123
This commit is contained in:
parent
e3e0e9caff
commit
5440128979
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
filter:
- query:
query_string:
query: data.win.eventdata.signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)
index: wazuh-alerts-3.x-*
name: sigma_av_exploiting
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a highly relevant Antivirus alert that reports a password dumper
filter:
- query:
query_string:
query: data.win.eventdata.signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)
index: wazuh-alerts-3.x-*
name: sigma_av_password_dumper
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
filter:
- query:
query_string:
query: data.win.eventdata.originalFileName.keyword:(C\:\\Windows\\Temp\\* OR C\:\\Temp\\* OR *\\Client\\* OR C\:\\PerfLogs\\* OR C\:\\Users\\Public\\* OR C\:\\Users\\Default\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.sct OR *.vbe OR *.wsf OR *.wsh)
index: wazuh-alerts-3.x-*
name: sigma_av_relevant_files
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a highly relevant Antivirus alert that reports a web shell
filter:
- query:
query_string:
query: data.win.eventdata.signature.keyword:(PHP\/Backdoor* OR JSP\/Backdoor* OR ASP\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)
index: wazuh-alerts-3.x-*
name: sigma_av_webshell
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the presence of a registry key created during Azorult execution
filter:
- query:
query_string:
query: (data.win.system.eventID:("12" OR "13") AND data.win.eventdata.targetObject.keyword:(*SYSTEM\\*\\services\\localNETService))
index: wazuh-alerts-3.x-*
name: sigma_mal_azorult_reg
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
filter:
- query:
query_string:
query: ((data.win.system.eventID:("4103" OR "400") AND ContextInfo.keyword:*) AND (NOT (ContextInfo:"powershell.exe" OR data.win.system.message:"powershell.exe")))
index: wazuh-alerts-3.x-*
name: sigma_powershell_alternate_powershell_hosts
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects keywords that could indicate clearing PowerShell history
filter:
- query:
query_string:
query: "\\*.keyword:(*del\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *Set\\-PSReadlineOption\\ \u2013HistorySaveStyle\\ SaveNothing* OR *Remove\\-Item\\ \\(Get\\-PSReadlineOption\\).HistorySavePath* OR *rm\\ \\(Get\\-PSReadlineOption\\).HistorySavePath*)"
index: wazuh-alerts-3.x-*
name: sigma_powershell_clear_powershell_history
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects creation of a local user via PowerShell
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND data.win.system.message.keyword:(*New\-LocalUser*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_create_local_user
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND keywords.keyword:*\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\-Archive*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_data_compressed
priority: 4
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Dnscat exfiltration tool execution
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND ScriptBlockText.keyword:*Start\-Dnscat2*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_dnscat_execution
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
filter:
- query:
query_string:
query: ((data.win.system.eventID:"400" AND data.win.eventdata.engine Version.keyword:2.*) AND (NOT (powershell.host.version.keyword:2.*)))
index: wazuh-alerts-3.x-*
name: sigma_powershell_downgrade_attack
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects PowerShell called from an executable by the version mismatch method
filter:
- query:
query_string:
query: (data.win.system.eventID:"400" AND data.win.eventdata.engine Version.keyword:(2.* OR 4.* OR 5.*) AND powershell.host.version.keyword:3.*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_exe_calling_ps
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
filter:
- query:
query_string:
query: ((data.win.system.eventID:"4104" AND (ScriptBlockText:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR ScriptBlockText:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR ScriptBlockText:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR ScriptBlockText:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR ScriptBlockText:/\*mdr\*\W\s*\)\.Name/ OR ScriptBlockText:/\$VerbosePreference\.ToString\(/ OR ScriptBlockText:/\String\]\s*\$VerbosePreference/)) OR (data.win.system.eventID:"4103" AND (Payload:/\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[/ OR Payload:/\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[/ OR Payload:/\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[/ OR Payload:/\$env:ComSpec\[(\s*\d{1,3}\s*,){2}/ OR Payload:/\*mdr\*\W\s*\)\.Name/ OR Payload:/\$VerbosePreference\.ToString\(/ OR Payload:/\String\]\s*\$VerbosePreference/)))
index: wazuh-alerts-3.x-*
name: sigma_powershell_invoke_obfuscation_obfuscated_iex
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
filter:
- query:
query_string:
query: (data.win.system.message.keyword:(*Invoke\-DllInjection* OR *Invoke\-Shellcode* OR *Invoke\-WmiCommand* OR *Get\-GPPPassword* OR *Get\-Keystrokes* OR *Get\-TimedScreenshot* OR *Get\-VaultCredential* OR *Invoke\-CredentialInjection* OR *Invoke\-Mimikatz* OR *Invoke\-NinjaCopy* OR *Invoke\-TokenManipulation* OR *Out\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\-ReflectivePEInjection* OR *Invoke\-UserHunter* OR *Find\-GPOLocation* OR *Invoke\-ACLScanner* OR *Invoke\-DowngradeAccount* OR *Get\-ServiceUnquoted* OR *Get\-ServiceFilePermission* OR *Get\-ServicePermission* OR *Invoke\-ServiceAbuse* OR *Install\-ServiceBinary* OR *Get\-RegAutoLogon* OR *Get\-VulnAutoRun* OR *Get\-VulnSchTask* OR *Get\-UnattendedInstallFile* OR *Get\-ApplicationHost* OR *Get\-RegAlwaysInstallElevated* OR *Get\-Unconstrained* OR *Add\-RegBackdoor* OR *Add\-ScrnSaveBackdoor* OR *Gupt\-Backdoor* OR *Invoke\-ADSBackdoor* OR *Enabled\-DuplicateToken* OR *Invoke\-PsUaCme* OR *Remove\-Update* OR *Check\-VM* OR *Get\-LSASecret* OR *Get\-PassHashes* OR *Show\-TargetScreen* OR *Port\-Scan* OR *Invoke\-PoshRatHttp* OR *Invoke\-PowerShellTCP* OR *Invoke\-PowerShellWMI* OR *Add\-Exfiltration* OR *Add\-Persistence* OR *Do\-Exfiltration* OR *Start\-CaptureServer* OR *Get\-ChromeDump* OR *Get\-ClipboardContents* OR *Get\-FoxDump* OR *Get\-IndexedItem* OR *Get\-Screenshot* OR *Invoke\-Inveigh* OR *Invoke\-NetRipper* OR *Invoke\-EgressCheck* OR *Invoke\-PostExfil* OR *Invoke\-PSInject* OR *Invoke\-RunAs* OR *MailRaider* OR *New\-HoneyHash* OR *Set\-MacAttribute* OR *Invoke\-DCSync* OR *Invoke\-PowerDump* OR *Exploit\-Jboss* OR *Invoke\-ThunderStruck* OR *Invoke\-VoiceTroll* OR *Set\-Wallpaper* OR *Invoke\-InveighRelay* OR *Invoke\-PsExec* OR *Invoke\-SSHCommand* OR *Get\-SecurityPackages* OR *Install\-SSP* OR *Invoke\-BackdoorLNK* OR *PowerBreach* OR *Get\-SiteListPassword* OR *Get\-System* OR *Invoke\-BypassUAC* OR *Invoke\-Tater* OR *Invoke\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR 
*Get\-RickAstley* OR *Find\-Fruit* OR *HTTP\-Login* OR *Find\-TrustedDocuments* OR *Invoke\-Paranoia* OR *Invoke\-WinEnum* OR *Invoke\-ARPScan* OR *Invoke\-PortScan* OR *Invoke\-ReverseDNSLookup* OR *Invoke\-SMBScanner* OR *Invoke\-Mimikittenz* OR *Invoke\-AllChecks*) AND (NOT \*.keyword:(*Get\-SystemDriveInfo*)))
index: wazuh-alerts-3.x-*
name: sigma_powershell_malicious_commandlets
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects keywords from well-known PowerShell exploitation frameworks
filter:
- query:
query_string:
query: data.win.system.message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_malicious_keywords
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects Commandlet names and arguments from the Nishang exploitation framework
filter:
- query:
query_string:
query: \*.keyword:(*Add\-ConstrainedDelegationBackdoor* OR *Set\-DCShadowPermissions* OR *DNS_TXT_Pwnage* OR *Execute\-OnTime* OR *HTTP\-Backdoor* OR *Set\-RemotePSRemoting* OR *Set\-RemoteWMI* OR *Invoke\-AmsiBypass* OR *Out\-CHM* OR *Out\-HTA* OR *Out\-SCF* OR *Out\-SCT* OR *Out\-Shortcut* OR *Out\-WebQuery* OR *Out\-Word* OR *Enable\-Duplication* OR *Remove\-Update* OR *Download\-Execute\-PS* OR *Download_Execute* OR *Execute\-Command\-MSSQL* OR *Execute\-DNSTXT\-Code* OR *Out\-RundllCommand* OR *Copy\-VSS* OR *FireBuster* OR *FireListener* OR *Get\-Information* OR *Get\-PassHints* OR *Get\-WLAN\-Keys* OR *Get\-Web\-Credentials* OR *Invoke\-CredentialsPhish* OR *Invoke\-MimikatzWDigestDowngrade* OR *Invoke\-SSIDExfil* OR *Invoke\-SessionGopher* OR *Keylogger* OR *Invoke\-Interceptor* OR *Create\-MultipleSessions* OR *Invoke\-NetworkRelay* OR *Run\-EXEonRemote* OR *Invoke\-Prasadhak* OR *Invoke\-BruteForce* OR *Password\-List* OR *Invoke\-JSRatRegsvr* OR *Invoke\-JSRatRundll* OR *Invoke\-PoshRatHttps* OR *Invoke\-PowerShellIcmp* OR *Invoke\-PowerShellUdp* OR *Invoke\-PSGcat* OR *Invoke\-PsGcatAgent* OR *Remove\-PoshRat* OR *Add\-Persistance* OR *ExetoText* OR *Invoke\-Decode* OR *Invoke\-Encode* OR *Parse_Keys* OR *Remove\-Persistence* OR *StringtoBase64* OR *TexttoExe* OR *Powerpreter* OR *Nishang* OR *DataToEncode* OR *LoggedKeys* OR *OUT\-DNSTXT* OR *Jitter* OR *ExfilOption* OR *Tamper* OR *DumpCerts* OR *DumpCreds* OR *Shellcode32* OR *Shellcode64* OR *NotAllNameSpaces* OR *exfill* OR *FakeDC*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_nishang_malicious_commandlets
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
filter:
- query:
query_string:
query: (\*.keyword:(*set\-content* OR *add\-content*) AND "\-stream")
index: wazuh-alerts-3.x-*
name: sigma_powershell_ntfs_ads_access
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects PowerShell calling a credential prompt
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND data.win.system.message.keyword:(*PromptForCredential*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_prompt_credentials
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of PSAttack PowerShell hack tool
filter:
- query:
query_string:
query: (data.win.system.eventID:"4103" AND "PS\ ATTACK\!\!\!")
