mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 09:25:17 +00:00
rule: improved Empire detection
This commit is contained in:
parent
7a63fd56da
commit
557e8b0faf
25
rules/proxy/proxy_empire_ua_uri_combos.yml
Normal file
25
rules/proxy/proxy_empire_ua_uri_combos.yml
Normal file
@ -0,0 +1,25 @@
|
||||
title: Empire UserAgent URI Combo
|
||||
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
|
||||
status: experimental
|
||||
description: Detects user agent and URI paths used by empire agents
|
||||
references:
|
||||
- https://github.com/BC-SECURITY/Empire
|
||||
author: Florian Roth
|
||||
date: 2020/07/13
|
||||
logsource:
|
||||
category: proxy
|
||||
detection:
|
||||
selection:
|
||||
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
|
||||
cs-uri-query:
|
||||
- '/admin/get.php'
|
||||
- '/news.php'
|
||||
- '/login/process.php'
|
||||
cs-method: 'POST'
|
||||
condition: selection
|
||||
fields:
|
||||
- c-uri
|
||||
- c-ip
|
||||
falsepositives:
|
||||
- Valid requests with this exact user agent to server scripts of the defined names
|
||||
level: high
|
@ -9,6 +9,7 @@ references:
|
||||
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
|
||||
author: Florian Roth
|
||||
date: 2019/04/20
|
||||
modified: 2020/07/13
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1086
|
||||
@ -18,9 +19,12 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine:
|
||||
- '* -NoP -sta -NonI -W Hidden -Enc *'
|
||||
- '* -noP -sta -w 1 -enc *'
|
||||
- '* -NoP -NonI -W Hidden -enc *'
|
||||
CommandLine|contains:
|
||||
- ' -NoP -sta -NonI -W Hidden -Enc '
|
||||
- ' -noP -sta -w 1 -enc '
|
||||
- ' -NoP -NonI -W Hidden -enc '
|
||||
- ' -noP -sta -w 1 -enc'
|
||||
- ' -enc SQB'
|
||||
- ' -nop -exec bypass -EncodedCommand SQB'
|
||||
condition: selection
|
||||
level: critical
|
||||
|
Loading…
Reference in New Issue
Block a user