This commit is contained in:
joker2013 2020-12-16 12:18:24 +03:00
parent e3e0e9caff
commit 5440128979
838 changed files with 39 additions and 11296 deletions

.DS_Store vendored



@ -1,13 +0,0 @@
alert:
- debug
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
filter:
- query:
query_string:
query: data.win.eventdata.signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)
index: wazuh-alerts-3.x-*
name: sigma_av_exploiting
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a highly relevant Antivirus alert that reports a password dumper
filter:
- query:
query_string:
query: data.win.eventdata.signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)
index: wazuh-alerts-3.x-*
name: sigma_av_password_dumper
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
filter:
- query:
query_string:
query: data.win.eventdata.originalFileName.keyword:(C\:\\Windows\\Temp\\* OR C\:\\Temp\\* OR *\\Client\\* OR C\:\\PerfLogs\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\Default\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)
index: wazuh-alerts-3.x-*
name: sigma_av_relevant_files
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a highly relevant Antivirus alert that reports a web shell
filter:
- query:
query_string:
query: data.win.eventdata.signature.keyword:(PHP\/Backdoor* OR JSP\/Backdoor* OR ASP\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)
index: wazuh-alerts-3.x-*
name: sigma_av_webshell
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the presence of a registry key created during Azorult execution
filter:
- query:
query_string:
query: (data.win.system.eventID:("12" OR "13") AND data.win.eventdata.targetObject.keyword:(*SYSTEM\\*\\services\\localNETService))
index: wazuh-alerts-3.x-*
name: sigma_mal_azorult_reg
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
filter:
- query:
query_string:
query: ((data.win.system.eventID:("4103" OR "400") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:"powershell.exe" OR data.win.system.message:"powershell.exe")))
index: wazuh-alerts-3.x-*
name: sigma_powershell_alternate_powershell_hosts
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects keywords that could indicate clearing PowerShell history
filter:
- query:
query_string:
query: "\\*.keyword:(*del\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *Set\\-PSReadlineOption\\ \u2013HistorySaveStyle\\ SaveNothing* OR *Remove\\-Item\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *rm\\ \\(Get\\-PSReadlineOption\\).HistorySavePath*)"
index: wazuh-alerts-3.x-*
name: sigma_powershell_clear_powershell_history
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects creation of a local user via PowerShell
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND data.win.system.message.keyword:(*New\-LocalUser*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_create_local_user
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND keywords.keyword:*\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\-Archive*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_data_compressed
priority: 4
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Dnscat exfiltration tool execution
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND ScriptBlockText.keyword:*Start\-Dnscat2*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_dnscat_execution
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
filter:
- query:
query_string:
query: ((data.win.system.eventID:"400" AND data.win.eventdata.engine Version.keyword:2.*) AND (NOT (powershell.host.version.keyword:2.*)))
index: wazuh-alerts-3.x-*
name: sigma_powershell_downgrade_attack
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects PowerShell called from an executable by the version mismatch method
filter:
- query:
query_string:
query: (data.win.system.eventID:"400" AND data.win.eventdata.engine Version.keyword:(2.* OR 4.* OR 5.*) AND powershell.host.version.keyword:3.*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_exe_calling_ps
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
filter:
- query:
query_string:
query: ((data.win.system.eventID:"4104" AND (ScriptBlockText:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ScriptBlockText:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ScriptBlockText:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ScriptBlockText:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ScriptBlockText:/\*mdr\*\W\s*\)\.Name/ OR ScriptBlockText:/\$VerbosePreference\.ToString\(/ OR ScriptBlockText:/\String\]\s*\$VerbosePreference/)) OR (data.win.system.eventID:"4103" AND (Payload:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR Payload:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR Payload:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR Payload:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR Payload:/\*mdr\*\W\s*\)\.Name/ OR Payload:/\$VerbosePreference\.ToString\(/ OR Payload:/\String\]\s*\$VerbosePreference/)))
index: wazuh-alerts-3.x-*
