventID: 5038
- SELECTION_2:
- EventID: 6281
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Disk device errors
-id: 470ec5fa-7b4e-4071-b200-4c753100f49b
-level: low
-logsource:
- product: windows
- service: security
-modified: 2020/08/23
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1009
-- attack.t1027.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_dhcp_config.yml b/rules/sigma/builtin/win_susp_dhcp_config.yml
deleted file mode 100644
index b2720813..00000000
--- a/rules/sigma/builtin/win_susp_dhcp_config.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-title: DHCP Server Loaded the CallOut DLL
-author: Dimitrios Slamaris
-date: 2017/05/15
-description: This rule detects a DHCP server in which a specified Callout DLL (in
- registry) was loaded
-detection:
- SELECTION_1:
- EventID: 1033
- SELECTION_2:
- Provider_Name: Microsoft-Windows-DHCP-Server
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/10/13
-references:
-- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
-- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
-- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml b/rules/sigma/builtin/win_susp_dhcp_config_failed.yml
deleted file mode 100644
index 70697751..00000000
--- a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: DHCP Server Error Failed Loading the CallOut DLL
-author: Dimitrios Slamaris, @atc_project (fix)
-date: 2017/05/15
-description: This rule detects a DHCP server error in which a specified Callout DLL
- (in registry) could not be loaded
-detection:
- SELECTION_1:
- EventID: 1031
- SELECTION_2:
- EventID: 1032
- SELECTION_3:
- EventID: 1034
- SELECTION_4:
- Provider_Name: Microsoft-Windows-DHCP-Server
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- Unknown
-id: 75edd3fd-7146-48e5-9848-3013d7f0282c
-level: critical
-logsource:
- product: windows
- service: system
-modified: 2021/10/13
-references:
-- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
-- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
-- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_dns_config.yml b/rules/sigma/builtin/win_susp_dns_config.yml
deleted file mode 100644
index 91810c41..00000000
--- a/rules/sigma/builtin/win_susp_dns_config.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: DNS Server Error Failed Loading the ServerLevelPluginDLL
-author: Florian Roth
-date: 2017/05/08
-description: This rule detects a DNS server error in which a specified plugin DLL
- (in registry) could not be loaded
-detection:
- SELECTION_1:
- EventID: 150
- SELECTION_2:
- EventID: 770
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Unknown
-id: cbe51394-cd93-4473-b555-edf0144952d9
-level: critical
-logsource:
- product: windows
- service: dns-server
-references:
-- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
-- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
-- https://twitter.com/gentilkiwi/status/861641945944391680
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_dsrm_password_change.yml b/rules/sigma/builtin/win_susp_dsrm_password_change.yml
deleted file mode 100644
index 95ff1bb3..00000000
--- a/rules/sigma/builtin/win_susp_dsrm_password_change.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-title: Password Change on Directory Service Restore Mode (DSRM) Account
-author: Thomas Patzke
-date: 2017/02/19
-description: The Directory Service Restore Mode (DSRM) account is a local administrator
- account on Domain Controllers. Attackers may change the password to gain persistence.
-detection:
- SELECTION_1:
- EventID: 4794
- condition: SELECTION_1
-falsepositives:
-- Initial installation of a domain controller
-id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
-level: high
-logsource:
- product: windows
- service: security
-modified: 2020/08/23
-references:
-- https://adsecurity.org/?p=1714
-status: stable
-tags:
-- attack.persistence
-- attack.t1098
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_susp_eventlog_cleared.yml
deleted file mode 100644
index 8309611a..00000000
--- a/rules/sigma/builtin/win_susp_eventlog_cleared.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-
-title: Eventlog Cleared
-author: Florian Roth
-date: 2017/01/10
-description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil
- cl" command execution
-detection:
- SELECTION_1:
- EventID: 517
- SELECTION_2:
- EventID: 1102
- SELECTION_3:
- Provider_Name: Microsoft-Windows-Eventlog
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
-falsepositives:
-- Rollout of log collection agents (the setup routine often includes a reset of the
- local Eventlog)
-- System provisioning (system reset before the golden image creation)
-id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/10/13
-references:
-- https://twitter.com/deviouspolack/status/832535435960209408
-- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-related:
-- id: f2f01843-e7b8-4f95-a35a-d23584476423
- type: obsoletes
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070
-- attack.t1070.001
-- car.2016-04-002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_guest_logon.yml b/rules/sigma/builtin/win_susp_failed_guest_logon.yml
deleted file mode 100644
index e44823b4..00000000
--- a/rules/sigma/builtin/win_susp_failed_guest_logon.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: Suspicious Rejected SMB Guest Logon From IP
-author: Florian Roth, KevTheHermit, fuzzyf10w
-date: 2021/06/30
-description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in
- Windows Spooler Service
-detection:
- SELECTION_1:
- EventID: 31017
- SELECTION_2:
- Description: '*Rejected an insecure guest logon*'
- SELECTION_3:
- UserName: ''
- SELECTION_4:
- ServerName: \1*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Account fallback reasons (after failed login with specific account)
-fields:
-- Computer
-- User
-id: 71886b70-d7b4-4dbf-acce-87d2ca135262
-level: medium
-logsource:
- product: windows
- service: smbclient-security
-modified: 2021/07/05
-references:
-- https://twitter.com/KevTheHermit/status/1410203844064301056
-- https://github.com/hhlxf/PrintNightmare
-- https://github.com/afwu/PrintNightmare
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1110.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml b/rules/sigma/builtin/win_susp_failed_logon_reasons.yml
deleted file mode 100644
index 2b41b9fd..00000000
--- a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-
-title: Account Tampering - Suspicious Failed Logon Reasons
-author: Florian Roth
-date: 2017/02/19
-description: This method uses uncommon error codes on failed logons to determine suspicious
- activity and tampering with accounts that have been disabled or somehow restricted.
-detection:
- SELECTION_1:
- EventID: 4625
- SELECTION_2:
- EventID: 4776
- SELECTION_3:
- Status:
- - '0xC0000072'
- - '0xC000006F'
- - '0xC0000070'
- - '0xC0000413'
- - '0xC000018C'
- - '0xC000015B'
- SELECTION_4:
- SubjectUserSid: S-1-0-0
- condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- User using a disabled account
-id: 9eb99343-d336-4020-a3cd-67f3819e68ee
-level: high
-logsource:
- product: windows
- service: security
-modified: 2021/10/29
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
-- https://twitter.com/SBousseaden/status/1101431884540710913
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.initial_access
-- attack.t1078
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logon_source.yml b/rules/sigma/builtin/win_susp_failed_logon_source.yml
deleted file mode 100644
index 51d806bd..00000000
--- a/rules/sigma/builtin/win_susp_failed_logon_source.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-
-title: Failed Logon From Public IP
-author: NVISO
-date: 2020/05/06
-description: A login from a public IP can indicate a misconfigured firewall or network
- boundary.
-detection:
- SELECTION_1:
- EventID: 4625
- SELECTION_2:
- IpAddress: '*-*'
- SELECTION_3:
- IpAddress:
- - 10.*
- - 192.168.*
- - 172.16.*
- - 172.17.*
- - 172.18.*
- - 172.19.*
- - 172.20.*
- - 172.21.*
- - 172.22.*
- - 172.23.*
- - 172.24.*
- - 172.25.*
- - 172.26.*
- - 172.27.*
- - 172.28.*
- - 172.29.*
- - 172.30.*
- - 172.31.*
- - 127.*
- - 169.254.*
- SELECTION_4:
- IpAddress: ::1
- SELECTION_5:
- IpAddress:
- - fe80::*
- - fc00::*
- condition: (SELECTION_1 and not ((SELECTION_2 or SELECTION_3 or SELECTION_4 or
- SELECTION_5)))
-falsepositives:
-- Legitimate logon attempts over the internet
-- IPv4-to-IPv6 mapped IPs
-id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
-level: medium
-logsource:
- product: windows
- service: security
-status: experimental
-tags:
-- attack.initial_access
-- attack.persistence
-- attack.t1078
-- attack.t1190
-- attack.t1133
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml
deleted file mode 100644
index b5198853..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: Multiple Users Attempting To Authenticate Using Explicit Credentials
-author: Mauricio Velazco
-date: 2021/06/01
-description: Detects a source user failing to authenticate with multiple users using
- explicit credentials on a host.
-detection:
- SELECTION_1:
- EventID: 4648
- condition: SELECTION_1 | count(Account_Name) by ComputerName > 10
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/08/09
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml b/rules/sigma/builtin/win_susp_failed_logons_single_process.yml
deleted file mode 100644
index 9c43959b..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Multiple Users Failing to Authenticate from Single Process
-author: Mauricio Velazco
-date: 2021/06/01
-description: Detects failed logins with multiple accounts from a single process on
- the system.
-detection:
- SELECTION_1:
- EventID: 4625
- SELECTION_2:
- LogonType: 2
- SELECTION_3:
- ProcessName: '-'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
- by ProcessName > 10
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: fe563ab6-ded4-4916-b49f-a3a8445fe280
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/07/07
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-- https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source.yml
deleted file mode 100644
index 8e6d1d1b..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Failed Logins with Different Accounts from Single Source System
-author: Florian Roth
-date: 2017/01/10
-description: Detects suspicious failed logins with different user accounts from a
- single source system
-detection:
- SELECTION_1:
- EventID: 529
- SELECTION_2:
- EventID: 4625
- SELECTION_3:
- TargetUserName: '*'
- SELECTION_4:
- WorkstationName: '*'
- condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName)
- by WorkstationName > 3
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/09/21
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1078
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml
deleted file mode 100644
index 2f5be1ee..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Failed Logins with Different Accounts from Single Source System
-author: Florian Roth
-date: 2017/01/10
-description: Detects suspicious failed logins with different user accounts from a
- single source system
-detection:
- SELECTION_1:
- EventID: 4776
- SELECTION_2:
- TargetUserName: '*'
- SELECTION_3:
- Workstation: '*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName)
- by Workstation > 3
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/09/21
-related:
-- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
- type: derived
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1078
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml
deleted file mode 100644
index 85f238bc..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Valid Users Failing to Authenticate From Single Source Using Kerberos
-author: Mauricio Velazco, frack113
-date: 2021/06/01
-description: Detects multiple failed logins with multiple valid domain accounts from
- a single source system using the Kerberos protocol.
-detection:
- SELECTION_1:
- EventID: 4771
- SELECTION_2:
- Status: '0x18'
- SELECTION_3:
- TargetUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
- by IpAddress > 10
-falsepositives:
-- Vulnerability scanners
-- Misconfigured systems
-- Remote administration tools
-- VPN terminators
-- Multiuser systems like Citrix server farms
-id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/07/06
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml
deleted file mode 100644
index 3efef0e8..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Disabled Users Failing To Authenticate From Source Using Kerberos
-author: Mauricio Velazco, frack113
-date: 2021/06/01
-description: Detects failed logins with multiple disabled domain accounts from a single
- source system using the Kerberos protocol.
-detection:
- SELECTION_1:
- EventID: 4768
- SELECTION_2:
- Status: '0x12'
- SELECTION_3:
- TargetUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
- by IpAddress > 10
-falsepositives:
-- Vulnerability scanners
-- Misconfigured systems
-- Remote administration tools
-- VPN terminators
-- Multiuser systems like Citrix server farms
-id: 4b6fe998-b69c-46d8-901b-13677c9fb663
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/07/06
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml
deleted file mode 100644
index ad15a8cb..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Invalid Users Failing To Authenticate From Source Using Kerberos
-author: Mauricio Velazco, frack113
-date: 2021/06/01
-description: Detects failed logins with multiple invalid domain accounts from a single
- source system using the Kerberos protocol.
-detection:
- SELECTION_1:
- EventID: 4768
- SELECTION_2:
- Status: '0x6'
- SELECTION_3:
- TargetUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
- by IpAddress > 10
-falsepositives:
-- Vulnerability scanners
-- Misconfigured systems
-- Remote administration tools
-- VPN terminators
-- Multiuser systems like Citrix server farms
-id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/07/06
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml
deleted file mode 100644
index f7efc427..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Valid Users Failing to Authenticate from Single Source Using NTLM
-author: Mauricio Velazco
-date: 2021/06/01
-description: Detects failed logins with multiple valid domain accounts from a single
- source system using the NTLM protocol.
-detection:
- SELECTION_1:
- EventID: 4776
- SELECTION_2:
- Status: '*0xC000006A'
- SELECTION_3:
- TargetUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
- by Workstation > 10
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/07/07
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml
deleted file mode 100644
index c51d606e..00000000
--- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Invalid Users Failing To Authenticate From Single Source Using NTLM
-author: Mauricio Velazco
-date: 2021/06/01
-description: Detects failed logins with multiple invalid domain accounts from a single
- source system using the NTLM protocol.
-detection:
- SELECTION_1:
- EventID: 4776
- SELECTION_2:
- Status: '*0xC0000064'
- SELECTION_3:
- TargetUserName: '*$'
- condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
- by Workstation > 10
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: 56d62ef8-3462-4890-9859-7b41e541f8d5
-level: medium
-logsource:
- product: windows
- service: security
-modified: 2021/07/07
-references:
-- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-status: experimental
-tags:
-- attack.t1110.003
-- attack.initial_access
-- attack.privilege_escalation
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml
deleted file mode 100644
index 8002f8f7..00000000
--- a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml
+++ /dev/null
@@ -1,34 +0,0 @@ - -title: Multiple Users Remotely Failing To Authenticate From Single Source -author: Mauricio Velazco -date: 2021/06/01 -description: Detects a source system failing to authenticate against a remote host - with multiple users. -detection: - SELECTION_1: - EventID: 4625 - SELECTION_2: - LogonType: 3 - SELECTION_3: - IpAddress: '-' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName) - by IpAddress > 10 -falsepositives: -- Terminal servers -- Jump servers -- Other multiuser systems like Citrix server farms -- Workstations with frequently changing users -id: add2ef8d-dc91-4002-9e7e-f2702369f53a -level: medium -logsource: - product: windows - service: security -modified: 2021/07/09 -references: -- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying -status: experimental -tags: -- attack.t1110.003 -- attack.initial_access -- attack.privilege_escalation -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_interactive_logons.yml b/rules/sigma/builtin/win_susp_interactive_logons.yml deleted file mode 100644 index c0f6713d..00000000 --- a/rules/sigma/builtin/win_susp_interactive_logons.yml +++ /dev/null 
@@ -1,38 +0,0 @@ - -title: Interactive Logon to Server Systems -author: Florian Roth -date: 2017/03/17 -description: Detects interactive console logons to Server Systems -detection: - SELECTION_1: - EventID: 528 - SELECTION_2: - EventID: 529 - SELECTION_3: - EventID: 4624 - SELECTION_4: - EventID: 4625 - SELECTION_5: - LogonType: 2 - SELECTION_6: - ComputerName: - - '%ServerSystems%' - - '%DomainControllers%' - SELECTION_7: - LogonProcessName: Advapi - SELECTION_8: - ComputerName: '%Workstations%' - condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5 - and SELECTION_6) and not (SELECTION_7 and SELECTION_8)) -falsepositives: -- Administrative activity via KVM or ILO board -id: 3ff152b2-1388-4984-9cd9-a323323fdadf -level: medium -logsource: - product: windows - service: security -status: experimental -tags: -- attack.lateral_movement -- attack.t1078 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml b/rules/sigma/builtin/win_susp_kerberos_manipulation.yml deleted file mode 100644 index 84a40a82..00000000 --- a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml +++ /dev/null 
@@ -1,60 +0,0 @@ - -title: Kerberos Manipulation -author: Florian Roth -date: 2017/02/10 -description: This method triggers on rare Kerberos Failure Codes caused by manipulations - of Kerberos messages -detection: - SELECTION_1: - EventID: 675 - SELECTION_2: - EventID: 4768 - SELECTION_3: - EventID: 4769 - SELECTION_4: - EventID: 4771 - SELECTION_5: - FailureCode: - - '0x9' - - '0xA' - - '0xB' - - '0xF' - - '0x10' - - '0x11' - - '0x13' - - '0x14' - - '0x1A' - - '0x1F' - - '0x21' - - '0x22' - - '0x23' - - '0x24' - - '0x26' - - '0x27' - - '0x28' - - '0x29' - - '0x2C' - - '0x2D' - - '0x2E' - - '0x2F' - - '0x31' - - '0x32' - - '0x3E' - - '0x3F' - - '0x40' - - '0x41' - - '0x43' - - '0x44' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5) -falsepositives: -- Faulty legacy applications -id: f7644214-0eb0-4ace-9455-331ec4c09253 -level: high -logsource: - product: windows - service: security -status: experimental -tags: -- attack.credential_access -- attack.t1212 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml b/rules/sigma/builtin/win_susp_ldap_dataexchange.yml deleted file mode 100644 index ff34fef6..00000000 --- a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - -title: Suspicious LDAP-Attributes Used -author: xknow @xknow_infosec -date: 2019/03/24 -description: Detects the usage of particular AttributeLDAPDisplayNames, which are - known for data exchange via LDAP by the tool LDAPFragger and are additionally not - commonly used in companies. -detection: - SELECTION_1: - EventID: 5136 - SELECTION_2: - AttributeValue: '*' - SELECTION_3: - AttributeLDAPDisplayName: - - primaryInternationalISDNNumber - - otherFacsimileTelephoneNumber - - primaryTelexNumber - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Companies, who may use these default LDAP-Attributes for personal information -id: d00a9a72-2c09-4459-ad03-5e0a23351e36 -level: high -logsource: - product: windows - service: security -modified: 2020/08/23 -references: -- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 -- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ -- https://github.com/fox-it/LDAPFragger -status: experimental -tags: -- attack.t1071 -- attack.t1001.003 -- attack.command_and_control -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml b/rules/sigma/builtin/win_susp_local_anon_logon_created.yml deleted file mode 100644 index 9d4d3d4f..00000000 --- a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: Suspicious Windows ANONYMOUS LOGON Local Account Created -author: James Pemberton / @4A616D6573 -date: 2019/10/31 -description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, - such as using additional spaces. Created as an covering detection for exclusion - of Logon Type 3 from ANONYMOUS LOGON accounts. -detection: - SELECTION_1: - EventID: 4720 - SELECTION_2: - SamAccountName: '*ANONYMOUS*' - SELECTION_3: - SamAccountName: '*LOGON*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 1bbf25b9-8038-4154-a50b-118f2a32be27 -level: high -logsource: - product: windows - service: security -modified: 2021/07/06 -references: -- https://twitter.com/SBousseaden/status/1189469425482829824 -status: experimental -tags: -- attack.persistence -- attack.t1136 -- attack.t1136.001 -- attack.t1136.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml b/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml deleted file mode 100644 index 3cdfaa0f..00000000 --- a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - -title: Suspicious Remote Logon with Explicit Credentials -author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st -date: 2020/10/05 -description: Detects suspicious processes logging on with explicit credentials -detection: - SELECTION_1: - EventID: 4648 - SELECTION_2: - ProcessName: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\pwsh.exe' - - '*\winrs.exe' - - '*\wmic.exe' - - '*\net.exe' - - '*\net1.exe' - - '*\reg.exe' - SELECTION_3: - TargetServerName: localhost - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Administrators that use the RunAS command or scheduled tasks -id: 941e5c45-cda7-4864-8cea-bbb7458d194a -level: medium -logsource: - product: windows - service: security -modified: 2021/11/12 -references: -- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -status: experimental -tags: -- attack.t1078 -- attack.lateral_movement -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump.yml b/rules/sigma/builtin/win_susp_lsass_dump.yml deleted file mode 100644 index 72a5f42b..00000000 --- a/rules/sigma/builtin/win_susp_lsass_dump.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: Password Dumper Activity on LSASS -author: sigma -date: 2017/02/12 -description: Detects process handle on LSASS process with certain access mask and - object type SAM_DOMAIN -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - ProcessName: '*\lsass.exe' - SELECTION_3: - AccessMask: '0x705' - SELECTION_4: - ObjectType: SAM_DOMAIN - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c -level: high -logsource: - product: windows - service: security -modified: 2021/06/21 -references: -- https://twitter.com/jackcr/status/807385668833968128 -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml b/rules/sigma/builtin/win_susp_lsass_dump_generic.yml deleted file mode 100644 index ff536f86..00000000 --- a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml +++ /dev/null 
@@ -1,85 +0,0 @@ - -title: Generic Password Dumper Activity on LSASS -author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, - Aleksey Potapov, oscd.community (update) -date: 2019/11/01 -description: Detects process handle on LSASS process with certain access mask -detection: - SELECTION_1: - ObjectName: '*\lsass.exe' - SELECTION_2: - EventID: 4656 - SELECTION_3: - AccessMask: - - '*0x40*' - - '*0x1400*' - - '*0x1000*' - - '*0x100000*' - - '*0x1410*' - - '*0x1010*' - - '*0x1438*' - - '*0x143a*' - - '*0x1418*' - - '*0x1f0fff*' - - '*0x1f1fff*' - - '*0x1f2fff*' - - '*0x1f3fff*' - SELECTION_4: - EventID: 4663 - SELECTION_5: - AccessList: - - '*4484*' - - '*4416*' - SELECTION_6: - ProcessName: - - '*\wmiprvse.exe' - - '*\taskmgr.exe' - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\lsm.exe' - - '*\csrss.exe' - - '*\wininit.exe' - - '*\vmtoolsd.exe' - - '*\minionhost.exe' - - '*\VsTskMgr.exe' - - '*\thor64.exe' - - '*\MicrosoftEdgeUpdate.exe' - - '*\GamingServices.exe' - - '*\svchost.exe' - SELECTION_7: - ProcessName: - - C:\Windows\System32\\* - - C:\Windows\SysWow64\\* - - C:\Windows\SysNative\\* - - C:\Program Files\\* - - C:\Windows\Temp\asgard2-agent\\* - SELECTION_8: - ProcessName: - - C:\Program Files* - condition: (((SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and - SELECTION_5))) and not (SELECTION_6 and SELECTION_7)) and not (SELECTION_8)) -falsepositives: -- Legitimate software accessing LSASS process for legitimate reason; update the whitelist - with it -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ProcessName -- ProcessID -id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 -level: high -logsource: - product: windows - service: security -modified: 2021/11/09 -references: -- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- 
attack.credential_access -- attack.t1003 -- car.2019-04-004 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_mshta_execution.yml b/rules/sigma/builtin/win_susp_mshta_execution.yml deleted file mode 100644 index d18df3fa..00000000 --- a/rules/sigma/builtin/win_susp_mshta_execution.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: MSHTA Suspicious Execution 01 -author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) -date: 2019/02/22 -description: Detection for mshta.exe suspicious execution patterns sometimes involving - file polyglotism -detection: - SELECTION_1: - EventID: 1 - SELECTION_2: - Image: '*\mshta.exe' - SELECTION_3: - CommandLine: - - '*vbscript*' - - '*.jpg*' - - '*.png*' - - '*.lnk*' - - '*.xls*' - - '*.doc*' - - '*.zip*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- False positives depend on scripts and administrative tools used in the monitored - environment -id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3 -level: high -logsource: - category: process_creation - product: windows -modified: 2020/08/23 -references: -- http://blog.sevagas.com/?Hacking-around-HTA-files -- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 -- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script -- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997 -status: experimental -tags: -- attack.defense_evasion -- attack.t1140 -- attack.t1218.005 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_msmpeng_crash.yml b/rules/sigma/builtin/win_susp_msmpeng_crash.yml deleted file mode 100644 index 83a03004..00000000 --- a/rules/sigma/builtin/win_susp_msmpeng_crash.yml +++ /dev/null 