index: wazuh-alerts-3.x-*
name: sigma_powershell_psattack
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects remote PowerShell sessions
filter:
- query:
query_string:
query: (data.win.system.eventID:("4103" OR "400") AND HostName:"ServerRemoteHost" AND HostApplication.keyword:*wsmprovhost.exe*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_remote_powershell_session
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects Base64 encoded Shellcode
filter:
- query:
query_string:
query: ((data.win.system.eventID:"4104" AND "*AAAAYInlM*") AND \*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_shellcode_b64
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious PowerShell download command
filter:
- query:
query_string:
query: (data.win.system.message.keyword:*System.Net.WebClient* AND (data.win.system.message.keyword:*.DownloadFile\(* OR data.win.system.message.keyword:*.DownloadString\(*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_download
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious PowerShell invocation command parameters
filter:
- query:
query_string:
query: (\*.keyword:(*\ \-enc\ * OR *\ \-EncodedCommand\ *) AND \*.keyword:(*\ \-w\ hidden\ * OR *\ \-window\ hidden\ * OR *\ \-windowstyle\ hidden\ *) AND \*.keyword:(*\ \-noni\ * OR *\ \-noninteractive\ *))
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_invocation_generic
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious PowerShell invocation command parameters
filter:
- query:
query_string:
query: data.win.system.message.keyword:(*\ \-nop\ \-w\ hidden\ \-c\ *\ \[Convert\]\:\:FromBase64String* OR *\ \-w\ hidden\ \-noni\ \-nop\ \-c\ \"iex\(New\-Object* OR *\ \-w\ hidden\ \-ep\ bypass\ \-Enc* OR *powershell.exe\ reg\ add\ HKCU\\software\\microsoft\\windows\\currentversion\\run* OR *bypass\ \-noprofile\ \-windowstyle\ hidden\ \(new\-object\ system.net.webclient\).download* OR *iex\(New\-Object\ Net.WebClient\).Download*)
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_invocation_specific
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
filter:
- query:
query_string:
query: data.win.system.message:("System.Reflection.Assembly.Load" OR "\[System.Reflection.Assembly\]\:\:Load" OR "\[Reflection.Assembly\]\:\:Load" OR "System.Reflection.AssemblyName" OR "Reflection.Emit.AssemblyBuilderAccess" OR "Runtime.InteropServices.DllImportAttribute" OR "SuspendThread")
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_keywords
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a change in profile.ps1 of the Powershell profile
filter:
- query:
query_string:
query: (data.win.system.eventID:"11" AND data.win.eventdata.targetFilename.keyword:*\\profile.ps1* AND (data.win.eventdata.targetFilename.keyword:*\\My\ Documents\\PowerShell\\* OR data.win.eventdata.targetFilename.keyword:*C\:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_suspicious_profile_create
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
filter:
- query:
query_string:
query: (data.win.system.eventID:"4104" AND \*.keyword:(*Set\-ItemProperty* OR *New\-Item*) AND "*CurrentVersion\\Winlogon*")
index: wazuh-alerts-3.x-*
name: sigma_powershell_winlogon_helper_dll
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects parameters used by WMImplant
filter:
- query:
query_string:
query: ScriptBlockText.keyword:(*WMImplant* OR *\ change_user\ * OR *\ gen_cli\ * OR *\ command_exec\ * OR *\ disable_wdigest\ * OR *\ disable_winrm\ * OR *\ enable_wdigest\ * OR *\ enable_winrm\ * OR *\ registry_mod\ * OR *\ remote_posh\ * OR *\ sched_job\ * OR *\ service_mod\ * OR *\ process_kill\ * OR *\ active_users\ * OR *\ basic_info\ * OR *\ power_off\ * OR *\ vacant_system\ * OR *\ logon_events\ *)
index: wazuh-alerts-3.x-*
name: sigma_powershell_wmimplant
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
filter:
- query:
query_string:
query: (data.win.system.eventID:"400" AND HostName:"ConsoleHost" AND data.win.eventdata.commandLine.keyword:(*bxor* OR *join* OR *char*))
index: wazuh-alerts-3.x-*
name: sigma_powershell_xor_commandline
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
filter:
- query:
query_string:
query: ((data.win.system.eventID:"7" AND data.win.eventdata.imageLoaded.keyword:*MicrosoftAccountTokenProvider.dll) AND (NOT (data.win.eventdata.image.keyword:(*BackgroundTaskHost.exe OR *devenv.exe OR *iexplore.exe OR *MicrosoftEdge.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_abusing_azure_browser_sso
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
filter:
- query:
query_string:
query: (data.win.system.eventID:"15" AND (NOT ((hash_imphash:("00000000000000000000000000000000" OR "00000000000000000000000000000000")) OR (NOT _exists_:hash_imphash))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_ads_executable
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
filter:
- query:
query_string:
query: ((data.win.system.eventID:"17" AND data.win.eventdata.pipeName.keyword:\\PSHost*) AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_alternate_powershell_hosts_pipe
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detecting DNS tunnel activity for Muddywater actor
filter:
- query:
query_string:
query: (data.win.system.eventID:"1" AND data.win.eventdata.image.keyword:(*\\powershell.exe) AND data.win.eventdata.parentImage.keyword:(*\\excel.exe) AND data.win.eventdata.commandLine.keyword:(*DataExchange.dll*))
index: wazuh-alerts-3.x-*
name: 36222790-0d43-4fe8-86e4-674b27809543_0
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(HKCR\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model OR HKU\\*_Classes\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model OR *\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application OR *\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon OR *\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application OR *\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon OR *\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application OR *\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon OR HKU\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\* OR HKU\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\* OR HKU\\*_Classes\\CLSID\\\{E3517E26\-8E93\-458D\-A6DF\-8030BC80528B\}\\*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_oceanlotus_registry
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects Pandemic Windows Implant
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_pandemic
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects Pandemic Windows Implant
filter:
- query:
query_string:
query: data.win.eventdata.commandLine.keyword:*loaddll\ \-a\ *
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_pandemic
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a named pipe used by Turla group samples
filter:
- query:
query_string:
query: (data.win.system.eventID:("17" OR "18") AND data.win.eventdata.pipeName:("\\atctl" OR "\\userpipe" OR "\\iehelper" OR "\\sdlrpc" OR "\\comnap"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_apt_turla_namedpipes
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects modification of autostart extensibility point (ASEP) in registry
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\software\\Microsoft\\Windows\\CurrentVersion\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Load* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Load* OR *\\software\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Run* OR *\\software\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\Run* OR *\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_asep_reg_keys_modification
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects remote thread creation from CACTUSTORCH as described in references.