name: sigma_powershell_invoke_obfuscation_obfuscated_iex
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
filter:
- query:
query_string:
query: (data.win.system.message.keyword:(*Invoke\-DllInjection* OR *Invoke\-Shellcode* OR *Invoke\-WmiCommand* OR *Get\-GPPPassword* OR *Get\-Keystrokes* OR *Get\-TimedScreenshot* OR *Get\-VaultCredential* OR *Invoke\-CredentialInjection* OR *Invoke\-Mimikatz* OR *Invoke\-NinjaCopy* OR *Invoke\-TokenManipulation* OR *Out\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\-ReflectivePEInjection* OR *Invoke\-UserHunter* OR *Find\-GPOLocation* OR *Invoke\-ACLScanner* OR *Invoke\-DowngradeAccount* OR *Get\-ServiceUnquoted* OR *Get\-ServiceFilePermission* OR *Get\-ServicePermission* OR *Invoke\-ServiceAbuse* OR *Install\-ServiceBinary* OR *Get\-RegAutoLogon* OR *Get\-VulnAutoRun* OR *Get\-VulnSchTask* OR *Get\-UnattendedInstallFile* OR *Get\-ApplicationHost* OR *Get\-RegAlwaysInstallElevated* OR *Get\-Unconstrained* OR *Add\-RegBackdoor* OR *Add\-ScrnSaveBackdoor* OR *Gupt\-Backdoor* OR *Invoke\-ADSBackdoor* OR *Enabled\-DuplicateToken* OR *Invoke\-PsUaCme* OR *Remove\-Update* OR *Check\-VM* OR *Get\-LSASecret* OR *Get\-PassHashes* OR *Show\-TargetScreen* OR *Port\-Scan* OR *Invoke\-PoshRatHttp* OR *Invoke\-PowerShellTCP* OR *Invoke\-PowerShellWMI* OR *Add\-Exfiltration* OR *Add\-Persistence* OR *Do\-Exfiltration* OR *Start\-CaptureServer* OR *Get\-ChromeDump* OR *Get\-ClipboardContents* OR *Get\-FoxDump* OR *Get\-IndexedItem* OR *Get\-Screenshot* OR *Invoke\-Inveigh* OR *Invoke\-NetRipper* OR *Invoke\-EgressCheck* OR *Invoke\-PostExfil* OR *Invoke\-PSInject* OR *Invoke\-RunAs* OR *MailRaider* OR *New\-HoneyHash* OR *Set\-MacAttribute* OR *Invoke\-DCSync* OR *Invoke\-PowerDump* OR *Exploit\-Jboss* OR *Invoke\-ThunderStruck* OR *Invoke\-VoiceTroll* OR *Set\-Wallpaper* OR *Invoke\-InveighRelay* OR *Invoke\-PsExec* OR *Invoke\-SSHCommand* OR *Get\-SecurityPackages* OR *Install\-SSP* OR *Invoke\-BackdoorLNK* OR *PowerBreach* OR *Get\-SiteListPassword* OR *Get\-System* OR *Invoke\-BypassUAC* OR *Invoke\-Tater* OR *Invoke\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR 
*Get\-RickAstley* OR *Find\-Fruit* OR *HTTP\-Login* OR *Find\-TrustedDocuments* OR *Invoke\-Paranoia* OR *Invoke\-WinEnum* OR *Invoke\-ARPScan* OR *Invoke\-PortScan* OR *Invoke\-ReverseDNSLookup* OR *Invoke\-SMBScanner* OR *Invoke\-Mimikittenz* OR *Invoke\-AllChecks*) AND (NOT \*.keyword:(*Get\-SystemDriveInfo*)))
index: wazuh-alerts-3.x-*
name: sigma_powershell_malicious_commandlets
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects keywords from well-known PowerShell exploitation frameworks
filter:
- query:
query_string:
query: data.win.system.message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_malicious_keywords
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects Commandlet names and arguments from the Nishang exploitation framework
filter:
- query:
query_string:
query: \*.keyword:(*Add\-ConstrainedDelegationBackdoor* OR *Set\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\-OnTime* OR *HTTP\-Backdoor* OR *Set\-RemotePSRemoting* OR *Set\-RemoteWMI* OR *Invoke\-AmsiBypass* OR *Out\-CHM* OR *Out\-HTA* OR *Out\-SCF* OR *Out\-SCT* OR *Out\-Shortcut* OR *Out\-WebQuery* OR *Out\-Word* OR *Enable\-Duplication* OR *Remove\-Update* OR *Download\-Execute\-PS* OR *Download_Execute* OR *Execute\-Command\-MSSQL* OR *Execute\-DNSTXT\-Code* OR *Out\-RundllCommand* OR *Copy\-VSS* OR *FireBuster* OR *FireListener* OR *Get\-Information* OR *Get\-PassHints* OR *Get\-WLAN\-Keys* OR *Get\-Web\-Credentials* OR *Invoke\-CredentialsPhish* OR *Invoke\-MimikatzWDigestDowngrade* OR *Invoke\-SSIDExfil* OR *Invoke\-SessionGopher* OR *Keylogger* OR *Invoke\-Interceptor* OR *Create\-MultipleSessions* OR *Invoke\-NetworkRelay* OR *Run\-EXEonRemote* OR *Invoke\-Prasadhak* OR *Invoke\-BruteForce* OR *Password\-List* OR *Invoke\-JSRatRegsvr* OR *Invoke\-JSRatRundll* OR *Invoke\-PoshRatHttps* OR *Invoke\-PowerShellIcmp* OR *Invoke\-PowerShellUdp* OR *Invoke\-PSGcat* OR *Invoke\-PsGcatAgent* OR *Remove\-PoshRat* OR *Add\-Persistance* OR *ExetoText* OR *Invoke\-Decode* OR *Invoke\-Encode* OR *Parse_Keys* OR *Remove\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *DataToEncode* OR *LoggedKeys* OR *OUT\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_nishang_malicious_commandlets
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
filter:
- query:
query_string:
query: (\*.keyword:(*set\-content* OR *add\-content*) AND "\-stream")
index: wazuh-alerts-3.x-*
name: sigma_powershell_ntfs_ads_access
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects PowerShell calling a credential prompt
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND data.win.system.message.keyword:(*PromptForCredential*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_prompt_credentials
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of PSAttack PowerShell hack tool
filter:
- query:
query_string:
query: (data.win.system.eventID:"4103" AND "PS\ ATTACK\!\!\!")