@@ -1,39 +0,0 @@ - -title: Microsoft Malware Protection Engine Crash -author: Florian Roth -date: 2017/05/09 -description: This rule detects a suspicious crash of the Microsoft Malware Protection - Engine -detection: - SELECTION_1: - Provider_Name: Application Error - SELECTION_2: - EventID: 1000 - SELECTION_3: - Provider_Name: Windows Error Reporting - SELECTION_4: - EventID: 1001 - SELECTION_5: - - MsMpEng.exe - SELECTION_6: - - mpengine.dll - condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and - (SELECTION_5 and SELECTION_6)) -falsepositives: -- MsMpEng.exe can crash when C:\ is full -id: 6c82cf5c-090d-4d57-9188-533577631108 -level: high -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 -- https://technet.microsoft.com/en-us/library/security/4022344 -status: experimental -tags: -- attack.defense_evasion -- attack.t1089 -- attack.t1211 -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml deleted file mode 100644 index 2c7e5f3b..00000000 --- a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: Suspicious Multiple File Rename Or Delete Occurred -author: Vasiliy Burov, oscd.community -date: 2020/10/16 -description: Detects multiple file rename or delete events occurrence within a specified - period of time by a same user (these events may signalize about ransomware activity). -detection: - SELECTION_1: - EventID: 4663 - SELECTION_2: - ObjectType: File - SELECTION_3: - AccessList: '%%1537' - SELECTION_4: - Keywords: '0x8020000000000000' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) | count() - by SubjectLogonId > 10 -falsepositives: -- Software uninstallation -- Files restore activities -id: 97919310-06a7-482c-9639-92b67ed63cf8 -level: medium -logsource: - definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local - Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security - Settings/Advanced Audit Policy Configuration/Object Access' - product: windows - service: security -references: -- https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html -status: experimental -tags: -- attack.impact -- attack.t1486 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_net_recon_activity.yml b/rules/sigma/builtin/win_susp_net_recon_activity.yml deleted file mode 100644 index a6a1ff0d..00000000 --- a/rules/sigma/builtin/win_susp_net_recon_activity.yml +++ /dev/null 
@@ -1,46 +0,0 @@ - -title: Reconnaissance Activity -author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), - oscd.community -date: 2017/03/07 -description: Detects activity as "net user administrator /domain" and "net group domain - admins /domain" -detection: - SELECTION_1: - EventID: 4661 - SELECTION_2: - ObjectType: - - SAM_USER - - SAM_GROUP - SELECTION_3: - ObjectName: S-1-5-21-* - SELECTION_4: - AccessMask: '0x2d' - SELECTION_5: - ObjectName: - - '*-500' - - '*-512' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Administrator activity -- Penetration tests -id: 968eef52-9cff-4454-8992-1e74b9cbad6c -level: high -logsource: - definition: The volume of Event ID 4661 is high on Domain Controllers and therefore - "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured - in the recommendations for server systems - product: windows - service: security -modified: 2020/08/23 -references: -- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html -status: experimental -tags: -- attack.discovery -- attack.t1087 -- attack.t1087.002 -- attack.t1069 -- attack.t1069.002 -- attack.s0039 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_auth.yml b/rules/sigma/builtin/win_susp_ntlm_auth.yml deleted file mode 100644 index a86566f9..00000000 --- a/rules/sigma/builtin/win_susp_ntlm_auth.yml +++ /dev/null 
@@ -1,30 +0,0 @@ - -title: NTLM Logon -author: Florian Roth -date: 2018/06/08 -description: Detects logons using NTLM, which could be caused by a legacy source or - attackers -detection: - SELECTION_1: - EventID: 8002 - SELECTION_2: - ProcessName: '*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legacy hosts -id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b -level: low -logsource: - definition: Requires events from Microsoft-Windows-NTLM/Operational - product: windows - service: ntlm -modified: 2021/11/20 -references: -- https://twitter.com/JohnLaTwC/status/1004895028995477505 -- https://goo.gl/PsqrhT -status: experimental -tags: -- attack.lateral_movement -- attack.t1075 -- attack.t1550.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_rdp.yml b/rules/sigma/builtin/win_susp_ntlm_rdp.yml deleted file mode 100644 index 0d7a6604..00000000 --- a/rules/sigma/builtin/win_susp_ntlm_rdp.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Potential Remote Desktop Connection to Non-Domain Host -author: James Pemberton -date: 2020/05/22 -description: Detects logons using NTLM to hosts that are potentially not part of the - domain. -detection: - SELECTION_1: - EventID: 8001 - SELECTION_2: - TargetName: TERMSRV* - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Host connections to valid domains, exclude these. -- Host connections not using host FQDN. -- Host connections to external legitimate domains. -fields: -- Computer -- UserName -- DomainName -- TargetName -id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad -level: medium -logsource: - definition: Requires events from Microsoft-Windows-NTLM/Operational - product: windows - service: ntlm -references: -- n/a -status: experimental -tags: -- attack.command_and_control -- attack.t1219 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_proceshacker.yml b/rules/sigma/builtin/win_susp_proceshacker.yml deleted file mode 100644 index 1fe43beb..00000000 
--- a/rules/sigma/builtin/win_susp_proceshacker.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: ProcessHacker Privilege Elevation -author: Florian Roth -date: 2021/05/27 -description: Detects a ProcessHacker tool that elevated privileges to a very high - level -detection: - SELECTION_1: - EventID: 7045 - SELECTION_2: - ServiceName: ProcessHacker* - SELECTION_3: - AccountName: LocalSystem - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unlikely -id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 -level: high -logsource: - product: windows - service: system -references: -- https://twitter.com/1kwpeter/status/1397816101455765504 -status: experimental -tags: -- attack.execution -- attack.privilege_escalation -- attack.t1543.003 -- attack.t1569.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_psexec.yml b/rules/sigma/builtin/win_susp_psexec.yml deleted file mode 100644 index 2d651b26..00000000 --- a/rules/sigma/builtin/win_susp_psexec.yml +++ /dev/null 
@@ -1,42 +0,0 @@ - -title: Suspicious PsExec Execution -author: Samir Bousseaden -date: 2019/04/03 -description: detects execution of psexec or paexec with renamed service name, this - rule helps to filter out the noise if psexec is used for legit purposes or if attacker - uses a different psexec client other than sysinternal one -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: - - '*-stdin' - - '*-stdout' - - '*-stderr' - SELECTION_4: - EventID: 5145 - SELECTION_5: - ShareName: \\*\IPC$ - SELECTION_6: - RelativeTargetName: PSEXESVC* - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4 - and SELECTION_5 and SELECTION_6)) -falsepositives: -- nothing observed so far -id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 -level: high -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html -status: experimental -tags: -- attack.lateral_movement -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml b/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml deleted file mode 100644 index b70fac83..00000000 --- a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml +++ /dev/null 
@@ -1,43 +0,0 @@ - -title: Suspicious Access to Sensitive File Extensions -author: Samir Bousseaden -date: 2019/04/03 -description: Detects known sensitive file extensions accessed on a network share -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: - - '*.pst' - - '*.ost' - - '*.msg' - - '*.nst' - - '*.oab' - - '*.edb' - - '*.nsf' - - '*.bak' - - '*.dmp' - - '*.kirbi' - - '*\groups.xml' - - '*.rdp' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Help Desk operator doing backup or re-imaging end user machine or pentest or backup - software -- Users working with these data types or exchanging message files -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- RelativeTargetName -id: 91c945bc-2ad1-4799-a591-4d00198a1215 -level: medium -logsource: - product: windows - service: security -modified: 2021/08/09 -status: experimental -tags: -- attack.collection -- attack.t1039 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rc4_kerberos.yml b/rules/sigma/builtin/win_susp_rc4_kerberos.yml deleted file mode 100644 index 1da55067..00000000 --- a/rules/sigma/builtin/win_susp_rc4_kerberos.yml +++ /dev/null 
@@ -1,33 +0,0 @@ - -title: Suspicious Kerberos RC4 Ticket Encryption -author: Florian Roth -date: 2017/02/06 -description: Detects service ticket requests using RC4 encryption type -detection: - SELECTION_1: - EventID: 4769 - SELECTION_2: - TicketOptions: '0x40810000' - SELECTION_3: - TicketEncryptionType: '0x17' - SELECTION_4: - ServiceName: $* - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Service accounts used on legacy systems (e.g. NetApp) -- Windows Domains with DFL 2003 and legacy systems -id: 496a0e47-0a33-4dca-b009-9e6ca3591f39 -level: medium -logsource: - product: windows - service: security -modified: 2021/08/14 -references: -- https://adsecurity.org/?p=3458 -- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity -status: experimental -tags: -- attack.credential_access -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rottenpotato.yml b/rules/sigma/builtin/win_susp_rottenpotato.yml deleted file mode 100644 index aee0c95d..00000000 --- a/rules/sigma/builtin/win_susp_rottenpotato.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: RottenPotato Like Attack Pattern -author: '@SBousseaden, Florian Roth' -date: 2019/11/15 -description: Detects logon events that have characteristics of events generated during - an attack with RottenPotato and the like -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - LogonType: 3 - SELECTION_3: - TargetUserName: ANONYMOUS_LOGON - SELECTION_4: - WorkstationName: '-' - SELECTION_5: - IpAddress: 127.0.0.1 - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) -falsepositives: -- Unknown -id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f -level: high -logsource: - product: windows - service: security -modified: 2021/07/07 -references: -- https://twitter.com/SBousseaden/status/1195284233729777665 -status: experimental -tags: -- attack.privilege_escalation -- attack.credential_access -- attack.t1171 -- attack.t1557.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sam_dump.yml b/rules/sigma/builtin/win_susp_sam_dump.yml deleted file mode 100644 index c2a0a130..00000000 --- a/rules/sigma/builtin/win_susp_sam_dump.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: SAM Dump to AppData -author: Florian Roth -date: 2018/01/27 -description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other - password dumpers -detection: - SELECTION_1: - EventID: 16 - SELECTION_2: - - \AppData\Local\Temp\SAM- - SELECTION_3: - - .dmp - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Penetration testing -id: 839dd1e8-eda8-4834-8145-01beeee33acd -level: high -logsource: - definition: The source of this type of event is Kernel-General - product: windows - service: system -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sdelete.yml b/rules/sigma/builtin/win_susp_sdelete.yml deleted file mode 100644 index eca49526..00000000 
--- a/rules/sigma/builtin/win_susp_sdelete.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Secure Deletion with SDelete -author: Thomas Patzke -date: 2017/06/14 -description: Detects renaming of file while deletion with SDelete tool. -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - EventID: 4658 - SELECTION_4: - ObjectName: - - '*.AAA' - - '*.ZZZ' - condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) -falsepositives: -- Legitimate usage of SDelete -id: 39a80702-d7ca-4a83-b776-525b1f86a36d -level: medium -logsource: - product: windows - service: security -modified: 2020/08/02 -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm -- https://www.jpcert.or.jp/english/pub/sr/ir_research.html -- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete -status: experimental -tags: -- attack.impact -- attack.defense_evasion -- attack.t1107 -- attack.t1070.004 -- attack.t1066 -- attack.t1027.005 -- attack.t1485 -- attack.t1553.002 -- attack.s0195 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_time_modification.yml b/rules/sigma/builtin/win_susp_time_modification.yml deleted file mode 100644 index abeb35b5..00000000 --- a/rules/sigma/builtin/win_susp_time_modification.yml +++ /dev/null 
@@ -1,41 +0,0 @@ - -title: Unauthorized System Time Modification -author: '@neu5ron' -date: 2019/02/05 -description: Detect scenarios where a potentially unauthorized application or user - is modifying the system time. -detection: - SELECTION_1: - EventID: 4616 - SELECTION_2: - ProcessName: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe - SELECTION_3: - ProcessName: C:\Windows\System32\VBoxService.exe - SELECTION_4: - ProcessName: C:\Windows\System32\svchost.exe - SELECTION_5: - SubjectUserSid: S-1-5-19 - condition: (SELECTION_1 and not (((SELECTION_2 or SELECTION_3) or (SELECTION_4 - and SELECTION_5)))) -falsepositives: -- HyperV or other virtualization technologies with binary not listed in filter portion - of detection -id: faa031b5-21ed-4e02-8881-2591f98d82ed -level: medium -logsource: - definition: 'Requirements: Audit Policy : System > Audit Security State Change, - Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\System\Audit Security State Change' - product: windows - service: security -modified: 2020/01/27 -references: -- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) -- Live environment caused by malware -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 -status: experimental -tags: -- attack.defense_evasion -- attack.t1099 -- attack.t1070.006 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_wmi_login.yml b/rules/sigma/builtin/win_susp_wmi_login.yml deleted file mode 100644 index af31284e..00000000 --- a/rules/sigma/builtin/win_susp_wmi_login.yml +++ /dev/null 
@@ -1,24 +0,0 @@ - -title: Login with WMI -author: Thomas Patzke -date: 2019/12/04 -description: Detection of logins performed with WMI -detection: - SELECTION_1: - EventID: 4624 - SELECTION_2: - ProcessName: '*\WmiPrvSE.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Monitoring tools -- Legitimate system administration -id: 5af54681-df95-4c26-854f-2565e13cfab0 -level: low -logsource: - product: windows - service: security -status: stable -tags: -- attack.execution -- attack.t1047 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml deleted file mode 100644 index e9d683d5..00000000 --- a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml +++ /dev/null @@ -1,34 +0,0 @@ - -title: Suspicious Outbound Kerberos Connection -author: Ilyas Ochkov, oscd.community -date: 2019/10/24 -description: Detects suspicious outbound network activity via kerberos default port - indicating possible lateral movement or first stage PrivEsc via delegation. -detection: - SELECTION_1: - EventID: 5156 - SELECTION_2: - DestinationPort: 88 - SELECTION_3: - Image: - - '*\lsass.exe' - - '*\opera.exe' - - '*\chrome.exe' - - '*\firefox.exe' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Other browsers -id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 -level: high -logsource: - product: windows - service: security -modified: 2019/11/13 -references: -- https://github.com/GhostPack/Rubeus -status: experimental -tags: -- attack.lateral_movement -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_svcctl_remote_service.yml b/rules/sigma/builtin/win_svcctl_remote_service.yml deleted file mode 100644 index de4e3024..00000000 --- a/rules/sigma/builtin/win_svcctl_remote_service.yml +++ /dev/null 
@@ -1,34 +0,0 @@ - -title: Remote Service Activity via SVCCTL Named Pipe -author: Samir Bousseaden -date: 2019/04/03 -description: Detects remote service activity via remote access to the svcctl named - pipe -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - ShareName: \\*\IPC$ - SELECTION_3: - RelativeTargetName: svcctl - SELECTION_4: - Accesses: '*WriteData*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- pentesting -id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 -level: medium -logsource: - definition: The advanced audit policy setting "Object Access > Audit Detailed File - Share" must be configured for Success/Failure - product: windows - service: security -references: -- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -status: experimental -tags: -- attack.lateral_movement -- attack.persistence -- attack.t1077 -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_syskey_registry_access.yml b/rules/sigma/builtin/win_syskey_registry_access.yml deleted file mode 100644 index 09270214..00000000 --- a/rules/sigma/builtin/win_syskey_registry_access.yml +++ /dev/null 
@@ -1,35 +0,0 @@ - -title: SysKey Registry Keys Access -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/12 -description: Detects handle requests and access operations to specific registry keys - to calculate the SysKey -detection: - SELECTION_1: - EventID: 4656 - SELECTION_2: - EventID: 4663 - SELECTION_3: - ObjectType: key - SELECTION_4: - ObjectName: - - '*lsa\JD' - - '*lsa\GBG' - - '*lsa\Skew1' - - '*lsa\Data' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 -level: critical -logsource: - product: windows - service: security -modified: 2019/11/10 -references: -- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html -status: experimental -tags: -- attack.discovery -- attack.t1012 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml b/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml deleted file mode 100644 index d0c57140..00000000 --- a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml +++ /dev/null 
@@ -1,40 +0,0 @@ - -title: Sysmon Channel Reference Deletion -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/07/14 -description: Potential threat actor tampering with Sysmon manifest and eventually - disabling it -detection: - SELECTION_1: - ObjectName: - - '*WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*' - - '*WINEVT\Channels\Microsoft-Windows-Sysmon/Operational*' - SELECTION_2: - EventID: 4657 - SELECTION_3: - ObjectValueName: Enabled - SELECTION_4: - NewValue: '0' - SELECTION_5: - EventID: 4663 - SELECTION_6: - AccessMask: 65536 - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5 - and SELECTION_6))) -falsepositives: -- unknown -id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc -level: critical -logsource: - product: windows - service: security -references: -- https://twitter.com/Flangvik/status/1283054508084473861 -- https://twitter.com/SecurityJosh/status/1283027365770276866 -- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html -- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8 -status: experimental -tags: -- attack.defense_evasion -- attack.t1112 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml deleted file mode 100644 index 56c69cef..00000000 --- a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml +++ /dev/null 
@@ -1,37 +0,0 @@ - -title: Eventlog Cleared -author: Florian Roth -date: 2017/01/10 -description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil - cl" command execution -detection: - SELECTION_1: - EventID: 104 - SELECTION_2: - Provider_Name: Microsoft-Windows-Eventlog - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Rollout of log collection agents (the setup routine often includes a reset of the - local Eventlog) -- System provisioning (system reset before the golden image creation) -id: a62b37e0-45d3-48d9-a517-90c1a1b0186b -level: high -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://twitter.com/deviouspolack/status/832535435960209408 -- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 -related: -- id: f2f01843-e7b8-4f95-a35a-d23584476423 - type: obsoletes -- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1070 -- attack.t1070.001 -- car.2016-04-002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_tap_driver_installation.yml b/rules/sigma/builtin/win_tap_driver_installation.yml deleted file mode 100644 index 0daf9eaa..00000000 --- a/rules/sigma/builtin/win_tap_driver_installation.yml +++ /dev/null 
@@ -1,25 +0,0 @@
-
-title: Tap Driver Installation
-author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-description: Well-known TAP software installation. Possible preparation for data exfiltration
- using tunnelling techniques
-detection:
- SELECTION_1:
- EventID: 7045
- SELECTION_2:
- ImagePath: '*tap0901*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate OpenVPN TAP insntallation
-id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
-level: medium
-logsource:
- product: windows
- service: system
-modified: 2021/09/21
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1048
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
deleted file mode 100644
index 556771b6..00000000
--- a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
+++ /dev/null
@@ -1,37 +0,0 @@ - -title: Transferring Files with Credential Data via Network Shares -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: Transferring files with well-known filenames (sensitive files with credential - data) using network shares -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: - - '*\mimidrv*' - - '*\lsass*' - - '*\windows\minidump\\*' - - '*\hiberfil*' - - '*\sqldmpr*' - - '*\sam*' - - '*\ntds.dit*' - - '*\security*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Transferring sensitive files for legitimate administration work by legitimate administrator -id: 910ab938-668b-401b-b08c-b596e80fdca5 -level: medium -logsource: - product: windows - service: security -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -- attack.t1003.001 -- attack.t1003.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_usb_device_plugged.yml b/rules/sigma/builtin/win_usb_device_plugged.yml deleted file mode 100644 index 23f93a97..00000000 --- a/rules/sigma/builtin/win_usb_device_plugged.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: USB Device Plugged -author: Florian Roth -date: 2017/11/09 -description: Detects plugged USB devices -detection: - SELECTION_1: - EventID: 2003 - SELECTION_2: - EventID: 2100 - SELECTION_3: - EventID: 2102 - condition: (SELECTION_1 or SELECTION_2 or SELECTION_3) -falsepositives: -- Legitimate administrative activity -id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 -level: low -logsource: - product: windows - service: driver-framework -references: -- https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ -- https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ -status: experimental -tags: -- attack.initial_access -- attack.t1200 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_user_added_to_local_administrators.yml b/rules/sigma/builtin/win_user_added_to_local_administrators.yml deleted file mode 100644 index 06b76c48..00000000 --- a/rules/sigma/builtin/win_user_added_to_local_administrators.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: User Added to Local Administrators -author: Florian Roth -date: 2017/03/14 -description: This rule triggers on user accounts that are added to the local Administrators - group, which could be legitimate activity or a sign of privilege escalation activity -detection: - SELECTION_1: - EventID: 4732 - SELECTION_2: - TargetUserName: Administr* - SELECTION_3: - TargetSid: S-1-5-32-544 - SELECTION_4: - SubjectUserName: '*$' - condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4)) -falsepositives: -- Legitimate administrative activity -id: c265cf08-3f99-46c1-8d59-328247057d57 -level: medium -logsource: - product: windows - service: security -modified: 2021/07/07 -status: stable -tags: -- attack.privilege_escalation -- attack.t1078 -- attack.persistence -- attack.t1098 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml deleted file mode 100644 index 92b07a83..00000000 --- a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community -date: 2019/10/24 -description: The 'LsaRegisterLogonProcess' function verifies that the application - making the function call is a logon process by checking that it has the SeTcbPrivilege - privilege set. Possible Rubeus tries to get a handle to LSA. -detection: - SELECTION_1: - EventID: 4673 - SELECTION_2: - Service: LsaRegisterLogonProcess() - SELECTION_3: - Keywords: '0x8010000000000000' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54 -level: high -logsource: - product: windows - service: security -modified: 2021/08/14 -references: -- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 -status: experimental -tags: -- attack.lateral_movement -- attack.privilege_escalation -- attack.t1208 -- attack.t1558.003 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_creation.yml b/rules/sigma/builtin/win_user_creation.yml deleted file mode 100644 index 27ec53cc..00000000 --- a/rules/sigma/builtin/win_user_creation.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-title: Local User Creation
-author: Patrick Bareiss
-date: 2019/04/18
-description: Detects local user creation on windows servers, which shouldn't happen
- in an Active Directory environment. Apply this Sigma Use Case on your windows server
- logs and not on your DC logs.
