SigmaHQ/rules/windows/builtin/win_susp_process_creations.yml

88 lines
3.4 KiB
YAML
Raw Normal View History

---
action: global
2018-01-27 09:57:30 +00:00
title: Suspicious Process Creation
2018-07-29 14:22:39 +00:00
description: Detects suspicious process starts on Windows systems based on keywords
status: experimental
references:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
2017-07-30 15:09:24 +00:00
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- https://twitter.com/subTee/status/872244674609676288
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
2017-08-13 20:18:13 +00:00
- https://twitter.com/vector_sec/status/896049052642533376
author: Florian Roth
detection:
selection:
CommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\*'
- 'attrib +S +H +R *\AppData\*'
- 'schtasks* /create *\AppData\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\*'
- '*\Regasm *\AppData\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
2017-03-27 20:30:26 +00:00
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- 'icacls * /grant Everyone:F /T /C /Q'
2017-05-13 08:40:41 +00:00
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
2017-07-30 15:09:24 +00:00
# UAC bypass
- '*\fodhelper.exe'
# persistence
- '*waitfor*/s*'
- '*waitfor*/si persist*'
# remote
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
# AddInProcess
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
condition: selection
2017-11-01 09:00:35 +00:00
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688