index: wazuh-alerts-3.x-*
name: sigma_powershell_psattack
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects remote PowerShell sessions
filter:
- query:
query_string:
query: (data.win.system.eventID:("4103" OR "400") AND HostName:"ServerRemoteHost" AND HostApplication.keyword:*wsmprovhost.exe*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_remote_powershell_session
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects Base64 encoded Shellcode
filter:
- query:
query_string:
query: ((data.win.system.eventID:"4104" AND "*AAAAYInlM*") AND \*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_shellcode_b64
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious PowerShell download command
filter:
- query:
query_string:
query: (data.win.system.message.keyword:*System.Net.WebClient* AND (data.win.system.message.keyword:*.DownloadFile\(* OR data.win.system.message.keyword:*.DownloadString\(*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_download
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious PowerShell invocation command parameters
filter:
- query:
query_string:
query: (\*.keyword:(*\ \-enc\ * OR *\ \-EncodedCommand\ *) AND \*.keyword:(*\ \-w\ hidden\ * OR *\ \-window\ hidden\ * OR *\ \-windowstyle\ hidden\ *) AND \*.keyword:(*\ \-noni\ * OR *\ \-noninteractive\ *))
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_invocation_generic
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious PowerShell invocation command parameters
filter:
- query:
query_string:
query: data.win.system.message.keyword:(*\ \-nop\ \-w\ hidden\ \-c\ *\ \[Convert\]\:\:FromBase64String* OR *\ \-w\ hidden\ \-noni\ \-nop\ \-c\ \"iex\(New\-Object* OR *\ \-w\ hidden\ \-ep\ bypass\ \-Enc* OR *powershell.exe\ reg\ add\ HKCU\\software\\microsoft\\windows\\currentversion\\run* OR *bypass\ \-noprofile\ \-windowstyle\ hidden\ \(new\-object\ system.net.webclient\).download* OR *iex\(New\-Object\ Net.WebClient\).Download*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_invocation_specific
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
filter:
- query:
query_string:
query: data.win.system.message:("System.Reflection.Assembly.Load" OR "\[System.Reflection.Assembly\]\:\:Load" OR "\[Reflection.Assembly\]\:\:Load" OR "System.Reflection.AssemblyName" OR "Reflection.Emit.AssemblyBuilderAccess" OR "Runtime.InteropServices.DllImportAttribute" OR "SuspendThread")
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_keywords
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a change in profile.ps1 of the Powershell profile
filter:
- query:
query_string:
query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:*\\profile.ps1* AND (data.win.eventdata.targetFilename.keyword:*\\My\ Documents\\PowerShell\\* OR data.win.eventdata.targetFilename.keyword:*C\:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_profile_create
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND \*.keyword:(*Set\-ItemProperty* OR *New\-Item*) AND "*CurrentVersion\\Winlogon*")
index: wazuh-alerts-3.x-*
name: sigma_powershell_winlogon_helper_dll
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects parameters used by WMImplant
filter:
- query:
query_string:
query: ScriptBlockText.keyword:(*WMImplant* OR *\ change_user\ * OR *\ gen_cli\ * OR *\ command_exec\ * OR *\ disable_wdigest\ * OR *\ disable_winrm\ * OR *\ enable_wdigest\ * OR *\ enable_winrm\ * OR *\ registry_mod\ * OR *\ remote_posh\ * OR *\ sched_job\ * OR *\ service_mod\ * OR *\ process_kill\ * OR *\ active_users\ * OR *\ basic_info\ * OR *\ power_off\ * OR *\ vacant_system\ * OR *\ logon_events\ *)
index: wazuh-alerts-3.x-*
name: sigma_powershell_wmimplant
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
filter:
- query:
query_string:
query: (data.win.system.eventID:"400" AND HostName:"ConsoleHost" AND data.win.eventdata.commandLine.keyword:(*bxor* OR *join* OR *char*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_xor_commandline
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
filter:
- query:
query_string:
query: ((data.win.system.eventID:"7" AND data.win.eventdata.imageLoaded.keyword:*MicrosoftAccountTokenProvider.dll) AND (NOT (data.win.eventdata.image.keyword:(*BackgroundTaskHost.exe OR *devenv.exe OR *iexplore.exe OR *MicrosoftEdge.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_abusing_azure_browser_sso
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
filter:
- query:
query_string:
query: (data.win.system.eventID:"15" AND (NOT ((hash_imphash:("00000000000000000000000000000000" OR "00000000000000000000000000000000")) OR (NOT _exists_:hash_imphash))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_ads_executable
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
filter:
- query:
query_string:
query: ((data.win.system.eventID:"17" AND data.win.eventdata.pipeName.keyword:\\PSHost*) AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_alternate_powershell_hosts_pipe
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detecting DNS tunnel activity for Muddywater actor
filter:
- query:
query_string:
query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\powershell.exe) AND data.win.eventdata.parentImage.keyword:(*\\excel.exe) AND data.win.eventdata.commandLine.keyword:(*DataExchange.dll*))
index: wazuh-alerts-3.x-*
name: 36222790-0d43-4fe8-86e4-674b27809543_0
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(HKCR\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model OR HKU\\*_Classes\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model OR *\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application OR *\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon OR *\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application OR *\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon OR *\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application OR *\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon OR HKU\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\* OR HKU\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\* OR HKU\\*_Classes\\CLSID\\\{E3517E26\-8E93\-458D\-A6DF\-8030BC80528B\}\\*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_oceanlotus_registry
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects Pandemic Windows Implant
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_pandemic
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects Pandemic Windows Implant
filter:
- query:
query_string:
query: data.win.eventdata.commandLine.keyword:*loaddll\ \-a\ *
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_pandemic
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a named pipe used by Turla group samples
filter:
- query:
query_string:
query: (data.win.system.eventID:("17" OR "18") AND data.win.eventdata.pipeName:("\\atctl" OR "\\userpipe" OR "\\iehelper" OR "\\sdlrpc" OR "\\comnap"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_turla_namedpipes
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects modification of autostart extensibility point (ASEP) in registry
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Load* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Load* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Run* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_asep_reg_keys_modification
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects remote thread creation from CACTUSTORCH as described in references.