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND process_path.keyword:(*\\System32\\cscript.exe OR *\\System32\\wscript.exe OR *\\System32\\mshta.exe OR *\\winword.exe OR *\\excel.exe) AND data.win.eventdata.targetImage.keyword:*\\SysWOW64\\* AND NOT _exists_:thread_start_module)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cactustorch
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
filter:
- query:
query_string:
query: ((data.win.system.eventID:"12" AND data.win.eventdata.targetObject.keyword:*\\cmmgr32.exe* AND data.win.eventdata.eventType:"CreateKey") OR (data.win.system.eventID:"13" AND data.win.eventdata.targetObject.keyword:*\\cmmgr32.exe*) OR (data.win.system.eventID:"10" AND data.win.eventdata.callTrace.keyword:*cmlua.dll*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cmstp_execution
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
filter:
- query:
query_string:
query: data.win.eventdata.parentImage.keyword:*\\cmstp.exe
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cmstp_execution
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND thread_start_address.keyword:(*0B80 OR *0C7C OR *0C88))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cobaltstrike_process_injection
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject:("HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute") AND data.win.eventdata.eventType:("SetValue"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_comhijack_sdclt
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND thread_start_module.keyword:*\\kernel32.dll AND thread_start_function:"LoadLibraryA")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_createremotethread_loadlibrary
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of a executable with a system process name in a suspicious folder
filter:
- query:
query_string:
query: (data.win.eventdata.targetFilename.keyword:(*\\svchost.exe OR *\\rundll32.exe OR *\\services.exe OR *\\powershell.exe OR *\\regsvr32.exe OR *\\spoolsv.exe OR *\\lsass.exe OR *\\smss.exe OR *\\csrss.exe OR *\\conhost.exe OR *\\wininit.exe OR *\\lsm.exe OR *\\winlogon.exe OR *\\explorer.exe OR *\\taskhost.exe OR *\\Taskmgr.exe OR *\\taskmgr.exe OR *\\sihost.exe OR *\\RuntimeBroker.exe OR *\\runtimebroker.exe OR *\\smartscreen.exe OR *\\dllhost.exe OR *\\audiodg.exe OR *\\wlanext.exe) AND (NOT (data.win.eventdata.targetFilename.keyword:(C\:\\Windows\\System32\\* OR C\:\\Windows\\system32\\* OR C\:\\Windows\\SysWow64\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\winsxs\\* OR C\:\\Windows\\WinSxS\\* OR \\SystemRoot\\System32\\*))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_creation_system_file
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects process access LSASS memory which is typical for credentials dumping tools
filter:
- query:
query_string:
query: ((data.win.eventdata.targetImage.keyword:*\\lsass.exe AND data.win.eventdata.grantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (data.win.eventdata.processName.keyword:(*\\wmiprvse.exe OR *\\taskmgr.exe OR *\\procexp64.exe OR *\\procexp.exe OR *\\lsm.exe OR *\\csrss.exe OR *\\wininit.exe OR *\\vmtoolsd.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cred_dump_lsass_access
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
filter:
- query:
query_string:
query: (data.win.eventdata.targetFilename.keyword:(*\\pwdump* OR *\\kirbi* OR *\\pwhashes* OR *\\wce_ccache* OR *\\wce_krbtkts* OR *\\fgdump\-log*) AND data.win.eventdata.targetFilename.keyword:(*\\test.pwd OR *\\lsremora64.dll OR *\\lsremora.dll OR *\\fgexec.exe OR *\\wceaux.dll OR *\\SAM.out OR *\\SECURITY.out OR *\\SYSTEM.out OR *\\NTDS.out OR *\\DumpExt.dll OR *\\DumpSvc.exe OR *\\cachedump64.exe OR *\\cachedump.exe OR *\\pstgdump.exe OR *\\servpw.exe OR *\\servpw64.exe OR *\\pwdump.exe OR *\\procdump64.exe))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cred_dump_tools_dropped_files
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects well-known credential dumping tools execution via specific named pipes
filter:
- query:
query_string:
query: (data.win.system.eventID:"17" AND data.win.eventdata.pipeName.keyword:(*\\lsadump* OR *\\cachedump* OR *\\wceservicepipe*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cred_dump_tools_named_pipes
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Ports* AND data.win.eventdata.eventType:("SetValue" OR "DeleteValue" OR "CreateValue") AND Details.keyword:(*.dll* OR *.exe* OR *.bat* OR *.com* OR *C\:*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_cve-2020-1048
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\Services\\DHCPServer\\Parameters\\CalloutDlls OR *\\Services\\DHCPServer\\Parameters\\CalloutEnabled)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dhcp_calloutdll
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
filter:
- query:
query_string:
query: ((data.win.eventdata.targetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" AND data.win.eventdata.eventType:"CreateKey") OR NewName:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_disable_security_events_logging_adding_reg_key_minint
