CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
acaae4b328b88174cdfd02d46ff15c0f7d9562c8
hayabusa/rules/sigma/create_stream_hash/sysmon_ads_executable.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

36 lines
858 B
YAML
Raw Blame History

title: Executable in ADS
ruletype: Sigma
author: Florian Roth, @0xrawsec
date: 2018/06/03
description: Detects the creation of an ADS data stream that contains an executable
(non-empty imphash)
detection:
SELECTION_1:
EventID: 15
SELECTION_2:
Hashes: '*IMPHASH=*'
SELECTION_3:
Hashes: '*IMPHASH=00000000000000000000000000000000*'
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
falsepositives:
- unknown
fields:
- TargetFilename
- Image
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
level: critical
logsource:
category: create_stream_hash
definition: 'Requirements: Sysmon config with Imphash logging activated'
product: windows
modified: 2021/12/08
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
status: test
tags:
- attack.defense_evasion
- attack.t1027
- attack.s0139
- attack.t1564.004
Reference in New Issue View Git Blame Copy Permalink