Merge pull request #128 from ntim/master

Tagged windows powershell, other and malware rules.
This commit is contained in:
Thomas Patzke 2018-07-24 11:05:50 +02:00 committed by GitHub
commit 0fa914139c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 48 additions and 0 deletions

View File

@ -5,6 +5,13 @@ author: Florian Roth, Tom Ueltschi
references:
- https://securelist.com/schroedingers-petya/78870/
- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
tags:
- attack.execution
- attack.credential_access
- attack.defense_evasion
- attack.t1085
- attack.t1070
- attack.t1003
logsource:
product: windows
service: sysmon
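Review bot: the three tactic tags and the three technique tags are listed as two separate groups, so a reader has to already know ATT&CK to pair them (t1085 with execution and defense_evasion, t1070 with defense_evasion, t1003 with credential_access). The other rules in this commit put each tactic directly above its technique (`- attack.execution` then `- attack.t1035`); following that convention here makes the mapping self-explanatory.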

View File

@ -1,6 +1,9 @@
title: Rare Scheduled Task Creations
status: experimental
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
tags:
- attack.t1053
- attack.s0111
author: Florian Roth
logsource:
product: windows
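Review bot: `- attack.t1053` and `- attack.s0111` are added without any tactic tag, unlike the other rules in this commit, which pair a tactic with each technique. Scheduled tasks map to persistence, privilege escalation and execution in ATT&CK; add at least `- attack.persistence` (and `- attack.execution`, since the rule fires on task creation) so tactic-level filtering and coverage views pick this rule up.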

View File

@ -5,6 +5,10 @@ author: Thomas Patzke
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
tags:
- attack.execution
- attack.t1035
- attack.s0029
logsource:
product: windows
detection:

View File

@ -5,6 +5,10 @@ author: Florian Roth
references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
tags:
- attack.execution
- attack.persistence
- attack.t1047
logsource:
product: windows
service: wmi
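Review bot: `- attack.persistence` is tagged but the only technique is `- attack.t1047`, which ATT&CK lists under Execution. The persistence behaviour the two references describe (WMI event-subscription backdoors) had its own technique ID, T1084, in the ATT&CK matrix current at this commit. Either add `- attack.t1084` next to the persistence tactic or drop the tactic so the tactic/technique pairs stay consistent.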

View File

@ -3,6 +3,10 @@ status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
author: Florian Roth (rule), Lee Holmes (idea)
logsource:
product: windows

View File

@ -3,6 +3,10 @@ status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
references:
- https://adsecurity.org/?p=2921
tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows

View File

@ -3,6 +3,9 @@ status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows

View File

@ -3,6 +3,9 @@ status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
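Review bot: `- attack.1086` is missing the `t` and will not match the `attack.t1086` tag used by every other PowerShell rule in this commit, so tooling that filters or counts rules by technique will silently skip this one. Change it to `- attack.t1086`.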

View File

@ -4,6 +4,10 @@ description: Detects PowerShell calling a credential prompt
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
tags:
- attack.execution
- attack.credential_access
- attack.t1086
author: John Lambert (idea), Florian Roth (rule)
logsource:
product: windows
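Review bot: the second reference, `- https://t.co/ezOTGy1a1G`, is a Twitter link shortener that gives no indication of where it points; shortened links rot and cannot be reviewed, so replace it with the resolved URL. Separately, `- attack.credential_access` is tagged with only `- attack.t1086` (PowerShell, an execution technique) beside it; if the credential-prompt behaviour in the description is meant to map to a credential-access technique, add that technique ID as well.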

View File

@ -3,6 +3,9 @@ status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows

View File

@ -1,6 +1,9 @@
title: Suspicious PowerShell Download
status: experimental
description: Detects suspicious PowerShell download command
tags:
- attack.execution
- attack.t1086
author: Florian Roth
logsource:
product: windows
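Review bot: only `- attack.execution` and `- attack.t1086` are tagged, but the description says the rule is about a download command, which is a file-transfer behaviour. Consider also tagging the transfer technique (T1105, Remote File Copy, in the ATT&CK version contemporary with this commit) so the rule appears in command-and-control coverage views and not only under PowerShell execution.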

View File

@ -1,6 +1,9 @@
title: Suspicious PowerShell Invocations - Generic
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
logsource:
product: windows

View File

@ -1,6 +1,9 @@
title: Suspicious PowerShell Invocations - Specific
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
logsource:
product: windows
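Review bot: the `description:` of this Specific rule is identical to the Generic variant's (`Detects suspicious PowerShell invocation command parameters`), so an analyst reading the alert text cannot tell which rule fired or why. State what makes this rule specific (the parameter combinations it looks for) and adjust the Generic description to match, since both files are touched in this commit anyway.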