SigmaHQ/rules/windows/sysmon/sysmon_ads_executable.yml

34 lines
867 B
YAML
Raw Normal View History

title: Executable in ADS
2019-11-12 22:12:27 +00:00
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: experimental
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
2018-07-19 21:36:13 +00:00
tags:
- attack.defense_evasion
2020-08-29 00:03:28 +00:00
- attack.t1027 # an old one
2018-07-19 21:36:13 +00:00
- attack.s0139
2020-08-29 00:03:28 +00:00
- attack.t1564.004
author: Florian Roth, @0xrawsec
date: 2018/06/03
2020-08-29 00:03:28 +00:00
modified: 2020/08/26
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection:
EventID: 15
filter1:
Imphash: '00000000000000000000000000000000'
filter2:
Imphash: null
condition: selection and not 1 of filter*
fields:
- TargetFilename
- Image
falsepositives:
- unknown
level: critical