-detection:
- SELECTION_1:
- EventID: 4720
- condition: SELECTION_1
-falsepositives:
-- Domain Controller Logs
-- Local accounts managed by privileged account management tools
-fields:
-- EventCode
-- AccountName
-- AccountDomain
-id: 66b6be3d-55d0-4f47-9855-d69df21740ea
-level: low
-logsource:
- product: windows
- service: security
-modified: 2020/08/23
-references:
-- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1136
-- attack.t1136.001
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_user_driver_loaded.yml b/rules/sigma/builtin/win_user_driver_loaded.yml
deleted file mode 100644
index 951db50a..00000000
--- a/rules/sigma/builtin/win_user_driver_loaded.yml
+++ /dev/null
@@ -1,52 +0,0 @@ - -title: Suspicious Driver Loaded By User -author: xknow (@xknow_infosec), xorxes (@xor_xes) -date: 2019/04/08 -description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to - load or unload a device driver. With this privilege, the user can dynamically load - and unload device drivers or other code in to kernel mode. This user right does - not apply to Plug and Play device drivers. If you exclude privileged users/admins - and processes, which are allowed to do so, you are maybe left with bad programs - trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) - and the usage of Sysinternals and various other tools. So you have to work with - a whitelist to find the bad stuff. -detection: - SELECTION_1: - EventID: 4673 - SELECTION_2: - PrivilegeList: SeLoadDriverPrivilege - SELECTION_3: - Service: '-' - SELECTION_4: - ProcessName: - - '*\Windows\System32\Dism.exe' - - '*\Windows\System32\rundll32.exe' - - '*\Windows\System32\fltMC.exe' - - '*\Windows\HelpPane.exe' - - '*\Windows\System32\mmc.exe' - - '*\Windows\System32\svchost.exe' - - '*\Windows\System32\wimserv.exe' - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\procmon64.exe' - - '*\procmon.exe' - - '*\Google\Chrome\Application\chrome.exe' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs - etc. - but not much. You have to baseline this according to your used products and - allowed tools. Also try to exclude users, which are allowed to load drivers.' 
-id: f63508a0-c809-4435-b3be-ed819394d612 -level: medium -logsource: - product: windows - service: security -references: -- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 -status: experimental -tags: -- attack.t1089 -- attack.defense_evasion -- attack.t1562.001 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml b/rules/sigma/builtin/win_volume_shadow_copy_mount.yml deleted file mode 100644 index 5aec87e1..00000000 --- a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: Volume Shadow Copy Mount -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/20 -description: Detects volume shadow copy mount -detection: - SELECTION_1: - Provider_Name: Microsoft-Windows-Ntfs - SELECTION_2: - EventID: 98 - SELECTION_3: - DeviceName: '*HarddiskVolumeShadowCopy*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate use of volume shadow copy mounts (backups maybe). -id: f512acbf-e662-4903-843e-97ce4652b740 -level: medium -logsource: - product: windows - service: system -modified: 2021/10/13 -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy -status: experimental -tags: -- attack.credential_access -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml b/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml deleted file mode 100644 index 80f1cca6..00000000 --- a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml +++ /dev/null 
@@ -1,28 +0,0 @@
-
-title: VSSAudit Security Event Source Registration
-author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/20
-description: Detects the registration of the security event source VSSAudit. It would
- usually trigger when volume shadow copy operations happen.
-detection:
- SELECTION_1:
- AuditSourceName: VSSAudit
- SELECTION_2:
- EventID: 4904
- SELECTION_3:
- EventID: 4905
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
-id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
-level: medium
-logsource:
- product: windows
- service: security
-references:
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003.002
-ruletype: SIGMA
diff --git a/rules/sigma/builtin/win_vul_cve_2020_0688.yml b/rules/sigma/builtin/win_vul_cve_2020_0688.yml
deleted file mode 100644
index b8960b6d..00000000
--- a/rules/sigma/builtin/win_vul_cve_2020_0688.yml
+++ /dev/null
@@ -1,32 +0,0 @@ - -title: CVE-2020-0688 Exploitation via Eventlog -author: Florian Roth, wagga -date: 2020/02/29 -description: Detects the exploitation of Microsoft Exchange vulnerability as described - in CVE-2020-0688 -detection: - SELECTION_1: - EventID: 4 - SELECTION_2: - Provider_Name: MSExchange Control Panel - SELECTION_3: - Level: Error - SELECTION_4: - - '&__VIEWSTATE=' - condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4) -falsepositives: -- Unknown -id: d6266bf5-935e-4661-b477-78772735a7cb -level: high -logsource: - product: windows - service: application -modified: 2021/10/13 -references: -- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ -- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ -status: experimental -tags: -- attack.initial_access -- attack.t1190 -ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_1472.yml b/rules/sigma/builtin/win_vul_cve_2020_1472.yml deleted file mode 100644 index 7b73408e..00000000 --- a/rules/sigma/builtin/win_vul_cve_2020_1472.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Vulnerable Netlogon Secure Channel Connection Allowed -author: NVISO -date: 2020/09/15 -description: Detects that a vulnerable Netlogon secure channel connection was allowed, - which could be an indicator of CVE-2020-1472. -detection: - SELECTION_1: - EventID: 5829 - condition: SELECTION_1 -falsepositives: -- Unknown -fields: -- SAMAccountName -id: a0cb7110-edf0-47a4-9177-541a4083128a -level: high -logsource: - product: windows - service: system -modified: 2021/08/09 -references: -- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc -status: experimental -tags: -- attack.privilege_escalation -- attack.t1548 -ruletype: SIGMA 
diff --git a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml deleted file mode 100644 index 3278229c..00000000 --- a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: T1047 Wmiprvse Wbemcomn DLL Hijack -author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) -date: 2020/10/12 -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network for a WMI DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 5145 - SELECTION_2: - RelativeTargetName: '*\wbem\wbemcomn.dll' - SELECTION_3: - SubjectUserName: '*$' - condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) -falsepositives: -- Unknown -id: f6c68d5f-e101-4b86-8c84-7d96851fd65c -level: critical -logsource: - product: windows - service: security -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -status: experimental -tags: -- attack.execution -- attack.t1047 -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml deleted file mode 100644 index 75c2655a..00000000 --- a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml +++ /dev/null 
@@ -1,42 +0,0 @@ - -title: CACTUSTORCH Remote Thread Creation -author: '@SBousseaden (detection), Thomas Patzke (rule)' -date: 2019/02/01 -description: Detects remote thread creation from CACTUSTORCH as described in references. -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: - - '*\System32\cscript.exe' - - '*\System32\wscript.exe' - - '*\System32\mshta.exe' - - '*\winword.exe' - - '*\excel.exe' - SELECTION_3: - TargetImage: '*\SysWOW64\\*' - SELECTION_4: - StartModule|re: ^$ - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- unknown -id: 2e4e488a-6164-4811-9ea1-f960c7359c40 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/11/12 -references: -- https://twitter.com/SBousseaden/status/1090588499517079552 -- https://github.com/mdsecactivebreach/CACTUSTORCH -status: experimental -tags: -- attack.defense_evasion -- attack.t1093 -- attack.t1055.012 -- attack.execution -- attack.t1064 -- attack.t1059.005 -- attack.t1059.007 -- attack.t1218.005 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml deleted file mode 100644 index 4e260051..00000000 --- a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml +++ /dev/null 
@@ -1,32 +0,0 @@ - -title: CobaltStrike Process Injection -author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community -date: 2018/11/30 -description: Detects a possible remote threat creation with certain characteristics - which are typical for Cobalt Strike beacons -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - StartAddress: - - '*0B80' - - '*0C7C' - - '*0C88' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/11/20 -references: -- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f -- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ -status: experimental -tags: -- attack.defense_evasion -- attack.t1055 -- attack.t1055.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml deleted file mode 100644 index aac6829d..00000000 --- a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ /dev/null 
@@ -1,30 +0,0 @@
-
-title: CreateRemoteThread API and LoadLibrary
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-description: Detects potential use of CreateRemoteThread api and LoadLibrary function
- to inject DLL into a process
-detection:
- SELECTION_1:
- EventID: 8
- SELECTION_2:
- StartModule: '*\kernel32.dll'
- SELECTION_3:
- StartFunction: LoadLibraryA
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 052ec6f6-1adc-41e6-907a-f1c813478bee
-level: critical
-logsource:
- category: create_remote_thread
- product: windows
-modified: 2020/08/28
-references:
-- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1055
-- attack.t1055.001
-ruletype: SIGMA
diff --git a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
deleted file mode 100644
index 9c56270b..00000000
--- a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
+++ /dev/null
@@ -1,33 +0,0 @@ - -title: Password Dumper Remote Thread in LSASS -author: Thomas Patzke -date: 2017/02/19 -description: Detects password dumper activity by monitoring remote thread creation - EventID 8 in combination with the lsass.exe process as TargetImage. The process - in field Process is the malicious program. A single execution can lead to hundreds - of events. -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - TargetImage: '*\lsass.exe' - SELECTION_3: - StartModule: '' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Antivirus products -id: f239b326-2f41-4d6b-9dfa-c846a60ef505 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/06/21 -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm -status: stable -tags: -- attack.credential_access -- attack.t1003 -- attack.s0005 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml deleted file mode 100644 index 5a3396c2..00000000 --- a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Accessing WinAPI in PowerShell. Code Injection. -author: Nikita Nazarov, oscd.community -date: 2020/10/06 -description: Detecting Code injection with PowerShell in another process -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: '*\powershell.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 -level: high -logsource: - category: create_remote_thread - definition: Note that you have to configure logging for CreateRemoteThread in Symson - config - product: windows -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -status: experimental -tags: -- attack.execution -- attack.t1059.001 -ruletype: SIGMA 
diff --git a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml deleted file mode 100644 index 65c06f01..00000000 --- a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ /dev/null @@ -1,32 +0,0 @@ - -title: PowerShell Rundll32 Remote Thread Creation -author: Florian Roth -date: 2018/06/25 -description: Detects PowerShell remote thread creation in Rundll32.exe -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: '*\powershell.exe' - SELECTION_3: - TargetImage: '*\rundll32.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 99b97608-3e21-4bfe-8217-2a127c396a0e -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/11/12 -references: -- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html -status: experimental -tags: -- attack.defense_evasion -- attack.execution -- attack.t1085 -- attack.t1218.011 -- attack.t1086 -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml deleted file mode 100644 index 62d05fa3..00000000 --- a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml +++ /dev/null 
@@ -1,89 +0,0 @@ - -title: Suspicious Remote Thread Created -author: Perez Diego (@darkquassar), oscd.community -date: 2019/10/27 -description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", - however, this is still largely observed in the wild. This rule aims to detect suspicious - processes (those we would not expect to behave in this way like word.exe or outlook.exe) - creating remote threads on other processes. It is a generalistic rule, but it should - have a low FP ratio due to the selected range of processes. -detection: - SELECTION_1: - EventID: 8 - SELECTION_2: - SourceImage: - - '*\bash.exe' - - '*\cvtres.exe' - - '*\defrag.exe' - - '*\dnx.exe' - - '*\esentutl.exe' - - '*\excel.exe' - - '*\expand.exe' - - '*\explorer.exe' - - '*\find.exe' - - '*\findstr.exe' - - '*\forfiles.exe' - - '*\git.exe' - - '*\gpupdate.exe' - - '*\hh.exe' - - '*\iexplore.exe' - - '*\installutil.exe' - - '*\lync.exe' - - '*\makecab.exe' - - '*\mDNSResponder.exe' - - '*\monitoringhost.exe' - - '*\msbuild.exe' - - '*\mshta.exe' - - '*\msiexec.exe' - - '*\mspaint.exe' - - '*\outlook.exe' - - '*\ping.exe' - - '*\powerpnt.exe' - - '*\powershell.exe' - - '*\provtool.exe' - - '*\python.exe' - - '*\regsvr32.exe' - - '*\robocopy.exe' - - '*\runonce.exe' - - '*\sapcimc.exe' - - '*\schtasks.exe' - - '*\smartscreen.exe' - - '*\spoolsv.exe' - - '*\tstheme.exe' - - '*\userinit.exe' - - '*\vssadmin.exe' - - '*\vssvc.exe' - - '*\w3wp.exe' - - '*\winlogon.exe' - - '*\winscp.exe' - - '*\wmic.exe' - - '*\word.exe' - - '*\wscript.exe' - SELECTION_3: - SourceImage: '*Visual Studio*' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Unknown -fields: -- ComputerName -- User -- SourceImage -- TargetImage -id: 66d31e5f-52d6-40a4-9615-002d3789a119 -level: high -logsource: - category: create_remote_thread - product: windows -modified: 2021/06/27 -notes: -- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite - 
for process injection for .NET in-memory offensive tools. -references: -- Personal research, statistical analysis -- https://lolbas-project.github.io -status: experimental -tags: -- attack.privilege_escalation -- attack.defense_evasion -- attack.t1055 -ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml deleted file mode 100644 index cf32a722..00000000 --- a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Executable in ADS -author: Florian Roth, @0xrawsec -date: 2018/06/03 -description: Detects the creation of an ADS data stream that contains an executable - (non-empty imphash) -detection: - SELECTION_1: - EventID: 15 - SELECTION_2: - Imphash: '00000000000000000000000000000000' - SELECTION_3: - Imphash|re: ^$ - condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3))) -falsepositives: -- unknown -fields: -- TargetFilename -- Image -id: b69888d4-380c-45ce-9cf9-d9ce46e67821 -level: critical -logsource: - category: create_stream_hash - definition: 'Requirements: Sysmon config with Imphash logging activated' - product: windows -modified: 2020/08/26 -references: -- https://twitter.com/0xrawsec/status/1002478725605273600?s=21 -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -- attack.s0139 -- attack.t1564.004 -ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml deleted file mode 100644 index 9e3a7b40..00000000 --- a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ /dev/null 
@@ -1,29 +0,0 @@ - -title: Exports Registry Key To an Alternate Data Stream -author: Oddvar Moe, Sander Wiebing, oscd.community -date: 2020/10/07 -description: Exports the target Registry key and hides it in the specified alternate - data stream. -detection: - SELECTION_1: - EventID: 15 - SELECTION_2: - Image: '*\regedit.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -fields: -- TargetFilename -id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84 -level: high -logsource: - category: create_stream_hash - product: windows -references: -- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml -- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -status: experimental -tags: -- attack.defense_evasion -- attack.t1564.004 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml deleted file mode 100644 index 061ce08f..00000000 --- a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: Suspicious Cobalt Strike DNS Beaconing -author: Florian Roth -date: 2021/11/09 -description: Detects a program that invoked suspicious DNS queries known from Cobalt - Strike beacons -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: - - aaa.stage.* - - post.1* - SELECTION_3: - QueryName: '*.stage.123456.*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Unknown -fields: -- Image -- CommandLine -id: f356a9c4-effd-4608-bbf8-408afd5cd006 -level: critical -logsource: - category: dns_query - product: windows -references: -- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns -- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ -status: experimental -tags: -- attack.command_and_control -- attack.t1071 -- attack.t1071.004 -ruletype: SIGMA 
diff --git a/rules/sigma/dns_query/dns_net_susp_ipify.yml b/rules/sigma/dns_query/dns_net_susp_ipify.yml deleted file mode 100644 index 6c6a7533..00000000 --- a/rules/sigma/dns_query/dns_net_susp_ipify.yml +++ /dev/null @@ -1,52 +0,0 @@ - -title: Suspicious DNS Query for IP Lookup Service APIs -author: Brandon George (blog post), Thomas Patzke (rule) -date: 2021/07/08 -description: Detects DNS queries for ip lookup services such as api.ipify.org not - originating from a browser process. -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: - - canireachthe.net - - ipv4.icanhazip.com - - ip.anysrc.net - - edns.ip-api.com - - wtfismyip.com - - checkip.dyndns.org - - api.2ip.ua - - icanhazip.com - - api.ipify.org - - ip-api.com - - checkip.amazonaws.com - - ipecho.net - - ipinfo.io - - ipv4bot.whatismyipaddress.com - - freegeoip.app - SELECTION_3: - Image: - - '*\chrome.exe' - - '*\iexplore.exe' - - '*\firefox.exe' - - '*\brave.exe' - - '*\opera.exe' - - '*\msedge.exe' - - '*\vivaldi.exe' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Legitimate usage of ip lookup services such as ipify API -id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 -level: medium -logsource: - category: dns_query - product: windows -modified: 2021/09/10 -references: -- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon -- https://twitter.com/neonprimetime/status/1436376497980428318 -status: experimental -tags: -- attack.reconnaissance -- attack.t1590 -ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml deleted file mode 100644 index 098f6e01..00000000 --- a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml +++ /dev/null 
@@ -1,29 +0,0 @@ - -title: DNS HybridConnectionManager Service Bus -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2021/04/12 -description: Detects Azure Hybrid Connection Manager services querying the Azure service - bus service -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: '*servicebus.windows.net*' - SELECTION_3: - Image: '*HybridConnectionManager*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service -id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d -level: high -logsource: - category: dns_query - product: windows -modified: 2021/06/10 -references: -- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 -status: experimental -tags: -- attack.persistence -- attack.t1554 -ruletype: SIGMA
diff --git a/rules/sigma/dns_query/dns_query_mega_nz.yml b/rules/sigma/dns_query/dns_query_mega_nz.yml
deleted file mode 100644
index d0ae8a7b..00000000
--- a/rules/sigma/dns_query/dns_query_mega_nz.yml
+++ /dev/null
@@ -1,25 +0,0 @@ - -title: DNS Query for MEGA.io Upload Domain -author: Aaron Greetham (@beardofbinary) - NCC Group -date: 2021/05/26 -description: Detects DNS queries for subdomains used for upload to MEGA.io -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: '*userstorage.mega.co.nz*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Mega upload -id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 -level: high -logsource: - category: dns_query - product: windows -references: -- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ -status: experimental -tags: -- attack.exfiltration -- attack.t1567.002 -ruletype: SIGMA
diff --git a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml
deleted file mode 100644
index f45dd33d..00000000
--- a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml
+++ /dev/null
@@ -1,76 +0,0 @@ - -title: Possible DNS Rebinding -author: Ilyas Ochkov, oscd.community -date: 2019/10/25 -description: Detects several different DNS-answers by one domain with IPs from internal - and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved - in host cache for a while TTL). -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - QueryName: '*' - SELECTION_3: - QueryStatus: '0' - SELECTION_4: - QueryResults: - - (::ffff:)?10.* - - (::ffff:)?192.168.* - - (::ffff:)?172.16.* - - (::ffff:)?172.17.* - - (::ffff:)?172.18.* - - (::ffff:)?172.19.* - - (::ffff:)?172.20.* - - (::ffff:)?172.21.* - - (::ffff:)?172.22.* - - (::ffff:)?172.23.* - - (::ffff:)?172.24.* - - (::ffff:)?172.25.* - - (::ffff:)?172.26.* - - (::ffff:)?172.27.* - - (::ffff:)?172.28.* - - (::ffff:)?172.29.* - - (::ffff:)?172.30.* - - (::ffff:)?172.31.* - - (::ffff:)?127.* - SELECTION_5: - QueryName: '*' - SELECTION_6: - QueryStatus: '0' - SELECTION_7: - QueryResults: - - (::ffff:)?10.* - - (::ffff:)?192.168.* - - (::ffff:)?172.16.* - - (::ffff:)?172.17.* - - (::ffff:)?172.18.* - - (::ffff:)?172.19.* - - (::ffff:)?172.20.* - - (::ffff:)?172.21.* - - (::ffff:)?172.22.* - - (::ffff:)?172.23.* - - (::ffff:)?172.24.* - - (::ffff:)?172.25.* - - (::ffff:)?172.26.* - - (::ffff:)?172.27.* - - (::ffff:)?172.28.* - - (::ffff:)?172.29.* - - (::ffff:)?172.30.* - - (::ffff:)?172.31.* - - (::ffff:)?127.* - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5 - and SELECTION_6) and not (SELECTION_7)) | count(QueryName) by ComputerName > - 3 -id: eb07e747-2552-44cd-af36-b659ae0958e4 -level: medium -logsource: - category: dns_query - product: windows -modified: 2020/08/28 -references: -- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 -status: experimental -tags: -- attack.initial_access -- attack.t1189 -ruletype: SIGMA 
diff --git a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml
deleted file mode 100644
index 399f4c18..00000000
--- a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml
+++ /dev/null
@@ -1,41 +0,0 @@ - -title: Regsvr32 Network Activity -author: Dmitriy Lifanov, oscd.community -date: 2019/10/25 -description: Detects network connections and DNS queries initiated by Regsvr32.exe -detection: - SELECTION_1: - EventID: 22 - SELECTION_2: - Image: '*\regsvr32.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- ComputerName -- User -- Image -- DestinationIp -- DestinationPort -id: 36e037c4-c228-4866-b6a3-48eb292b9955 -level: high -logsource: - category: dns_query - product: windows -modified: 2021/09/21 -references: -- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ -- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md -related: -- id: c7e91a02-d771-4a6d-a700-42587e0b1095 - type: derived -status: experimental -tags: -- attack.execution -- attack.t1559.001 -- attack.t1175 -- attack.defense_evasion -- attack.t1218.010 -- attack.t1117 -ruletype: SIGMA
diff --git a/rules/sigma/driver_load/driver_load_mal_creddumper.yml b/rules/sigma/driver_load/driver_load_mal_creddumper.yml
deleted file mode 100644
index be4611a2..00000000
--- a/rules/sigma/driver_load/driver_load_mal_creddumper.yml
+++ /dev/null
@@ -1,46 +0,0 @@ - -title: Credential Dumping Tools Service Execution -author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -date: 2017/03/05 -description: Detects well-known credential dumping tools execution via service execution - events -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: - - '*fgexec*' - - '*dumpsvc*' - - '*cachedump*' - - '*mimidrv*' - - '*gsecdump*' - - '*servpw*' - - '*pwdump*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate Administrator using credential dumping tool for password recovery -id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 -level: critical -logsource: - category: driver_load - product: windows -modified: 2021/11/10 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -related: -- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed - type: derived -status: experimental -tags: -- attack.credential_access -- attack.execution -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.004 -- attack.t1003.005 -- attack.t1003.006 -- attack.t1035 -- attack.t1569.002 -- attack.s0005 -ruletype: SIGMA
diff --git a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
deleted file mode 100644
index c3a686f5..00000000
--- a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ /dev/null
@@ -1,69 +0,0 @@ - -title: Meterpreter or Cobalt Strike Getsystem Service Installation -author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service installation -detection: - SELECTION_1: - EventID: 6 - SELECTION_10: - ImagePath: '*cmd.exe*' - SELECTION_11: - ImagePath: '*/c*' - SELECTION_12: - ImagePath: '*echo*' - SELECTION_13: - ImagePath: '*\pipe\\*' - SELECTION_14: - ImagePath: '*rundll32*' - SELECTION_15: - ImagePath: '*.dll,a*' - SELECTION_16: - ImagePath: '*/p:*' - SELECTION_2: - ImagePath: '*cmd*' - SELECTION_3: - ImagePath: '*/c*' - SELECTION_4: - ImagePath: '*echo*' - SELECTION_5: - ImagePath: '*\pipe\\*' - SELECTION_6: - ImagePath: '*%COMSPEC%*' - SELECTION_7: - ImagePath: '*/c*' - SELECTION_8: - ImagePath: '*echo*' - SELECTION_9: - ImagePath: '*\pipe\\*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) - or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10 - and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15 - and SELECTION_16))) -falsepositives: -- Highly unlikely -fields: -- ComputerName -- SubjectDomainName -- SubjectUserName -- ImagePath -id: d585ab5a-6a69-49a8-96e8-4a726a54de46 -level: critical -logsource: - category: driver_load - product: windows -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment -- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ -related: -- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived -status: experimental -tags: -- attack.privilege_escalation -- attack.t1134 -- attack.t1134.001 -- attack.t1134.002 -ruletype: SIGMA 
diff --git a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml
deleted file mode 100644
index 2d4eff19..00000000
--- a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml
+++ /dev/null
@@ -1,31 +0,0 @@ - -title: PowerShell Scripts Run by a Services -author: oscd.community, Natalia Shornikova -date: 2020/10/06 -description: Detects powershell script installed as a Service -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: - - '*powershell*' - - '*pwsh*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 -level: high -logsource: - category: driver_load - product: windows -modified: 2021/09/21 -references: -- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse -related: -- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae - type: derived -status: experimental -tags: -- attack.execution -- attack.t1569.002 -ruletype: SIGMA
diff --git a/rules/sigma/driver_load/driver_load_susp_temp_use.yml b/rules/sigma/driver_load/driver_load_susp_temp_use.yml
deleted file mode 100644
index 3c95b5ba..00000000
--- a/rules/sigma/driver_load/driver_load_susp_temp_use.yml
+++ /dev/null
@@ -1,26 +0,0 @@ - -title: Suspicious Driver Load from Temp -author: Florian Roth -date: 2017/02/12 -description: Detects a driver load from a temporary directory -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: '*\Temp\\*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- there is a relevant set of false positives depending on applications in the environment -id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 -level: high -logsource: - category: driver_load - product: windows -modified: 2020/08/23 -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1050 -- attack.t1543.003 -ruletype: SIGMA
