valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ilyas ochkov contribution

Browse Source
This commit is contained in:
Yugoslavskiy Daniil 2019-10-29 03:44:22 +03:00
parent a5ec6722a1
commit 4251d9f490
13 changed files with 396 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
rules/network/net_possible_dns_rebinding.yml Normal file
View File

@ -0,0 +1,22 @@
title: Possible DNS Rebinding
status: experimental
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
- attack.command_and_control
- attack.t1043
logsource:
product: dns
detection:
selection:
answer: '*'
filter1:
ttl: '>0'
filter2:
ttl: '<10'
timeframe: 30s
condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
level: medium

18
rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml Normal file
View File

@ -0,0 +1,18 @@
title: Suspicious reverse connect via HTTP proxy
status: experimental
description: Detects auth on proxy-server by machine account (aka SYSTEM)
author: Ilyas Ochkov, oscd.community
references:
- https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
tags:
- attack.command_and_control
- attack.t1043
logsource:
category: proxy
detection:
selection:
username|re: '\S+\$$'
condition: selection
falsepositives:
- Update OS or other softs which start by SYSTEM
- User account with $ in attribute "SamAccountName"

33
rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml Normal file
View File

@ -0,0 +1,33 @@
title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
status: experimental
description: Detects possible bypass EDR and SIEM via abnormal user account name.
tags:
- attack.defense_evasion
- attack.t1036
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
detection:
condition: 1 of them
fields:
- EventID
- UserName
- SubjectAccountName
falsepositives:
- Unkown
level: medium
---
logsource:
product: windows
service: security
detection:
create_user:
EventID: 4720
UserName: '*$*' #SamAccountName
---
logsource:
product: windows
service: security
detection:
rename_user:
EventID: 4781
UserName: '*$*' #NewTargetUserName

24
rules/windows/builtin/win_possible_dc_sync.yml Normal file
View File

@ -0,0 +1,24 @@
title: Possible DC Sync
description: Detects DC sync via create new SPN
status: experimental
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
references:
- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://jsecurity101.com/2019/Syncing-into-the-Shadows/
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4742
ServicePrincipalNames: '*GC/*'
condition: selection
falsepositives:
- Unkown
level: high

23
rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml Normal file
View File

@ -0,0 +1,23 @@
title: Register new logon process by Rubeus
description: Detects potential use of Rubeus via registered new trusted logon process
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
product: windows
service: security
definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
detection:
selection:
- EventID: 4611
LogonProcessName: 'User32LogonProcesss'
condition: selection
falsepositives:
- Unkown
level: high

27
rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml Normal file
View File

@ -0,0 +1,27 @@
title: Suspicious outbound Kerberos connection
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
tags:
- attack.lateral_movement
- attack.t1208
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestinationPort: 88
filter:
Image:
- '*\lsass.exe'
- '*\opera.exe'
- '*\chrome.exe'
- '*\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
level: high

23
rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml Normal file
View File

@ -0,0 +1,23 @@
title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
product: windows
service: security
detection:
selection:
- EventID: 4673
Service: 'LsaRegisterLogonProcess()'
Keywords: '0x8010000000000000' #failure
condition: selection
falsepositives:
- Unkown
level: high

23
rules/windows/powershell/powershell_clear_powershell_history.yml Normal file
View File

@ -0,0 +1,23 @@
title: Clear PowerShell History
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
- attack.defense_evasion
- attack.t1146
logsource:
product: windows
service: powershell
detection:
keywords:
- 'del (Get-PSReadlineOption).HistorySavePath'
- 'Set-PSReadlineOption HistorySaveStyle SaveNothing'
- 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
- 'rm (Get-PSReadlineOption).HistorySavePath'
condition: keywords
falsepositives:
- some PS-scripts
level: medium

38
rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml Normal file
View File

@ -0,0 +1,38 @@
title: Disable security events logging adding reg key MiniNt
status: experimental
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
tags:
- attack.defense_evasion
- attack.t1089
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
detection:
condition: 1 of them
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- Unkown
level: high
---
logsource:
product: windows
service: sysmon
detection:
key_create:
EventID: 12
TargetObject:
- '*\SYSTEM\*\Control\MiniNt'
---
logsource:
product: windows
service: sysmon
detection:
key_rename:
EventID: 14
NewName:
- '*\SYSTEM\*\Control\MiniNt'

48
rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml Normal file
View File

@ -0,0 +1,48 @@
title: New DLL added to AppCertDlls registry key
status: experimental
description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
tags:
- attack.persistence
- attack.t1182
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
detection:
condition: 1 of them
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- Unkown
level: medium
---
logsource:
product: windows
service: sysmon
detection:
key_create:
EventID: 12
TargetObject:
- '*\SYSTEM\*\Control\Session Manager\AppCertDlls'
---
logsource:
product: windows
service: sysmon
detection:
value_set:
EventID: 13
TargetObject:
- '*\SYSTEM\*\Control\Session Manager\AppCertDlls'
---
logsource:
product: windows
service: sysmon
detection:
key_rename:
EventID: 14
NewName:
- '*\SYSTEM\*\Control\Session Manager\AppCertDlls'

47
rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml Normal file
View File

@ -0,0 +1,47 @@
title: New DLL added to AppInit_DLLs registry key
status: experimental
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
tags:
- attack.persistence
- attack.t1103
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
detection:
condition: 1 of them
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- Unkown
level: medium
---
logsource:
product: windows
service: sysmon
detection:
key_create:
EventID: 12
TargetObject:
- '*\SOFTWARE\*\Windows\AppInit_Dlls'
---
logsource:
product: windows
service: sysmon
detection:
value_set:
EventID: 13
TargetObject:
- '*\SOFTWARE\*\Windows\AppInit_Dlls'
---
logsource:
product: windows
service: sysmon
detection:
key_rename:
EventID: 14
NewName:
- '*\SOFTWARE\*\Windows\AppInit_Dlls'

42
rules/windows/sysmon/sysmon_possible_dns_rebinding.yml Normal file
View File

@ -0,0 +1,42 @@
title: Possible DNS Rebinding
status: experimental
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
- attack.command_and_control
- attack.t1043
logsource:
product: windows
service: sysmon
detection:
dns_answer:
EventID: 22
QueryName: '*'
QueryStatus: '0'
filter_int_ip:
QueryResults:
- '(::ffff:)?10.*'
- '(::ffff:)?192.168.*'
- '(::ffff:)?172.16.*'
- '(::ffff:)?172.17.*'
- '(::ffff:)?172.18.*'
- '(::ffff:)?172.19.*'
- '(::ffff:)?172.20.*'
- '(::ffff:)?172.21.*'
- '(::ffff:)?172.22.*'
- '(::ffff:)?172.23.*'
- '(::ffff:)?172.24.*'
- '(::ffff:)?172.25.*'
- '(::ffff:)?172.26.*'
- '(::ffff:)?172.27.*'
- '(::ffff:)?172.28.*'
- '(::ffff:)?172.29.*'
- '(::ffff:)?172.30.*'
- '(::ffff:)?172.31.*'
- '(::ffff:)?127.*'
timeframe: 30s
condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
level: medium

28
rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml Normal file
View File

@ -0,0 +1,28 @@
title: Suspicious outbound Kerberos connection
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
tags:
- attack.lateral_movement
- attack.t1208
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort: 88
Initiated: 'true'
filter:
Image:
- '*\lsass.exe'
- '*\opera.exe'
- '*\chrome.exe'
- '*\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
level: high