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects Dllhost that communicates with public IP addresses
filter:
- query:
query_string:
query: ((data.win.eventdata.image.keyword:*\\dllhost.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dllhost_net_connections
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*\\services\\DNS\\Parameters\\ServerLevelPluginDll
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dns_serverlevelplugindll
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.commandLine.keyword:dnscmd.exe\ \/config\ \/serverlevelplugindll\ *
index: wazuh-alerts-3.x-*
name: sigma_sysmon_dns_serverlevelplugindll
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled AND Details:"DWORD\ \(0x00000000\)")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_etw_disabled
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects possible SafetyKatz Behaviour
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:*\\Temp\\debug.bin
index: wazuh-alerts-3.x-*
name: sigma_sysmon_ghostpack_safetykatz
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
filter:
- query:
query_string:
query: hash_imphash:("09D278F9DE118EF09163C6140255C690" OR "09d278f9de118ef09163c6140255c690")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_hack_dumpert
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename:"C\:\\Windows\\Temp\\dumpert.dmp"
index: wazuh-alerts-3.x-*
name: sigma_sysmon_hack_dumpert
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Windows Credential Editor (WCE)
filter:
- query:
query_string:
query: (data.win.system.eventID:"1" AND (hash_imphash:("a53a02b997935fd8eedcb5f7abab9b9f" OR "A53A02B997935FD8EEDCB5F7ABAB9B9F" OR "e96a73c7bf33a464c510ede582318bf2" OR "E96A73C7BF33A464C510EDE582318BF2") OR (data.win.eventdata.commandLine.keyword:*.exe\ \-S AND data.win.eventdata.parentImage.keyword:*\\services.exe)))
index: wazuh-alerts-3.x-*
name: 7aa7009a-28b9-4344-8c1f-159489a390df_0
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the use of Windows Credential Editor (WCE)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*Services\\WCESERVICE\\Start*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_hack_wce_reg
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
filter:
- query:
query_string:
query: (data.win.eventdata.callTrace.keyword:(C\:\\Windows\\SYSTEM32\\ntdll.dll\+*|C\:\\Windows\\System32\\KERNELBASE.dll\+*|UNKNOWN\(*\) OR *UNKNOWN\(*\)|UNKNOWN\(*\)) OR (data.win.eventdata.callTrace.keyword:*UNKNOWN* AND data.win.eventdata.grantedAccess:("0x1F0FFF" OR "0x1F1FFF" OR "0x143A" OR "0x1410" OR "0x1010" OR "0x1F2FFF" OR "0x1F3FFF" OR "0x1FFFFF")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_in_memory_assembly_execution
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
filter:
- query:
query_string:
query: (ImageLoaded.keyword:(*\\System.Management.Automation.Dll OR *\\System.Management.Automation.ni.Dll) AND (NOT (data.win.eventdata.image.keyword:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\WINDOWS\\System32\\sdiagnhost.exe OR *\\mscorsvw.exe OR *\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_in_memory_powershell
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage.keyword:*\\windows\\system32\\svchost.exe AND data.win.eventdata.grantedAccess:"0x1f3fff" AND data.win.eventdata.callTrace.keyword:(*unknown*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_invoke_phantom
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects LSASS process access by LaZagne for credential dumping.
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage.keyword:*\\lsass.exe AND data.win.eventdata.callTrace.keyword:C\:\\Windows\\SYSTEM32\\ntdll.dll\+*|C\:\\Windows\\System32\\KERNELBASE.dll\+*_ctypes.pyd\+*python27.dll\+* AND data.win.eventdata.grantedAccess:"0x1FFFFF")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_lazagne_cred_dump_lsass_access
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects creation or execution of UserInitMprLogonScript persistence method
filter:
- query:
query_string:
query: (data.win.system.eventID:"1" AND ((data.win.system.eventID:"1" AND (data.win.eventdata.parentImage.keyword:*\\userinit.exe AND (NOT (data.win.eventdata.image.keyword:*\\explorer.exe))) AND (NOT (data.win.eventdata.commandLine.keyword:(*netlogon.bat* OR *UsrLogon.cmd*)))) OR data.win.eventdata.commandLine.keyword:*UserInitMprLogonScript*))
index: wazuh-alerts-3.x-*
name: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458_0
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects creation or execution of UserInitMprLogonScript persistence method
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*UserInitMprLogonScript*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_logon_scripts_userinitmprlogonscript_reg
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND data.win.eventdata.grantedAccess:"0x1fffff" AND data.win.eventdata.callTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_lsass_memdump
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
filter:
- query:
query_string:
query: (data.win.eventdata.targetFilename.keyword:*lsass* AND data.win.eventdata.targetFilename.keyword:*dmp)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_lsass_memory_dump_file_creation