diff --git a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml
deleted file mode 100644
index 1afc0de5..00000000
--- a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml
+++ /dev/null
@@ -1,35 +0,0 @@ - -title: Vulnerable Dell BIOS Update Driver Load -author: Florian Roth -date: 2021/05/05 -description: Detects the load of the vulnerable Dell BIOS update driver as reported - in CVE-2021-21551 -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: '*\DBUtil_2_3.Sys*' - SELECTION_3: - Hashes: - - '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*' - - '*c948ae14761095e4d76b55d9de86412258be7afd*' - - '*c996d7971c49252c582171d9380360f2*' - - '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*' - - '*10b30bdee43b3a2ec4aa63375577ade650269d25*' - - '*d2fd132ab7bbc6bbb87a84f026fa0244*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- legitimate BIOS driver updates (should be rare) -id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 -level: high -logsource: - category: driver_load - product: windows -references: -- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ -status: experimental -tags: -- attack.privilege_escalation -- cve.2021.21551 -- attack.t1543 -ruletype: SIGMA
diff --git a/rules/sigma/driver_load/driver_load_windivert.yml b/rules/sigma/driver_load/driver_load_windivert.yml
deleted file mode 100644
index bbd6699d..00000000
--- a/rules/sigma/driver_load/driver_load_windivert.yml
+++ /dev/null
@@ -1,31 +0,0 @@ - -title: WinDivert Driver Load -author: Florian Roth -date: 2021/07/30 -description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection - package for Windows -detection: - SELECTION_1: - EventID: 6 - SELECTION_2: - ImageLoaded: - - '*\WinDivert.sys*' - - '*\WinDivert64.sys*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- legitimate WinDivert driver usage -id: 679085d5-f427-4484-9f58-1dc30a7c426d -level: high -logsource: - category: driver_load - product: windows -references: -- https://reqrypt.org/windivert-doc.html -- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ -status: experimental -tags: -- attack.collection -- attack.defense_evasion -- attack.t1599.001 -- attack.t1557.001 -ruletype: SIGMA
diff --git a/rules/sigma/edr/edr_command_execution_by_office_applications.yml b/rules/sigma/edr/edr_command_execution_by_office_applications.yml
deleted file mode 100644
index aaa27e57..00000000
--- a/rules/sigma/edr/edr_command_execution_by_office_applications.yml
+++ /dev/null
@@ -1,37 +0,0 @@ -title: EDR WMI Command Execution by Office Applications -author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) -date: 2021/08/23 -description: Initial execution of malicious document calls wmic Win32_Process::Create - to execute the file with regsvr32 -detection: - SELECTION_1: - EventLog: EDR - SELECTION_2: - EventType: WMIExecution - SELECTION_3: - WMIcommand: '*Win32_Process\:\:Create*' - SELECTION_4: - Image: - - '*\winword.exe' - - '*\excel.exe' - - '*\powerpnt.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815 -level: high -logsource: - category: edr - product: windows -modified: 2021/11/09 -references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -status: experimental -tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defense_evasion -ruletype: SIGMA
diff --git a/rules/sigma/file_delete/sysmon_delete_prefetch.yml b/rules/sigma/file_delete/sysmon_delete_prefetch.yml
deleted file mode 100644
index ad26aa1a..00000000
--- a/rules/sigma/file_delete/sysmon_delete_prefetch.yml
+++ /dev/null
@@ -1,32 +0,0 @@ - -title: Prefetch File Deletion -author: Cedric MAURUGEON -date: 2021/09/29 -description: Detects the deletion of a prefetch file (AntiForensic) -detection: - SELECTION_1: - EventID: 23 - SELECTION_2: - EventID: 26 - SELECTION_3: - TargetFilename: C:\Windows\Prefetch\\* - SELECTION_4: - TargetFilename: '*.pf' - SELECTION_5: - Image: C:\windows\system32\svchost.exe - SELECTION_6: - User: NT AUTHORITY\SYSTEM - condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not - (SELECTION_5 and SELECTION_6)) -falsepositives: -- Unknown -id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 -level: high -logsource: - category: file_delete - product: windows -status: experimental -tags: -- attack.defense_evasion -- attack.t1070.004 -ruletype: SIGMA
diff --git a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
deleted file mode 100644
index 09e8b1ac..00000000
--- a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
+++ /dev/null
@@ -1,31 +0,0 @@ - -title: Sysinternals SDelete File Deletion -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -description: A General detection to trigger for the deletion of files by Sysinternals - SDelete. It looks for the common name pattern used to rename files. -detection: - SELECTION_1: - EventID: 23 - SELECTION_2: - EventID: 26 - SELECTION_3: - TargetFilename: - - '*.AAA' - - '*.ZZZ' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3) -falsepositives: -- Legitime usage of SDelete -id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc -level: medium -logsource: - category: file_delete - product: windows -references: -- https://github.com/OTRF/detection-hackathon-apt29/issues/9 -- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html -status: experimental -tags: -- attack.defense_evasion -- attack.t1070.004 -ruletype: SIGMA
diff --git a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml
deleted file mode 100644
index 2f9f5720..00000000
--- a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml
+++ /dev/null
@@ -1,34 +0,0 @@ - -title: Windows Spooler Service Suspicious File Deletion -author: Bhabesh Raj -date: 2021/07/01 -description: Detect DLL deletions from Spooler Service driver folder -detection: - SELECTION_1: - EventID: 23 - SELECTION_2: - EventID: 26 - SELECTION_3: - Image: '*spoolsv.exe' - SELECTION_4: - TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*' - condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf -level: high -logsource: - category: file_delete - product: windows -modified: 2021/08/24 -references: -- https://github.com/hhlxf/PrintNightmare -- https://github.com/cube0x0/CVE-2021-1675 -status: experimental -tags: -- attack.persistence -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1574 -- cve.2021.1675 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml
deleted file mode 100644
index 5e595fd6..00000000
--- a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml
+++ /dev/null
@@ -1,34 +0,0 @@ - -title: Advanced IP Scanner -author: '@ROxPinTeddy' -date: 2020/05/12 -description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for - ransomware groups. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Legitimate administrative use -id: fed85bf9-e075-4280-9159-fbe8a023d6fa -level: medium -logsource: - category: file_event - product: windows -modified: 2021/09/11 -references: -- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ -- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html -- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc -- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf -- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer -related: -- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f - type: derived -status: experimental -tags: -- attack.discovery -- attack.t1046 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml
deleted file mode 100644
index d6f8fd79..00000000
--- a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml
+++ /dev/null
@@ -1,30 +0,0 @@ - -title: Unidentified Attacker November 2018 -author: '@41thexplorer, Microsoft Defender ATP' -date: 2018/11/20 -description: A sigma rule detecting an unidetefied attacker who used phishing emails - to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 - campaign in 2016. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*ds7002.lnk*' - condition: (SELECTION_1 and SELECTION_2) -id: 3a3f81ca-652c-482b-adeb-b1c804727f74 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://twitter.com/DrunkBinary/status/1063075530180886529 -related: -- id: 7453575c-a747-40b9-839b-125a0aae324b - type: derived -status: stable -tags: -- attack.execution -- attack.t1218.011 -- attack.t1085 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
deleted file mode 100644
index d5138819..00000000
--- a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ /dev/null
@@ -1,41 +0,0 @@ - -title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum -author: Sittikorn S -date: 2021/07/16 -description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 - CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*C:\Windows\system32\physmem.sys*' - - '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*' - - '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*' - - '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*' - - '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*' - - '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*' - - '*C:\Windows\system32\config\config\startwus.dat*' - - '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*' - - '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*' - - '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/09 -references: -- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ -- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ -status: experimental -tags: -- attack.credential_access -- attack.t1566 -- attack.t1203 -- cve.2021.33771 -- cve.2021.31979 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_hack_dumpert.yml b/rules/sigma/file_event/file_event_hack_dumpert.yml
deleted file mode 100644
index 7b10aec1..00000000
--- a/rules/sigma/file_event/file_event_hack_dumpert.yml
+++ /dev/null
@@ -1,32 +0,0 @@ - -title: Dumpert Process Dumper -author: Florian Roth -date: 2020/02/04 -description: Detects the use of Dumpert process dumper, which dumps the lsass.exe - process memory -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Windows\Temp\dumpert.dmp - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Very unlikely -id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/21 -references: -- https://github.com/outflanknl/Dumpert -- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ -related: -- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 - type: derived -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_hktl_createminidump.yml b/rules/sigma/file_event/file_event_hktl_createminidump.yml
deleted file mode 100644
index 759c245f..00000000
--- a/rules/sigma/file_event/file_event_hktl_createminidump.yml
+++ /dev/null
@@ -1,31 +0,0 @@ - -title: CreateMiniDump Hacktool -author: Florian Roth -date: 2019/12/22 -description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process - memory for credential extraction on the attacker's machine -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\lsass.dmp' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: db2110f3-479d-42a6-94fb-d35bc1e46492 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass -related: -- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d - type: derived -status: deprecated -tags: -- attack.credential_access -- attack.t1003.001 -- attack.t1003 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_lsass_dump.yml b/rules/sigma/file_event/file_event_lsass_dump.yml
deleted file mode 100644
index f8a18a0b..00000000
--- a/rules/sigma/file_event/file_event_lsass_dump.yml
+++ /dev/null
@@ -1,38 +0,0 @@ - -title: LSASS Process Memory Dump Files -author: Florian Roth -date: 2021/11/15 -description: Detects file names used by different memory dumping tools to create a - memory dump of the LSASS process memory, which contains user credentials -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\lsass.dmp' - - '*\lsass.zip' - - '*\lsass.rar' - SELECTION_3: - TargetFilename: - - '*\lsass_2*' - - '*\lsassdump*' - - '*\lsassdmp*' - condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) -falsepositives: -- Unknown -id: a5a2d357-1ab8-4675-a967-ef9990a59391 -level: high -logsource: - category: file_event - product: windows -references: -- https://www.google.com/search?q=procdump+lsass -related: -- id: db2110f3-479d-42a6-94fb-d35bc1e46492 - type: obsoletes -status: experimental -tags: -- attack.credential_access -- attack.t1003.001 -- attack.t1003 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_mal_adwind.yml b/rules/sigma/file_event/file_event_mal_adwind.yml
deleted file mode 100644
index 89d02db2..00000000
--- a/rules/sigma/file_event/file_event_mal_adwind.yml
+++ /dev/null
@@ -1,36 +0,0 @@ - -title: Adwind RAT / JRAT -author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community -date: 2017/11/10 -description: Detects javaw.exe in AppData folder as used by Adwind / JRAT -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Roaming\Oracle\bin\java*' - SELECTION_3: - TargetFilename: '*.exe*' - SELECTION_4: - TargetFilename: '*\Retrive*' - SELECTION_5: - TargetFilename: '*.vbs*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 -- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf -related: -- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 - type: derived -status: experimental -tags: -- attack.execution -- attack.t1059.005 -- attack.t1059.007 -- attack.t1064 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_mal_vhd_download.yml b/rules/sigma/file_event/file_event_mal_vhd_download.yml
deleted file mode 100644
index d52d9515..00000000
--- a/rules/sigma/file_event/file_event_mal_vhd_download.yml
+++ /dev/null
@@ -1,41 +0,0 @@ - -title: Suspicious VHD Image Download From Browser -author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' -date: 2021/10/25 -description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate - payloads and evade security controls -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: - - '*chrome.exe' - - '*firefox.exe' - - '*microsoftedge.exe' - - '*microsoftedgecp.exe' - - '*msedge.exe' - - '*iexplorer.exe' - - '*brave.exe' - - '*opera.exe' - SELECTION_3: - TargetFilename: '*.vhd*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate user creation -id: 8468111a-ef07-4654-903b-b863a80bbc95 -level: medium -logsource: - category: file_event - definition: in sysmon add ".vhd - " - product: windows -modified: 2021/10/29 -references: -- https://redcanary.com/blog/intelligence-insights-october-2021/ -- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ -- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ -status: test -tags: -- attack.resource_development -- attack.t1587.001 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml
deleted file mode 100644
index dc9d26df..00000000
--- a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml
+++ /dev/null
@@ -1,26 +0,0 @@ - -title: Mimikatz Kirbi File Creation -author: Florian Roth -date: 2021/11/08 -description: Detects the creation of files that contain Kerberos tickets based on - an extension used by the popular tool Mimikatz -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*.kirbi' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unlikely -id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 -level: critical -logsource: - category: file_event - product: windows -references: -- https://cobalt.io/blog/kerberoast-attack-techniques -status: test -tags: -- attack.credential_access -- attack.t1558 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_moriya_rootkit.yml b/rules/sigma/file_event/file_event_moriya_rootkit.yml
deleted file mode 100644
index 3f7ba19a..00000000
--- a/rules/sigma/file_event/file_event_moriya_rootkit.yml
+++ /dev/null
@@ -1,31 +0,0 @@ - -title: Moriya Rootkit -author: Bhabesh Raj -date: 2021/05/06 -description: Detects the use of Moriya rootkit as described in the securelist's Operation - TunnelSnake report -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- None -id: a1507d71-0b60-44f6-b17c-bf53220fdd88 -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/21 -references: -- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 -related: -- id: 25b9c01c-350d-4b95-bed1-836d04a4f324 - type: derived -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.t1543.003 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_pingback_backdoor.yml b/rules/sigma/file_event/file_event_pingback_backdoor.yml
deleted file mode 100644
index 8b387765..00000000
--- a/rules/sigma/file_event/file_event_pingback_backdoor.yml
+++ /dev/null
@@ -1,30 +0,0 @@ - -title: Pingback Backdoor -author: Bhabesh Raj -date: 2021/05/05 -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*updata.exe' - SELECTION_3: - TargetFilename: C:\Windows\oci.dll - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Very unlikely -id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 -level: high -logsource: - category: file_event - product: windows -modified: 2021/09/09 -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel -- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 -status: experimental -tags: -- attack.persistence -- attack.t1574.001 -ruletype: SIGMA
diff --git a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml
deleted file mode 100644
index cf7d60b7..00000000
--- a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml
+++ /dev/null
@@ -1,47 +0,0 @@ - -title: Created Files by Office Applications -author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) -date: 2021/08/23 -description: This rule will monitor executable and script file creation by office - applications. Please add more file extensions or magic bytes to the logic of your - choice. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: - - '*winword.exe' - - '*excel.exe' - - '*powerpnt.exe' - SELECTION_3: - TargetFilename: - - '*.exe' - - '*.dll' - - '*.ocx' - - '*.com' - - '*.ps1' - - '*.vbs' - - '*.sys' - - '*.bat' - - '*.scr' - - '*.proj' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -level: high -logsource: - category: file_event - product: windows -modified: 2021/11/10 -references: -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ -- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -status: experimental -tags: -- attack.t1204.002 -- attack.t1047 -- attack.t1218.010 -- attack.execution -- attack.defense_evasion -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_susp_task_write.yml b/rules/sigma/file_event/file_event_susp_task_write.yml deleted file mode 100644 index 5429a0cf..00000000 --- a/rules/sigma/file_event/file_event_susp_task_write.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -title: Suspicious Scheduled Task Writ to System32 Tasks -author: Florian Roth -date: 2021/11/16 -description: -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Windows\System32\Tasks*' - SELECTION_3: - Image: - - '*\AppData\\*' - - '*C:\PerfLogs*' - - '*\Windows\System32\config\systemprofile*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 80e1f67a-4596-4351-98f5-a9c3efabac95 -level: high -logsource: - category: file_event - product: windows -references: -- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ -status: experimental -tags: -- attack.persistence -- attack.execution -- attack.t1053 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_tool_psexec.yml b/rules/sigma/file_event/file_event_tool_psexec.yml deleted file mode 100644 index f5a257b3..00000000 --- a/rules/sigma/file_event/file_event_tool_psexec.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: PsExec Tool Execution -author: Thomas Patzke -date: 2017/06/12 -description: Detects PsExec service installation and execution events (service and - Sysmon) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\PSEXESVC.exe' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -fields: -- EventID -- CommandLine -- ParentCommandLine -- ServiceName -- ServiceFileName -- TargetFilename -- PipeName -id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d -level: low -logsource: - category: file_event - product: windows -modified: 2021/09/21 -references: -- https://www.jpcert.or.jp/english/pub/sr/ir_research.html -- https://jpcertcc.github.io/ToolAnalysisResultSheet -related: -- id: 42c575ea-e41e-41f1-b248-8093c3e82a28 - type: derived -status: experimental -tags: -- attack.execution -- attack.t1035 -- attack.t1569.002 -- attack.s0029 -ruletype: SIGMA 
diff --git a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml deleted file mode 100644 index 81183bbd..00000000 --- a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml +++ /dev/null @@ -1,31 +0,0 @@ - -title: UAC Bypass Abusing Winsat Path Parsing - File -author: Christian Burkard -date: 2021/08/30 -description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe - (UACMe 52) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: - - '*\AppData\Local\Temp\system32\winsat.exe' - - '*\AppData\Local\Temp\system32\winmm.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 155dbf56-e0a4-4dd0-8905-8a98705045e8 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml deleted file mode 100644 index d5ca7ab4..00000000 --- a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml +++ /dev/null 
@@ -1,33 +0,0 @@ - -title: UAC Bypass Using Windows Media Player - File -author: Christian Burkard -date: 2021/08/23 -description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll - (UACMe 32) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: C:\Users\\* - SELECTION_3: - TargetFilename: '*\AppData\Local\Temp\OskSupport.dll' - SELECTION_4: - Image: C:\Windows\system32\DllHost.exe - SELECTION_5: - TargetFilename: C:\Program Files\Windows Media Player\osk.exe - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -falsepositives: -- Unknown -id: 68578b43-65df-4f81-9a9b-92f32711a951 -level: high -logsource: - category: file_event - product: windows -references: -- https://github.com/hfiref0x/UACME -status: experimental -tags: -- attack.defense_evasion -- attack.privilege_escalation -- attack.t1548.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml deleted file mode 100644 index e442758a..00000000 --- a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml +++ /dev/null 
@@ -1,50 +0,0 @@ - -title: Windows Shell File Write to Suspicious Folder -author: Florian Roth -date: 2021/11/20 -description: Detects a Windows executable that writes files to suspicious folders -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\msbuild.exe' - SELECTION_3: - TargetFilename: - - '*C:\Users\Public*' - - '*C:\PerfLogs*' - SELECTION_4: - Image: - - '*\schtasks.exe' - - '*\wmic.exe' - - '*\mshta.exe' - - '*\rundll32.exe' - - '*\forfiles.exe' - - '*\scriptrunner.exe' - SELECTION_5: - TargetFilename: - - '*C:\Users\Public*' - - '*C:\PerfLogs*' - - '*\AppData\\*' - - '*C:\Windows\Temp*' - condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5))) -falsepositives: -- Unknown -fields: -- CommandLine -- ParentCommandLine -id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 -level: high -logsource: - category: file_event - product: windows -references: -- No references -status: experimental -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml deleted file mode 100644 index 8d003e2a..00000000 --- a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml +++ /dev/null 
@@ -1,36 +0,0 @@ - -title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl -author: Julia Fomina, oscd.community -date: 2020/10/06 -description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via - winrm.vbs and copied cscript.exe (can be renamed) -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*WsmPty.xsl' - - '*WsmTxt.xsl' - SELECTION_3: - TargetFilename: - - C:\Windows\System32\\* - - C:\Windows\SysWOW64\\* - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Unlikely -id: d353dac0-1b41-46c2-820c-d7d2561fc6ed -level: medium -logsource: - category: file_event - product: windows -modified: 2021/09/19 -references: -- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 -related: -- id: 074e0ded-6ced-4ebd-8b4d-53f55908119 - type: derived -status: experimental -tags: -- attack.defense_evasion -- attack.t1216 -ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml deleted file mode 100644 index a6f4e9a5..00000000 --- a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml +++ /dev/null 
@@ -1,31 +0,0 @@ - -title: Wmiprvse Wbemcomn DLL Hijack -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/12 -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network and loading it for a WMI DLL Hijack scenario. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: System - SELECTION_3: - TargetFilename: '*\wbem\wbemcomn.dll' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 614a7e17-5643-4d89-b6fe-f9df1a79641c -level: critical -logsource: - category: file_event - product: windows -modified: 2021/09/09 -references: -- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html -status: experimental -tags: -- attack.execution -- attack.t1047 -- attack.lateral_movement -- attack.t1021.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_creation_system_file.yml b/rules/sigma/file_event/sysmon_creation_system_file.yml deleted file mode 100644 index fca4521b..00000000 --- a/rules/sigma/file_event/sysmon_creation_system_file.yml +++ /dev/null 
@@ -1,68 +0,0 @@ - -title: File Created with System Process Name -author: Sander Wiebing -date: 2020/05/26 -description: Detects the creation of an executable with a system process name in a - suspicious folder -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\svchost.exe' - - '*\rundll32.exe' - - '*\services.exe' - - '*\powershell.exe' - - '*\regsvr32.exe' - - '*\spoolsv.exe' - - '*\lsass.exe' - - '*\smss.exe' - - '*\csrss.exe' - - '*\conhost.exe' - - '*\wininit.exe' - - '*\lsm.exe' - - '*\winlogon.exe' - - '*\explorer.exe' - - '*\taskhost.exe' - - '*\Taskmgr.exe' - - '*\taskmgr.exe' - - '*\sihost.exe' - - '*\RuntimeBroker.exe' - - '*\runtimebroker.exe' - - '*\smartscreen.exe' - - '*\dllhost.exe' - - '*\audiodg.exe' - - '*\wlanext.exe' - SELECTION_3: - TargetFilename: - - C:\Windows\System32\\* - - C:\Windows\system32\\* - - C:\Windows\SysWow64\\* - - C:\Windows\SysWOW64\\* - - C:\Windows\winsxs\\* - - C:\Windows\WinSxS\\* - - \SystemRoot\System32\\* - SELECTION_4: - Image: '*\Windows\System32\dism.exe' - SELECTION_5: - TargetFilename: C:\$WINDOWS.~BT\\* - SELECTION_6: - Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe - condition: (SELECTION_1 and (SELECTION_2 and not (SELECTION_3 and SELECTION_4)) - and not (SELECTION_5 and SELECTION_6)) -falsepositives: -- System processes copied outside the default folder -fields: -- Image -id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d -level: high -logsource: - category: file_event - product: windows -modified: 2021/10/28 -status: test -tags: -- attack.defense_evasion -- attack.t1036 -- attack.t1036.005 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml deleted file mode 100644 index cf546df7..00000000 --- a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml +++ /dev/null 
@@ -1,58 +0,0 @@ - -title: Cred Dump Tools Dropped Files -author: Teymur Kheirkhabarov, oscd.community -date: 2019/11/01 -description: Files with well-known filenames (parts of credential dump software or - files produced by them) creation -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\pwdump*' - - '*\kirbi*' - - '*\pwhashes*' - - '*\wce_ccache*' - - '*\wce_krbtkts*' - - '*\fgdump-log*' - SELECTION_3: - TargetFilename: - - '*\test.pwd' - - '*\lsremora64.dll' - - '*\lsremora.dll' - - '*\fgexec.exe' - - '*\wceaux.dll' - - '*\SAM.out' - - '*\SECURITY.out' - - '*\SYSTEM.out' - - '*\NTDS.out' - - '*\DumpExt.dll' - - '*\DumpSvc.exe' - - '*\cachedump64.exe' - - '*\cachedump.exe' - - '*\pstgdump.exe' - - '*\servpw.exe' - - '*\servpw64.exe' - - '*\pwdump.exe' - - '*\procdump64.exe' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Legitimate Administrator using tool for password recovery -id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -- attack.t1003.002 -- attack.t1003.003 -- attack.t1003.004 -- attack.t1003.005 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml deleted file mode 100644 index 1a282c20..00000000 --- a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml +++ /dev/null 
@@ -1,39 +0,0 @@ - -title: CVE-2021-26858 Exchange Exploitation -author: Bhabesh Raj -date: 2021/03/03 -description: Detects possible successful exploitation for vulnerability described - in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange - Server’s Unified Messaging service | which could indicate dropping web shells or - other malicious content -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*UMWorkerProcess.exe' - SELECTION_3: - TargetFilename: - - '*CacheCleanup.bin' - - '*.txt' - - '*.LOG' - - '*.cfg' - - '*cleanup.bin' - condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) -falsepositives: -- Unknown -fields: -- ComputerName -- TargetFilename -id: b06335b3-55ac-4b41-937e-16b7f5d57dfd -level: critical -logsource: - category: file_event - product: windows -references: -- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ -status: experimental -tags: -- attack.t1203 -- attack.execution -- cve.2021.26858 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml deleted file mode 100644 index a66f5b02..00000000 --- a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml +++ /dev/null 