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND process_path.keyword:(*\\System32\\cscript.exe OR *\\System32\\wscript.exe OR *\\System32\\mshta.exe OR *\\winword.exe OR *\\excel.exe) AND data.win.eventdata.targetImage.keyword:*\\SysWOW64\\* AND NOT _exists_:thread_start_module)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cactustorch
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
filter:
- query:
query_string:
query: ((data.win.system.eventID:"12" AND data.win.eventdata.targetObject.keyword:*\\cmmgr32.exe* AND data.win.eventdata.eventType:"CreateKey") OR (data.win.system.eventID:"13" AND data.win.eventdata.targetObject.keyword:*\\cmmgr32.exe*) OR (data.win.system.eventID:"10" AND data.win.eventdata.callTrace.keyword:*cmlua.dll*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cmstp_execution
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
filter:
- query:
query_string:
query: data.win.eventdata.parentImage.keyword:*\\cmstp.exe
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cmstp_execution
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND thread_start_address.keyword:(*0B80 OR *0C7C OR *0C88))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cobaltstrike_process_injection
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject:("HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute") AND data.win.eventdata.eventType:("SetValue"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_comhijack_sdclt
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND thread_start_module.keyword:*\\kernel32.dll AND thread_start_function:"LoadLibraryA")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_createremotethread_loadlibrary
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of a executable with a system process name in a suspicious folder
filter:
- query:
query_string:
query: (data.win.eventdata.targetFilename.keyword:(*\\svchost.exe OR *\\rundll32.exe OR *\\services.exe OR *\\powershell.exe OR *\\regsvr32.exe OR *\\spoolsv.exe OR *\\lsass.exe OR *\\smss.exe OR *\\csrss.exe OR *\\conhost.exe OR *\\wininit.exe OR *\\lsm.exe OR *\\winlogon.exe OR *\\explorer.exe OR *\\taskhost.exe OR *\\Taskmgr.exe OR *\\taskmgr.exe OR *\\sihost.exe OR *\\RuntimeBroker.exe OR *\\runtimebroker.exe OR *\\smartscreen.exe OR *\\dllhost.exe OR *\\audiodg.exe OR *\\wlanext.exe) AND (NOT (data.win.eventdata.targetFilename.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\system32\\* OR C\:\\Windows\\SysWow64\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\winsxs\\* OR C\:\\Windows\\WinSxS\\* OR \\SystemRoot\\System32\\*))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_creation_system_file
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects process access LSASS memory which is typical for credentials dumping tools
filter:
- query:
query_string:
query: ((data.win.eventdata.targetImage.keyword:*\\lsass.exe AND data.win.eventdata.grantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (data.win.eventdata.processName.keyword:(*\\wmiprvse.exe OR *\\taskmgr.exe OR *\\procexp64.exe OR *\\procexp.exe OR *\\lsm.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\vmtoolsd.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cred_dump_lsass_access
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
filter:
- query:
query_string:
query: (data.win.eventdata.targetFilename.keyword:(*\\pwdump* OR *\\kirbi* OR *\\pwhashes* OR *\\wce_ccache* OR *\\wce_krbtkts* OR *\\fgdump\-log*) AND data.win.eventdata.targetFilename.keyword:(*\\test.pwd OR *\\lsremora64.dll OR *\\lsremora.dll OR *\\fgexec.exe OR *\\wceaux.dll OR *\\SAM.out OR *\\SECURITY.out OR *\\SYSTEM.out OR *\\NTDS.out OR *\\DumpExt.dll OR *\\DumpSvc.exe OR *\\cachedump64.exe OR *\\cachedump.exe OR *\\pstgdump.exe OR *\\servpw.exe OR *\\servpw64.exe OR *\\pwdump.exe OR *\\procdump64.exe))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cred_dump_tools_dropped_files
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects well-known credential dumping tools execution via specific named pipes
filter:
- query:
query_string:
query: (data.win.system.eventID:"17" AND data.win.eventdata.pipeName.keyword:(*\\lsadump* OR *\\cachedump* OR *\\wceservicepipe*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cred_dump_tools_named_pipes
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Ports* AND data.win.eventdata.eventType:("SetValue" OR "DeleteValue" OR "CreateValue") AND Details.keyword:(*.dll* OR *.exe* OR *.bat* OR *.com* OR *C\:*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cve-2020-1048
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\Services\\DHCPServer\\Parameters\\CalloutDlls OR *\\Services\\DHCPServer\\Parameters\\CalloutEnabled)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dhcp_calloutdll
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
filter:
- query:
query_string:
query: ((data.win.eventdata.targetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" AND data.win.eventdata.eventType:"CreateKey") OR NewName:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_disable_security_events_logging_adding_reg_key_minint