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of a named pipe used by known APT malware
filter:
- query:
query_string:
query: (data.win.system.eventID:("17" OR "18") AND data.win.eventdata.pipeName.keyword:(\\isapi_http OR \\isapi_dg OR \\isapi_dg2 OR \\sdlrpc OR \\ahexec OR \\winsession OR \\lsassw OR \\46a676ab7f179e511e30dd2dc41bd388 OR \\9f81f59bc58452127884ce513865ed20 OR \\e710f28d59aa529d6792ca6ff0ca1b34 OR \\rpchlp_3 OR \\NamePipe_MoreWindows OR \\pcheap_reuse OR \\msagent_* OR \\gruntsvc))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_mal_namedpipes
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
filter:
- query:
query_string:
query: ((Initiated:"true" AND data.win.eventdata.destinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((data.win.eventdata.image.keyword:*\\Program\ Files* OR (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_malware_backconnect_ports
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
filter:
- query:
query_string:
query: ((data.win.eventdata.targetImage.keyword:*\\verclsid.exe AND data.win.eventdata.grantedAccess:"0x1FFFFF") AND (data.win.eventdata.callTrace.keyword:*|UNKNOWN\(*VBE7.DLL* OR (process_path.keyword:*\\Microsoft\ Office\\* AND data.win.eventdata.callTrace.keyword:*|UNKNOWN*)))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_malware_verclsid_shellcode
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
filter:
- query:
query_string:
query: (data.win.system.eventID:"10" AND data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND data.win.eventdata.grantedAccess:("0x1410" OR "0x1010"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_mimikatz_detection_lsass
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
filter:
- query:
query_string:
query: (data.win.eventdata.targetImage:"C\:\\windows\\system32\\lsass.exe" AND process_path:"C\:\\Windows\\system32\\wsmprovhost.exe")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_mimikatz_trough_winrm
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects abusing Windows 10 Narrator's Feedback-Hub
filter:
- query:
query_string:
query: ((data.win.eventdata.eventType:"DeleteValue" AND data.win.eventdata.targetObject.keyword:*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute) OR data.win.eventdata.targetObject.keyword:*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\\(Default\))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_narrator_feedback_persistance
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\ Manager\\AppCertDlls" OR NewName:"HKLM\\SYSTEM\\CurentControlSet\\Control\\Session\ Manager\\AppCertDlls")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_new_dll_added_to_appcertdlls_registry_key
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR *\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls) OR NewName.keyword:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls OR *\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_Dlls))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_new_dll_added_to_appinit_dlls_registry_key
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects suspicious network connection by Notepad
filter:
- query:
query_string:
query: (data.win.eventdata.image.keyword:*\\notepad.exe AND (NOT (data.win.eventdata.destinationPort:"9100")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_notepad_network_connection
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
filter:
- query:
query_string:
query: (((data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Word\\Startup\\* AND data.win.eventdata.targetFilename.keyword:*.wll) OR (data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Excel\\Startup\\* AND data.win.eventdata.targetFilename.keyword:*.xll)) OR (data.win.eventdata.targetFilename.keyword:*\\Microsoft\\Addins\\* AND data.win.eventdata.targetFilename.keyword:(*.xlam OR *.xla)))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_office_persistence
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
filter:
- query:
query_string:
query: (data.win.system.eventID:"8" AND data.win.eventdata.targetImage:"C\:\\Windows\\System32\\lsass.exe" AND thread_start_module:"")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_password_dumper_lsass
priority: 2
realert:
minutes: 0
type: any
@ -1,20 +0,0 @@
alert:
- debug
buffer_time:
seconds: 30
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
doc_type: doc
filter:
- query:
query_string:
query: (data.win.system.eventID:"22" AND QueryName.keyword:* AND QueryStatus:"0" AND QueryResults.keyword:(\(\:\:ffff\:\)?10.* OR \(\:\:ffff\:\)?192.168.* OR \(\:\:ffff\:\)?172.16.* OR \(\:\:ffff\:\)?172.17.* OR \(\:\:ffff\:\)?172.18.* OR \(\:\:ffff\:\)?172.19.* OR \(\:\:ffff\:\)?172.20.* OR \(\:\:ffff\:\)?172.21.* OR \(\:\:ffff\:\)?172.22.* OR \(\:\:ffff\:\)?172.23.* OR \(\:\:ffff\:\)?172.24.* OR \(\:\:ffff\:\)?172.25.* OR \(\:\:ffff\:\)?172.26.* OR \(\:\:ffff\:\)?172.27.* OR \(\:\:ffff\:\)?172.28.* OR \(\:\:ffff\:\)?172.29.* OR \(\:\:ffff\:\)?172.30.* OR \(\:\:ffff\:\)?172.31.* OR \(\:\:ffff\:\)?127.*) AND (data.win.system.eventID:"22" AND QueryName.keyword:* AND QueryStatus:"0") AND (NOT (QueryResults.keyword:(\(\:\:ffff\:\)?10.* OR \(\:\:ffff\:\)?192.168.* OR \(\:\:ffff\:\)?172.16.* OR \(\:\:ffff\:\)?172.17.* OR \(\:\:ffff\:\)?172.18.* OR \(\:\:ffff\:\)?172.19.* OR \(\:\:ffff\:\)?172.20.* OR \(\:\:ffff\:\)?172.21.* OR \(\:\:ffff\:\)?172.22.* OR \(\:\:ffff\:\)?172.23.* OR \(\:\:ffff\:\)?172.24.* OR \(\:\:ffff\:\)?172.25.* OR \(\:\:ffff\:\)?172.26.* OR \(\:\:ffff\:\)?172.27.* OR \(\:\:ffff\:\)?172.28.* OR \(\:\:ffff\:\)?172.29.* OR \(\:\:ffff\:\)?172.30.* OR \(\:\:ffff\:\)?172.31.* OR \(\:\:ffff\:\)?127.*))))
index: wazuh-alerts-3.x-*
max_threshold: 3
metric_agg_key: QueryName.keyword
metric_agg_type: cardinality
name: sigma_sysmon_possible_dns_rebinding
priority: 3
query_key: data.win.system.computer.keyword
realert:
minutes: 0
type: metric_aggregation
@ -1,13 +0,0 @@
alert:
- debug
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
filter:
- query:
query_string:
query: (IntegrityLevel:"Medium" AND data.win.eventdata.targetObject.keyword:*\\services\\* AND data.win.eventdata.targetObject.keyword:(*\\ImagePath OR *\\FailureCommand OR *\\Parameters\\ServiceDll))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects execution of PowerShell
filter:
- query:
query_string:
query: (data.win.eventdata.description:"system.management.automation" AND ImageLoaded.keyword:*system.management.automation*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_powershell_execution_moduleload
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects the creation of known powershell scripts for exploitation
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:(*\\Invoke\-DllInjection.ps1 OR *\\Invoke\-WmiCommand.ps1 OR *\\Get\-GPPPassword.ps1 OR *\\Get\-Keystrokes.ps1 OR *\\Get\-VaultCredential.ps1 OR *\\Invoke\-CredentialInjection.ps1 OR *\\Invoke\-Mimikatz.ps1 OR *\\Invoke\-NinjaCopy.ps1 OR *\\Invoke\-TokenManipulation.ps1 OR *\\Out\-Minidump.ps1 OR *\\VolumeShadowCopyTools.ps1 OR *\\Invoke\-ReflectivePEInjection.ps1 OR *\\Get\-TimedScreenshot.ps1 OR *\\Invoke\-UserHunter.ps1 OR *\\Find\-GPOLocation.ps1 OR *\\Invoke\-ACLScanner.ps1 OR *\\Invoke\-DowngradeAccount.ps1 OR *\\Get\-ServiceUnquoted.ps1 OR *\\Get\-ServiceFilePermission.ps1 OR *\\Get\-ServicePermission.ps1 OR *\\Invoke\-ServiceAbuse.ps1 OR *\\Install\-ServiceBinary.ps1 OR *\\Get\-RegAutoLogon.ps1 OR *\\Get\-VulnAutoRun.ps1 OR *\\Get\-VulnSchTask.ps1 OR *\\Get\-UnattendedInstallFile.ps1 OR *\\Get\-WebConfig.ps1 OR *\\Get\-ApplicationHost.ps1 OR *\\Get\-RegAlwaysInstallElevated.ps1 OR *\\Get\-Unconstrained.ps1 OR *\\Add\-RegBackdoor.ps1 OR *\\Add\-ScrnSaveBackdoor.ps1 OR *\\Gupt\-Backdoor.ps1 OR *\\Invoke\-ADSBackdoor.ps1 OR *\\Enabled\-DuplicateToken.ps1 OR *\\Invoke\-PsUaCme.ps1 OR *\\Remove\-Update.ps1 OR *\\Check\-VM.ps1 OR *\\Get\-LSASecret.ps1 OR *\\Get\-PassHashes.ps1 OR *\\Show\-TargetScreen.ps1 OR *\\Port\-Scan.ps1 OR *\\Invoke\-PoshRatHttp.ps1 OR *\\Invoke\-PowerShellTCP.ps1 OR *\\Invoke\-PowerShellWMI.ps1 OR *\\Add\-Exfiltration.ps1 OR *\\Add\-Persistence.ps1 OR *\\Do\-Exfiltration.ps1 OR *\\Start\-CaptureServer.ps1 OR *\\Invoke\-ShellCode.ps1 OR *\\Get\-ChromeDump.ps1 OR *\\Get\-ClipboardContents.ps1 OR *\\Get\-FoxDump.ps1 OR *\\Get\-IndexedItem.ps1 OR *\\Get\-Screenshot.ps1 OR *\\Invoke\-Inveigh.ps1 OR *\\Invoke\-NetRipper.ps1 OR *\\Invoke\-EgressCheck.ps1 OR *\\Invoke\-PostExfil.ps1 OR *\\Invoke\-PSInject.ps1 OR *\\Invoke\-RunAs.ps1 OR *\\MailRaider.ps1 OR *\\New\-HoneyHash.ps1 OR *\\Set\-MacAttribute.ps1 OR *\\Invoke\-DCSync.ps1 OR *\\Invoke\-PowerDump.ps1 OR *\\Exploit\-Jboss.ps1 OR 
*\\Invoke\-ThunderStruck.ps1 OR *\\Invoke\-VoiceTroll.ps1 OR *\\Set\-Wallpaper.ps1 OR *\\Invoke\-InveighRelay.ps1 OR *\\Invoke\-PsExec.ps1 OR *\\Invoke\-SSHCommand.ps1 OR *\\Get\-SecurityPackages.ps1 OR *\\Install\-SSP.ps1 OR *\\Invoke\-BackdoorLNK.ps1 OR *\\PowerBreach.ps1 OR *\\Get\-SiteListPassword.ps1 OR *\\Get\-System.ps1 OR *\\Invoke\-BypassUAC.ps1 OR *\\Invoke\-Tater.ps1 OR *\\Invoke\-WScriptBypassUAC.ps1 OR *\\PowerUp.ps1 OR *\\PowerView.ps1 OR *\\Get\-RickAstley.ps1 OR *\\Find\-Fruit.ps1 OR *\\HTTP\-Login.ps1 OR *\\Find\-TrustedDocuments.ps1 OR *\\Invoke\-Paranoia.ps1 OR *\\Invoke\-WinEnum.ps1 OR *\\Invoke\-ARPScan.ps1 OR *\\Invoke\-PortScan.ps1 OR *\\Invoke\-ReverseDNSLookup.ps1 OR *\\Invoke\-SMBScanner.ps1 OR *\\Invoke\-Mimikittenz.ps1)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_powershell_exploit_scripts
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
filter:
- query:
query_string:
query: ((data.win.eventdata.image.keyword:*\\powershell.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND user_account:"NT\ AUTHORITY\\SYSTEM")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_powershell_network_connection
priority: 4
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a dump file written by QuarksPwDump password dumper
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:*\\AppData\\Local\\Temp\\SAM\-*.dmp*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_quarkspw_filedump
priority: 1
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Raw disk access using illegitimate tools, possible defence evasion