@@ -1,33 +0,0 @@ - -title: Powerup Write Hijack DLL -author: Subhash Popuri (@pbssubhash) -date: 2021/08/21 -description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege - escalation. In it's default mode, it builds a self deleting .bat file which executes - malicious command. The detection rule relies on creation of the malicious bat file - (debug.bat by default). -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*\powershell.exe' - SELECTION_3: - TargetFilename: '*.bat' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Pentest -- Any powershell script that creates bat files -id: 602a1f13-c640-4d73-b053-be9a2fa58b96 -level: high -logsource: - category: file_event - product: windows -references: -- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ -status: experimental -tags: -- attack.persistence -- attack.privilege_escalation -- attack.defense_evasion -- attack.t1574.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml deleted file mode 100644 index ace295fb..00000000 --- a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: Detection of SafetyKatz -author: Markus Neis -date: 2018/07/24 -description: Detects possible SafetyKatz Behaviour -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Temp\debug.bin' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: e074832a-eada-4fd7-94a1-10642b130e16 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://github.com/GhostPack/SafetyKatz -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA 
diff --git a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml deleted file mode 100644 index 9d54ad3e..00000000 --- a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml +++ /dev/null @@ -1,35 +0,0 @@ - -title: LSASS Memory Dump File Creation -author: Teymur Kheirkhabarov, oscd.community -date: 2019/10/22 -description: LSASS memory dump creation using operating systems utilities. Procdump - will use process name in output file if no name is specified -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*lsass*' - SELECTION_3: - TargetFilename: '*dmp' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Dumping lsass memory for forensic investigation purposes by legitimate incident - responder or forensic invetigator -- Dumps of another process that contains lsass in its process name (substring) -fields: -- ComputerName -- TargetFilename -id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a -level: high -logsource: - category: file_event - product: windows -modified: 2021/08/16 -references: -- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_office_persistence.yml b/rules/sigma/file_event/sysmon_office_persistence.yml deleted file mode 100644 index afa4c9dc..00000000 --- a/rules/sigma/file_event/sysmon_office_persistence.yml +++ /dev/null 
@@ -1,41 +0,0 @@ - -title: Microsoft Office Add-In Loading -author: NVISO -date: 2020/05/11 -description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll - are simply .dll fit for Word or Excel). -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Microsoft\Word\Startup\\*' - SELECTION_3: - TargetFilename: '*.wll' - SELECTION_4: - TargetFilename: '*\Microsoft\Excel\Startup\\*' - SELECTION_5: - TargetFilename: '*.xll' - SELECTION_6: - TargetFilename: '*\Microsoft\Addins\\*' - SELECTION_7: - TargetFilename: - - '*.xlam' - - '*.xla' - condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and - SELECTION_5)) or (SELECTION_6 and SELECTION_7))) -falsepositives: -- Legitimate add-ins -id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936 -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- Internal Research -status: experimental -tags: -- attack.persistence -- attack.t1137 -- attack.t1137.006 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_outlook_newform.yml b/rules/sigma/file_event/sysmon_outlook_newform.yml deleted file mode 100644 index 94b0b8dd..00000000 --- a/rules/sigma/file_event/sysmon_outlook_newform.yml +++ /dev/null @@ -1,30 +0,0 @@ - -title: Outlook Form Installation -author: Tobias Michalski -date: 2021/06/10 -description: Detects the creation of new Outlook form which can contain malicious - code -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: \outlook.exe - SELECTION_3: - TargetFilename: '*\appdata\local\microsoft\FORMS\\*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- unknown -fields: -- TargetFilename -id: c3edc6a5-d9d4-48d8-930e-aab518390917 -level: high -logsource: - category: file_event - product: windows -references: -- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 -status: experimental -tags: -- attack.persistence -- attack.t1137.003 -ruletype: SIGMA 
diff --git a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml deleted file mode 100644 index 2bee4489..00000000 --- a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml +++ /dev/null @@ -1,27 +0,0 @@ - -title: PCRE.NET Package Temp Files -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/10/29 -description: Detects processes creating temp files related to PCRE.NET package -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da -level: high -logsource: - category: file_event - product: windows -modified: 2021/08/14 -references: -- https://twitter.com/rbmaslen/status/1321859647091970051 -- https://twitter.com/tifkin_/status/1321916444557365248 -status: experimental -tags: -- attack.execution -- attack.t1059 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml deleted file mode 100644 index 9c9acc39..00000000 --- a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml +++ /dev/null 
@@ -1,121 +0,0 @@ - -title: Malicious PowerShell Commandlet Names -author: Markus Neis -date: 2018/04/07 -description: Detects the creation of known powershell scripts for exploitation -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*\Invoke-DllInjection.ps1' - - '*\Invoke-WmiCommand.ps1' - - '*\Get-GPPPassword.ps1' - - '*\Get-Keystrokes.ps1' - - '*\Get-VaultCredential.ps1' - - '*\Invoke-CredentialInjection.ps1' - - '*\Invoke-Mimikatz.ps1' - - '*\Invoke-NinjaCopy.ps1' - - '*\Invoke-TokenManipulation.ps1' - - '*\Out-Minidump.ps1' - - '*\VolumeShadowCopyTools.ps1' - - '*\Invoke-ReflectivePEInjection.ps1' - - '*\Get-TimedScreenshot.ps1' - - '*\Invoke-UserHunter.ps1' - - '*\Find-GPOLocation.ps1' - - '*\Invoke-ACLScanner.ps1' - - '*\Invoke-DowngradeAccount.ps1' - - '*\Get-ServiceUnquoted.ps1' - - '*\Get-ServiceFilePermission.ps1' - - '*\Get-ServicePermission.ps1' - - '*\Invoke-ServiceAbuse.ps1' - - '*\Install-ServiceBinary.ps1' - - '*\Get-RegAutoLogon.ps1' - - '*\Get-VulnAutoRun.ps1' - - '*\Get-VulnSchTask.ps1' - - '*\Get-UnattendedInstallFile.ps1' - - '*\Get-WebConfig.ps1' - - '*\Get-ApplicationHost.ps1' - - '*\Get-RegAlwaysInstallElevated.ps1' - - '*\Get-Unconstrained.ps1' - - '*\Add-RegBackdoor.ps1' - - '*\Add-ScrnSaveBackdoor.ps1' - - '*\Gupt-Backdoor.ps1' - - '*\Invoke-ADSBackdoor.ps1' - - '*\Enabled-DuplicateToken.ps1' - - '*\Invoke-PsUaCme.ps1' - - '*\Remove-Update.ps1' - - '*\Check-VM.ps1' - - '*\Get-LSASecret.ps1' - - '*\Get-PassHashes.ps1' - - '*\Show-TargetScreen.ps1' - - '*\Port-Scan.ps1' - - '*\Invoke-PoshRatHttp.ps1' - - '*\Invoke-PowerShellTCP.ps1' - - '*\Invoke-PowerShellWMI.ps1' - - '*\Add-Exfiltration.ps1' - - '*\Add-Persistence.ps1' - - '*\Do-Exfiltration.ps1' - - '*\Start-CaptureServer.ps1' - - '*\Invoke-ShellCode.ps1' - - '*\Get-ChromeDump.ps1' - - '*\Get-ClipboardContents.ps1' - - '*\Get-FoxDump.ps1' - - '*\Get-IndexedItem.ps1' - - '*\Get-Screenshot.ps1' - - '*\Invoke-Inveigh.ps1' - - '*\Invoke-NetRipper.ps1' - - 
'*\Invoke-EgressCheck.ps1' - - '*\Invoke-PostExfil.ps1' - - '*\Invoke-PSInject.ps1' - - '*\Invoke-RunAs.ps1' - - '*\MailRaider.ps1' - - '*\New-HoneyHash.ps1' - - '*\Set-MacAttribute.ps1' - - '*\Invoke-DCSync.ps1' - - '*\Invoke-PowerDump.ps1' - - '*\Exploit-Jboss.ps1' - - '*\Invoke-ThunderStruck.ps1' - - '*\Invoke-VoiceTroll.ps1' - - '*\Set-Wallpaper.ps1' - - '*\Invoke-InveighRelay.ps1' - - '*\Invoke-PsExec.ps1' - - '*\Invoke-SSHCommand.ps1' - - '*\Get-SecurityPackages.ps1' - - '*\Install-SSP.ps1' - - '*\Invoke-BackdoorLNK.ps1' - - '*\PowerBreach.ps1' - - '*\Get-SiteListPassword.ps1' - - '*\Get-System.ps1' - - '*\Invoke-BypassUAC.ps1' - - '*\Invoke-Tater.ps1' - - '*\Invoke-WScriptBypassUAC.ps1' - - '*\PowerUp.ps1' - - '*\PowerView.ps1' - - '*\Get-RickAstley.ps1' - - '*\Find-Fruit.ps1' - - '*\HTTP-Login.ps1' - - '*\Find-TrustedDocuments.ps1' - - '*\Invoke-Paranoia.ps1' - - '*\Invoke-WinEnum.ps1' - - '*\Invoke-ARPScan.ps1' - - '*\Invoke-PortScan.ps1' - - '*\Invoke-ReverseDNSLookup.ps1' - - '*\Invoke-SMBScanner.ps1' - - '*\Invoke-Mimikittenz.ps1' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Penetration Tests -id: f331aa1f-8c53-4fc3-b083-cc159bc971cb -level: high -logsource: - category: file_event - product: windows -references: -- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml -status: experimental -tags: -- attack.execution -- attack.t1086 -- attack.t1059.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml deleted file mode 100644 index d8f3f241..00000000 --- a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml +++ /dev/null 
@@ -1,38 +0,0 @@ - -title: PowerShell Writing Startup Shortcuts -author: Christopher Peacock '@securepeacock', SCYTHE -date: 2021/10/24 -description: Attempts to detect PowerShell writing startup shortcuts. This procedure - was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries - using PowerShell to write malicious .lnk files into the startup directory to establish - persistence. Accordingly, this detection opportunity is likely to identify persistence - mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence - mechanism eventually launches the command-line script that leads to the installation - of a malicious DLL" -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - Image: '*\powershell.exe' - SELECTION_3: - TargetFilename: '*\start menu\programs\startup\\*' - SELECTION_4: - TargetFilename: '*.lnk' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- Unknown -- Depending on your environment accepted applications may leverage this at times. - It is recomended to search for anomolies inidicative of malware. -id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d -level: high -logsource: - category: file_event - product: windows -references: -- https://redcanary.com/blog/intelligence-insights-october-2021/ -- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder -status: experimental -tags: -- attack.registry_run_keys_/_startup_folder -- attack.t1547.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml deleted file mode 100644 index 0d7e58b5..00000000 --- a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml +++ /dev/null 
@@ -1,29 +0,0 @@ - -title: QuarksPwDump Dump File -author: Florian Roth -date: 2018/02/10 -description: Detects a dump file written by QuarksPwDump password dumper -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\SAM-*' - SELECTION_3: - TargetFilename: '*.dmp*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) -falsepositives: -- Unknown -id: 847def9e-924d-4e90-b7c4-5f581395a2b4 -level: critical -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm -status: experimental -tags: -- attack.credential_access -- attack.t1003 -- attack.t1003.002 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml deleted file mode 100644 index 7144b964..00000000 --- a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml +++ /dev/null @@ -1,28 +0,0 @@ - -title: RedMimicry Winnti Playbook Dropped File -author: Alexander Rausch -date: 2020/06/24 -description: Detects actions caused by the RedMimicry Winnti playbook -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: - - '*gthread-3.6.dll*' - - '*sigcmm-2.4.dll*' - - '*\Windows\Temp\tmp.bat*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- Unknown -id: 130c9e58-28ac-4f83-8574-0a4cc913b97e -level: high -logsource: - category: file_event - product: windows -references: -- https://redmimicry.com -status: experimental -tags: -- attack.defense_evasion -- attack.t1027 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml deleted file mode 100644 index 474f4758..00000000 --- a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml +++ /dev/null 
@@ -1,27 +0,0 @@ - -title: Startup Folder File Write -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -description: A General detection for files being created in the Windows startup directory. - This could be an indicator of persistence. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*' - condition: (SELECTION_1 and SELECTION_2) -falsepositives: -- unknown -id: 2aa0a6b4-a865-495b-ab51-c28249537b75 -level: low -logsource: - category: file_event - product: windows -references: -- https://github.com/OTRF/detection-hackathon-apt29/issues/12 -- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html -status: experimental -tags: -- attack.persistence -- attack.t1547.001 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml deleted file mode 100644 index 36e1cb6c..00000000 --- a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml +++ /dev/null 
@@ -1,40 +0,0 @@ - -title: Suspicious ADSI-Cache Usage By Unknown Tool -author: xknow @xknow_infosec -date: 2019/03/24 -description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect - tools like LDAPFragger. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*' - SELECTION_3: - TargetFilename: '*.sch' - SELECTION_4: - Image: - - C:\windows\system32\svchost.exe - - C:\windows\system32\dllhost.exe - - C:\windows\system32\mmc.exe - - C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe - - C:\Windows\CCM\CcmExec.exe - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity - by MMC, Powershell, Windows etc. -id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb -level: high -logsource: - category: file_event - product: windows -modified: 2020/08/23 -references: -- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 -- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ -- https://github.com/fox-it/LDAPFragger -status: experimental -tags: -- attack.t1071 -- attack.t1001.003 -- attack.command_and_control -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_clr_logs.yml b/rules/sigma/file_event/sysmon_susp_clr_logs.yml deleted file mode 100644 index cff06d72..00000000 --- a/rules/sigma/file_event/sysmon_susp_clr_logs.yml +++ /dev/null 
@@ -1,45 +0,0 @@ - -title: Suspcious CLR Logs Creation -author: omkar72, oscd.community, Wojciech Lesicki -date: 2020/10/12 -description: Detects suspicious .NET assembly executions. Could detect using Cobalt - Strike's command execute-assembly. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Microsoft\CLR*' - SELECTION_3: - TargetFilename: '*\UsageLogs\\*' - SELECTION_4: - TargetFilename: - - '*mshta*' - - '*cscript*' - - '*wscript*' - - '*regsvr32*' - - '*wmic*' - - '*rundll32*' - - '*svchost*' - condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) -falsepositives: -- https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc - in command line and msiexec.exe as parent process -id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -level: high -logsource: - category: file_event - definition: Check your sysmon configuration for monitoring UsageLogs folder. In - SwiftOnSecurity configuration we have that thanks @SBousseaden - product: windows -modified: 2021/11/17 -references: -- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ -- https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml -status: experimental -tags: -- attack.execution -- attack.defense_evasion -- attack.t1059.001 -- attack.t1218 -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml deleted file mode 100644 index 8269eafd..00000000 --- a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml +++ /dev/null 
@@ -1,34 +0,0 @@
-
-title: Suspicious desktop.ini Action
-author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/19
-description: Detects unusual processes accessing desktop.ini, which can be leveraged
- to alter how Explorer displays a folder's content (i.e. renaming files) without
- changing them on disk.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\desktop.ini'
- SELECTION_3:
- Image:
- - C:\Windows\explorer.exe
- - C:\Windows\System32\msiexec.exe
- - C:\Windows\System32\mmc.exe
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- Operations performed through Windows SCCM or equivalent
-id: 81315b50-6b60-4d8f-9928-3466e1022515
-level: medium
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1023
-- attack.t1547.009
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml
deleted file mode 100644
index 71481373..00000000
--- a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-title: Suspicious PFX File Creation
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A general detection for processes creating PFX files. This could be an
- indicator of an adversary exporting a local certificate to a PFX file.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*.pfx'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- System administrators managing certififcates.
-id: dca1b3e8-e043-4ec8-85d7-867f334b5724
-level: medium
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/14
-- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1552.004
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
deleted file mode 100644
index 22e29910..00000000
--- a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ /dev/null
@@ -1,39 +0,0 @@ - -title: Suspicious PROCEXP152.sys File Created In TMP -author: xknow (@xknow_infosec), xorxes (@xor_xes) -date: 2019/04/08 -description: Detects the creation of the PROCEXP152.sys file in the application-data - local temporary folder. This driver is used by Sysinternals Process Explorer but - also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), - which uses KDU. -detection: - SELECTION_1: - EventID: 11 - SELECTION_2: - TargetFilename: '*\AppData\Local\Temp\\*' - SELECTION_3: - TargetFilename: '*PROCEXP152.sys' - SELECTION_4: - Image: - - '*\procexp64.exe*' - - '*\procexp.exe*' - - '*\procmon64.exe*' - - '*\procmon.exe*' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4)) -falsepositives: -- Other legimate tools using this driver and filename (like Sysinternals). Note - - Clever attackers may easily bypass this detection by just renaming the driver filename. - Therefore just Medium-level and don't rely on it. -id: 3da70954-0f2c-4103-adff-b7440368f50e -level: medium -logsource: - category: file_event - product: windows -references: -- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -status: experimental -tags: -- attack.t1089 -- attack.t1562.001 -- attack.defense_evasion -ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml deleted file mode 100644 index 9f340600..00000000 --- a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml +++ /dev/null 
@@ -1,31 +0,0 @@
-
-title: Powershell Profile.ps1 Modification
-author: HieuTT35
-date: 2019/10/24
-description: Detects a change in profile.ps1 of the Powershell profile
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\profile.ps1*'
- SELECTION_3:
- TargetFilename: '*\My Documents\PowerShell\\*'
- SELECTION_4:
- TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*'
- condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
-falsepositives:
-- System administrator create Powershell profile manually
-id: b5b78988-486d-4a80-b991-930eff3ff8bf
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/24
-references:
-- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1546.013
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml
deleted file mode 100644
index 112ec4af..00000000
--- a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-
-title: Hijack Legit RDP Session to Move Laterally
-author: Samir Bousseaden
-date: 2019/02/21
-description: Detects the usage of tsclient share to place a backdoor on the RDP source
- machine's startup folder
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*\mstsc.exe'
- SELECTION_3:
- TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-id: 52753ea4-b3a0-4365-910d-36cff487b789
-level: high
-logsource:
- category: file_event
- product: windows
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1219
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml
deleted file mode 100644
index 4b4354b6..00000000
--- a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: UAC Bypass Using Consent and Comctl32 - File
-author: Christian Burkard
-date: 2021/08/23
-description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
- (UACMe 22)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Windows\System32\consent.exe.@*
- SELECTION_3:
- TargetFilename: '*\comctl32.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml
deleted file mode 100644
index 0754223c..00000000
--- a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: UAC Bypass Using .NET Code Profiler on MMC
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe
- DLL hijacking (UACMe 39)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\pe386.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 93a19907-d4f9-4deb-9f91-aac4692776a6
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml
deleted file mode 100644
index 9676afb4..00000000
--- a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-
-title: UAC Bypass Using IEInstal - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: C:\Program Files\Internet Explorer\IEInstal.exe
- SELECTION_3:
- TargetFilename: C:\Users\\*
- SELECTION_4:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_5:
- TargetFilename: '*consent.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
-falsepositives:
-- Unknown
-id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml
deleted file mode 100644
index ff744dca..00000000
--- a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: UAC Bypass Using MSConfig Token Modification - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 41bb431f-56d8-4691-bb56-ed34e390906f
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
deleted file mode 100644
index de79c275..00000000
--- a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: UAC Bypass Using NTFS Reparse Point - File
-author: Christian Burkard
-date: 2021/08/30
-description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
- DLL hijacking (UACMe 36)
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: C:\Users\\*
- SELECTION_3:
- TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/hfiref0x/UACME
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml
deleted file mode 100644
index 40389d2e..00000000
--- a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-
-title: Windows Webshell Creation
-author: Beyu Denis, oscd.community
-date: 2019/10/22
-description: Possible webshell file creation on a static web site
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_10:
- TargetFilename: '*.pl*'
- SELECTION_11:
- TargetFilename:
- - '*\AppData\Local\Temp\\*'
- - '*\Windows\Temp\\*'
- SELECTION_2:
- TargetFilename: '*\inetpub\wwwroot\\*'
- SELECTION_3:
- TargetFilename:
- - '*.asp*'
- - '*.ashx*'
- - '*.ph*'
- SELECTION_4:
- TargetFilename:
- - '*\AppData\Local\Temp\\*'
- - '*\Windows\Temp\\*'
- SELECTION_5:
- TargetFilename:
- - '*\www\\*'
- - '*\htdocs\\*'
- - '*\html\\*'
- SELECTION_6:
- TargetFilename: '*.ph*'
- SELECTION_7:
- TargetFilename:
- - '*\AppData\Local\Temp\\*'
- - '*\Windows\Temp\\*'
- SELECTION_8:
- TargetFilename: '*.jsp'
- SELECTION_9:
- TargetFilename: '*\cgi-bin\\*'
- condition: (SELECTION_1 and ((((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
- or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7))) or ((SELECTION_8 or
- (SELECTION_9 and SELECTION_10)) and not (SELECTION_11))))
-falsepositives:
-- Legitimate administrator or developer creating legitimate executable files in a
- web application folder
-id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- PT ESC rule and personal experience
-status: experimental
-tags:
-- attack.persistence
-- attack.t1100
-- attack.t1505.003
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
deleted file mode 100644
index 48e26ae1..00000000
--- a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-title: WMI Persistence - Script Event Consumer File Write
-author: Thomas Patzke
-date: 2018/03/07
-description: Detects file writes of WMI script event consumer
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: C:\WINDOWS\system32\wbem\scrcons.exe
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
-id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2020/08/23
-references:
-- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-status: experimental
-tags:
-- attack.t1084
-- attack.t1546.003
-- attack.persistence
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml
deleted file mode 100644
index 51720d15..00000000
--- a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-
-title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
-author: Florian Roth
-date: 2021/06/29
-description: Detects the default filename used in PoC code against print spooler vulnerability
- CVE-2021-1675
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename:
- - '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*'
- - '*C:\Windows\System32\spool\drivers\x64\3\New\\*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- TargetFilename
-id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/07/01
-references:
-- https://github.com/hhlxf/PrintNightmare
-- https://github.com/afwu/PrintNightmare
-- https://github.com/cube0x0/CVE-2021-1675
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.resource_development
-- attack.t1587
-- cve.2021.1675
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml
deleted file mode 100644
index 5042704f..00000000
--- a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-
-title: Suspicious Word Cab File Write CVE-2021-40444
-author: Florian Roth, Sittikorn S
-date: 2021/09/10
-description: Detects file creation patterns noticeable during the exploitation of
- CVE-2021-40444
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: \winword.exe
- SELECTION_3:
- TargetFilename: '*.cab'
- SELECTION_4:
- TargetFilename: '*\Windows\INetCache*'
- SELECTION_5:
- TargetFilename: '*\AppData\Local\Temp\\*'
- SELECTION_6:
- TargetFilename: '*.inf*'
- condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
- and SELECTION_6)))
-falsepositives:
-- unknown
-fields:
-- TargetFilename
-id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-level: critical
-logsource:
- category: file_event
- product: windows
-modified: 2021/09/13
-references:
-- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
-- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
-status: experimental
-tags:
-- attack.resource_development
-- attack.t1587
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/win_hivenightmare_file_exports.yml b/rules/sigma/file_event/win_hivenightmare_file_exports.yml
deleted file mode 100644
index 6d80bb79..00000000
--- a/rules/sigma/file_event/win_hivenightmare_file_exports.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-
-title: Typical HiveNightmare SAM File Export
-author: Florian Roth
-date: 2021/07/23
-description: Detects files written by the different tools that exploit HiveNightmare
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename:
- - '*\hive_sam_*'
- - '*\SAM-2021-*'
- - '*\SAM-2022-*'
- - '*\SAM-haxx*'
- - '*\Sam.save*'
- SELECTION_3:
- TargetFilename:
- - C:\windows\temp\sam
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Files that accidentally contain these strings
-fields:
-- CommandLine
-- ParentCommandLine
-id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://github.com/GossiTheDog/HiveNightmare
-- https://github.com/FireFart/hivenightmare/
-- https://github.com/WiredPulse/Invoke-HiveNightmare
-- https://twitter.com/cube0x0/status/1418920190759378944
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1552.001
-- cve.2021.36934
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml
deleted file mode 100644
index d9f6f964..00000000
--- a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-title: Outlook C2 Macro Creation
-author: '@ScoubiMtl'
-date: 2021/04/05
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key.
- VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both
- events Registry & File Creation happens at the same time.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*\Microsoft\Outlook\VbaProject.OTM'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- User genuinly creates a VB Macro for their email
-id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
-level: medium
-logsource:
- category: file_event
- product: windows
-references:
-- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
-status: experimental
-tags:
-- attack.persistence
-- attack.command_and_control
-- attack.t1137
-- attack.t1008
-- attack.t1546
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/win_rclone_exec_file.yml b/rules/sigma/file_event/win_rclone_exec_file.yml
deleted file mode 100644
index 1455ae44..00000000
--- a/rules/sigma/file_event/win_rclone_exec_file.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Rclone Config File Creation
-author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-description: Detects Rclone config file being created
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename: '*:\Users\\*'
- SELECTION_3:
- TargetFilename: '*\.config\rclone\\*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Legitimate Rclone usage (rare)
-id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
-level: high
-logsource:
- category: file_event
- product: windows
-modified: 2021/10/04
-references:
-- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
-status: experimental
-tags:
-- attack.exfiltration
-- attack.t1567.002
-ruletype: SIGMA
diff --git a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml
deleted file mode 100644
index ec85a436..00000000
--- a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-
-title: Suspicious Desktopimgdownldr Target File
-author: Florian Roth
-date: 2020/07/03
-description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores
- a file to a suspicious location or contains a file with a suspicious extension
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- Image: '*svchost.exe'
- SELECTION_3:
- TargetFilename: '*\Personalization\LockScreenImage\\*'
- SELECTION_4:
- TargetFilename: '*C:\Windows\\*'
- SELECTION_5:
- TargetFilename:
- - '*.jpg*'
- - '*.jpeg*'
- - '*.png*'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
- and not (SELECTION_5))
-falsepositives:
-- False positives depend on scripts and administrative tools used in the monitored
- environment
-fields:
-- CommandLine
-- ParentCommandLine
-id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
-- https://twitter.com/SBousseaden/status/1278977301745741825
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1105
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/image_load_pingback_backdoor.yml b/rules/sigma/image_load/image_load_pingback_backdoor.yml
deleted file mode 100644
index a9f33802..00000000
--- a/rules/sigma/image_load/image_load_pingback_backdoor.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-title: Pingback Backdoor
-author: Bhabesh Raj
-date: 2021/05/05
-description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
- as described in the trustwave report
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*msdtc.exe'
- SELECTION_3:
- ImageLoaded: C:\Windows\oci.dll
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Very unlikely
-id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/09/09
-references:
-- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
-- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
-status: experimental
-tags:
-- attack.persistence
-- attack.t1574.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml
deleted file mode 100644
index cc88231c..00000000
--- a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: SILENTTRINITY Stager Execution
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-description: Detects SILENTTRINITY stager use
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Description: '*st2stager*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/10/04
-references:
-- https://github.com/byt3bl33d3r/SILENTTRINITY
-related:
-- id: 03552375-cc2c-4883-bbe4-7958d5a980be
- type: derived
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1071
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
deleted file mode 100644
index f533e5fb..00000000
--- a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Wmiprvse Wbemcomn DLL Hijack
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
- directory over the network and loading it for a WMI DLL Hijack scenario.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\wmiprvse.exe'
- SELECTION_3:
- ImageLoaded: '*\wbem\wbemcomn.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: 7707a579-e0d8-4886-a853-ce47e4575aaa
-level: critical
-logsource:
- category: image_load
- product: windows
-modified: 2021/09/09
-references:
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-- attack.lateral_movement
-- attack.t1021.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml
deleted file mode 100644
index 95031338..00000000
--- a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Time Travel Debugging Utility Usage
-author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-date: 2020/10/06
-description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
- malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- ParentImage: '*\tttracer.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate usage by software developers/testers
-id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/21
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
-- https://twitter.com/mattifestation/status/1196390321783025666
-- https://twitter.com/oulusoyum/status/1191329746069655553
-related:
-- id: e76c8240-d68f-4773-8880-5c6f63595aaf
- type: derived
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.credential_access
-- attack.t1218
-- attack.t1003.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml
deleted file mode 100644
index 2b9dcdbc..00000000
--- a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: Abusing Azure Browser SSO
-author: Den Iuzvyk
-date: 2020/07/15
-description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens
- for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure
- AD and a user logs in with their Azure AD account) wanting to perform SSO authentication
- in the browser. An attacker can use this to authenticate to Azure AD in a browser
- as that user.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*MicrosoftAccountTokenProvider.dll'
- SELECTION_3:
- Image:
- - '*BackgroundTaskHost.exe'
- - '*devenv.exe'
- - '*iexplore.exe'
- - '*MicrosoftEdge.exe'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- unknown
-id: 50f852e6-af22-4c78-9ede-42ef36aa3453
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/12/23
-references:
-- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1073
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
deleted file mode 100644
index cd4202f9..00000000
--- a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Alternate PowerShell Hosts
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-description: Detects alternate PowerShell hosts potentially bypassing detections looking
- for powershell.exe
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Description: System.Management.Automation
- SELECTION_3:
- ImageLoaded: '*System.Management.Automation*'
- SELECTION_4:
- Image: '*\powershell.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Unknown
-id: fe6e002f-f244-4278-9263-20e4b593827f
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/05/12
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml
deleted file mode 100644
index ae5fc804..00000000
--- a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-title: FoggyWeb Backdoor DLL Loading
-author: Florian Roth
-date: 2021/09/27
-description: Detects DLL image load activity as used by FoggyWeb backdoor loader
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: C:\Windows\ADFS\version.dll
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unlikely
-id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
-level: critical
-logsource:
- category: image_load
- product: windows
-references:
-- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
-status: experimental
-tags:
-- attack.resource_development
-- attack.t1587
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_in_memory_powershell.yml b/rules/sigma/image_load/sysmon_in_memory_powershell.yml
deleted file mode 100644
index c08df0f6..00000000
--- a/rules/sigma/image_load/sysmon_in_memory_powershell.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-
-title: In-memory PowerShell
-author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
-date: 2019/11/14
-description: Detects loading of essential DLL used by PowerShell, but not by the process
- powershell.exe. Detects meterpreter's "load powershell" extension.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded:
- - '*\System.Management.Automation.Dll'
- - '*\System.Management.Automation.ni.Dll'
- SELECTION_3:
- Image:
- - '*\powershell.exe'
- - '*\powershell_ise.exe'
- - '*\WINDOWS\System32\sdiagnhost.exe'
- - '*\mscorsvw.exe'
- - '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
- - '*\sqlps.exe'
- - '*\wsmprovhost.exe'
- - '*\winrshost.exe'
- - '*\syncappvpublishingserver.exe'
- - '*\runscripthelper.exe'
- - '*\ServerManager.exe'
- - '*\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-enrichment:
-- EN_0001_cache_sysmon_event_id_1_info
-- EN_0003_enrich_other_sysmon_events_with_event_id_1_data
-falsepositives:
-- Used by some .NET binaries, minimal on user workstation.
-- Used by Microsoft SQL Server Management Studio
-id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/11/11
-references:
-- https://adsecurity.org/?p=2921
-- https://github.com/p3nt4/PowerShdll
-related:
-- id: 867613fb-fa60-4497-a017-a82df74a172c
- type: obsoletes
-status: experimental
-tags:
-- attack.t1086
-- attack.t1059.001
-- attack.execution
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_pcre_net_load.yml b/rules/sigma/image_load/sysmon_pcre_net_load.yml
deleted file mode 100644
index 06efb137..00000000
--- a/rules/sigma/image_load/sysmon_pcre_net_load.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-title: PCRE.NET Package Image Load
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-description: Detects processes loading modules related to PCRE.NET package
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 84b0a8f3-680b-4096-a45b-e9a89221727c
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/08/14
-references:
-- https://twitter.com/rbmaslen/status/1321859647091970051
-- https://twitter.com/tifkin_/status/1321916444557365248
-status: experimental
-tags:
-- attack.execution
-- attack.t1059
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
deleted file mode 100644
index 2c4d93bc..00000000
--- a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: WMI Script Host Process Image Loaded
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/09/02
-description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe
- functionality being used via images being loaded by a process.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\scrcons.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\vbscript.dll'
- - '*\wbemdisp.dll'
- - '*\wshom.ocx'
- - '*\scrrun.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown
-id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://twitter.com/HunterPlaybook/status/1301207718355759107
-- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
-- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.privilege_escalation
-- attack.persistence
-- attack.t1546.003
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml
deleted file mode 100644
index 7040913e..00000000
--- a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Windows Spooler Service Suspicious Binary Load
-author: FPT.EagleEye, Thomas Patzke (improvements)
-date: 2021/06/29
-description: Detect DLL Load from Spooler Service backup folder
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*spoolsv.exe'
- SELECTION_3:
- ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*'
- SELECTION_4:
- ImageLoaded: '*.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Loading of legitimate driver
-id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
-level: informational
-logsource:
- category: image_load
- product: windows
-modified: 2021/08/24
-references:
-- https://github.com/hhlxf/PrintNightmare
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1574
-- cve.2021.1675
-- cve.2021.34527
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_fax_dll.yml b/rules/sigma/image_load/sysmon_susp_fax_dll.yml
deleted file mode 100644
index 527347bc..00000000
--- a/rules/sigma/image_load/sysmon_susp_fax_dll.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: Fax Service DLL Search Order Hijack
-author: NVISO
-date: 2020/05/04
-description: The Fax service attempts to load ualapi.dll, which is non-existent. An
- attacker can then (side)load their own malicious DLL using this service.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*fxssvc.exe'
- SELECTION_3:
- ImageLoaded:
- - '*ualapi.dll'
- SELECTION_4:
- ImageLoaded:
- - C:\Windows\WinSxS\\*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Unlikely
-id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://windows-internals.com/faxing-your-way-to-system/
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.t1073
-- attack.t1038
-- attack.t1574.001
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_image_load.yml b/rules/sigma/image_load/sysmon_susp_image_load.yml
deleted file mode 100644
index 5e7c1c98..00000000
--- a/rules/sigma/image_load/sysmon_susp_image_load.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-title: Possible Process Hollowing Image Loading
-author: Markus Neis
-date: 2018/01/07
-description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.
- through process hollowing by Mimikatz
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\notepad.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\samlib.dll'
- - '*\WinSCard.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Very likely, needs more tuning
-id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
deleted file mode 100644
index 8bf01a6a..00000000
--- a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: dotNET DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects any assembly DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - C:\Windows\assembly\\*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: ff0f2b05-09db-4095-b96d-1b75ca24894a
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
deleted file mode 100644
index 2d6e9c41..00000000
--- a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: CLR DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects CLR DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\clr.dll*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: d13c43f0-f66b-4279-8b2c-5912077c1780
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
deleted file mode 100644
index 85d73b1b..00000000
--- a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: GAC DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects any GAC DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - C:\Windows\Microsoft.NET\assembly\GAC_MSIL*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: 90217a70-13fc-48e4-b3db-0d836c5824ac
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml
deleted file mode 100644
index e0636a7c..00000000
--- a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Active Directory Parsing DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects DSParse DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\dsparse.dll*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: a2a3b925-7bb0-433b-b508-db9003263cc4
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml
deleted file mode 100644
index 34c4c4fe..00000000
--- a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Active Directory Kerberos DLL Loaded Via Office Applications
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects Kerberos DLL being loaded by an Office Product
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\kerberos.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_python_image_load.yml b/rules/sigma/image_load/sysmon_susp_python_image_load.yml
deleted file mode 100644
index 2af6e561..00000000
--- a/rules/sigma/image_load/sysmon_susp_python_image_load.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-title: Python Py2Exe Image Load
-author: Patrick St. John, OTR (Open Threat Research)
-date: 2020/05/03
-description: Detects the image load of Python Core indicative of a Python script bundled
- with Py2Exe.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Description: Python Core
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legit Py2Exe Binaries
-fields:
-- Description
-id: cbb56d62-4060-40f7-9466-d8aaf3123f83
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/05/12
-references:
-- https://www.py2exe.org/
-- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1027.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
deleted file mode 100644
index 013da64c..00000000
--- a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: CLR DLL Loaded Via Scripting Applications
-author: omkar72, oscd.community
-date: 2020/10/14
-description: Detects CLR DLL being loaded by an scripting applications
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\mshta.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\clr.dll'
- - '*\mscoree.dll'
- - '*\mscorlib.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- unknown
-id: 4508a70e-97ef-4300-b62b-ff27992990ea
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://github.com/tyranid/DotNetToJScript
-- https://thewover.github.io/Introducing-Donut/
-- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.t1055
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml
deleted file mode 100644
index 8d0ea2fe..00000000
--- a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-
-title: Suspicious System.Drawing Load
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-description: A General detection for processes loading System.Drawing.ni.dll. This
- could be an indicator of potential Screen Capture.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded: '*\System.Drawing.ni.dll'
- SELECTION_3:
- Image:
- - '*\WmiPrvSE.exe'
- - '*\mmc.exe'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- unknown
-id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/11/16
-references:
-- https://github.com/OTRF/detection-hackathon-apt29/issues/16
-- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
-status: experimental
-tags:
-- attack.collection
-- attack.t1113
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml
deleted file mode 100644
index a91fa571..00000000
--- a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: VBA DLL Loaded Via Microsoft Word
-author: Antonlovesdnb
-date: 2020/02/19
-description: Detects DLL's Loaded Via Word Containing VBA Macros
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\VBE7.DLL'
- - '*\VBEUI.DLL'
- - '*\VBE7INTL.DLL'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Alerts on legitimate macro usage as well, will need to filter as appropriate
-id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-- attack.t1204.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml
deleted file mode 100644
index c63c492f..00000000
--- a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
-author: Michael R. (@nahamike01)
-date: 2019/12/26
-description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\wmiutils.dll'
- - '*\wbemcomn.dll'
- - '*\wbemprox.dll'
- - '*\wbemdisp.dll'
- - '*\wbemsvc.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Possible. Requires further testing.
-id: a457f232-7df9-491d-898f-b5aabd2cbe2f
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
-- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
-- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
deleted file mode 100644
index 05dc8b88..00000000
--- a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-
-title: Load of dbghelp/dbgcore DLL from Suspicious Process
-author: Perez Diego (@darkquassar), oscd.community, Ecco
-date: 2019/10/27
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by
- suspicious processes. Tools like ProcessHacker and some attacker tradecract use
- MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity
- C2 Framework has a module that leverages this API to dump the contents of Lsass.exe
- and transfer it over the network back to the attacker's machine.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded:
- - '*\dbghelp.dll'
- - '*\dbgcore.dll'
- SELECTION_3:
- Image:
- - '*\msbuild.exe'
- - '*\cmd.exe'
- - '*\rundll32.exe'
- - '*\powershell.exe'
- - '*\word.exe'
- - '*\excel.exe'
- - '*\powerpnt.exe'
- - '*\outlook.exe'
- - '*\monitoringhost.exe'
- - '*\wmic.exe'
- - '*\bash.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\mshta.exe'
- - '*\regsvr32.exe'
- - '*\schtasks.exe'
- - '*\dnx.exe'
- - '*\regsvcs.exe'
- - '*\sc.exe'
- - '*\scriptrunner.exe'
- SELECTION_4:
- Image: '*Visual Studio*'
- SELECTION_5:
- ImageLoaded:
- - '*\dbghelp.dll'
- - '*\dbgcore.dll'
- SELECTION_6:
- Signed: 'FALSE'
- SELECTION_7:
- Image: '*Visual Studio*'
- condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
- or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7))))
-falsepositives:
-- Penetration tests
-fields:
-- ComputerName
-- User
-- Image
-- ImageLoaded
-id: 0e277796-5f23-4e49-a490-483131d4f6e1
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
-- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml
deleted file mode 100644
index 9e8e4668..00000000
--- a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-
-title: Svchost DLL Search Order Hijack
-author: SBousseaden
-date: 2019/10/28
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that
- do not exist within C:\Windows\System32\ by default. An attacker can place their
- malicious logic within the PROCESS_ATTACH block of their library and restart the
- aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote
- machine.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\svchost.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\tsmsisrv.dll'
- - '*\tsvipsrv.dll'
- - '*\wlbsctrl.dll'
- SELECTION_4:
- ImageLoaded:
- - C:\Windows\WinSxS\\*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Pentest
-id: 602a1f13-c640-4d73-b053-be9a2fa58b77
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.t1073
-- attack.t1574.002
-- attack.t1038
-- attack.t1574.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml
deleted file mode 100644
index 51ebaf59..00000000
--- a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Time Travel Debugging Utility Usage
-author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-date: 2020/10/06
-description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
- malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded:
- - '*\ttdrecord.dll'
- - '*\ttdwriter.dll'
- - '*\ttdloader.dll'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate usage by software developers/testers
-id: e76c8240-d68f-4773-8880-5c6f63595aaf
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2021/09/21
-references:
-- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
-- https://twitter.com/mattifestation/status/1196390321783025666
-- https://twitter.com/oulusoyum/status/1191329746069655553
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.credential_access
-- attack.t1218
-- attack.t1003.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml
deleted file mode 100644
index 0f9cf9e9..00000000
--- a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-title: UAC Bypass With Fake DLL
-author: oscd.community, Dmitry Uchakin
-date: 2020/10/06
-description: Attempts to load dismcore.dll after dropping it
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image:
- - '*\dism.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\dismcore.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Pentests
-- Actions of a legitimate telnet client
-id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
-status: experimental
-tags:
-- attack.persistence
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1548.002
-- attack.t1574.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml
deleted file mode 100644
index 4066e9f6..00000000
--- a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-
-title: UIPromptForCredentials DLLs
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-description: Detects potential use of UIPromptForCredentials functions by looking
- for some of the DLLs needed for it.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded:
- - '*\credui.dll'
- - '*\wincredui.dll'
- SELECTION_3:
- OriginalFileName:
- - credui.dll
- - wincredui.dll
- SELECTION_4:
- Image:
- - C:\Windows\System32\\*
- - C:\Windows\explorer.exe*
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- other legitimate processes loading those DLLs in your environment.