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects Dllhost that communicates with public IP addresses
filter:
- query:
query_string:
query: ((data.win.eventdata.image.keyword:*\\dllhost.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dllhost_net_connections
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*\\services\\DNS\\Parameters\\ServerLevelPluginDll
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dns_serverlevelplugindll
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.commandLine.keyword:dnscmd.exe\ \/config\ \/serverlevelplugindll\ *
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dns_serverlevelplugindll
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled AND Details:"DWORD\ \(0x00000000\)")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_etw_disabled
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects possible SafetyKatz Behaviour
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:*\\Temp\\debug.bin
index: wazuh-alerts-3.x-*
name: sigma_sysmon_ghostpack_safetykatz
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
filter:
- query:
query_string:
query: hash_imphash:("09D278F9DE118EF09163C6140255C690" OR "09d278f9de118ef09163c6140255c690")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_hack_dumpert
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename:"C\:\\Windows\\Temp\\dumpert.dmp"
index: wazuh-alerts-3.x-*
name: sigma_sysmon_hack_dumpert
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Windows Credential Editor (WCE)
filter:
- query:
query_string:
query: (data.win.system.eventID:"1" AND (hash_imphash:("a53a02b997935fd8eedcb5f7abab9b9f" OR "A53A02B997935FD8EEDCB5F7ABAB9B9F" OR "e96a73c7bf33a464c510ede582318bf2" OR "E96A73C7BF33A464C510EDE582318BF2") OR (data.win.eventdata.commandLine.keyword:*.exe\ \-S AND data.win.eventdata.parentImage.keyword:*\\services.exe)))
index: wazuh-alerts-3.x-*
name: 7aa7009a-28b9-4344-8c1f-159489a390df_0
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Windows Credential Editor (WCE)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*Services\\WCESERVICE\\Start*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_hack_wce_reg
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
filter:
- query:
query_string:
query: (data.win.eventdata.callTrace.keyword:(C\:\\Windows\\SYSTEM32\\ntdll.dll\+*|C\:\\Windows\\System32\\KERNELBASE.dll\+*|UNKNOWN\(*\) OR *UNKNOWN\(*\)|UNKNOWN\(*\)) OR (data.win.eventdata.callTrace.keyword:*UNKNOWN* AND data.win.eventdata.grantedAccess:("0x1F0FFF" OR "0x1F1FFF" OR "0x143A" OR "0x1410" OR "0x1010" OR "0x1F2FFF" OR "0x1F3FFF" OR "0x1FFFFF")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_in_memory_assembly_execution
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
filter:
- query:
query_string:
query: (ImageLoaded.keyword:(*\\System.Management.Automation.Dll OR *\\System.Management.Automation.ni.Dll) AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\WINDOWS\\System32\\sdiagnhost.exe OR *\\mscorsvw.exe OR *\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_in_memory_powershell
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage.keyword:*\\windows\\system32\\svchost.exe AND data.win.eventdata.grantedAccess:"0x1f3fff" AND data.win.eventdata.callTrace.keyword:(*unknown*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_invoke_phantom
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects LSASS process access by LaZagne for credential dumping.
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage.keyword:*\\lsass.exe AND data.win.eventdata.callTrace.keyword:C\:\\Windows\\SYSTEM32\\ntdll.dll\+*|C\:\\Windows\\System32\\KERNELBASE.dll\+*_ctypes.pyd\+*python27.dll\+* AND data.win.eventdata.grantedAccess:"0x1FFFFF")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_lazagne_cred_dump_lsass_access
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects creation or execution of UserInitMprLogonScript persistence method
filter:
- query:
query_string:
query: (data.win.system.eventID:"1" AND ((data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:*\\userinit.exe AND (NOT (data.win.eventdata.image.keyword:*\\explorer.exe))) AND (NOT (data.win.eventdata.commandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR data.win.eventdata.commandLine.keyword:*UserInitMprLogonScript*))
index: wazuh-alerts-3.x-*
name: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458_0
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects creation or execution of UserInitMprLogonScript persistence method
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*UserInitMprLogonScript*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_logon_scripts_userinitmprlogonscript_reg
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND data.win.eventdata.grantedAccess:"0x1fffff" AND data.win.eventdata.callTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_lsass_memdump
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
