mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 09:25:17 +00:00
Updated to use the new process_creation logsource
This commit is contained in:
parent
ae1541242c
commit
45458121c6
@ -8,30 +8,26 @@ tags:
|
||||
- attack.command_and_control
|
||||
- attack.g0016
|
||||
- attack.t1172
|
||||
logsource:
|
||||
product: windows
|
||||
detection:
|
||||
service:
|
||||
EventID: 7045
|
||||
ServiceName: 'Google Update'
|
||||
timeframe: 5m
|
||||
condition: service | near process
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
---
|
||||
# Windows Audit Log
|
||||
logsource:
|
||||
service: system
|
||||
product: windows
|
||||
detection:
|
||||
process:
|
||||
EventID: 4688
|
||||
NewProcessName:
|
||||
- 'C:\Program Files(x86)\Google\GoogleService.exe'
|
||||
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
|
||||
service:
|
||||
EventID: 7045
|
||||
ServiceName: 'Google Update'
|
||||
---
|
||||
# Sysmon
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
process:
|
||||
EventID: 1
|
||||
Image:
|
||||
- 'C:\Program Files(x86)\Google\GoogleService.exe'
|
||||
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
|
||||
|
@ -1,6 +1,5 @@
|
||||
---
|
||||
action: global
|
||||
title: Equation Group DLL_U Load
|
||||
author: Florian Roth
|
||||
description: Detects a specific tool and export used by EquationGroup
|
||||
references:
|
||||
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
|
||||
@ -10,36 +9,16 @@ tags:
|
||||
- attack.execution
|
||||
- attack.g0020
|
||||
- attack.t1059
|
||||
author: Florian Roth
|
||||
date: 2018/03/10
|
||||
modified: 2018/12/11
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
Image: '*\rundll32.exe'
|
||||
CommandLine: '*,dll_u'
|
||||
selection2:
|
||||
CommandLine: '* -export dll_u *'
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection1:
|
||||
EventID: 1
|
||||
Image: '*\rundll32.exe'
|
||||
CommandLine: '*,dll_u'
|
||||
selection2:
|
||||
EventID: 1
|
||||
CommandLine: '* -export dll_u *'
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
||||
detection:
|
||||
selection1:
|
||||
EventID: 4688
|
||||
Image: '*\rundll32.exe'
|
||||
ProcessCommandLine: '*,dll_u'
|
||||
selection2:
|
||||
EventID: 4688
|
||||
ProcessCommandLine: '* -export dll_u *'
|
@ -1,6 +1,5 @@
|
||||
---
|
||||
action: global
|
||||
title: Hurricane Panda Activity
|
||||
author: Florian Roth
|
||||
status: experimental
|
||||
description: Detects Hurricane Panda Activity
|
||||
references:
|
||||
@ -9,34 +8,16 @@ tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.g0009
|
||||
- attack.t1068
|
||||
author: Florian Roth
|
||||
date: 2018/02/25
|
||||
modified: 2018/12/11
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine:
|
||||
- '* localgroup administrators admin /add'
|
||||
- '*\Win64.exe*'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection:
|
||||
EventID: 1
|
||||
CommandLine:
|
||||
- '* localgroup administrators admin /add'
|
||||
- '*\Win64.exe*'
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4688
|
||||
ProcessCommandLine:
|
||||
- '* localgroup administrators admin /add'
|
||||
- '*\Win64.exe*'
|
||||
|
||||
|
||||
|
@ -1,29 +1,23 @@
|
||||
---
|
||||
action: global
|
||||
title: Defrag Deactivation
|
||||
author: Florian Roth
|
||||
description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
|
||||
references:
|
||||
- https://securelist.com/apt-slingshot/84312/
|
||||
tags:
|
||||
- attack.persistence
|
||||
author: Florian Roth
|
||||
date: 2018/03/10
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
|
||||
detection:
|
||||
condition: selection
|
||||
condition: 1 of them
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
---
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection:
|
||||
EventID: 1
|
||||
selection1:
|
||||
CommandLine:
|
||||
- '*schtasks* /delete *Defrag\ScheduledDefrag*'
|
||||
---
|
||||
@ -32,6 +26,6 @@ logsource:
|
||||
service: security
|
||||
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
|
||||
detection:
|
||||
selection:
|
||||
selection2:
|
||||
EventID: 4701
|
||||
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
|
@ -1,6 +1,5 @@
|
||||
---
|
||||
action: global
|
||||
title: Sofacy Trojan Loader Activity
|
||||
author: Florian Roth
|
||||
status: experimental
|
||||
description: Detects Trojan loader acitivty as used by APT28
|
||||
references:
|
||||
@ -9,32 +8,15 @@ references:
|
||||
- https://twitter.com/ClearskySec/status/960924755355369472
|
||||
tags:
|
||||
- attack.g0007
|
||||
author: Florian Roth
|
||||
date: 2018/03/01
|
||||
modified: 2018/12/11
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine:
|
||||
- 'rundll32.exe %APPDATA%\\*.dat",*'
|
||||
- 'rundll32.exe %APPDATA%\\*.dll",#1'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection:
|
||||
EventID: 1
|
||||
CommandLine:
|
||||
- 'rundll32.exe %APPDATA%\\*.dat",*'
|
||||
- 'rundll32.exe %APPDATA%\\*.dll",#1'
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4688
|
||||
ProcessCommandLine:
|
||||
- 'rundll32.exe %APPDATA%\\*.dat",*'
|
||||
- 'rundll32.exe %APPDATA%\\*.dll",#1'
|
||||
|
@ -1,6 +1,5 @@
|
||||
---
|
||||
action: global
|
||||
title: Sofacy Zebrocy
|
||||
author: Florian Roth
|
||||
description: Detects Sofacy's Zebrocy malware execution
|
||||
references:
|
||||
- https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
|
||||
@ -8,27 +7,13 @@ tags:
|
||||
- attack.execution
|
||||
- attack.g0020
|
||||
- attack.t1059
|
||||
author: Florian Roth
|
||||
date: 2018/03/10
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: critical
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection:
|
||||
EventID: 1
|
||||
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
|
||||
---
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4688
|
||||
ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
|
||||
|
@ -1,34 +1,17 @@
|
||||
action: global
|
||||
title: TropicTrooper Campaign November 2018
|
||||
author: "@41thexplorer, Windows Defender ATP"
|
||||
status: stable
|
||||
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
|
||||
references:
|
||||
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
|
||||
author: "@41thexplorer, Windows Defender ATP"
|
||||
date: 2018/11/30
|
||||
modified: 2018/12/11
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1085
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
|
||||
condition: selection
|
||||
level: high
|
||||
---
|
||||
# Windows Security Eventlog: Process Creation with Full Command Line
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4688
|
||||
ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
|
||||
---
|
||||
# Sysmon: Process Creation (ID 1)
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
selection:
|
||||
EventID: 1
|
||||
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
|
||||
level: high
|
Loading…
Reference in New Issue
Block a user