filter:
- query:
query_string:
query: ((data.win.system.eventID:"9" AND (NOT (data.win.eventdata.deviceName.keyword:*floppy*))) AND (NOT (data.win.eventdata.image.keyword:(*\\wmiprvse.exe OR *\\sdiagnhost.exe OR *\\searchindexer.exe OR *\\csrss.exe OR *\\defrag.exe OR *\\smss.exe OR *\\vssvc.exe OR *\\compattelrunner.exe OR *\\wininit.exe OR *\\autochk.exe OR *\\taskhost.exe OR *\\dfsrs.exe OR *\\vds.exe OR *\\lsass.exe))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_raw_disk_access_using_illegitimate_tools
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:(*\\CurrentControlSet\\Control\\Terminal\ Server\\WinStations\\RDP\-Tcp\\UserAuthentication OR *\\CurrentControlSet\\Control\\Terminal\ Server\\fDenyTSConnections) AND Details:"DWORD\ \(0x00000000\)")
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rdp_registry_modification
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
filter:
- query:
query_string:
query: (data.win.eventdata.image.keyword:*\\svchost.exe AND Initiated:"true" AND data.win.eventdata.sourcePort:"3389" AND data.win.eventdata.destinationIp.keyword:(127.* OR \:\:1))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rdp_reverse_tunnel
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects changes to RDP terminal service sensitive settings
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\services\\TermService\\Parameters\\ServiceDll* OR *\\Control\\Terminal\ Server\\fSingleSessionPerUser* OR *\\Control\\Terminal\ Server\\fDenyTSConnections*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rdp_settings_hijack
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects actions caused by the RedMimicry Winnti playbook
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:(*gthread\-3.6.dll* OR *sigcmm\-2.4.dll* OR *\\Windows\\Temp\\tmp.bat*)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_redmimicry_winnti_filedrop
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects actions caused by the RedMimicry Winnti playbook
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_redmimicry_winnti_reg
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects registry changes to Office macro settings
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:(*\\Security\\Trusted\ Documents\\TrustRecords OR *\\Security\\AccessVBOM OR *\\Security\\VBAWarnings) AND data.win.eventdata.eventType:("SetValue" OR "DeleteValue" OR "CreateValue"))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_reg_office_security
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects COM object hijacking via TreatAs subkey
filter:
- query:
query_string:
query: (data.win.eventdata.eventType:"CreateKey" AND data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\CLSID\\*\\TreatAs)
index: wazuh-alerts-3.x-*
name: sigma_sysmon_registry_persistence_key_linking
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects potential COM object hijacking leveraging the COM Search Order
filter:
- query:
query_string:
query: (data.win.eventdata.targetObject.keyword:HKU\\*_Classes\\CLSID\\*\\InProcServer32\\\(Default\) AND (NOT (Details.keyword:(%%systemroot%%\\system32\\* OR %%systemroot%%\\SysWow64\\* OR *\\AppData\\Local\\Microsoft\\OneDrive\\*\\FileCoAuthLib64.dll OR *\\AppData\\Local\\Microsoft\\OneDrive\\*\\FileSyncShell64.dll OR *\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\*\\Microsoft.Teams.AddinLoader.dll))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_registry_persistence_search_order
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Alerts on trust record modification within the registry, indicating usage of macros
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:*TrustRecords*
index: wazuh-alerts-3.x-*
name: sigma_sysmon_registry_trust_record_modification
priority: 3
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects network connections and DNS queries initiated by Regsvr32.exe
filter:
- query:
query_string:
query: data.win.eventdata.image.keyword:*\\regsvr32.exe
index: wazuh-alerts-3.x-*
name: sigma_sysmon_regsvr32_network_activity
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects network connections and DNS queries initiated by Regsvr32.exe
filter:
- query:
query_string:
query: data.win.eventdata.image.keyword:*\\regsvr32.exe
index: wazuh-alerts-3.x-*
name: sigma_sysmon_regsvr32_network_activity
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account
filter:
- query:
query_string:
query: (data.win.eventdata.destinationPort:("5985" OR "5986") AND (NOT (user_account:"NT\ AUTHORITY\\NETWORK\ SERVICE")))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_remote_powershell_session_network
priority: 2
realert:
minutes: 0
type: any
@ -1,13 +0,0 @@
alert:
- debug
description: Detects a rundll32 that communicates with public IP addresses
filter:
- query:
query_string:
query: ((data.win.eventdata.image.keyword:*\\rundll32.exe AND Initiated:"true") AND (NOT (data.win.eventdata.destinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
index: wazuh-alerts-3.x-*
name: sigma_sysmon_rundll32_net_connections
priority: 3
realert:
minutes: 0
type: any