filter:
- query:
query_string:
query: (data.win.eventdata.targetFilename.keyword:*lsass* AND data.win.eventdata.targetFilename.keyword:*dmp)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_lsass_memory_dump_file_creation
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of a named pipe used by known APT malware
filter:
- query:
query_string:
query: (data.win.system.eventID:("17" OR "18") AND data.win.eventdata.pipeName.keyword:(\\isapi_http OR \\isapi_dg OR \\isapi_dg2 OR \\sdlrpc OR \\ahexec OR \\winsession OR \\lsassw OR \\46a676ab7f179e511e30dd2dc41bd388 OR \\9f81f59bc58452127884ce513865ed20 OR \\e710f28d59aa529d6792ca6ff0ca1b34 OR \\rpchlp_3 OR \\NamePipe_MoreWindows OR \\pcheap_reuse OR \\msagent_* OR \\gruntsvc))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_mal_namedpipes
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
filter:
- query:
query_string:
query: ((Initiated:"true" AND data.win.eventdata.destinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((data.win.eventdata.image.keyword:*\\Program\ Files* OR (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_malware_backconnect_ports
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
filter:
- query:
query_string:
query: ((data.win.eventdata.targetImage.keyword:*\\verclsid.exe AND data.win.eventdata.grantedAccess:"0x1FFFFF") AND (data.win.eventdata.callTrace.keyword:*|UNKNOWN\(*VBE7.DLL* OR (process_path.keyword:*\\Microsoft\ Office\\* AND data.win.eventdata.callTrace.keyword:*|UNKNOWN*)))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_malware_verclsid_shellcode
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
filter:
- query:
query_string:
query: (data.win.system.eventID:"10" AND data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND data.win.eventdata.grantedAccess:("0x1410" OR "0x1010"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_mimikatz_detection_lsass
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND process_path:"C\:\\Windows\\system32\\wsmprovhost.exe")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_mimikatz_trough_winrm
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects abusing Windows 10 Narrator's Feedback-Hub
filter:
- query:
query_string:
query: ((data.win.eventdata.eventType:"DeleteValue" AND data.win.eventdata.targetObject.keyword:*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute) OR data.win.eventdata.targetObject.keyword:*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\\(Default\))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_narrator_feedback_persistance
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\AppCertDlls" OR NewName:"HKLM\\SYSTEM\\CurentControlSet\\Control\\Session\ Manager\\AppCertDlls")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_new_dll_added_to_appcertdlls_registry_key
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR *\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls) OR NewName.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR *\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_new_dll_added_to_appinit_dlls_registry_key
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious network connection by Notepad
filter:
- query:
query_string:
query: (data.win.eventdata.image.keyword:*\\notepad.exe AND (NOT (data.win.eventdata.destinationPort:"9100")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_notepad_network_connection
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
filter:
- query:
query_string:
query: (((data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Word\\Startup\\* AND data.win.eventdata.targetFilename.keyword:*.wll) OR (data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Excel\\Startup\\* AND data.win.eventdata.targetFilename.keyword:*.xll)) OR (data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Addins\\* AND data.win.eventdata.targetFilename.keyword:(*.xlam OR *.xla)))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_office_persistence
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND data.win.eventdata.targetImage:"C\:\\Windows\\System32\\lsass.exe" AND thread_start_module:"")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_password_dumper_lsass
priority: 2
realert:
minutes: 0
type: any


@ -1,20 +0,0 @@
alert:
- debug
buffer_time:
seconds: 30
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
doc_type: doc
filter:
- query:
query_string:
query: (data.win.system.eventID:"22" AND QueryName.keyword:* AND QueryStatus:"0" AND QueryResults.keyword:(\(\:\:ffff\:\)?10.* OR \(\:\:ffff\:\)?192.168.* OR \(\:\:ffff\:\)?172.16.* OR \(\:\:ffff\:\)?172.17.* OR \(\:\:ffff\:\)?172.18.* OR \(\:\:ffff\:\)?172.19.* OR \(\:\:ffff\:\)?172.20.* OR \(\:\:ffff\:\)?172.21.* OR \(\:\:ffff\:\)?172.22.* OR \(\:\:ffff\:\)?172.23.* OR \(\:\:ffff\:\)?172.24.* OR \(\:\:ffff\:\)?172.25.* OR \(\:\:ffff\:\)?172.26.* OR \(\:\:ffff\:\)?172.27.* OR \(\:\:ffff\:\)?172.28.* OR \(\:\:ffff\:\)?172.29.* OR \(\:\:ffff\:\)?172.30.* OR \(\:\:ffff\:\)?172.31.* OR \(\:\:ffff\:\)?127.*) AND (data.win.system.eventID:"22" AND QueryName.keyword:* AND QueryStatus:"0") AND (NOT (QueryResults.keyword:(\(\:\:ffff\:\)?10.* OR \(\:\:ffff\:\)?192.168.* OR \(\:\:ffff\:\)?172.16.* OR \(\:\:ffff\:\)?172.17.* OR \(\:\:ffff\:\)?172.18.* OR \(\:\:ffff\:\)?172.19.* OR \(\:\:ffff\:\)?172.20.* OR \(\:\:ffff\:\)?172.21.* OR \(\:\:ffff\:\)?172.22.* OR \(\:\:ffff\:\)?172.23.* OR \(\:\:ffff\:\)?172.24.* OR \(\:\:ffff\:\)?172.25.* OR \(\:\:ffff\:\)?172.26.* OR \(\:\:ffff\:\)?172.27.* OR \(\:\:ffff\:\)?172.28.* OR \(\:\:ffff\:\)?172.29.* OR \(\:\:ffff\:\)?172.30.* OR \(\:\:ffff\:\)?172.31.* OR \(\:\:ffff\:\)?127.*))))