-id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/11/20
-references:
-- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
-- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
-status: experimental
-tags:
-- attack.credential_access
-- attack.collection
-- attack.t1056.002
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
deleted file mode 100644
index 5669d048..00000000
--- a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: Unsigned Image Loaded Into LSASS Process
-author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-description: Loading unsigned image (DLL, EXE) into LSASS process
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\lsass.exe'
- SELECTION_3:
- Signed: 'false'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Valid user connecting using RDP
-id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1003.001
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_wmi_module_load.yml b/rules/sigma/image_load/sysmon_wmi_module_load.yml
deleted file mode 100644
index dc7ec21f..00000000
--- a/rules/sigma/image_load/sysmon_wmi_module_load.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-
-title: WMI Modules Loaded
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-description: Detects non wmiprvse loading WMI modules
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded:
- - '*\wmiclnt.dll'
- - '*\WmiApRpl.dll'
- - '*\wmiprov.dll'
- - '*\wmiutils.dll'
- - '*\wbemcomn.dll'
- - '*\wbemprox.dll'
- - '*\WMINet_Utils.dll'
- - '*\wbemsvc.dll'
- - '*\fastprox.dll'
- SELECTION_3:
- Image:
- - '*\WmiPrvSE.exe'
- - '*\WmiApSrv.exe'
- - '*\svchost.exe'
- - '*\DeviceCensus.exe'
- - '*\CompatTelRunner.exe'
- - '*\sdiagnhost.exe'
- - '*\SIHClient.exe'
- - '*\ngentask.exe'
- - '*\windows\system32\taskhostw.exe'
- - '*\windows\system32\MoUsoCoreWorker.exe'
- - '*\windows\system32\wbem\WMIADAP.exe'
- - '*C:\Windows\Sysmon64.exe'
- - '*C:\Windows\Sysmon.exe'
- - '*C:\Windows\System32\wbem\unsecapp.exe'
- - '*\logman.exe'
- - '*\systeminfo.exe'
- - '*\nvcontainer.exe'
- - '*C:\Windows\System32\wbem\WMIC.exe'
- SELECTION_4:
- Image:
- - C:\Program Files\\*
- - C:\Program Files (x86)\\*
- condition: (SELECTION_1 and (SELECTION_2 and not (SELECTION_3)) and not (SELECTION_4))
-falsepositives:
-- Unknown
-fields:
-- ComputerName
-- User
-- Image
-- ImageLoaded
-id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/11/20
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1047
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
deleted file mode 100644
index e99b0f1b..00000000
--- a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: WMI Persistence - Command Line Event Consumer
-author: Thomas Patzke
-date: 2018/03/07
-description: Detects WMI command line event consumers
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: C:\Windows\System32\wbem\WmiPrvSE.exe
- SELECTION_3:
- ImageLoaded: '*\wbemcons.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Unknown (data set is too small; further testing needed)
-id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
-level: high
-logsource:
- category: image_load
- product: windows
-modified: 2020/08/23
-references:
-- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-status: experimental
-tags:
-- attack.t1084
-- attack.t1546.003
-- attack.persistence
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
deleted file mode 100644
index 060b0a77..00000000
--- a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-title: WMIC Loading Scripting Libraries
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/17
-description: Detects threat actors proxy executing code and bypassing application
- controls by leveraging wmic and the `/FORMAT` argument switch to download and execute
- an XSL file (i.e js, vbs, etc).
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\wmic.exe'
- SELECTION_3:
- ImageLoaded:
- - '*\jscript.dll'
- - '*\vbscript.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Apparently, wmic os get lastboottuptime loads vbscript.dll
-id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
-- https://twitter.com/dez_/status/986614411711442944
-- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1220
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml b/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml
deleted file mode 100644
index 30483b48..00000000
--- a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-
-title: Suspicious WSMAN Provider Image Loads
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-description: Detects signs of potential use of the WSMAN provider from uncommon processes
- locally and remote execution.
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- EventID: 7
- SELECTION_3:
- ImageLoaded:
- - '*\WsmSvc.dll'
- - '*\WsmAuto.dll'
- - '*\Microsoft.WSMan.Management.ni.dll'
- SELECTION_4:
- OriginalFileName:
- - WsmSvc.dll
- - WSMANAUTOMATION.DLL
- - Microsoft.WSMan.Management.dll
- SELECTION_5:
- Image: '*\powershell.exe'
- SELECTION_6:
- Image: '*\svchost.exe'
- SELECTION_7:
- OriginalFileName: WsmWmiPl.dll
- condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4) and not
- (SELECTION_5)) or (SELECTION_6 and SELECTION_7)))
-falsepositives:
-- Unknown
-id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
-level: medium
-logsource:
- category: image_load
- product: windows
-modified: 2021/11/17
-references:
-- https://twitter.com/chadtilbury/status/1275851297770610688
-- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
-- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
-- https://github.com/bohops/WSMan-WinRM
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.lateral_movement
-- attack.t1021.003
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml
deleted file mode 100644
index a6d45e9c..00000000
--- a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: APT PRIVATELOG Image Load Pattern
-author: Florian Roth
-date: 2021/09/07
-description: Detects an image load pattern as seen when a tool named PRIVATELOG is
- used and rarely observed under legitimate circumstances
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- Image: '*\svchost.exe'
- SELECTION_3:
- ImageLoaded: '*\clfsw32.dll'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
-falsepositives:
-- Rarely observed
-id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1055
-ruletype: SIGMA
diff --git a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml
deleted file mode 100644
index c2a7adc2..00000000
--- a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-
-title: Image Load of VSS_PS.dll by Uncommon Executable
-author: Markus Neis, @markus_neis
-date: 2021/07/07
-description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName
- datapoint
-detection:
- SELECTION_1:
- EventID: 7
- SELECTION_2:
- ImageLoaded:
- - '*\vss_ps.dll'
- SELECTION_3:
- Image:
- - '*\svchost.exe'
- - '*\msiexec.exe'
- - '*\vssvc.exe'
- - '*\srtasks.exe'
- - '*\tiworker.exe'
- - '*\dllhost.exe'
- - '*\searchindexer.exe'
- - '*dismhost.exe'
- - '*taskhostw.exe'
- - '*\clussvc.exe'
- SELECTION_4:
- Image: '*c:\windows\\*'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 and SELECTION_4))
-falsepositives:
-- unknown
-id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
-level: high
-logsource:
- category: image_load
- product: windows
-references:
-- 1bd85e1caa1415ebdc8852c91e37bbb7
-- https://twitter.com/am0nsec/status/1412232114980982787
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.impact
-- attack.t1490
-ruletype: SIGMA
diff --git a/rules/sigma/malware/av_exploiting.yml b/rules/sigma/malware/av_exploiting.yml
deleted file mode 100644
index 08f613a5..00000000
--- a/rules/sigma/malware/av_exploiting.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-
-title: Antivirus Exploitation Framework Detection
-author: Florian Roth
-date: 2018/09/09
-description: Detects a highly relevant Antivirus alert that reports an exploitation
- framework
-detection:
- SELECTION_1:
- Signature:
- - '*MeteTool*'
- - '*MPreter*'
- - '*Meterpreter*'
- - '*Metasploit*'
- - '*PowerSploit*'
- - '*CobaltSrike*'
- - '*Swrort*'
- - '*Rozena*'
- - '*Backdoor.Cobalt*'
- - '*CobaltStr*'
- - '*COBEACON*'
- - '*Cometer*'
- - '*Razy*'
- condition: SELECTION_1
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
-level: critical
-logsource:
- product: antivirus
-modified: 2019/01/16
-references:
-- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-status: experimental
-tags:
-- attack.execution
-- attack.t1203
-- attack.command_and_control
-- attack.t1219
-ruletype: SIGMA
diff --git a/rules/sigma/malware/av_hacktool.yml b/rules/sigma/malware/av_hacktool.yml
deleted file mode 100644
index e425932b..00000000
--- a/rules/sigma/malware/av_hacktool.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-title: Antivirus Hacktool Detection
-author: Florian Roth
-date: 2021/08/16
-description: Detects a highly relevant Antivirus alert that reports a hack tool or
- other attack tool
-detection:
- SELECTION_1:
- Signature:
- - HTOOL*
- - HKTL*
- - SecurityTool*
- - ATK/*
- SELECTION_2:
- Signature:
- - '*Hacktool*'
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
-level: high
-logsource:
- product: antivirus
-references:
-- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-ruletype: SIGMA
diff --git a/rules/sigma/malware/av_password_dumper.yml b/rules/sigma/malware/av_password_dumper.yml
deleted file mode 100644
index e358a522..00000000
--- a/rules/sigma/malware/av_password_dumper.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-
-title: Antivirus Password Dumper Detection
-author: Florian Roth
-date: 2018/09/09
-description: Detects a highly relevant Antivirus alert that reports a password dumper
-detection:
- SELECTION_1:
- Signature:
- - '*DumpCreds*'
- - '*Mimikatz*'
- - '*PWCrack*'
- - '*HTool/WCE*'
- - '*PSWtool*'
- - '*PWDump*'
- - '*SecurityTool*'
- - '*PShlSpy*'
- - '*Rubeus*'
- - '*Kekeo*'
- - '*LsassDump*'
- - '*Outflank*'
- condition: SELECTION_1
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
-level: critical
-logsource:
- product: antivirus
-modified: 2019/10/04
-references:
-- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
-- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1003
-- attack.t1558
-- attack.t1003.001
-- attack.t1003.002
-ruletype: SIGMA
diff --git a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml
deleted file mode 100644
index 11ea7d57..00000000
--- a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
-author: Sittikorn S, Nuttakorn T
-date: 2021/07/01
-description: Detects the suspicious file that is created from PoC code against Windows
- Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
- CVE-2021-1675 .
-detection:
- SELECTION_1:
- FileName: '*C:\Windows\System32\spool\drivers\x64\\*'
- condition: SELECTION_1
-falsepositives:
-- Unlikely
-fields:
-- Signature
-- FileName
-- ComputerName
-id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
-level: critical
-logsource:
- product: antivirus
-references:
-- https://twitter.com/mvelazco/status/1410291741241102338
-- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
-- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
-status: stable
-tags:
-- attack.privilege_escalation
-- attack.t1055
-ruletype: SIGMA
diff --git a/rules/sigma/malware/av_relevant_files.yml b/rules/sigma/malware/av_relevant_files.yml
deleted file mode 100644
index 084f4989..00000000
--- a/rules/sigma/malware/av_relevant_files.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-
-title: Antivirus Relevant File Paths Alerts
-author: Florian Roth, Arnim Rupp
-date: 2018/09/09
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant
- file name
-detection:
- SELECTION_1:
- FileName:
- - C:\Windows\\*
- - C:\Temp\\*
- - C:\PerfLogs\\*
- - C:\Users\Public\\*
- - C:\Users\Default\\*
- SELECTION_2:
- FileName:
- - '*\Client\\*'
- - '*\tsclient\\*'
- - '*\inetpub\\*'
- - '*/www/*'
- - '*apache*'
- - '*tomcat*'
- - '*nginx*'
- - '*weblogic*'
- SELECTION_3:
- Filename:
- - '*.ps1'
- - '*.psm1'
- - '*.vbs'
- - '*.bat'
- - '*.cmd'
- - '*.sh'
- - '*.chm'
- - '*.xml'
- - '*.txt'
- - '*.jsp'
- - '*.jspx'
- - '*.asp'
- - '*.aspx'
- - '*.ashx'
- - '*.asax'
- - '*.asmx'
- - '*.php'
- - '*.cfm'
- - '*.py'
- - '*.pyc'
- - '*.pl'
- - '*.rb'
- - '*.cgi'
- - '*.war'
- - '*.ear'
- - '*.hta'
- - '*.lnk'
- - '*.scf'
- - '*.sct'
- - '*.vbe'
- - '*.wsf'
- - '*.wsh'
- - '*.gif'
- - '*.png'
- - '*.jpg'
- - '*.jpeg'
- - '*.svg'
- - '*.dat'
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
-falsepositives:
-- Unlikely
-fields:
-- Signature
-- User
-id: c9a88268-0047-4824-ba6e-4d81ce0b907c
-level: high
-logsource:
- product: antivirus
-modified: 2021/05/09
-references:
-- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
-status: experimental
-tags:
-- attack.resource_development
-- attack.t1588
-ruletype: SIGMA
diff --git a/rules/sigma/malware/av_webshell.yml b/rules/sigma/malware/av_webshell.yml
deleted file mode 100644
index 1ffda88b..00000000
--- a/rules/sigma/malware/av_webshell.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-
-title: Antivirus Web Shell Detection
-author: Florian Roth, Arnim Rupp
-date: 2018/09/09
-description: Detects a highly relevant Antivirus alert that reports a web shell. It's
- highly recommended to tune this rule to the specific strings used by your anti virus
- solution by downloading a big webshell repo from e.g. github and checking the matches.
-detection:
- SELECTION_1:
- Signature:
- - PHP/*
- - JSP/*
- - ASP/*
- - Perl/*
- - PHP.*
- - JSP.*
- - ASP.*
- - Perl.*
- - VBS/Uxor*
- - IIS/BackDoor*
- - JAVA/Backdoor*
- - Troj/ASP*
- - Troj/PHP*
- - Troj/JSP*
- SELECTION_2:
- Signature:
- - '*Webshell*'
- - '*Chopper*'
- - '*SinoChoper*'
- - '*ASPXSpy*'
- - '*Aspdoor*'
- - '*filebrowser*'
- - '*PHP_*'
- - '*JSP_*'
- - '*ASP_*'
- - '*PHP:*'
- - '*JSP:*'
- - '*ASP:*'
- - '*Perl:*'
- - '*PHPShell*'
- - '*Trojan.PHP*'
- - '*Trojan.ASP*'
- - '*Trojan.JSP*'
- - '*Trojan.VBS*'
- - '*PHP?Agent*'
- - '*ASP?Agent*'
- - '*JSP?Agent*'
- - '*VBS?Agent*'
- - '*Backdoor?PHP*'
- - '*Backdoor?JSP*'
- - '*Backdoor?ASP*'
- - '*Backdoor?VBS*'
- - '*Backdoor?Java*'
- condition: (SELECTION_1 or SELECTION_2)
-falsepositives:
-- Unlikely
-fields:
-- FileName
-- User
-id: fdf135a2-9241-4f96-a114-bb404948f736
-level: critical
-logsource:
- product: antivirus
-modified: 2021/05/08
-references:
-- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
-- https://github.com/tennc/webshell
-- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
-- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
-- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
-- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
-- 
https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
-- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
-- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
-status: experimental
-tags:
-- attack.persistence
-- attack.t1100
-- attack.t1505.003
-ruletype: SIGMA
diff --git a/rules/sigma/malware/file_event_mal_octopus_scanner.yml b/rules/sigma/malware/file_event_mal_octopus_scanner.yml
deleted file mode 100644
index 611a0e31..00000000
--- a/rules/sigma/malware/file_event_mal_octopus_scanner.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-title: Octopus Scanner Malware
-author: NVISO
-date: 2020/06/09
-description: Detects Octopus Scanner Malware.
-detection:
- SELECTION_1:
- EventID: 11
- SELECTION_2:
- TargetFilename:
- - '*\AppData\Local\Microsoft\Cache134.dat'
- - '*\AppData\Local\Microsoft\ExplorerSync.db'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 805c55d9-31e6-4846-9878-c34c75054fe9
-level: high
-logsource:
- category: file_event
- product: windows
-references:
-- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
-status: experimental
-tags:
-- attack.t1195
-- attack.t1195.001
-ruletype: SIGMA
diff --git a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml
deleted file mode 100644
index dcb7ae82..00000000
--- a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-
-title: Blue Mockingbird
-author: Trent Liffick (@tliffick)
-date: 2020/05/14
-description: Attempts to detect system changes made by Blue Mockingbird
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image: '*\cmd.exe'
- SELECTION_3:
- CommandLine: '*sc config*'
- SELECTION_4:
- CommandLine: '*wercplsupporte.dll*'
- SELECTION_5:
- Image: '*\wmic.exe'
- SELECTION_6:
- CommandLine: '*COR_PROFILER'
- condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
- and SELECTION_6)))
-falsepositives:
-- unknown
-id: c3198a27-23a0-4c2c-af19-e5328d49680e
-level: high
-logsource:
- category: process_creation
- product: windows
-modified: 2021/09/11
-references:
-- https://redcanary.com/blog/blue-mockingbird-cryptominer/
-related:
-- id: ce239692-aa94-41b3-b32f-9cab259c96ea
- type: merged
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-- attack.t1047
-ruletype: SIGMA
diff --git a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml
deleted file mode 100644
index a1ed5f01..00000000
--- a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: DarkSide Ransomware Pattern
-author: Florian Roth
-date: 2021/05/14
-description: Detects DarkSide Ransomware and helpers
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine:
- - "*=[char][byte]('0x'+*"
- - '* -work worker0 -path *'
- SELECTION_3:
- ParentCommandLine:
- - '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
- SELECTION_4:
- Image:
- - '*\AppData\Local\Temp\\*'
- condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
-falsepositives:
-- Unknown
-- UAC bypass method used by other malware
-id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
-- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
-- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-ruletype: SIGMA
diff --git a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml
deleted file mode 100644
index 37d2a39a..00000000
--- a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-title: LockerGoga Ransomware
-author: Vasiliy Burov, oscd.community
-date: 2020/10/18
-description: Detects LockerGoga Ransomware command line.
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- CommandLine: '*-i SM-tgytutrc -s*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unlikely
-id: 74db3488-fd28-480a-95aa-b7af626de068
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
-- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
-- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
-status: experimental
-tags:
-- attack.impact
-- attack.t1486
-ruletype: SIGMA
diff --git a/rules/sigma/malware/process_creation_mal_ryuk.yml b/rules/sigma/malware/process_creation_mal_ryuk.yml
deleted file mode 100644
index 3c24bb4f..00000000
--- a/rules/sigma/malware/process_creation_mal_ryuk.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Ryuk Ransomware
-author: Vasiliy Burov
-date: 2019/08/06
-description: Detects Ryuk Ransomware command lines
-detection:
- SELECTION_1:
- EventID: 1
- SELECTION_2:
- Image:
- - '*\net.exe'
- - '*\net1.exe'
- SELECTION_3:
- CommandLine: '*stop*'
- SELECTION_4:
- CommandLine:
- - '*samss*'
- - '*audioendpointbuilder*'
- - '*unistoresvc_?????*'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unlikely
-id: 0acaad27-9f02-4136-a243-c357202edd74
-level: critical
-logsource:
- category: process_creation
- product: windows
-references:
-- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
-status: experimental
-tags:
-- attack.execution
-- attack.t1204
-ruletype: SIGMA
diff --git a/rules/sigma/malware/registry_event_mal_azorult.yml b/rules/sigma/malware/registry_event_mal_azorult.yml
deleted file mode 100644
index 99935e08..00000000
--- a/rules/sigma/malware/registry_event_mal_azorult.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-
-title: Registry Entries For Azorult Malware
-author: Trent Liffick
-date: 2020/05/08
-description: Detects the presence of a registry key created during Azorult execution
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- EventID: 12
- SELECTION_5:
- EventID: 13
- SELECTION_6:
- TargetObject: '*SYSTEM\\*'
- SELECTION_7:
- TargetObject: '*\services\localNETService'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
- and SELECTION_6 and SELECTION_7)
-falsepositives:
-- unknown
-fields:
-- Image
-- TargetObject
-- TargetDetails
-id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
-level: critical
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-ruletype: SIGMA
diff --git a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml
deleted file mode 100644
index 44f831f6..00000000
--- a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-title: Blue Mockingbird
-author: Trent Liffick (@tliffick)
-date: 2020/05/14
-description: Attempts to detect system changes made by Blue Mockingbird
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- unknown
-id: 92b0b372-a939-44ed-a11b-5136cf680e27
-level: high
-logsource:
- category: registry_event
- product: windows
-modified: 2021/09/11
-references:
-- https://redcanary.com/blog/blue-mockingbird-cryptominer/
-related:
-- id: c3198a27-23a0-4c2c-af19-e5328d49680e
- type: derived
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-- attack.t1047
-ruletype: SIGMA
diff --git a/rules/sigma/malware/registry_event_mal_flowcloud.yml b/rules/sigma/malware/registry_event_mal_flowcloud.yml
deleted file mode 100644
index b1058002..00000000
--- a/rules/sigma/malware/registry_event_mal_flowcloud.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-title: FlowCloud Malware
-author: NVISO
-date: 2020/06/09
-description: Detects FlowCloud malware from threat group TA410.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject:
- - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
- - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
- - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
- SELECTION_5:
- TargetObject:
- - HKLM\SYSTEM\Setup\PrintResponsor\\*
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
-falsepositives:
-- Unknown
-id: 5118765f-6657-4ddb-a487-d7bd673abbf1
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/07/22
-references:
-- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
-status: experimental
-tags:
-- attack.persistence
-- attack.t1112
-ruletype: SIGMA
diff --git a/rules/sigma/malware/registry_event_mal_netwire.yml b/rules/sigma/malware/registry_event_mal_netwire.yml
deleted file mode 100644
index 1ce88a79..00000000
--- a/rules/sigma/malware/registry_event_mal_netwire.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: NetWire RAT Registry Key
-Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity
- "Because Sysmon runs as a service, it has no filtering ability for, or concept of,
- HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation"
- Therefore I set netwire in my
- configuration.
-author: Christopher Peacock
-date: 2021/10/07
-description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\software\NetWire*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
-falsepositives:
-- No known false positives
-id: 1d218616-71b0-4c40-855b-9dbe75510f7f
-level: high
-logsource:
- category: registry_event
- product: windows
-references:
-- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
-- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
-- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
-- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
-- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1112
-ruletype: SIGMA
diff --git a/rules/sigma/malware/registry_event_mal_ursnif.yml b/rules/sigma/malware/registry_event_mal_ursnif.yml
deleted file mode 100644
index dcf82a6a..00000000
--- a/rules/sigma/malware/registry_event_mal_ursnif.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: Ursnif
-author: megan201296
-date: 2019/02/13
-description: Detects new registry key created by Ursnif malware.
-detection:
- SELECTION_1:
- EventID: 12
- SELECTION_2:
- EventID: 13
- SELECTION_3:
- EventID: 14
- SELECTION_4:
- TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
- SELECTION_5:
- TargetObject:
- - '*\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\\*'
- - '*\SOFTWARE\AppDataLow\Software\Microsoft\RepService\\*'
- - '*\SOFTWARE\AppDataLow\Software\Microsoft\IME\\*'
- - '*\SOFTWARE\AppDataLow\Software\Microsoft\Edge\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
- (SELECTION_5))
-falsepositives:
-- Unknown
-id: 21f17060-b282-4249-ade0-589ea3591558
-level: critical
-logsource:
- category: registry_event
- product: windows
-modified: 2021/11/15
-references:
-- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
-- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
-status: experimental
-tags:
-- attack.execution
-- attack.t1112
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml
deleted file mode 100644
index 9d47d0d6..00000000
--- a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Silenttrinity Stager Msbuild Activity
-author: Kiran kumar s, oscd.community
-date: 2020/10/11
-description: Detects a possible remote connections to Silenttrinity c2
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\msbuild.exe'
- SELECTION_3:
- DestinationPort:
- - '80'
- - '443'
- SELECTION_4:
- Initiated: 'true'
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- unknown
-id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
-level: high
-logsource:
- category: network_connection
- product: windows
-references:
-- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
-status: experimental
-tags:
-- attack.execution
-- attack.t1127.001
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml
deleted file mode 100644
index 8394040b..00000000
--- a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-
-title: Dllhost Internet Connection
-author: bartblaze
-date: 2020/07/13
-description: Detects Dllhost that communicates with public IP addresses
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\dllhost.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIp:
- - 10.*
- - 192.168.*
- - 172.16.*
- - 172.17.*
- - 172.18.*
- - 172.19.*
- - 172.20.*
- - 172.21.*
- - 172.22.*
- - 172.23.*
- - 172.24.*
- - 172.25.*
- - 172.26.*
- - 172.27.*
- - 172.28.*
- - 172.29.*
- - 172.30.*
- - 172.31.*
- - 127.*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Communication to other corporate systems that use IP addresses from public address
- spaces
-id: cfed2f44-16df-4bf3-833a-79405198b277
-level: medium
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-- attack.execution
-- attack.t1559.001
-- attack.t1175
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml
deleted file mode 100644
index 98f059c7..00000000
--- a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-
-title: Excel Network Connections
-author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0"
-date: 2021/11/10
-description: Detects an Excel process that opens suspicious network connections to
- non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely
- have to tune this rule for your organization, but it is certainly something you
- should look for and could have applications for malicious activity beyond CVE-2021-42292.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\excel.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIsIpv6: 'false'
- SELECTION_5:
- DestinationIp:
- - 10.*
- - 192.168.*
- - 172.16.*
- - 172.17.*
- - 172.18.*
- - 172.19.*
- - 172.20.*
- - 172.21.*
- - 172.22.*
- - 172.23.*
- - 172.24.*
- - 172.25.*
- - 172.26.*
- - 172.27.*
- - 172.28.*
- - 172.29.*
- - 172.30.*
- - 172.31.*
- - 127.0.0.1*
- SELECTION_6:
- DestinationIsIpv6: 'false'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
- (SELECTION_5 and SELECTION_6))
-falsepositives:
-- You may have to tune certain domains out that Excel may call out to, such as microsoft
- or other business use case domains.
