SigmaHQ/rules/windows/builtin/win_susp_process_creations.yml

title: Detects Suspicious Process Creations
description: Detects suspicious process starts on Windows systems bsed on keywords
status: experimental
reference: 
    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
    - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
author: Florian Roth
logsource:
    product: windows
    service: security
    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        ProcessCommandLine: 
            # Hacking activity
            - 'vssadmin.exe delete shadows*'
            - 'vssadmin delete shadows*'
            - 'certutil.exe -decode *'
            - 'vssadmin create shadow /for=C:*'
            - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
            - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
            - 'reg SAVE HKLM\SYSTEM *'
            - '* sekurlsa:*'
            - 'net localgroup adminstrators * /add'
            - 'net group "Domain Admins" * /ADD /DOMAIN'
            # Malware
            - 'netsh advfirewall firewall *\AppData\*'
            - 'attrib +S +H +R *\AppData\*'
            - 'schtasks* /create *\AppData\*'
            - 'schtasks* /sc minute*'
            - '*\Regasm.exe *\AppData\*'
            - '*\Regasm *\AppData\*'
            - '*\bitsadmin* /transfer*'
            - '*\certutil.exe * -decode *'
            - '*\certutil.exe * -decodehex *'
            # Scripts
            - '*\wscript.exe *.jse'
            - '*\wscript.exe *.js'
            - '*\wscript.exe *.vba'
            - '*\wscript.exe *.vbe'
            - '*\cscript.exe *.jse'
            - '*\cscript.exe *.js'
            - '*\cscript.exe *.vba'
            - '*\cscript.exe *.vbe'
    condition: selection
falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Rule: Windows 4688 process creation rule 2017-03-26 00:26:34 +00:00			`title: Detects Suspicious Process Creations`
			`description: Detects suspicious process starts on Windows systems bsed on keywords`
			`status: experimental`
			`reference:`
			`- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/`
			`- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
			`service: security`
			`description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'`
			`detection:`
Windows Supicious Process Creation - Bugfix in selection name - New keyword expressions 2017-03-26 21:25:47 +00:00			`selection:`
Rule: Windows 4688 process creation rule 2017-03-26 00:26:34 +00:00			`EventID: 4688`
			`ProcessCommandLine:`
			`# Hacking activity`
Windows Supicious Process Creation - Bugfix in selection name - New keyword expressions 2017-03-26 21:25:47 +00:00			`- 'vssadmin.exe delete shadows*'`
			`- 'vssadmin delete shadows*'`
			`- 'certutil.exe -decode *'`
			`- 'vssadmin create shadow /for=C:*'`
			`- 'copy \\?\GLOBALROOT\Device\\windows\ntds\ntds.dit'`
			`- 'copy \\?\GLOBALROOT\Device\\config\SAM'`
			`- 'reg SAVE HKLM\SYSTEM *'`
			`- '* sekurlsa:*'`
			`- 'net localgroup adminstrators * /add'`
			`- 'net group "Domain Admins" * /ADD /DOMAIN'`
Rule: Windows 4688 process creation rule 2017-03-26 00:26:34 +00:00			`# Malware`
Windows Supicious Process Creation - Bugfix in selection name - New keyword expressions 2017-03-26 21:25:47 +00:00			`- 'netsh advfirewall firewall \AppData\'`
Rule: Windows 4688 process creation rule 2017-03-26 00:26:34 +00:00			`- 'attrib +S +H +R \AppData\'`
Windows Supicious Process Creation - Bugfix in selection name - New keyword expressions 2017-03-26 21:25:47 +00:00			`- 'schtasks* /create \AppData\'`
Schtasks frequency - minute 2017-04-28 15:03:35 +00:00			`- 'schtasks* /sc minute*'`
Rule adjustment Added wilcards cause the field can contain a full path 2017-03-26 21:41:38 +00:00			`- '\Regasm.exe \AppData\*'`
			`- '\Regasm \AppData\*'`
			`- '\bitsadmin /transfer*'`
Improved certutil.exe rules 2017-03-27 20:30:26 +00:00			`- '\certutil.exe -decode *'`
			`- '\certutil.exe -decodehex *'`
Rule: Windows 4688 process creation rule 2017-03-26 00:26:34 +00:00			`# Scripts`
Rule adjustment Added wilcards cause the field can contain a full path 2017-03-26 21:41:38 +00:00			`- '\wscript.exe .jse'`
			`- '\wscript.exe .js'`
			`- '\wscript.exe .vba'`
			`- '\wscript.exe .vbe'`
			`- '\cscript.exe .jse'`
			`- '\cscript.exe .js'`
			`- '\cscript.exe .vba'`
			`- '\cscript.exe .vbe'`
Rule: Windows 4688 process creation rule 2017-03-26 00:26:34 +00:00			`condition: selection`
			`falsepositives:`
			`- False positives depend on scripts and administrative tools used in the monitored environment`
			`level: medium`