valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Updated to use the new process_creation logsource

Browse Source
This commit is contained in:
Tareq AlKhatib 2019-03-04 16:13:27 +03:00
parent ae1541242c
commit 45458121c6
7 changed files with 52 additions and 152 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
rules/apt/apt_apt29_tor.yml
View File

@ -8,30 +8,26 @@ tags:
- attack.command_and_control
- attack.g0016
- attack.t1172
logsource:
product: windows
detection:
service:
EventID: 7045
ServiceName: 'Google Update'
timeframe: 5m
condition: service | near process
falsepositives:
- Unknown
level: high
---
# Windows Audit Log
logsource:
service: system
product: windows
detection:
process:
EventID: 4688
NewProcessName:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
service:
EventID: 7045
ServiceName: 'Google Update'
---
# Sysmon
logsource:
category: process_creation
product: windows
detection:
process:
EventID: 1
Image:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'

39
rules/apt/apt_equationgroup_dll_u_load.yml
View File

@ -1,6 +1,5 @@
---
action: global
title: Equation Group DLL_U Load
author: Florian Roth
description: Detects a specific tool and export used by EquationGroup
references:
- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
@ -10,36 +9,16 @@ tags:
- attack.execution
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2018/03/10
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection1:
Image: '*\rundll32.exe'
CommandLine: '*,dll_u'
selection2:
CommandLine: '* -export dll_u *'
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
Image: '*\rundll32.exe'
CommandLine: '*,dll_u'
selection2:
EventID: 1
CommandLine: '* -export dll_u *'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
Image: '*\rundll32.exe'
ProcessCommandLine: '*,dll_u'
selection2:
EventID: 4688
ProcessCommandLine: '* -export dll_u *'

35
rules/apt/apt_hurricane_panda.yml
View File

@ -1,6 +1,5 @@
---
action: global
title: Hurricane Panda Activity
author: Florian Roth
status: experimental
description: Detects Hurricane Panda Activity
references:
@ -9,34 +8,16 @@ tags:
- attack.privilege_escalation
- attack.g0009
- attack.t1068
author: Florian Roth
date: 2018/02/25
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
condition: selection
falsepositives:
- Unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'

16
rules/apt/apt_slingshot.yml
View File

@ -1,29 +1,23 @@
---
action: global
title: Defrag Deactivation
author: Florian Roth
description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
tags:
- attack.persistence
author: Florian Roth
date: 2018/03/10
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
condition: selection
condition: 1 of them
falsepositives:
- Unknown
level: medium
---
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
selection1:
CommandLine:
- '*schtasks* /delete *Defrag\ScheduledDefrag*'
---
@ -32,6 +26,6 @@ logsource:
service: security
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection:
selection2:
EventID: 4701
TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'

34
rules/apt/apt_sofacy.yml
View File

@ -1,6 +1,5 @@
---
action: global
title: Sofacy Trojan Loader Activity
author: Florian Roth
status: experimental
description: Detects Trojan loader acitivty as used by APT28
references:
@ -9,32 +8,15 @@ references:
- https://twitter.com/ClearskySec/status/960924755355369472
tags:
- attack.g0007
author: Florian Roth
date: 2018/03/01
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'
condition: selection
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'

27
rules/apt/apt_sofacy_zebrocy.yml
View File

@ -1,6 +1,5 @@
---
action: global
title: Sofacy Zebrocy
author: Florian Roth
description: Detects Sofacy's Zebrocy malware execution
references:
- https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
@ -8,27 +7,13 @@ tags:
- attack.execution
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2018/03/10
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
condition: selection
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'

31
rules/apt/apt_tropictrooper.yml
View File

@ -1,34 +1,17 @@
action: global
title: TropicTrooper Campaign November 2018
author: "@41thexplorer, Windows Defender ATP"
status: stable
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: "@41thexplorer, Windows Defender ATP"
date: 2018/11/30
modified: 2018/12/11
tags:
- attack.execution
- attack.t1085
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
condition: selection
level: high
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
level: high