valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'project-1'

Browse Source
This commit is contained in:
Thomas Patzke 2019-03-02 00:26:10 +01:00
commit 56a1ed1eac
131 changed files with 1603 additions and 2306 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Makefile
View File

@ -15,7 +15,10 @@ test-rules:
tests/test_rules.py
test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac
coverage run -a --include=$(COVSCOPE) tools/sigmac -h
coverage run -a --include=$(COVSCOPE) tools/sigmac -l
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
@ -40,6 +43,7 @@ test-sigmac:
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
@ -49,10 +53,13 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null

33
rules/apt/apt_babyshark.yml
View File

@ -1,39 +1,20 @@
---
action: global
title: Baby Shark Activity
status: experimental
description: 'Detects activity that could be related to Baby Shark malware'
description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
logsource:
category: process_creation
product: windows
author: Florian Roth
date: 2019/02/24
detection:
selection:
CommandLine:
- reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
- powershell.exe mshta.exe http*
- cmd.exe /c taskkill /im cmd.exe
condition: selection
falsepositives:
- unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'powershell.exe mshta.exe http*'
- 'cmd.exe /c taskkill /im cmd.exe'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'powershell.exe mshta.exe http*'
- 'cmd.exe /c taskkill /im cmd.exe'

41
rules/apt/apt_bear_activity_gtr19.yml
View File

@ -1,44 +1,23 @@
---
action: global
title: Judgement Panda Exfil Activity
description: 'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
logsource:
product: windows
author: Florian Roth
date: 2019/02/21
tags:
- attack.credential_access
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection1:
Image: '*\xcopy.exe'
CommandLine: '* /S /E /C /Q /H \\*'
selection2:
Image: '*\adexplorer.exe'
CommandLine: '* -snapshot "" c:\users\\*'
condition: selection1 or selection2
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
Image: '*\xcopy.exe'
CommandLine: '* /S /E /C /Q /H \\*'
selection2:
EventID: 1
Image: '*\adexplorer.exe'
CommandLine: '* -snapshot "" c:\users\\*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
ProcessCommandLine: '*\xcopy.exe /S /E /C /Q /H \\*'
selection2:
EventID: 4688
NewProcessName: '*\adexplorer.exe'
ProcessCommandLine: '* -snapshot "" c:\users\\*'

42
rules/apt/apt_judgement_panda_gtr19.yml
View File

@ -1,11 +1,7 @@
---
action: global
title: Judgement Panda Exfil Activity
description: 'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'
description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
logsource:
product: windows
author: Florian Roth
date: 2019/02/21
tags:
@ -15,18 +11,11 @@ tags:
- attack.t1098
- attack.exfiltration
- attack.t1002
detection:
condition: selection1 or selection2
falsepositives:
- unknown
level: critical
---
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine:
- '*\ldifde.exe -f -n *'
- '*\7za.exe a 1.7z *'
@ -37,25 +26,8 @@ detection:
- '*copy .\1.7z \\*'
- '*copy \\client\c$\aaaa\*'
selection2:
EventID: 1
Image: 'C:\Users\Public\7za.exe'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
ProcessCommandLine:
- '*\ldifde.exe -f -n *'
- '*\7za.exe a 1.7z *'
- '* eprod.ldf'
- '*\aaaa\procdump64.exe*'
- '*\aaaa\netsess.exe*'
- '*\aaaa\7za.exe*'
- '*copy .\1.7z \\*'
- '*copy \\client\c$\aaaa\*'
selection2:
EventID: 4688
NewProcessName: 'C:\Users\Public\7za.exe'
Image: C:\Users\Public\7za.exe
condition: selection1 or selection2
falsepositives:
- unknown
level: critical

52
rules/windows/builtin/win_hack_rubeus.yml
View File

@ -1,52 +0,0 @@
---
action: global
title: Rubeus Hack Tool
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
detection:
condition: selection
falsepositives:
- unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'

35
rules/windows/builtin/win_netsh_port_fwd.yml
View File

@ -1,35 +0,0 @@
---
action: global
title: Netsh Port Forwarding
description: Detects netsh commands that configure a port forwarding
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
tags:
- attack.lateral_movement
status: experimental
author: Florian Roth
detection:
condition: selection
falsepositives:
- Legitimate administration
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'netsh interface portproxy add v4tov4 *'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'netsh interface portproxy add v4tov4 *'