index: wazuh-alerts-3.x-*
max_threshold: 3
metric_agg_key: QueryName.keyword
metric_agg_type: cardinality
name: sigma_sysmon_possible_dns_rebinding
priority: 3
query_key: data.win.system.computer.keyword
realert:
minutes: 0
type: metric_aggregation


@ -1,13 +0,0 @@
alert:
- debug
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
filter:
- query:
query_string:
query: (IntegrityLevel:"Medium" AND data.win.eventdata.targetObject.keyword:*\\services\\* AND data.win.eventdata.targetObject.keyword:(*\\ImagePath OR *\\FailureCommand OR *\\Parameters\\ServiceDll))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects execution of PowerShell
filter:
- query:
query_string:
query: (data.win.eventdata.description:"system.management.automation" AND ImageLoaded.keyword:*system.management.automation*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_powershell_execution_moduleload
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of known powershell scripts for exploitation
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:(*\\Invoke\-DllInjection.ps1 OR *\\Invoke\-WmiCommand.ps1 OR *\\Get\-GPPPassword.ps1 OR *\\Get\-Keystrokes.ps1 OR *\\Get\-VaultCredential.ps1 OR *\\Invoke\-CredentialInjection.ps1 OR *\\Invoke\-Mimikatz.ps1 OR *\\Invoke\-NinjaCopy.ps1 OR *\\Invoke\-TokenManipulation.ps1 OR *\\Out\-Minidump.ps1 OR *\\VolumeShadowCopyTools.ps1 OR *\\Invoke\-ReflectivePEInjection.ps1 OR *\\Get\-TimedScreenshot.ps1 OR *\\Invoke\-UserHunter.ps1 OR *\\Find\-GPOLocation.ps1 OR *\\Invoke\-ACLScanner.ps1 OR *\\Invoke\-DowngradeAccount.ps1 OR *\\Get\-ServiceUnquoted.ps1 OR *\\Get\-ServiceFilePermission.ps1 OR *\\Get\-ServicePermission.ps1 OR *\\Invoke\-ServiceAbuse.ps1 OR *\\Install\-ServiceBinary.ps1 OR *\\Get\-RegAutoLogon.ps1 OR *\\Get\-VulnAutoRun.ps1 OR *\\Get\-VulnSchTask.ps1 OR *\\Get\-UnattendedInstallFile.ps1 OR *\\Get\-WebConfig.ps1 OR *\\Get\-ApplicationHost.ps1 OR *\\Get\-RegAlwaysInstallElevated.ps1 OR *\\Get\-Unconstrained.ps1 OR *\\Add\-RegBackdoor.ps1 OR *\\Add\-ScrnSaveBackdoor.ps1 OR *\\Gupt\-Backdoor.ps1 OR *\\Invoke\-ADSBackdoor.ps1 OR *\\Enabled\-DuplicateToken.ps1 OR *\\Invoke\-PsUaCme.ps1 OR *\\Remove\-Update.ps1 OR *\\Check\-VM.ps1 OR *\\Get\-LSASecret.ps1 OR *\\Get\-PassHashes.ps1 OR *\\Show\-TargetScreen.ps1 OR *\\Port\-Scan.ps1 OR *\\Invoke\-PoshRatHttp.ps1 OR *\\Invoke\-PowerShellTCP.ps1 OR *\\Invoke\-PowerShellWMI.ps1 OR *\\Add\-Exfiltration.ps1 OR *\\Add\-Persistence.ps1 OR *\\Do\-Exfiltration.ps1 OR *\\Start\-CaptureServer.ps1 OR *\\Invoke\-ShellCode.ps1 OR *\\Get\-ChromeDump.ps1 OR *\\Get\-ClipboardContents.ps1 OR *\\Get\-FoxDump.ps1 OR *\\Get\-IndexedItem.ps1 OR *\\Get\-Screenshot.ps1 OR *\\Invoke\-Inveigh.ps1 OR *\\Invoke\-NetRipper.ps1 OR *\\Invoke\-EgressCheck.ps1 OR *\\Invoke\-PostExfil.ps1 OR *\\Invoke\-PSInject.ps1 OR *\\Invoke\-RunAs.ps1 OR *\\MailRaider.ps1 OR *\\New\-HoneyHash.ps1 OR *\\Set\-MacAttribute.ps1 OR *\\Invoke\-DCSync.ps1 OR *\\Invoke\-PowerDump.ps1 OR *\\Exploit\-Jboss.ps1 OR 
*\\Invoke\-ThunderStruck.ps1 OR *\\Invoke\-VoiceTroll.ps1 OR *\\Set\-Wallpaper.ps1 OR *\\Invoke\-InveighRelay.ps1 OR *\\Invoke\-PsExec.ps1 OR *\\Invoke\-SSHCommand.ps1 OR *\\Get\-SecurityPackages.ps1 OR *\\Install\-SSP.ps1 OR *\\Invoke\-BackdoorLNK.ps1 OR *\\PowerBreach.ps1 OR *\\Get\-SiteListPassword.ps1 OR *\\Get\-System.ps1 OR *\\Invoke\-BypassUAC.ps1 OR *\\Invoke\-Tater.ps1 OR *\\Invoke\-WScriptBypassUAC.ps1 OR *\\PowerUp.ps1 OR *\\PowerView.ps1 OR *\\Get\-RickAstley.ps1 OR *\\Find\-Fruit.ps1 OR *\\HTTP\-Login.ps1 OR *\\Find\-TrustedDocuments.ps1 OR *\\Invoke\-Paranoia.ps1 OR *\\Invoke\-WinEnum.ps1 OR *\\Invoke\-ARPScan.ps1 OR *\\Invoke\-PortScan.ps1 OR *\\Invoke\-ReverseDNSLookup.ps1 OR *\\Invoke\-SMBScanner.ps1 OR *\\Invoke\-Mimikittenz.ps1)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_powershell_exploit_scripts
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
filter:
- query:
query_string:
query: ((data.win.eventdata.image.keyword:*\\powershell.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND user_account:"NT\ AUTHORITY\\SYSTEM")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_powershell_network_connection
priority: 4
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a dump file written by QuarksPwDump password dumper
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:*\\AppData\\Local\\Temp\\SAM\-*.dmp*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_quarkspw_filedump
priority: 1
