commit
0cc3139176
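--- /dev/null
+++ b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml
@@ -0,0 +1,23 @@
+title: MSHTA Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from MSHTA.
+reference: https://www.trustedsec.com/july-2015/malicious-htas/
+author: Michael Haag
+logsource:
+product: sysmon
+detection:
+selection:
+EventID: 1
+ParentImage:
+- '*\mshta.exe'
+Image:
+- '*\cmd.exe'
+- '*\powershell.exe'
+- '*\wscript.exe'
+- '*\cscript.exe'
+- '*\sh.exe'
+- '*\bash.exe'
+condition: selection
+falsepositives:
+- Minimal FPs.
+level: high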
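Review bot: The `Image` list in this rule and the one added in `rules/windows/sysmon/sysmon_office_shell.yml` by the same commit are the same set of shell and script hosts except that this file omits `'*\scrcons.exe'`; if the two rules are meant to share one interpreter list, align them now so later additions (as the webshell rule below already shows with `'*\powershell.exe'`) do not leave them drifting apart. If the omission is deliberate for the MSHTA case, a short comment above `Image:` saying so would save the next editor from "fixing" it. The `falsepositives` entry `Minimal FPs.` is a judgement rather than a description; naming the legitimate parent/child pairing the author has in mind, if any, would make the rule easier to tune.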
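--- /dev/null
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -0,0 +1,28 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+author: Michael Haag
+logsource:
+product: sysmon
+detection:
+selection:
+EventID: 1
+ParentImage:
+- '*\WINWORD.EXE'
+- '*\EXCEL.EXE'
+- '*\POWERPNT.exe'
+- '*\MSPUB.exe'
+- '*\VISIO.exe'
+Image:
+- '*\cmd.exe'
+- '*\powershell.exe'
+- '*\wscript.exe'
+- '*\cscript.exe'
+- '*\sh.exe'
+- '*\bash.exe'
+- '*\scrcons.exe'
+condition: selection
+falsepositives:
+- unknown
+level: high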
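Review bot: The `ParentImage` values mix casing — `'*\WINWORD.EXE'` and `'*\EXCEL.EXE'` against `'*\POWERPNT.exe'`, `'*\MSPUB.exe'` and `'*\VISIO.exe'`; Sigma string matching is case-insensitive by specification, so this is a style point, but writing all five the same way (e.g. `'*\POWERPNT.EXE'`) removes any doubt on a backend that compiles values case-sensitively. Separately, `'*\scrcons.exe'` under `Image` looks unlikely to fire with these parents: as far as I know scrcons.exe is the WMI ActiveScript event-consumer host and is started by the WMI service rather than by the Office process that registered the subscription, so that technique would be better covered by a rule keyed on the WMI host as parent; please confirm against a sample before keeping it here.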
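--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_file_execution.yml
@@ -0,0 +1,22 @@
+title: WSF, JSE, JS, VBA and VBE file execution
+status: experimental
+description: Detects suspicious file execution by wscript and cscript.
+author: Michael Haag
+logsource:
+product: sysmon
+detection:
+selection:
+EventID: 1
+Image:
+- '*\wscript.exe'
+- '*\cscript.exe'
+CommandLine:
+- '*.jse'
+- '*.vbe'
+- '*.js'
+- '*.vba'
+- '*.vbe'
+condition: selection
+falsepositives:
+- Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
+level: medium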
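Review bot: `'*.vbe'` is listed twice in `CommandLine` (second and last entries) while `.wsf`, which the title promises, is missing from the list, so the last entry was most likely meant to be `'*.wsf'`; the duplicate is harmless to the parser but silently narrows coverage. Note also that each value is anchored to the end of the whole command line (`'*.js'` is an ends-with match under the Sigma spec), so a closing quote around the script path or any trailing argument will defeat the match; `'*.js*'`-style values would catch those cases at the cost of also matching `.jse`/`.json` and the like, which is a tuning decision worth recording in `falsepositives`. `.vba` is not a Windows Script Host file type, so that entry is unlikely to fire via wscript/cscript and may be a mix-up with `.vbs`; please confirm the intended list against the title.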
@ -9,12 +9,16 @@ detection:
|
|||||||
ParentImage:
|
ParentImage:
|
||||||
- '*\apache*'
|
- '*\apache*'
|
||||||
- '*\tomcat*'
|
- '*\tomcat*'
|
||||||
|
- '*\w3wp.exe'
|
||||||
|
- '*\php-cgi.exe'
|
||||||
|
- '*\nginx.exe'
|
||||||
|
- '*\httpd.exe'
|
||||||
CommandLine:
|
CommandLine:
|
||||||
- 'whoami'
|
- 'whoami'
|
||||||
- 'net user'
|
- 'net user'
|
||||||
- 'ping -n'
|
- 'ping -n'
|
||||||
|
- 'systeminfo'
|
||||||
condition: selection
|
condition: selection
|
||||||
falsepositives:
|
falsepositives:
|
||||||
- unknown
|
- unknown
|
||||||
level: high
|
level: high
|
||||||
|
|
||||||
|
@ -11,10 +11,12 @@ detection:
|
|||||||
- '*\w3wp.exe'
|
- '*\w3wp.exe'
|
||||||
- '*\httpd.exe'
|
- '*\httpd.exe'
|
||||||
- '*\nginx.exe'
|
- '*\nginx.exe'
|
||||||
|
- '*\php-cgi.exe'
|
||||||
Image:
|
Image:
|
||||||
- '*\cmd.exe'
|
- '*\cmd.exe'
|
||||||
- '*\sh.exe'
|
- '*\sh.exe'
|
||||||
- '*\bash.exe'
|
- '*\bash.exe'
|
||||||
|
- '*\powershell.exe'
|
||||||
condition: selection
|
condition: selection
|
||||||
falsepositives:
|
falsepositives:
|
||||||
- Particular web applications may spawn a shell process legitimately
|
- Particular web applications may spawn a shell process legitimately
|
||||||
|