146
rules/windows/builtin/win_plugx_susp_exe_locations.yml
View File

@ -1,146 +0,0 @@
title: Executable used by PlugX in Uncommon Location
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
- 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
- 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
author: Florian Roth
date: 2017/06/12
tags:
- attack.s0013
logsource:
product: windows
service: security
detection:
# CamMute
selection_cammute:
EventID: 4688
CommandLine: '*\CamMute.exe'
filter_cammute:
EventID: 4688
CommandLine: '*\Lenovo\Communication Utility\\*'
# Chrome Frame Helper
selection_chrome_frame:
EventID: 4688
CommandLine: '*\chrome_frame_helper.exe'
filter_chrome_frame:
EventID: 4688
CommandLine: '*\Google\Chrome\application\\*'
# Microsoft Device Emulator
selection_devemu:
EventID: 4688
CommandLine: '*\dvcemumanager.exe'
filter_devemu:
EventID: 4688
CommandLine: '*\Microsoft Device Emulator\\*'
# Windows Media Player Gadget
selection_gadget:
EventID: 4688
CommandLine: '*\Gadget.exe'
filter_gadget:
EventID: 4688
CommandLine: '*\Windows Media Player\\*'
# HTML Help Workshop
selection_hcc:
EventID: 4688
CommandLine: '*\hcc.exe'
filter_hcc:
EventID: 4688
CommandLine: '*\HTML Help Workshop\\*'
# Hotkey Command Module for Intel Graphics Contollers
selection_hkcmd:
EventID: 4688
CommandLine: '*\hkcmd.exe'
filter_hkcmd:
EventID: 4688
CommandLine:
- '*\System32\\*'
- '*\SysNative\\*'
- '*\SysWowo64\\*'
# McAfee component
selection_mc:
EventID: 4688
CommandLine: '*\Mc.exe'
filter_mc:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
# MsMpEng - Microsoft Malware Protection Engine
selection_msmpeng:
EventID: 4688
CommandLine: '*\MsMpEng.exe'
filter_msmpeng:
EventID: 4688
CommandLine:
- '*\Microsoft Security Client\\*'
- '*\Windows Defender\\*'
- '*\AntiMalware\\*'
# Microsoft Security Center
selection_msseces:
EventID: 4688
CommandLine: '*\msseces.exe'
filter_msseces:
EventID: 4688
CommandLine: '*\Microsoft Security Center\\*'
# Microsoft Office 2003 OInfo
selection_oinfo:
EventID: 4688
CommandLine: '*\OInfoP11.exe'
filter_oinfo:
EventID: 4688
CommandLine: '*\Common Files\Microsoft Shared\\*'
# OLE View
selection_oleview:
EventID: 4688
CommandLine: '*\OleView.exe'
filter_oleview:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\\*'
# RC
selection_rc:
EventID: 4688
CommandLine: '*\rc.exe'
filter_rc:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\\*'
- '*\Microsoft.NET\\*'
condition: ( selection_cammute and not filter_cammute ) or
( selection_chrome_frame and not filter_chrome_frame ) or
( selection_devemu and not filter_devemu ) or
( selection_gadget and not filter_gadget ) or
( selection_hcc and not filter_hcc ) or
( selection_hkcmd and not filter_hkcmd ) or
( selection_mc and not filter_mc ) or
( selection_msmpeng and not filter_msmpeng ) or
( selection_msseces and not filter_msseces ) or
( selection_oinfo and not filter_oinfo ) or
( selection_oleview and not filter_oleview ) or
( selection_rc and not filter_rc )
falsepositives:
- Unknown
level: high

44
rules/windows/builtin/win_powershell_b64_shellcode.yml
View File

@ -1,44 +0,0 @@
action: global
title: PowerShell Base64 Encoded Shellcode
description: Detects Base64 encoded Shellcode
status: experimental
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
author: Florian Roth
date: 2018/11/17
tags:
- attack.defense_evasion
- attack.t1036
detection:
condition: selection1 and selection2
falsepositives:
- Unknown
level: critical
---
# Windows Audit Log
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
ProcessCommandLine: '*AAAAYInlM*'
selection2:
ProcessCommandLine:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine: '*AAAAYInlM*'
selection2:
CommandLine:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'