-- Office documents commonly have templates that refer to external addresses, like
- sharepoint.ourcompany.com may have to be tuned.
-- It is highly recomended to baseline your activity and tune out common business use
- cases.
-id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
-level: medium
-logsource:
- category: network_connection
- product: windows
-references:
-- https://corelight.com/blog/detecting-cve-2021-42292
-status: experimental
-tags:
-- attack.execution
-- attack.t1203
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml
deleted file mode 100644
index 5576ab1e..00000000
--- a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml
+++ /dev/null
@@ -1,111 +0,0 @@ - -title: Suspicious Typical Malware Back Connect Ports -author: Florian Roth -date: 2017/03/19 -description: Detects programs that connect to typical malware back connect ports based - on statistical analysis from two different sandbox system databases -detection: - SELECTION_1: - EventID: 3 - SELECTION_2: - Initiated: 'true' - SELECTION_3: - DestinationPort: - - '4443' - - '2448' - - '8143' - - '1777' - - '1443' - - '243' - - '65535' - - '13506' - - '3360' - - '200' - - '198' - - '49180' - - '13507' - - '6625' - - '4444' - - '4438' - - '1904' - - '13505' - - '13504' - - '12102' - - '9631' - - '5445' - - '2443' - - '777' - - '13394' - - '13145' - - '12103' - - '5552' - - '3939' - - '3675' - - '666' - - '473' - - '5649' - - '4455' - - '4433' - - '1817' - - '100' - - '65520' - - '1960' - - '1515' - - '743' - - '700' - - '14154' - - '14103' - - '14102' - - '12322' - - '10101' - - '7210' - - '4040' - - '9943' - SELECTION_4: - EventID: 3 - SELECTION_5: - Image: '*\Program Files*' - SELECTION_6: - DestinationIp: - - 10.* - - 192.168.* - - 172.16.* - - 172.17.* - - 172.18.* - - 172.19.* - - 172.20.* - - 172.21.* - - 172.22.* - - 172.23.* - - 172.24.* - - 172.25.* - - 172.26.* - - 172.27.* - - 172.28.* - - 172.29.* - - 172.30.* - - 172.31.* - - 127.* - SELECTION_7: - DestinationIsIpv6: 'false' - condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 - and (SELECTION_5 or (SELECTION_6 and SELECTION_7))))) -falsepositives: -- unknown -id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 -level: medium -logsource: - category: network_connection - definition: 'Use the following config to generate the necessary Event ID 10 Process - Access events: VBE7.DLLUNKNOWN' - product: windows -modified: 2020/08/24 -references: -- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -status: experimental -tags: -- attack.command_and_control -- attack.t1571 -- attack.t1043 -ruletype: SIGMA 
diff --git a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml
deleted file mode 100644
index 0911c917..00000000
--- a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Notepad Making Network Connection
-author: EagleEye Team
-date: 2020/05/14
-description: Detects suspicious network connection by Notepad
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\notepad.exe'
- SELECTION_3:
- DestinationPort: '9100'
- condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
-falsepositives:
-- None observed so far
-id: e81528db-fc02-45e8-8e98-4e84aba1f10b
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
-- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
-status: experimental
-tags:
-- attack.command_and_control
-- attack.execution
-- attack.defense_evasion
-- attack.t1055
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml
deleted file mode 100644
index 96429c14..00000000
--- a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-
-title: PowerShell Network Connections
-author: Florian Roth
-date: 2017/03/13
-description: Detects a Powershell process that opens network connections - check for
- suspicious target ports and target systems - adjust to your environment (e.g. extend
- filters with company's ip range')
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\powershell.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIsIpv6: 'false'
- SELECTION_5:
- DestinationIp:
- - 10.*
- - 192.168.*
- - 172.16.*
- - 172.17.*
- - 172.18.*
- - 172.19.*
- - 172.20.*
- - 172.21.*
- - 172.22.*
- - 172.23.*
- - 172.24.*
- - 172.25.*
- - 172.26.*
- - 172.27.*
- - 172.28.*
- - 172.29.*
- - 172.30.*
- - 172.31.*
- - 127.0.0.1*
- SELECTION_6:
- DestinationIsIpv6: 'false'
- SELECTION_7:
- User: NT AUTHORITY\SYSTEM
- SELECTION_8:
- User: '*AUT*'
- SELECTION_9:
- User: '* NT*'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
- (SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9))
-falsepositives:
-- Administrative scripts
-id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
-level: low
-logsource:
- category: network_connection
- product: windows
-modified: 2021/06/14
-references:
-- https://www.youtube.com/watch?v=DLtJTxMWZ2o
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml
deleted file mode 100644
index 38e1f4b9..00000000
--- a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-
-title: RDP Over Reverse SSH Tunnel
-author: Samir Bousseaden
-date: 2019/02/16
-description: Detects svchost hosting RDP termsvcs communicating with the loopback
- address and on TCP port 3389
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\svchost.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- SourcePort: 3389
- SELECTION_5:
- DestinationIp:
- - 127.*
- SELECTION_6:
- DestinationIp:
- - ::1
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5
- or SELECTION_6))
-falsepositives:
-- unknown
-id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2021/05/11
-references:
-- https://twitter.com/SBousseaden/status/1096148422984384514
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1572
-- attack.lateral_movement
-- attack.t1021.001
-- attack.t1076
-- car.2013-07-002
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml
deleted file mode 100644
index e3c3567c..00000000
--- a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: Regsvr32 Network Activity
-author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-description: Detects network connections and DNS queries initiated by Regsvr32.exe
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\regsvr32.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- ComputerName
-- User
-- Image
-- DestinationIp
-- DestinationPort
-id: c7e91a02-d771-4a6d-a700-42587e0b1095
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2021/09/21
-references:
-- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
-- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
-status: experimental
-tags:
-- attack.execution
-- attack.t1559.001
-- attack.t1175
-- attack.defense_evasion
-- attack.t1218.010
-- attack.t1117
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml
deleted file mode 100644
index 79b124ec..00000000
--- a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Remote PowerShell Session
-author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-description: Detects remote PowerShell connections by monitoring network outbound
- connections to ports 5985 or 5986 from a non-network service account.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- DestinationPort: 5985
- SELECTION_3:
- DestinationPort: 5986
- SELECTION_4:
- User: NT AUTHORITY\NETWORK SERVICE
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
-id: c539afac-c12a-46ed-b1bd-5a5567c9f045
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-- attack.lateral_movement
-- attack.t1021.006
-- attack.t1028
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml
deleted file mode 100644
index b3db683e..00000000
--- a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-
-title: Rundll32 Internet Connection
-author: Florian Roth
-date: 2017/11/04
-description: Detects a rundll32 that communicates with public IP addresses
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*\rundll32.exe'
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- DestinationIp:
- - 10.*
- - 192.168.*
- - 172.16.*
- - 172.17.*
- - 172.18.*
- - 172.19.*
- - 172.20.*
- - 172.21.*
- - 172.22.*
- - 172.23.*
- - 172.24.*
- - 172.25.*
- - 172.26.*
- - 172.27.*
- - 172.28.*
- - 172.29.*
- - 172.30.*
- - 172.31.*
- - 127.*
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Communication to other corporate systems that use IP addresses from public address
- spaces
-id: cdc8da7d-c303-42f8-b08c-b4ab47230263
-level: medium
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218.011
-- attack.t1085
-- attack.execution
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml
deleted file mode 100644
index 0a65bd83..00000000
--- a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-
-title: Suspicious Program Location with Network Connections
-author: Florian Roth
-date: 2017/03/19
-description: Detects programs with network connections running in suspicious files
- system locations
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image:
- - '*\Users\All Users\\*'
- - '*\Users\Default\\*'
- - '*\Users\Public\\*'
- - '*\Users\Contacts\\*'
- - '*\Users\Searches\\*'
- - '*\config\systemprofile\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
- SELECTION_3:
- Image:
- - '*\$Recycle.bin'
- SELECTION_4:
- Image:
- - C:\Perflogs\\*
- condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
-falsepositives:
-- unknown
-id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
-level: high
-logsource:
- category: network_connection
- definition: Use the following config to generate the necessary Event ID 3 Network
- Connection events
- product: windows
-references:
-- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-status: experimental
-tags:
-- attack.command_and_control
-- attack.t1105
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_susp_rdp.yml b/rules/sigma/network_connection/sysmon_susp_rdp.yml
deleted file mode 100644
index 5113f650..00000000
--- a/rules/sigma/network_connection/sysmon_susp_rdp.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-
-title: Suspicious Outbound RDP Connections
-author: Markus Neis - Swisscom
-date: 2019/05/15
-description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
- lateral movement
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- DestinationPort: 3389
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- Image:
- - '*\mstsc.exe'
- - '*\RTSApp.exe'
- - '*\RTS2App.exe'
- - '*\RDCMan.exe'
- - '*\ws_TunnelService.exe'
- - '*\RSSensor.exe'
- - '*\RemoteDesktopManagerFree.exe'
- - '*\RemoteDesktopManager.exe'
- - '*\RemoteDesktopManager64.exe'
- - '*\mRemoteNG.exe'
- - '*\mRemote.exe'
- - '*\Terminals.exe'
- - '*\spiceworks-finder.exe'
- - '*\FSDiscovery.exe'
- - '*\FSAssessment.exe'
- - '*\MobaRTE.exe'
- - '*\chrome.exe'
- - '*\System32\dns.exe'
- - '*\thor.exe'
- - '*\thor64.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Other Remote Desktop RDP tools
-- domain controller using dns.exe
-id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1021.001
-- attack.t1076
-- car.2013-07-002
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
deleted file mode 100644
index 1ea0e858..00000000
--- a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-
-title: Suspicious Outbound Kerberos Connection
-author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-description: Detects suspicious outbound network activity via kerberos default port
- indicating possible lateral movement or first stage PrivEsc via delegation.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- DestinationPort: 88
- SELECTION_3:
- Initiated: 'true'
- SELECTION_4:
- Image:
- - '*\lsass.exe'
- - '*\opera.exe'
- - '*\chrome.exe'
- - '*\firefox.exe'
- condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
-falsepositives:
-- Other browsers
-id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://github.com/GhostPack/Rubeus
-status: experimental
-tags:
-- attack.credential_access
-- attack.t1558
-- attack.t1208
-- attack.lateral_movement
-- attack.t1550.003
-- attack.t1097
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml
deleted file mode 100644
index 8c594e4a..00000000
--- a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-title: Microsoft Binary Github Communication
-author: Michael Haag (idea), Florian Roth (rule)
-date: 2017/08/24
-description: Detects an executable in the Windows folder accessing github.com
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Initiated: 'true'
- SELECTION_3:
- DestinationHostname:
- - '*.github.com'
- - '*.githubusercontent.com'
- SELECTION_4:
- Image: C:\Windows\\*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-- '@subTee in your network'
-id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
-level: high
-logsource:
- category: network_connection
- product: windows
-modified: 2020/08/24
-references:
-- https://twitter.com/M_haggis/status/900741347035889665
-- https://twitter.com/M_haggis/status/1032799638213066752
-- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1105
-- attack.exfiltration
-- attack.t1567.001
-- attack.t1048
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml
deleted file mode 100644
index cd1b5e3e..00000000
--- a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-title: Microsoft Binary Suspicious Communication Endpoint
-author: Florian Roth
-date: 2018/08/30
-description: Detects an executable in the Windows folder accessing suspicious domains
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Initiated: 'true'
- SELECTION_3:
- DestinationHostname:
- - '*dl.dropboxusercontent.com'
- - '*.pastebin.com'
- - '*.githubusercontent.com'
- SELECTION_4:
- Image: C:\Windows\\*
- condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
-falsepositives:
-- Unknown
-id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
-level: high
-logsource:
- category: network_connection
- product: windows
-references:
-- https://twitter.com/M_haggis/status/900741347035889665
-- https://twitter.com/M_haggis/status/1032799638213066752
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1105
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml
deleted file mode 100644
index ebb03586..00000000
--- a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-title: Wuauclt Network Connection
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
- proxy execute code and making a network connections. One could easily make the DLL
- spawn a new process and inject to it to proxy the network connection and bypass
- this rule.
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- Image: '*wuauclt*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate use of wuauclt.exe over the network.
-id: c649a6c7-cd8c-4a78-9c04-000fc76df954
-level: medium
-logsource:
- category: network_connection
- product: windows
-references:
-- https://dtm.uk/wuauclt/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1218
-ruletype: SIGMA
diff --git a/rules/sigma/network_connection/win_net_crypto_mining.yml b/rules/sigma/network_connection/win_net_crypto_mining.yml
deleted file mode 100644
index 51a5bf04..00000000
--- a/rules/sigma/network_connection/win_net_crypto_mining.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-
-title: Windows Crypto Mining Pool Connections
-author: Florian Roth
-date: 2021/10/26
-description: Detects process connections to a Monero crypto mining pool
-detection:
- SELECTION_1:
- EventID: 3
- SELECTION_2:
- DestinationHostname:
- - pool.minexmr.com
- - fr.minexmr.com
- - de.minexmr.com
- - sg.minexmr.com
- - ca.minexmr.com
- - us-west.minexmr.com
- - pool.supportxmr.com
- - mine.c3pool.com
- - xmr-eu1.nanopool.org
- - xmr-eu2.nanopool.org
- - xmr-us-east1.nanopool.org
- - xmr-us-west1.nanopool.org
- - xmr-asia1.nanopool.org
- - xmr-jp1.nanopool.org
- - xmr-au1.nanopool.org
- - xmr.2miners.com
- - xmr.hashcity.org
- - xmr.f2pool.com
- - xmrpool.eu
- - pool.hashvault.pro
- - moneroocean.stream
- - monerocean.stream
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Legitimate use of crypto miners
-id: fa5b1358-b040-4403-9868-15f7d9ab6329
-level: high
-logsource:
- category: network_connection
- product: windows
-references:
-- https://www.poolwatch.io/coin/monero
-status: stable
-tags:
-- attack.impact
-- attack.t1496
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_amsi_trigger.yml b/rules/sigma/other/win_defender_amsi_trigger.yml
deleted file mode 100644
index ceb96d3e..00000000
--- a/rules/sigma/other/win_defender_amsi_trigger.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-
-title: Windows Defender AMSI Trigger Detected
-author: Bhabesh Raj
-date: 2020/09/14
-description: Detects triggering of AMSI by Windows Defender.
-detection:
- SELECTION_1:
- EventID: 1116
- SELECTION_2:
- Source_Name: AMSI
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unlikely
-id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
-level: high
-logsource:
- product: windows
- service: windefend
-modified: 2021/10/13
-references:
-- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
-status: stable
-tags:
-- attack.execution
-- attack.t1059
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_bypass.yml b/rules/sigma/other/win_defender_bypass.yml
deleted file mode 100644
index 934a7dfd..00000000
--- a/rules/sigma/other/win_defender_bypass.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: Windows Defender Exclusion Set
-author: '@BarryShooshooga'
-date: 2019/10/26
-description: Detects scenarios where an windows defender exclusion was added in registry
- where an entity would want to bypass antivirus scanning from windows defender
-detection:
- SELECTION_1:
- EventID: 4657
- SELECTION_2:
- EventID: 4656
- SELECTION_3:
- EventID: 4660
- SELECTION_4:
- EventID: 4663
- SELECTION_5:
- ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
- condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
-falsepositives:
-- Intended inclusions by administrator
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
-level: high
-logsource:
- definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
- Policy, Registry System Access Control (SACL): Auditing/User'
- product: windows
- service: security
-references:
-- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_disabled.yml b/rules/sigma/other/win_defender_disabled.yml
deleted file mode 100644
index 5f668850..00000000
--- a/rules/sigma/other/win_defender_disabled.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-
-title: Windows Defender Threat Detection Disabled
-author: Ján Trenčanský, frack113
-date: 2020/07/28
-description: Detects disabling Windows Defender threat protection
-detection:
- SELECTION_1:
- EventID: 5001
- SELECTION_2:
- EventID: 5010
- SELECTION_3:
- EventID: 5012
- SELECTION_4:
- EventID: 5101
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
-falsepositives:
-- Administrator actions
-id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-level: high
-logsource:
- product: windows
- service: windefend
-modified: 2021/09/21
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_exclusions.yml b/rules/sigma/other/win_defender_exclusions.yml
deleted file mode 100644
index 392ae2b0..00000000
--- a/rules/sigma/other/win_defender_exclusions.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-title: Windows Defender Exclusions Added
-author: Christian Burkard
-date: 2021/07/06
-description: Detects the Setting of Windows Defender Exclusions
-detection:
- SELECTION_1:
- EventID: 5007
- SELECTION_2:
- New_Value: '*\Microsoft\Windows Defender\Exclusions*'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Administrator actions
-id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
-level: medium
-logsource:
- product: windows
- service: windefend
-modified: 2021/10/13
-references:
-- https://twitter.com/_nullbind/status/1204923340810543109
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_history_delete.yml b/rules/sigma/other/win_defender_history_delete.yml
deleted file mode 100644
index f91be5ee..00000000
--- a/rules/sigma/other/win_defender_history_delete.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: Windows Defender Malware Detection History Deletion
-author: Cian Heasley
-date: 2020/08/13
-description: Windows Defender logs when the history of detected infections is deleted.
- Log file will contain the message "Windows Defender Antivirus has removed history
- of malware and other potentially unwanted software".
-detection:
- SELECTION_1:
- EventID: 1013
- SELECTION_2:
- EventType: 4
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Deletion of Defender malware detections history for legitimate reasons
-fields:
-- EventID
-- EventType
-id: 2afe6582-e149-11ea-87d0-0242ac130003
-level: high
-logsource:
- product: windows
- service: windefend
-modified: 2021/05/30
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
-status: experimental
-tags:
-- attack.defense_evasion
-- attack.t1070.001
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_psexec_wmi_asr.yml b/rules/sigma/other/win_defender_psexec_wmi_asr.yml
deleted file mode 100644
index 7f411ec9..00000000
--- a/rules/sigma/other/win_defender_psexec_wmi_asr.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-title: PSExec and WMI Process Creations Block
-author: Bhabesh Raj
-date: 2020/07/14
-description: Detects blocking of process creations originating from PSExec and WMI
- commands
-detection:
- SELECTION_1:
- EventID: 1121
- SELECTION_2:
- ProcessName:
- - '*\wmiprvse.exe'
- - '*\psexesvc.exe'
- condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- Unknown
-id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
-level: high
-logsource:
- definition: 'Requirements:Enabled Block process creations originating from PSExec
- and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
- product: windows
- service: windefend
-modified: 2021/11/13
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
-- https://twitter.com/duff22b/status/1280166329660497920
-status: experimental
-tags:
-- attack.execution
-- attack.lateral_movement
-- attack.t1047
-- attack.t1035
-- attack.t1569.002
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_tamper_protection_trigger.yml b/rules/sigma/other/win_defender_tamper_protection_trigger.yml
deleted file mode 100644
index ddd5ea17..00000000
--- a/rules/sigma/other/win_defender_tamper_protection_trigger.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: Microsoft Defender Tamper Protection Trigger
-author: Bhabesh Raj
-date: 2021/07/05
-description: Detects block of attempt to disable real time protection of Microsoft
- Defender by tamper protection
-detection:
- SELECTION_1:
- EventID: 5013
- SELECTION_2:
- Value:
- - '*\Windows Defender\DisableAntiSpyware = 0x1()'
- - '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
- condition: ((SELECTION_1) and SELECTION_2)
-falsepositives:
-- Administrator actions
-id: 49e5bc24-8b86-49f1-b743-535f332c2856
-level: critical
-logsource:
- product: windows
- service: windefend
-references:
-- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
-status: stable
-tags:
-- attack.defense_evasion
-- attack.t1089
-- attack.t1562.001
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_defender_threat.yml b/rules/sigma/other/win_defender_threat.yml
deleted file mode 100644
index 1ba96d93..00000000
--- a/rules/sigma/other/win_defender_threat.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-
-title: Windows Defender Threat Detected
-author: Ján Trenčanský
-date: 2020/07/28
-description: Detects all actions taken by Windows Defender malware detection engines
-detection:
- SELECTION_1:
- EventID: 1006
- SELECTION_2:
- EventID: 1116
- SELECTION_3:
- EventID: 1015
- SELECTION_4:
- EventID: 1117
- condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
-falsepositives:
-- unlikely
-id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
-level: high
-logsource:
- product: windows
- service: windefend
-references:
-- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
-status: stable
-tags:
-- attack.execution
-- attack.t1059
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_exchange_cve_2021_42321.yml b/rules/sigma/other/win_exchange_cve_2021_42321.yml
deleted file mode 100644
index e17e37cf..00000000
--- a/rules/sigma/other/win_exchange_cve_2021_42321.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: Possible Exploitation of Exchange RCE CVE-2021-42321
-author: Florian Roth, @testanull
-date: 2021/11/18
-description: Detects log entries that appear in exploitation attempts against MS Exchange
- RCE CVE-2021-42321
-detection:
- condition: 'Cmdlet failed. Cmdlet Get-App, '
-falsepositives:
-- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
-id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
-level: critical
-logsource:
- product: windows
- service: msexchange-management
-references:
-- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
-status: experimental
-tags:
-- attack.lateral_movement
-- attack.t1210
-ruletype: SIGMA
diff --git a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml b/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml
deleted file mode 100644
index 7d698702..00000000
--- a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-title: ProxyLogon MSExchange OabVirtualDirectory
-author: Florian Roth
-date: 2021/08/09
-description: Detects specific patterns found after a successful ProxyLogon exploitation
- in relation to a Commandlet invocation of Set-OabVirtualDirectory
-detection:
- SELECTION_1:
- - OabVirtualDirectory
- SELECTION_2:
- - ' -ExternalUrl '
- SELECTION_3:
- - eval(request
- - http://f/