Merge branch 'SigmaHQ:master' into master

This commit is contained in:
mlp1515 2021-07-07 08:25:04 +02:00 committed by GitHub
commit 29a6a2d5fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
114 changed files with 1123 additions and 211 deletions


@ -0,0 +1,29 @@
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
author: Sittikorn S
date: 2021/06/28
references:
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
tags:
- attack.defense_evasion
- attack.t1562
logsource:
service: cloudtrail
detection:
selection:
eventSource: securityhub.amazonaws.com
eventName:
- 'BatchUpdateFindings'
- 'DeleteInsight'
- 'UpdateFindings'
- 'UpdateInsight'
condition: selection
fields:
- sourceIPAddress
- userIdentity.arn
falsepositives:
- System or Network administrator behaviors
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
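Review bot: `status: stable` on a rule first dated 2021/06/28 is premature; the other new rules in this commit start as `experimental`, and this rule's own second false-positive entry says it needs environment scoping before it can be trusted, so `status: experimental` fits better. The `eventName` list also includes `BatchUpdateFindings`, which Security Hub integrations and automations presumably issue routinely; if that holds in practice, the false-positives list should name it, or the detection should be narrowed with a `userIdentity` filter for the known automation principals. Finally, `DEV, UAT, SAT environment. You should apply this rule with PROD environment only.` is a deployment note rather than a false positive and would sit better in `description`.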


@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
logsource:
product: linux
@ -21,4 +21,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- attack.t1574.006
- attack.t1574.006


@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
logsource:
product: linux
service: auditd


@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
product: linux
service: auditd


@ -1,12 +1,12 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
logsource:
product: linux
service: auditd
@ -24,8 +24,8 @@ detection:
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
- Legitimate use of archiving tools by legitimate user.
level: low
tags:
- attack.exfiltration
- attack.t1560.001
- attack.t1560.001


@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
product: linux
service: auditd
@ -24,7 +24,7 @@ detection:
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
- attack.credential_access


@ -1,11 +1,11 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: experimental
description: Detects removing immutable file attribute
description: Detects removing immutable file attribute.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -16,8 +16,8 @@ detection:
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (for instance backups)
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.t1222.002
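Review bot: The reworded false-positive entry `(e.g. for instance backups)` says the same thing twice, since `e.g.` and `for instance` are synonyms. Suggest `- Administrator interacting with immutable files (e.g. backups).`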


@ -1,11 +1,11 @@
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) the file
description: Detects overwriting (effectively wiping/deleting) of a file.
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
logsource:
product: linux
service: auditd
@ -18,10 +18,10 @@ detection:
- 'if=/dev/zero'
condition: selection
falsepositives:
- Appending null bytes to files
- Legitimate overwrite of files
- Appending null bytes to files.
- Legitimate overwrite of files.
level: low
tags:
- attack.impact
- attack.t1485
- attack.t1485


@ -1,11 +1,11 @@
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
description: Detects file and folder permission changes
description: Detects file and folder permission changes.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -17,8 +17,8 @@ detection:
- 'chown'
condition: selection
falsepositives:
- User interacting with files permissions (normal/daily behaviour)
- User interacting with files permissions (normal/daily behaviour).
level: low
tags:
- attack.defense_evasion
- attack.t1222.002
- attack.t1222.002


@ -1,12 +1,12 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
description: Detects a reload or a start of a service
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://attack.mitre.org/techniques/T1543/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
logsource:
product: linux
service: auditd
@ -19,9 +19,9 @@ detection:
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
- Installation of legitimate service.
- Legitimate reconfiguration of service.
level: low
tags:
- attack.persistence
- attack.t1543.002
- attack.t1543.002


@ -13,7 +13,7 @@ author: Patrick Bareiss
date: 2019/03/24
modified: 2020/07/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md
- https://attack.mitre.org/techniques/T1070/003/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
logsource:


@ -0,0 +1,34 @@
title: Pulse Connect Secure RCE Attack CVE-2021-22893
id: 5525edac-f599-4bfd-b926-3fa69860e766
status: stable
description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
author: Sittikorn S
date: 2021/06/29
references:
- https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection1:
c-uri|contains:
- '/dana-na/auth/'
- '/dana-ws/'
- '/dana-cached/'
selection2:
c-uri|contains:
- '?id='
- '?token='
- 'Secid_canceltoken.cgi'
- 'CGI::param'
- 'meeting'
- 'smb'
- 'namedusers'
- 'metric'
condition: selection1 and selection2
falsepositives:
- Vulnerability Scaning/Pentesting
level: high
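Review bot: `selection2` pairs very generic substrings (`'meeting'`, `'smb'`, `'metric'`, `'?id='`, `'?token='`) with a `selection1` that already matches the ordinary `/dana-na/auth/` login path, so routine user traffic carrying a query string on that path satisfies `selection1 and selection2`; at `level: high` that is a noisy combination. If the referenced advisory names the specific request paths involved, anchoring `selection2` to those (or at least dropping the single-word tokens) would make this usable as an alert rather than a hunting query. A rule first dated 2021/06/29 should also start as `status: experimental` rather than `stable`. Minor: `Vulnerability Scaning/Pentesting` should read `Vulnerability Scanning/Pentesting`, and `Pulse Connect Secure(PCS)` needs a space before the parenthesis.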


@ -1,6 +1,6 @@
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
description: Detects a core dump of a creashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
author: Florian Roth
date: 2021/05/31
references:
@ -17,4 +17,4 @@ falsepositives:
level: high
tags:
- attack.impact
- attack.t1499.004
- attack.t1499.004


@ -0,0 +1,40 @@
title: Possible CVE-2021-1675 Print Spooler Exploitation
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
author: Florian Roth, KevTheHermit, fuzzyf10w
status: experimental
level: high
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://twitter.com/fuzzyf10w/status/1410202370835898371
date: 2021/06/30
tags:
- attack.execution
- cve.2021-1675
logsource:
product: windows
service: printservice-admin
detection:
selection:
EventID:
- 808 # old id
- 4909 # new id
ErrorCode:
- '0x45A'
- '0x7e'
keywords:
- 'The print spooler failed to load a plug-in module'
# default file names used in PoC codes
- 'MyExploit.dll'
- 'evil.dll'
- '\addCube.dll'
- '\rev.dll'
- '\rev2.dll'
- '\main64.dll'
- '\mimilib.dll'
condition: selection or keywords
fields:
- PluginDllName
falsepositives:
- Problems with printer drivers
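Review bot: With `condition: selection or keywords`, the first keyword `'The print spooler failed to load a plug-in module'` fires on its own, independent of the `EventID`/`ErrorCode` pair in `selection`, so every plug-in load failure in this log reaches `level: high`. If that sentence is the text of the two event IDs `selection` already covers, the keyword adds nothing but breadth; otherwise it should be gated by the error codes. Suggest splitting the list into `keywords_message` (the sentence) and `keywords_files` (the DLL names) and using `condition: (selection and keywords_message) or keywords_files`. The `ErrorCode` values also mix hex case (`'0x45A'`, `'0x7e'`); unless the backend compares case-insensitively, normalise them to one form.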


@ -0,0 +1,26 @@
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
id: 8fe1c584-ee61-444b-be21-e9054b229694
description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
author: INIT_6
status: experimental
level: critical
references:
- https://twitter.com/INIT_3/status/1410662463641731075
date: 2021/07/02
tags:
- attack.execution
- cve.2021-1675
- cve.2021-34527
logsource:
product: windows
service: security
detection:
selection:
EventID: '5145'
ShareName: '\\\*\IPC$'
RelativeTargetName: 'spoolss'
AccessMask: '0x3'
ObjectType: 'File'
condition: selection
falsepositives:
- nothing observed so far
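Review bot: `EventID: '5145'` is quoted here while the Impacket rule in this commit uses `EventID: 5145` and the three Kerberos rules are changed to unquoted integers in this very commit; backends that compare types treat these differently, so use the integer form for consistency. The `ShareName: '\\\*\IPC$'` escaping also differs from `ShareName: \\*\ADMIN$` in the Impacket rule, and per the spec comment added in the net.exe rule (`\\*` is an escaped backslash followed by a wildcard) it is not obvious which of the two forms produces the literal `\\*\IPC$` that event 5145 records; confirm against the Sigma escaping rules and align both rules. `- nothing observed so far` would read better capitalised, `- Nothing observed so far`.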


@ -0,0 +1,27 @@
title: CVE-2021-1675 Print Spooler Exploitation
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
author: Florian Roth
status: experimental
level: critical
references:
- https://twitter.com/MalwareJake/status/1410421967463731200
date: 2021/07/01
tags:
- attack.execution
- cve.2021-1675
logsource:
product: windows
service: printservice-operational
detection:
selection:
EventID: '316'
keywords:
- 'UNIDRV.DLL, kernelbase.dll, '
- ' 123 '
- ' 1234 '
condition: selection and keywords
fields:
- DriverAdded
falsepositives:
- Unknown


@ -1,8 +1,9 @@
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
author: Samir Bousseaden, wagga
date: 2019/04/03
modified: 2021/06/27
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
@ -19,7 +20,9 @@ detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
RelativeTargetName: 'SYSTEM32\\*.tmp'
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- pentesting
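Review bot: `RelativeTargetName|contains|all` with `'SYSTEM32\'` and `'.tmp'` is looser than the wildcard it replaces: the two fragments may now occur in either order and anywhere in the name, whereas `SYSTEM32\\*.tmp` anchored the directory at the start and the extension at the end. `RelativeTargetName|startswith: 'SYSTEM32\'` together with `RelativeTargetName|endswith: '.tmp'` keeps the original meaning without the wildcard. The same relaxation appears in the NetNTLM downgrade rule (`ObjectName|contains|all`, where the original was `startswith` on `\REGISTRY\MACHINE\SYSTEM`) and in the Rclone config rule (`TargetFilename|contains|all`); at least the NetNTLM one should keep `ObjectName|startswith: '\REGISTRY\MACHINE\SYSTEM'` for its first fragment.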


@ -1,9 +1,13 @@
title: Malicious Service Installations
id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2021/05/27
modified: 2021/07/06
references:
- https://awakesecurity.com/blog/threat-hunting-for-paexec/
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
tags:
- attack.persistence
- attack.privilege_escalation
@ -18,13 +22,17 @@ logsource:
service: system
detection:
selection:
EventID: 7045
EventID:
- 4697
- 7045
malsvc_paexec:
ServiceFileName|contains: '\PAExec'
malsvc_wannacry:
ServiceName: 'mssecsvc2.0'
malsvc_persistence:
ServiceFileName|contains: 'net user'
malsvc_apt29:
ServiceName: 'javamtsup'
condition: selection and 1 of malsvc_*
falsepositives:
- Penetration testing
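Review bot: The added `4697` is the Security-log "A service was installed in the system" event, but the rule's `logsource` in the context lines is `service: system`, the System channel where `7045` lives, so a backend that maps this logsource to a single channel will never see the new ID. Either add a second document (as the Windows Defender rule in this commit does with `---`) carrying `service: security` for `4697`, or confirm that the target backends route both channels under this logsource and note that on the rule. `ServiceFileName` and `ServiceName` are the 4697 field names; whether the 7045 fields are mapped onto them depends on the field mapping in use, which is worth a comment here.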


@ -4,9 +4,9 @@ id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
description: Detects NetNTLM downgrade attack
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
author: Florian Roth, wagga
date: 2018/03/20
modified: 2021/02/24
modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1089 # an old one
@ -41,7 +41,10 @@ logsource:
detection:
selection:
EventID: 4657
ObjectName|startswith: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
ObjectName|contains|all:
- '\REGISTRY\MACHINE\SYSTEM'
- 'ControlSet'
- '\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'


@ -4,8 +4,9 @@ status: experimental
description: Detects when an admin share is mounted using net.exe
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga'
date: 2020/10/05
modified: 2021/06/27
tags:
- attack.lateral_movement
- attack.t1021.002
@ -19,7 +20,7 @@ detection:
- '\net1.exe'
CommandLine|contains|all:
- ' use '
- '\\\\*\*$*'
- '\\\*\\*$' # (Specs) If some wildcard after a backslash should be searched, the backslash has to be escaped: \\*
condition: selection
falsepositives:
- Administrators


@ -9,7 +9,7 @@ tags:
- attack.t1021.002
references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
- https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
logsource:
product: windows
service: security
@ -23,4 +23,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
level: high
level: high


@ -0,0 +1,27 @@
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
author: Florian Roth, KevTheHermit, fuzzyf10w
status: experimental
level: medium
references:
- https://twitter.com/KevTheHermit/status/1410203844064301056
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
date: 2021/06/30
modified: 2021/07/05
logsource:
product: windows
service: smbclient-security
detection:
selection:
EventID: 31017
Description|contains: 'Rejected an insecure guest logon'
UserName: ''
ServerName|startswith: '\1'
condition: selection
fields:
- Computer
- User
falsepositives:
- Account fallback reasons (after failed login with specific account)
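Review bot: `ServerName|startswith: '\1'` matches only targets whose name begins with the digit 1, although the title says the logon is "From IP"; addresses starting with 2 through 9 are missed. A list `'\1'` … `'\9'`, or a regex modifier such as `ServerName|re: '^\\\d'` if the backend supports `|re`, would cover IPv4 literals generally. The rule also has no `tags:` block, unlike the other new rules in this commit, and its `description` (PrintNightmare remote code execution) does not match its `title` (rejected guest logon); one of the two should be brought in line. `UserName: ''` as an empty-string match is backend-dependent — some translate it to "field absent" — so a comment stating the intended semantics would help.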


@ -1,8 +1,9 @@
title: Valid Users Failing to Authenticate From Single Source Using Kerberos
id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
author: Mauricio Velazco
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
@ -14,13 +15,13 @@ logsource:
service: security
detection:
selection:
EventID: '4771'
Failure_Code: '0x18'
filter:
Account_Name: '*$'
EventID: 4771
Status: '0x18'
filter_computer:
TargetUserName|endswith: '$'
timeframe: 24h
condition:
- selection and not filter | count(Account_Name) by Client_Address > 10
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
- Vulnerability scanners
- Missconfigured systems


@ -1,8 +1,9 @@
title: Disabled Users Failing To Authenticate From Source Using Kerberos
id: 4b6fe998-b69c-46d8-901b-13677c9fb663
description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
author: Mauricio Velazco
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
@ -14,13 +15,13 @@ logsource:
service: security
detection:
selection:
EventID: '4768'
Result_Code: '0x12'
filter:
Account_Name: '*$'
EventID: 4768
Status: '0x12'
filter_computer:
TargetUserName|endswith: '$'
timeframe: 24h
condition:
- selection and not filter | count(Account_Name) by Client_Address > 10
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
- Vulnerability scanners
- Missconfigured systems


@ -1,8 +1,9 @@
title: Invalid Users Failing To Authenticate From Source Using Kerberos
id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
author: Mauricio Velazco
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
tags:
@ -14,13 +15,13 @@ logsource:
service: security
detection:
selection:
EventID: '4768'
Result_Code: '0x6'
filter:
Account_Name: '*$'
EventID: 4768
Status: '0x6'
filter_computer:
TargetUserName|endswith: '$'
timeframe: 24h
condition:
- selection and not filter | count(Account_Name) by Client_Address > 10
- selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
- Vulnerability scanners
- Missconfigured systems


@ -1,14 +1,14 @@
title: Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: experimental
description: Detects renaming of file while deletion with SDelete tool
description: Detects renaming of file while deletion with SDelete tool.
author: Thomas Patzke
date: 2017/06/14
modified: 2020/08/2
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete
tags:
- attack.impact
- attack.defense_evasion
@ -33,5 +33,5 @@ detection:
- '.ZZZ'
condition: selection
falsepositives:
- Legitime usage of SDelete
- Legitimate usage of SDelete
level: medium


@ -4,8 +4,10 @@ status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
author: Florian Roth, wagga
date: 2020/02/29
modified: 2021/06/27
tags:
- attack.initial_access
- attack.t1190
@ -18,7 +20,8 @@ detection:
Source: MSExchange Control Panel
Level: Error
selection2:
- '*&__VIEWSTATE=*'
Message|contains:
- '&__VIEWSTATE='
condition: selection1 and selection2
falsepositives:
- Unknown


@ -7,7 +7,7 @@ notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
modified: 2020/08/28
modified: 2021/06/27
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
@ -64,7 +64,7 @@ detection:
- '\userinit.exe'
- '\vssadmin.exe'
- '\vssvc.exe'
- '\w3wp.exe*'
- '\w3wp.exe'
- '\winlogon.exe'
- '\winscp.exe'
- '\wmic.exe'


@ -0,0 +1,28 @@
title: Windows Spooler Service Suspicious File Deletion
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: experimental
description: Detect DLL deletions from Spooler Service driver folder
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021/07/01
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574
- cve.2021-1675
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith:
- 'spoolsv.exe'
TargetFilename|contains:
- 'C:\Windows\System32\spool\drivers\x64\3\'
condition: selection
falsepositives:
- Unknown
level: high
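Review bot: `Image|endswith: 'spoolsv.exe'` lacks the leading backslash that the other image lists in this commit use (`'\w3wp.exe'`, `'\winlogon.exe'`), so any image whose name merely ends in those characters satisfies it; write `- '\spoolsv.exe'`. The same applies to the spooler binary-load rule. `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'` hard-codes the system drive; the Rclone rule in this commit uses `':\Users\'`, which avoids the drive letter, so `':\Windows\System32\spool\drivers\x64\3\'` would be consistent and also cover non-default installations. The same `C:` prefix appears in the filename-pattern rule, the binary-load rule and the antivirus rule.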


@ -1,6 +1,6 @@
title: Suspicious PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
description: A General detection for processes creating PFX files. This could be an inidicator of an adversary exporting a local certificate to a pfx file.
description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
status: experimental
date: 2020/05/02
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
@ -18,5 +18,5 @@ detection:
TargetFilename|endswith: '.pfx'
condition: selection
falsepositives:
- unknown
level: medium
- System administrators managing certififcates.
level: medium
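Review bot: The new false-positive entry introduces a typo into a file this commit is otherwise fixing typos in: `certififcates`. Suggest `- System administrators managing certificates.`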


@ -0,0 +1,29 @@
title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
author: Florian Roth
status: experimental
level: critical
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
date: 2021/06/29
modified: 2021/07/01
tags:
- attack.execution
- cve.2021-1675
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
- 'C:\Windows\System32\spool\drivers\x64\3\New\'
condition: selection
fields:
- ComputerName
- TargetFileName
falsepositives:
- Unknown
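Review bot: `fields` lists `TargetFileName` while the selection is keyed on `TargetFilename`; field names are case-sensitive in most backends, so the output column would come back empty. Change it to `- TargetFilename`. As the description says, the rule matches default PoC file names only, a high-confidence but low-coverage signature; `level: critical` is reasonable for that, but `falsepositives: Unknown` could add that renamed payloads are not covered, so a non-match is not read as absence of exploitation.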


@ -3,6 +3,7 @@ id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
description: Detects Rclone config file being created
status: experimental
date: 2021/05/26
modified: 2021/06/27
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
@ -18,6 +19,7 @@ logsource:
detection:
file_selection:
EventID: 11
TargetFilename:
- 'C:\Users\*\.config\rclone\*'
TargetFilename|contains|all:
- ':\Users\'
- '\.config\rclone\'
condition: file_selection


@ -0,0 +1,31 @@
title: Windows Spooler Service Suspicious Binary Load
id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
status: experimental
description: Detect suspicious DLL Load from Spooler Service backup folder
references:
- https://github.com/hhlxf/PrintNightmare
author: FPT.EagleEye
date: 2021/06/29
modified: 2021/07/01
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574
- cve.2021-1675
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- 'spoolsv.exe'
ImageLoaded|startswith:
- 'C:\Windows\System32\spool\drivers\x64\3\old\'
- 'C:\Windows\System32\spool\drivers\x64\3\'
ImageLoaded|endswith:
- '.dll'
condition: selection
falsepositives:
- Possible. Requires further testing.
level: high
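Review bot: The second `ImageLoaded|startswith` entry `'C:\Windows\System32\spool\drivers\x64\3\'` is a prefix of the first, so the `old\` entry is redundant and the rule effectively fires on every DLL `spoolsv.exe` loads from the regular x64 driver directory, which is its normal behaviour; together with `level: high` and `falsepositives: Possible. Requires further testing.` that is a lot of alert volume. Either drop the broader entry and keep `'C:\Windows\System32\spool\drivers\x64\3\old\'` (plus any other sub-folder the referenced PoC uses), or keep the broad match and lower the level until the testing the false-positive note asks for is done. `Image|endswith: 'spoolsv.exe'` should also carry a leading backslash, `'\spoolsv.exe'`, as in the other image lists in this commit.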


@ -9,7 +9,7 @@ tags:
- attack.collection
- attack.t1056.002
references:
- https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
logsource:
@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- other legitimate processes loading those DLLs in your environment.
level: medium
level: medium


@ -8,7 +8,7 @@ tags:
- attack.defense_evasion
- attack.t1220
references:
- https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
logsource:
@ -23,4 +23,4 @@ detection:
condition: selection
falsepositives:
- Apparently, wmic os get lastboottuptime loads vbscript.dll
level: high
level: high


@ -0,0 +1,26 @@
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
references:
- https://twitter.com/mvelazco/status/1410291741241102338
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T
date: 2021/07/01
tag:
- attack.privilege_escalation
- attack.t1055
logsource:
product: antivirus
detection:
selection:
FileName|contains: 'C:\Windows\System32\spool\drivers\x64\'
condition: selection
fields:
- Signature
- FileName
- ComputerName
falsepositives:
- Unlikely
level: critical
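Review bot: The key is `tag:` but Sigma, and every other rule in this commit, uses `tags:`; the ATT&CK tags will be dropped by the parser and a schema check would flag the unknown key. Rename it to `tags:`. `attack.t1055` is Process Injection, which does not describe the spooler-driver file drop this rule looks for; the other PrintNightmare rules in this commit tag `attack.t1574` and `cve.2021-1675`, which would be consistent here. A rule first dated 2021/07/01 should start as `status: experimental`, and `PrinterNightmare` in the title and description should be `PrintNightmare`, the name the referenced projects use.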


@ -1,6 +1,6 @@
title: Remote PowerShell Session
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account
description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
status: experimental
date: 2019/09/12
modified: 2020/08/24
@ -26,5 +26,5 @@ detection:
User: 'NT AUTHORITY\NETWORK SERVICE'
condition: selection and not filter
falsepositives:
- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
level: high


@ -3,7 +3,7 @@ title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
modified: 2021/06/07
modified: 2021/07/05
author: Ján Trenčanský, frack113
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@ -44,3 +44,12 @@ detection:
TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
Details: 'DWORD (0x00000001)'
condition: tamper_registry
---
logsource:
product: windows
category: system
detection:
selection3:
EventID: 7036
Message: 'The Windows Defender Antivirus Service service entered the stopped state'
condition: selection3
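Review bot: The new document uses `category: system`, whereas the System channel is addressed as `service: system` elsewhere in this commit (the Malicious Service Installations rule); `category` is used for generic event classes such as `file_event`, so this logsource is unlikely to resolve to the System log in the backend mappings. Use `service: system`. `Message:` as an exact match on the full English sentence also ties the rule to one OS language and to the exact event-text wording; if the backend exposes the 7036 parameters, `param1: 'Windows Defender Antivirus Service'` with `param2: 'stopped'` is the more robust form, otherwise `Message|contains` on the service name. The first document's detection (`condition: tamper_registry`) starts outside the hunk.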


@ -0,0 +1,26 @@
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
date: 2021/07/05
author: Bhabesh Raj
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
status: stable
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
falsepositives:
- Administrator actions
level: critical
logsource:
product: windows
service: windefend
detection:
selection:
EventID:
- 5013
Value|endswith:
- '\Windows Defender\DisableAntiSpyware = 0x1()'
- '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
condition: selection
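Review bot: `attack.t1089 # an old one` is the deprecated technique id copied from older rules; a new rule should carry only the current `attack.t1562.001` (the NetNTLM rule in this commit still has it, but that rule dates from 2018). A rule first dated 2021/07/05 with `falsepositives: Administrator actions` should start as `status: experimental` rather than `stable`, and `level: critical` is hard to justify for an event that, per the description, records a blocked attempt. `EventID:` as a one-item list can simply be `EventID: 5013`.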


@ -1,11 +1,11 @@
title: Data Compressed - Powershell
title: Data Compressed - PowerShell
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
logsource:
product: windows
service: powershell
@ -19,7 +19,7 @@ detection:
- 'Compress-Archive'
condition: selection
falsepositives:
- highly likely if archive ops are done via PS
- Highly likely if archive operations are done via PowerShell.
level: low
tags:
- attack.exfiltration


@ -1,12 +1,14 @@
title: Malicious PowerView PowerShell Commandlets
id: dcd74b95-3f36-4ed9-9598-0490951643aa
status: experimental
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
date: 2021/05/18
modified: 2021/07/02
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
tags:
- attack.execution
- attack.t1059.001
@ -14,13 +16,15 @@ author: Bhabesh Raj
logsource:
product: windows
service: powershell
definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
detection:
selection:
EventID: 4104
ScriptBlockText:
- Export-PowerViewCSV
- Get-IPAddress
- Resolve-IPAddress
- Convert-NameToSid
- ConvertTo-SID
- Convert-ADName
- ConvertFrom-UACValue
@ -28,41 +32,69 @@ detection:
- Remove-RemoteConnection
- Invoke-UserImpersonation
- Invoke-RevertToSelf
- Request-SPNTicket
- Get-DomainSPNTicket
- Invoke-Kerberoast
- Get-PathAcl
- Get-DNSZone
- Get-DomainDNSZone
- Get-DNSRecord
- Get-DomainDNSRecord
- Get-NetDomain
- Get-Domain
- Get-NetDomainController
- Get-DomainController
- Get-NetForest
- Get-Forest
- Get-NetForestDomain
- Get-ForestDomain
- Get-NetForestCatalog
- Get-ForestGlobalCatalog
- Find-DomainObjectPropertyOutlier
- Get-NetUser
- Get-DomainUser
- New-DomainUser
- Set-DomainUserPassword
- Get-UserEvent
- Get-DomainUserEvent
- Get-NetComputer
- Get-DomainComputer
- Get-ADObject
- Get-DomainObject
- Set-ADObject
- Set-DomainObject
- Get-ObjectAcl
- Get-DomainObjectAcl
- Add-ObjectAcl
- Add-DomainObjectAcl
- Invoke-ACLScanner
- Find-InterestingDomainAcl
- Get-NetOU
- Get-DomainOU
- Get-NetSite
- Get-DomainSite
- Get-NetSubnet
- Get-DomainSubnet
- Get-DomainSID
- Get-NetGroup
- Get-DomainGroup
- New-DomainGroup
- Find-ManagedSecurityGroups
- Get-DomainManagedSecurityGroup
- Get-NetGroupMember
- Get-DomainGroupMember
- Add-DomainGroupMember
- Get-NetFileServer
- Get-DomainFileServer
- Get-DFSshare
- Get-DomainDFSShare
- Get-NetGPO
- Get-DomainGPO
- Get-NetGPOGroup
- Get-DomainGPOLocalGroup
- Find-GPOLocation
- Get-DomainGPOUserLocalGroupMapping
- Find-GPOComputerAdmin
- Get-DomainGPOComputerLocalGroupMapping
- Get-DomainPolicy
- Get-NetLocalGroup
@ -70,27 +102,46 @@ detection:
- Get-NetShare
- Get-NetLoggedon
- Get-NetSession
- Get-LoggedOnLocal
- Get-RegLoggedOn
- Get-NetRDPSession
- Invoke-CheckLocalAdminAccess
- Test-AdminAccess
- Get-SiteName
- Get-NetComputerSiteName
- Get-Proxy
- Get-WMIRegProxy
- Get-LastLoggedOn
- Get-WMIRegLastLoggedOn
- Get-CachedRDPConnection
- Get-WMIRegCachedRDPConnection
- Get-RegistryMountedDrive
- Get-WMIRegMountedDrive
- Get-NetProcess
- Get-WMIProcess
- Find-InterestingFile
- Invoke-UserHunter
- Find-DomainUserLocation
- Invoke-ProcessHunter
- Find-DomainProcess
- Invoke-EventHunter
- Find-DomainUserEvent
- Invoke-ShareFinder
- Find-DomainShare
- Invoke-FileFinder
- Find-InterestingDomainShareFile
- Find-LocalAdminAccess
- Invoke-EnumerateLocalAdmin
- Find-DomainLocalGroupMember
- Get-NetDomainTrust
- Get-DomainTrust
- Get-NetForestTrust
- Get-ForestTrust
- Find-ForeignUser
- Get-DomainForeignUser
- Find-ForeignGroup
- Get-DomainForeignGroupMember
- Invoke-MapDomainTrust
- Get-DomainTrustMapping
condition: selection
falsepositives:

@ -0,0 +1,26 @@
title: Renamed Powershell
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
description: Detects renamed powershell
status: experimental
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020/06/29
modified: 2021/07/04
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: powershell-classic
detection:
selection:
EventID: 400
HostName: "ConsoleHost"
filter:
HostApplication|startswith:
- "powershell"
condition: selection and not filter
falsepositives:
- unknown
level: low
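Review bot: The `filter` at `HostApplication|startswith: "powershell"` only excludes invocations whose host command line begins with the bare word; if the 400 event records the host's full path or the host is `pwsh`, the filter does not apply and the rule fires on every ConsoleHost start, which is presumably not the intent. `HostApplication|contains:` with `'powershell'` and `'pwsh'` would cover both forms, since the field carries the host command line and a substring match is sufficient to recognise a non-renamed host. Separately, `attack.t1086` is a retired technique id; sibling rules in this commit carry `attack.t1059.001` and annotate the old id with `# an old one`.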

@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
logsource:
product: windows
service: powershell

@ -14,7 +14,7 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/12/23
modified: 2021/06/27
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
fields:
@ -30,5 +30,5 @@ logsource:
detection:
# Process Access Call Trace
selection:
CallTrace|contains: 'cmlua.dll*'
CallTrace|contains: 'cmlua.dll'
condition: selection

@ -5,12 +5,14 @@ description: Detects execution of RClone utility for exfiltration as used by var
tags:
- attack.exfiltration
- attack.t1567.002
author: Bhabesh Raj
author: Bhabesh Raj, Sittikorn S
date: 2021/05/10
modified: 2021/06/29
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
fields:
- CommandLine
- ParentCommandLine
@ -29,4 +31,16 @@ detection:
- '--config '
- '--no-check-certificate '
- ' copy '
selection3:
Image|endswith:
- '\rclone.exe'
CommandLine|contains:
- 'mega'
- 'pcloud'
- 'ftp'
- '--progress'
- '--ignore-existing'
- '--auto-confirm'
- '--transfers'
- '--multi-thread-streams'
condition: 1 of them

@ -8,6 +8,7 @@ tags:
- attack.g0032
author: Bhabesh Raj
date: 2021/04/20
modified: 2021/06/27
logsource:
category: process_creation
product: windows
@ -22,8 +23,8 @@ detection:
Image:
- 'C:\Windows\System32\mshta.exe'
selection3:
ParentImage:
- 'C:\Users\Public\*'
ParentImage|contains:
- ':\Users\Public\'
Image:
- 'C:\Windows\System32\rundll32.exe'
condition: 1 of them

@ -9,6 +9,7 @@ tags:
- attack.g0032
author: Florian Roth
date: 2020/12/23
modified: 2021/06/27
logsource:
category: process_creation
product: windows
@ -30,7 +31,7 @@ detection:
# Network share discovery
selection4:
CommandLine|contains:
- '.255 10 C:\ProgramData\\'
- '.255 10 C:\ProgramData\'
condition: 1 of them
falsepositives:
- Overlap with legitimate process activity in some cases (especially selection 3 and 4)

@ -7,8 +7,9 @@ references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
tags:
- attack.g0032
author: Florian Roth
author: Florian Roth, wagga
date: 2020/12/23
modified: 2021/06/27
logsource:
category: process_creation
product: windows
@ -19,12 +20,12 @@ detection:
- ' -p 0x'
selection_cmd2:
CommandLine|contains:
- 'C:\ProgramData\\'
- 'C:\RECYCLER\\'
- 'C:\ProgramData\'
- 'C:\RECYCLER\'
selection_rundll1:
CommandLine|contains|all:
- 'rundll32.exe '
- 'C:\ProgramData\\'
- 'C:\ProgramData\'
selection_rundll2:
CommandLine|contains:
- '.bin,'

@ -0,0 +1,45 @@
title: REvil Kaseya Incident Malware Patterns
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
status: experimental
description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
references:
- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
- https://www.joesandbox.com/analysis/443736/0/html
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
author: Florian Roth
date: 2021/07/03
modified: 2021/07/05
tags:
- attack.execution
- attack.g0115
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'C:\Windows\cert.exe'
- 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
- 'del /q /f c:\kworking\agent.crt'
- 'Kaseya VSA Agent Hot-fix'
- '\AppData\Local\Temp\MsMpEng.exe'
- 'rmdir /s /q %SystemDrive%\inetpub\logs'
- 'del /s /q /f %SystemDrive%\\*.log'
- 'c:\kworking1\agent.exe'
- 'c:\kworking1\agent.crt'
selection2:
Image:
- 'C:\Windows\MsMpEng.exe'
- 'C:\Windows\cert.exe'
- 'C:\kworking\agent.exe'
- 'C:\kworking1\agent.exe'
selection3:
CommandLine|contains|all:
- 'del /s /q /f'
- 'WebPages\Errors\webErrorLog.txt'
condition: selection1 and selection2
falsepositives:
- Unknown
level: critical
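Review bot: `condition: selection1 and selection2` requires one process_creation event to match both a listed command-line string and a listed image, so `del /q /f c:\kworking\agent.crt` run from cmd.exe, or `C:\Windows\MsMpEng.exe` started without any of those strings, never fires; `selection3` is defined but not referenced at all. Each selection is an independent indicator of the same activity, so `condition: 1 of them` (the form the Lazarus and RClone rules in this commit use) appears to be the intent. Also note that in Sigma `\\*` is an escaped backslash followed by a wildcard, so `'del /s /q /f %SystemDrive%\\*.log'` matches any `.log` path under the drive root rather than the literal `\*.log`; `\*` would pin the literal asterisk if that was meant.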

@ -11,6 +11,7 @@ tags:
- unc2452
author: Florian Roth
date: 2021/01/22
modified: 2021/06/27
logsource:
category: process_creation
product: windows
@ -32,7 +33,7 @@ detection:
CommandLine|contains: 'cmd.exe /C '
selection4:
CommandLine|contains|all:
- 'rundll32 c:\windows\\'
- 'rundll32 c:\windows\'
- '.dll '
specific1:
ParentImage|endswith: '\rundll32.exe'

@ -7,7 +7,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
tags:
- attack.impact

@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
logsource:
category: process_creation
product: windows

@ -8,7 +8,7 @@ references:
- https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
author: Florian Roth
date: 2020/05/08
modified: 2020/08/29
modified: 2021/06/27
tags:
- attack.execution
- attack.t1204.002
@ -25,7 +25,7 @@ detection:
ParentImage|endswith:
- '\WINWORD.exe'
Image|endswith:
- '*.tmp'
- '.tmp'
# Binary Execution
selection2:
Image|endswith: '\wmic.exe'

@ -1,12 +1,12 @@
title: Data Compressed - rar.exe
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019/10/21
modified: 2020/08/29
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
logsource:
category: process_creation
@ -25,7 +25,7 @@ fields:
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- highly likely if rar is default archiver in the monitored environment
- Highly likely if rar is a default archiver in the monitored environment.
level: low
tags:
- attack.exfiltration # an old one

@ -1,9 +1,9 @@
title: Domain Trust Discovery
id: 77815820-246c-47b8-9741-e0def3f57308
status: experimental
description: Detects a discovery of domain trusts
description: Detects a discovery of domain trusts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
@ -23,5 +23,5 @@ detection:
CommandLine|contains: 'domain_trusts'
condition: selection
falsepositives:
- Administration of systems
- Administration of systems.
level: medium

@ -1,15 +1,16 @@
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: experimental
description: Detects a file or folder permissions modifications
description: Detects a file or folder's permissions being modified.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001
- attack.t1222 # an old one
logsource:
category: process_creation
product: windows
@ -28,5 +29,5 @@ fields:
- User
- CommandLine
falsepositives:
- Users interacting with the files on their own (unlikely unless power users)
- Users interacting with the files on their own (unlikely unless privileged users).
level: medium

@ -4,7 +4,7 @@ description: Identifies usage of hh.exe executing recently modified .chm files.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
date: 2019/10/24
modified: 2019/11/11

@ -1,10 +1,10 @@
title: Indirect Command Execution
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
date: 2019/10/24
modified: 2019/11/11
@ -26,6 +26,6 @@ fields:
- ParentCommandLine
- CommandLine
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
- Legitimate usage of scripts.
level: low

@ -1,10 +1,10 @@
title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
description: Detect an interactive AT job, which may be used as a form of privilege escalation
description: Detect an interactive AT job, which may be used as a form of privilege escalation.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
date: 2019/10/24
modified: 2019/11/11

@ -6,7 +6,7 @@ author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2020/09/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
category: process_creation
product: windows
@ -46,7 +46,7 @@ detection:
- '/scriptpath' # discovery only
- '/times' # discovery only
- '/workstations' # discovery only
condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)
condition: (selection_1 and not filter_1) or (selection_2 and not filter_2)
fields:
- Image
- CommandLine

@ -8,7 +8,7 @@ modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
tags:
- attack.credential_access
- attack.t1003.001

@ -8,7 +8,7 @@ references:
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2020/09/01
modified: 2021/06/27
tags:
- attack.execution
- attack.t1059.005
@ -50,4 +50,4 @@ logsource:
detection:
selection:
TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Details|startswith: '%AppData%\Roaming\Oracle\bin\\'
Details|startswith: '%AppData%\Roaming\Oracle\bin\'

@ -1,13 +1,13 @@
title: Mshta JavaScript Execution
id: 67f113fa-e23d-4271-befa-30113b3e08b1
description: Identifies suspicious mshta.exe commands
description: Identifies suspicious mshta.exe commands.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2020/09/01
references:
- https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
tags:
- attack.defense_evasion
- attack.t1170 # an old one

@ -4,7 +4,7 @@ status: stable
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/10/30
modified: 2019/11/11

@ -1,11 +1,11 @@
title: Net.exe User Account Creation
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
status: experimental
description: Identifies creation of local users via the net.exe command
description: Identifies creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018/10/30
modified: 2020/09/01
tags:
@ -29,6 +29,6 @@ fields:
- User
- CommandLine
falsepositives:
- Legit user creation
- Better use event ids for user creation rather than command line rules
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium

@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
category: process_creation
product: windows

@ -1,7 +1,7 @@
title: New Service Creation
id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
status: experimental
description: Detects creation of a new service
description: Detects creation of a new service.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
@ -11,7 +11,7 @@ tags:
- attack.t1050 # an old one
- attack.t1543.003
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
logsource:
category: process_creation
product: windows
@ -25,5 +25,5 @@ detection:
CommandLine|contains: 'new-service'
condition: selection
falsepositives:
- Legitimate administrator or user creates a service for legitimate reason
- Legitimate administrator or user creates a service for legitimate reasons.
level: low

@ -24,4 +24,4 @@ detection:
condition: selection and not filter
falsepositives:
- Legitimate programs executing PowerShell scripts
level: medium
level: low

@ -1,12 +1,12 @@
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
description: Detects audio capture via PowerShell Cmdlet
description: Detects audio capture via PowerShell Cmdlet.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
tags:
- attack.collection
@ -16,7 +16,7 @@ detection:
CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium
logsource:
category: process_creation

@ -2,11 +2,12 @@ title: Powershell Reverse Shell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: experimental
description: Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
author: FPT.EagleEye
author: FPT.EagleEye, wagga
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
modified: 2021/06/27
tags:
- attack.execution
- attack.t1086
@ -16,9 +17,9 @@ logsource:
product: windows
detection:
selection:
Image: '*\powershell.exe'
CommandLine:
- '*new-object system.net.sockets.tcpclient*'
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'new-object system.net.sockets.tcpclient'
condition: selection
fields:
- CommandLine
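Review bot: `Image|endswith: '\powershell.exe'` ties the detection to the binary name, so the same `new-object system.net.sockets.tcpclient` string executed through `pwsh.exe` or through a renamed PowerShell (the case the Renamed PowerShell rules in this commit address) is not caught; adding `- '\pwsh.exe'` to the Image list, or dropping the Image clause since the command-line string is specific enough on its own, would close that gap. `attack.t1086` in the tags of the first hunk is the retired id for what other rules here tag as `attack.t1059.001`. The detection block is complete within this hunk.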

@ -4,6 +4,7 @@ status: experimental
description: Detect
author: Florian Roth
date: 2021/06/18
modified: 2021/07/06
references:
- https://github.com/mvelazc0/PurpleSharp
logsource:
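Review bot: `description: Detect` at the top of this hunk is truncated and says nothing about what the rule covers, which matters for triage of an experimental rule; given the PurpleSharp reference and the selections on its default file name and `OriginalFileName` in the next hunk, something like `description: Detects execution of the PurpleSharp adversary simulation tool by its default file name or original file name` would do. The rename to `OriginalFileName` in the second hunk matches the spelling the PAExec rule later in this commit adopts.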
@ -15,7 +16,7 @@ detection:
- xyz123456.exe
- PurpleSharp
selection2:
OriginalFilename:
OriginalFileName:
- 'PurpleSharp.exe'
condition: selection1 or selection2
falsepositives:

@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
logsource:
category: process_creation
product: windows

@ -0,0 +1,22 @@
title: Reg Add RUN Key
id: de587dce-915e-4218-aac4-835ca6af6f70
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
status: experimental
date: 2021/06/28
author: Florian Roth
references:
- https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
- https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'reg'
- ' ADD '
- 'Software\Microsoft\Windows\CurrentVersion\Run'
condition: selection
falsepositives:
- Unknown
level: medium
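Review bot: `falsepositives: - Unknown` understates this rule: installers and legitimate software routinely write Run keys, which the ASEP rule later in this commit records as `Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.`, and that rule already covers reg.exe writes to autostart keys, so the overlap is worth stating in the description or by cross-referencing its id. The `'reg'` substring is very weak on its own (it also appears in regsvr32 and similar names), but the `|all` conjunction with `' ADD '` and the Run path keeps it acceptable; note the path substring also matches `RunOnce`-style subkeys, which is probably intended but should be said.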

@ -4,9 +4,9 @@ status: experimental
description: Detects the execution of a renamed PowerShell often used by attackers or malware
references:
- https://twitter.com/christophetd/status/1164506034720952320
author: Florian Roth
author: Florian Roth, frack113
date: 2019/08/22
modified: 2020/09/06
modified: 2021/07/03
tags:
- car.2013-05-009
- attack.defense_evasion
@ -17,12 +17,15 @@ logsource:
category: process_creation
detection:
selection:
Description: 'Windows PowerShell'
Description|startswith:
- 'Windows PowerShell'
- 'pwsh'
Company: 'Microsoft Corporation'
filter:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
condition: selection and not filter
falsepositives:
- Unknown
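Review bot: The selection still rests on `Description` and `Company`, version-resource strings that a copy with an edited resource no longer carries, and `Description|startswith: 'pwsh'` depends on the exact description string shipped with pwsh.exe, which is worth confirming against a current release. `OriginalFileName`, the field the PAExec and PurpleSharp rules in this commit switch to, survives a plain rename and would make a more robust second selection here (values taken from the binaries' version resources rather than guessed). The hunk is complete; the falsepositives list ends at `- Unknown`, which could name legitimately repackaged PowerShell hosts if any are expected.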

@ -0,0 +1,37 @@
title: Detect Virtualbox Driver Installation OR Starting Of VMs
id: bab049ca-7471-4828-9024-38279a4c04da
status: experimental
description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
references:
- https://attack.mitre.org/techniques/T1564/006/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
author: Janantha Marasinghe
date: 2020/09/26
modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1564.006
- attack.t1564
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'VBoxRT.dll,RTR3Init'
- 'VBoxC.dll'
- 'VBoxDrv.sys'
selection_2:
CommandLine|contains:
- 'startvm'
- 'controlvm'
condition: selection_1 or selection_2
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
falsepositives:
- This may have false positives on hosts where Virtualbox is legitimately being used for operations
level: low

@ -1,12 +1,12 @@
title: Service Execution
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: experimental
description: Detects manual service execution (start) via system utilities
description: Detects manual service execution (start) via system utilities.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
logsource:
category: process_creation
product: windows
@ -18,7 +18,7 @@ detection:
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
- Legitimate administrator or user executes a service for legitimate reasons.
level: low
tags:
- attack.execution

@ -0,0 +1,33 @@
title: Mshta Spawning Windows Shell
id: 772bb24c-8df2-4be0-9157-ae4dfa794037
status: experimental
description: Detects a suspicious child process of a mshta.exe process
references:
- https://app.any.run/tasks/f0fac90f-84ac-4faa-b5b2-f4353c388969/#
- https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
author: Florian Roth
date: 2021/06/28
tags:
- attack.execution
- attack.defense_evasion
- attack.t1064 # an old one
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mshta.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\WScript.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high
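Review bot: The child list under `Image|endswith:` covers `powershell.exe`, `cmd.exe` and `WScript.exe` but not their direct counterparts `\cscript.exe` and `\pwsh.exe`, which other rules in this commit treat as equivalent hosts; adding the two lines keeps coverage consistent. With `falsepositives: - Unknown` and `level: high`, a clause in the description on why a shell child of mshta.exe is suspicious (the referenced any.run reports) would help analysts triage. The rule is complete within this hunk.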

@ -1,12 +1,12 @@
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
description: Detect attacker collecting audio via SoundRecorder application
description: Detect attacker collecting audio via SoundRecorder application.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
tags:
- attack.collection
@ -20,5 +20,5 @@ detection:
CommandLine|contains: '/FILE'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium

@ -6,6 +6,7 @@ references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020/10/25
modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1202
@ -14,7 +15,7 @@ logsource:
product: windows
detection:
selection:
ParentImage: '*\conhost.exe'
ParentImage|endswith: '\conhost.exe'
condition: selection
fields:
- Image

@ -3,7 +3,7 @@ id: 24357373-078f-44ed-9ac4-6d334a668a11
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
tags:
- attack.persistence
- attack.t1547.001
@ -35,6 +35,6 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
level: medium

@ -1,21 +1,32 @@
title: Disable Windows Eventlog
title: Disable or Delete Windows Eventlog
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: experimental
description: Detects command that is used to disable Windows eventlog
description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
- https://ss64.com/nt/logman.html
tags:
- attack.defense_evasion
- attack.t1562.001
- attack.t1070.001
author: Florian Roth
date: 2021/02/11
modified: 2021/06/21
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'logman stop EventLog-System'
condition: selection
selection_tools:
CommandLine|contains:
- 'logman '
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains:
- EventLog-System
condition: all of them
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
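Review bot: `selection_service` matches only `EventLog-System`, while the sibling autologger sessions (`EventLog-Application`, `EventLog-Security`) can be stopped or deleted with the same logman syntax; if those are meant to be covered, `'EventLog-'` as the substring (or listing the three names) would do it, otherwise the new title should say it is scoped to the System session. `EventLog-System` is also the one unquoted value among quoted siblings in this hunk; `'EventLog-System'` for consistency.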

@ -1,9 +1,9 @@
title: Suspicious Eventlog Clear or Configuration Using Wevtutil
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, Daniil Yugoslavskiy, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
date: 2019/09/26
modified: 2019/11/11

@ -7,7 +7,7 @@ references:
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018/11/22
modified: 2020/05/26
modified: 2021/06/27
tags:
- attack.execution
- attack.t1059.006
@ -27,7 +27,7 @@ detection:
Description: '\?'
Company: '\?'
folder:
Image|contains: '\Downloads\\'
Image|contains: '\Downloads\'
condition: (selection1 or selection2 or selection3) and folder
fields:
- CommandLine

@ -1,13 +1,13 @@
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, E.M. Anhaus, oscd.community
date: 2019/09/26
modified: 2019/11/11
level: high
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
tags:
- attack.defense_evasion


@ -4,6 +4,7 @@ status: experimental
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth
date: 2019/10/01
modified: 2021/06/27
tags:
- attack.initial_access
- attack.t1566.001
@ -13,7 +14,7 @@ logsource:
product: windows
detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\\'
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
fields:
- CommandLine


@ -6,6 +6,7 @@ references:
- https://www.poweradmin.com/paexec/
author: Florian Roth
date: 2021/05/22
modified: 2021/07/06
logsource:
category: process_creation
product: windows
@ -13,7 +14,7 @@ detection:
selection1:
Description: 'PAExec Application'
selection2:
OriginalFilename: 'PAExec.exe'
OriginalFileName: 'PAExec.exe'
filter:
Image|endswith:
- '\PAexec.exe'


@ -1,9 +1,9 @@
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
description: Detects service path modification to powershell/cmd
description: Detects service path modification to PowerShell or cmd.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
tags:
- attack.persistence
- attack.privilege_escalation


@ -2,8 +2,9 @@ title: Suspicious Shells Spawn by SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
status: experimental
author: FPT.EagleEye Team
author: FPT.EagleEye Team, wagga
date: 2020/12/11
modified: 2021/06/27
tags:
- attack.t1100
- attack.t1190
@ -15,12 +16,12 @@ logsource:
product: windows
detection:
selection:
ParentImage: '*\sqlservr.exe'
Image:
- '*\cmd.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\powershell.exe'
- '*\bitsadmin.exe'
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\bitsadmin.exe'
condition: selection
level: critical
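Review bot: The tag `attack.t1100` on the context line above `attack.t1190` is a revoked ATT&CK technique ID; Web Shell was merged into T1505.003, so the tag should read `attack.t1505.003` (paired with `attack.persistence` for its tactic) or be dropped, and the commit does not touch it. The description on the context line reads "this might be sight of RCE" where "sign of RCE" is meant. The move from `'*\cmd.exe'`-style wildcards to `|endswith` values is equivalent for these strings, so nothing further is needed in the `selection` block.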


@ -11,6 +11,7 @@ tags:
- attack.defense_evasion
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020/10/14
modified: 2021/07/06
logsource:
category: process_creation
product: windows
@ -18,9 +19,9 @@ detection:
selection:
ParentImage|endswith: '\vsjitdebugger.exe'
reduction1:
ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
Image|endswith: '\vsimmersiveactivatehelper*.exe'
reduction2:
ChildImage|endswith: '\devenv.exe'
Image|endswith: '\devenv.exe'
condition: selection and not (reduction1 or reduction2)
falsepositives:
- the process spawned by vsjitdebugger.exe is uncommon.


@ -6,6 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
modified: 2021/06/27
logsource:
category: process_creation
product: windows
@ -13,7 +14,7 @@ detection:
selection:
ParentImage|endswith: '\userinit.exe'
filter1:
CommandLine|contains: '\\netlogon\\'
CommandLine|contains: '\netlogon\'
filter2:
Image|endswith: '\explorer.exe'
condition: selection and not filter1 and not filter2


@ -1,13 +1,13 @@
title: XSL Script Processing
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
logsource:
category: process_creation
product: windows
@ -18,8 +18,8 @@ detection:
- Image|endswith: '\msxsl.exe'
condition: selection
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
- msxsl.exe is not installed by default so unlikely.
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
level: medium
tags:
- attack.defense_evasion


@ -0,0 +1,37 @@
title: CobaltStrike Service Installations in Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
status: experimental
date: 2021/06/29
author: Wojciech Lesicki
tags:
- attack.execution
- attack.privilege_escalation
- attack.lateral_movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
logsource:
category: registry_event
product: windows
detection:
selection1:
EventType: SetValue
TargetObject|contains: 'HKLM\System\CurrentControlSet\Services'
selection2:
Details|contains|all:
- 'ADMIN$'
- '.exe'
selection3:
Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: selection1 and (selection2 or selection3)
falsepositives:
- unknown
level: critical
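Review bot: The `description` value is a plain scalar continued over three lines; whether the continuation lines are indented enough to fold into that scalar cannot be confirmed from the rendered view, and if they are not the file will fail to parse. Writing it as a folded block, `description: >-`, with each line indented beneath the key makes the intent explicit and survives reformatting. `falsepositives: - unknown` should also be capitalised as `Unknown`, matching the spelling the other rules in this commit use. The `Details|contains|all` terms in `selection3` are matched case-insensitively by Sigma, so the lowercase `powershell` and `start` are fine as written.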


@ -0,0 +1,23 @@
title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: experimental
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
author: Florian Roth
date: 2020/07/01
tags:
- cve.2021-1675
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Control\Print\Environments\Windows x64\Drivers'
- '\Manufacturer'
Details: '(Empty)'
condition: selection
falsepositives:
- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
level: high
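Review bot: `date: 2020/07/01` cannot be right for a rule whose only tag is `cve.2021-1675`, a 2021 identifier; `2021/07/01` is almost certainly intended and should be corrected before merge. The rule also carries no `attack.*` tactic or technique tag, unlike the other new rules in this commit — the Mimikatz driver-name rule pairs its CVE tags with `attack.execution`, and this one should be tagged in the same way. The `TargetObject` pattern only covers the `Windows x64` driver environment, so a driver registered under the 32-bit environment would not match; if that scoping is deliberate, a short comment above `selection` saying so would help the next maintainer.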


@ -22,4 +22,5 @@ detection:
condition: selection_registry
falsepositives:
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
- Synergy Software KVM (https://symless.com/synergy)
level: medium


@ -0,0 +1,31 @@
title: Printnightmare Mimimkatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
status: experimental
description: Detects static QMS 810 driver name used by Mimikatz
references:
- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
author: Markus Neis, @markus_neis, Florian Roth
tags:
- attack.execution
- cve.2021-1675
- cve.2021-34527
date: 2021/07/04
modified: 2021/07/05
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|startswith:
-'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
selection_alt:
TargetObject|contains|all:
- 'legitprinter'
- '\Control\Print\Environments\Windows'
condition: selection or selection_alt
falsepositives:
- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
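Review bot: The first `TargetObject|startswith` entry is written `-'HKLM\...\QMS 810\'` with no space after the dash, so YAML reads it as a plain scalar beginning with `-'` rather than as a list item; depending on the parser the following `- 'HKLM\...\mimikatz'` line is then either a parse error or folded into that scalar, and in neither case does the rule get the two-element list it intends. The line should read `- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'`. The title also misspells the tool as `Mimimkatz` and should read `Printnightmare Mimikatz Driver Name`. As with the empty-manufacturer rule in this commit, only the `Windows x64` environment is covered by `selection`; if 32-bit spooler environments matter, a second `startswith` value is needed.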


@ -3,7 +3,8 @@ id: e554f142-5cf3-4e55-ace9-a1b59e0def65
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
status: experimental
date: 2020/10/12
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
modified: 2021/06/27
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
tags:
- attack.lateral_movement
- attack.t1021.002
@ -17,11 +18,11 @@ detection:
selection_one:
EventID: 11
Image: System
TargetFilename: '*\Internet Explorer\iertutil.dll'
TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
selection_two:
EventID: 7
Image: '*\Internet Explorer\iexplore.exe'
ImageLoaded: '*\Internet Explorer\iertutil.dll'
Image|endswith: '\Internet Explorer\iexplore.exe'
ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
condition: selection_one or selection_two
falsepositives:
- Unknown


@ -47,4 +47,19 @@ logsources:
service: msexchange-management
conditions:
EventLog: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
EventLog: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
EventLog: 'Microsoft-Windows-PrintService/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex: logstash-*
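Review bot: The new `windows-smbclient-security` entry keys its condition as `log_name:`, while every visible entry in this file — the existing `msexchange-management` context line and the two `windows-printservice-*` entries added in the same hunk — uses `EventLog:`. This looks like a copy-paste from the sibling config in this commit, which uses `log_name` throughout; for the generated query to select on the same field as the rest of this file the line should read `EventLog: 'Microsoft-Windows-SmbClient/Security'`.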


@ -47,6 +47,21 @@ logsources:
service: msexchange-management
conditions:
log_name: 'MSExchange Management'
windows-printservice-admin:
product: windows
service: printservice-admin
conditions:
log_name: 'Microsoft-Windows-PrintService/Admin'
windows-printservice-operational:
product: windows
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
conditions:
log_name: 'Microsoft-Windows-SmbClient/Security'
defaultindex: <winlogbeat-{now/d}>
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