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Raw disk access using illegitimate tools, possible defence evasion
filter:
- query:
query_string:
query: ((data.win.system.eventID:"9" AND (NOT (data.win.eventdata.deviceName.keyword:*floppy*))) AND (NOT (data.win.eventdata.image.keyword:(*\\wmiprvse.exe OR *\\sdiagnhost.exe OR *\\searchindexer.exe OR *\\csrss.exe OR *\\defrag.exe OR *\\smss.exe OR *\\vssvc.exe OR *\\compattelrunner.exe OR *\\wininit.exe OR *\\autochk.exe OR *\\taskhost.exe OR *\\dfsrs.exe OR *\\vds.exe OR *\\lsass.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_raw_disk_access_using_illegitimate_tools
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:(*\\CurrentControlSet\\Control\\Terminal\ Server\\WinStations\\RDP\-Tcp\\UserAuthentication OR *\\CurrentControlSet\\Control\\Terminal\ Server\\fDenyTSConnections) AND Details:"DWORD\ \(0x00000000\)")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rdp_registry_modification
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
filter:
- query:
query_string:
query: (data.win.eventdata.image.keyword:*\\svchost.exe AND Initiated:"true" AND data.win.eventdata.sourcePort:"3389" AND data.win.eventdata.destinationIp.keyword:(127.* OR \:\:1))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rdp_reverse_tunnel
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects changes to RDP terminal service sensitive settings
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\services\\TermService\\Parameters\\ServiceDll* OR *\\Control\\Terminal\ Server\\fSingleSessionPerUser* OR *\\Control\\Terminal\ Server\\fDenyTSConnections*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rdp_settings_hijack
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects actions caused by the RedMimicry Winnti playbook
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:(*gthread\-3.6.dll* OR *sigcmm\-2.4.dll* OR *\\Windows\\Temp\\tmp.bat*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_redmimicry_winnti_filedrop
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects actions caused by the RedMimicry Winnti playbook
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_redmimicry_winnti_reg
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects registry changes to Office macro settings
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:(*\\Security\\Trusted\ Documents\\TrustRecords OR *\\Security\\AccessVBOM OR *\\Security\\VBAWarnings) AND data.win.eventdata.eventType:("SetValue" OR "DeleteValue" OR "CreateValue"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_reg_office_security
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects COM object hijacking via TreatAs subkey
filter:
- query:
query_string:
query: (data.win.eventdata.eventType:"CreateKey" AND data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\CLSID\\*\\TreatAs)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_registry_persistence_key_linking
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects potential COM object hijacking leveraging the COM Search Order
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\CLSID\\*\\InProcServer32\\\(Default\) AND (NOT (Details.keyword:(%%systemroot%%\\system32\\* OR %%systemroot%%\\SysWow64\\* OR *\\AppData\\Local\\Microsoft\\OneDrive\\*\\FileCoAuthLib64.dll OR *\\AppData\\Local\\Microsoft\\OneDrive\\*\\FileSyncShell64.dll OR *\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\*\\Microsoft.Teams.AddinLoader.dll))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_registry_persistence_search_order
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Alerts on trust record modification within the registry, indicating usage of macros
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*TrustRecords*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_registry_trust_record_modification
priority: 3
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects network connections and DNS queries initiated by Regsvr32.exe
filter:
- query:
query_string:
query: data.win.eventdata.image.keyword:*\\regsvr32.exe
index: wazuh-alerts-3.x-*
name: sigma_sysmon_regsvr32_network_activity
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects network connections and DNS queries initiated by Regsvr32.exe
filter:
- query:
query_string:
query: data.win.eventdata.image.keyword:*\\regsvr32.exe
index: wazuh-alerts-3.x-*
name: sigma_sysmon_regsvr32_network_activity
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account
filter:
- query:
query_string:
query: (data.win.eventdata.destinationPort:("5985" OR "5986") AND (NOT (user_account:"NT\ AUTHORITY\\NETWORK\ SERVICE")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_remote_powershell_session_network
priority: 2
realert:
minutes: 0
type: any


@ -1,13 +0,0 @@
alert:
- debug
description: Detects a rundll32 that communicates with public IP addresses
filter:
- query:
query_string:
query: ((data.win.eventdata.image.keyword:*\\rundll32.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rundll32_net_connections
priority: 3
realert:
minutes: 0
type: any