39
rules/windows/builtin/win_spn_enum.yml
View File

@ -1,39 +0,0 @@
---
action: global
title: Possible SPN Enumeration
description: Detects Service Principal Name Enumeration used for Kerberoasting
status: experimental
references:
- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
author: Markus Neis, keepwatch
date: 2018/11/14
tags:
- attack.credential_access
- attack.t1208
detection:
selection_image:
Image: '*\setspn.exe'
selection_desc:
Description: '*Query or reset the computer* SPN attribute*'
cmd:
CommandLine: '*-q*'
condition: selection and (selection_image or selection_desc) and cmd
falsepositives:
- Administrator Activity
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688

39
rules/windows/builtin/win_susp_bcdedit.yml
View File

@ -1,39 +0,0 @@
---
action: global
title: Possible Ransomware or unauthorized MBR modifications
status: experimental
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
author: "@neu5ron"
date: 2019/02/07
detection:
condition: selection
level: medium
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\fsutil.exe'
ProcessCommandLine:
- '*delete*'
- '*deletevalue*'
- '*import*'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\fsutil.exe'
ProcessCommandLine:
- '*delete*'
- '*deletevalue*'
- '*import*'

41
rules/windows/builtin/win_susp_calc.yml
View File

@ -1,41 +0,0 @@
---
action: global
title: Suspicious Calculator Usage
description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
status: experimental
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth
date: 2019/02/09
detection:
condition: selection1 or ( selection2 and not filter2 )
falsepositives:
- Unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine: '*\calc.exe *'
selection2:
EventID: 1
Image: '*\calc.exe'
filter2:
Image: '*\Windows\Sys*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
ProcessCommandLine: '*\calc.exe *'
selection2:
EventID: 1
Image: '*\calc.exe'
filter2:
Image: '*\Windows\Sys*'

43
rules/windows/builtin/win_susp_certutil_encode.yml
View File

@ -1,43 +0,0 @@
---
action: global
title: Certutil Encode
status: experimental
description: 'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
logsource:
product: windows
author: Florian Roth
date: 2019/02/24
detection:
condition: selection
falsepositives:
- unknown
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'certutil -f -encode *'
- 'certutil.exe -f -encode *'
- 'certutil -encode -f *'
- 'certutil.exe -encode -f *'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'certutil -f -encode *'
- 'certutil.exe -f -encode *'
- 'certutil -encode -f *'
- 'certutil.exe -encode -f *'

57
rules/windows/builtin/win_susp_cli_escape.yml
View File

@ -1,57 +0,0 @@
action: global
title: Suspicious Commandline Escape
description: Detects suspicious process that use escape characters
status: experimental
references:
- https://twitter.com/vysecurity/status/885545634958385153
- https://twitter.com/Hexacorn/status/885553465417756673
- https://twitter.com/Hexacorn/status/885570278637678592
- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
modified: 2018/12/11
tags:
- attack.defense_evasion
- attack.t1140
detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'

73
rules/windows/builtin/win_susp_commands_recon_activity.yml
View File

@ -1,73 +0,0 @@
---
action: global
title: Reconnaissance Activity with Net Command
status: experimental
description: 'Detects a set of commands often used in recon stages by different attack groups'
references:
- https://twitter.com/haroonmeer/status/939099379834658817
- https://twitter.com/c_APT_ure/status/939475433711722497
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth, Markus Neis
date: 2018/08/22
modified: 2018/12/11
tags:
- attack.discovery
- attack.t1073
- attack.t1012
detection:
timeframe: 15s
condition: selection | count() by CommandLine > 4
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'tasklist'
- 'net time'
- 'systeminfo'
- 'whoami'
- 'nbtstat'
- 'net start'
- '*\net1 start'
- 'qprocess'
- 'nslookup'
- 'hostname.exe'
- '*\net1 user /domain'
- '*\net1 group /domain'
- '*\net1 group "domain admins" /domain'
- '*\net1 group "Exchange Trusted Subsystem" /domain'
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- 'netstat -an'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'tasklist'
- 'net time'
- 'systeminfo'
- 'whoami'
- 'nbtstat'
- 'net start'
- '*\net1 start'
- 'qprocess'
- 'nslookup'
- 'hostname.exe'
- '*\net1 user /domain'
- '*\net1 group /domain'
- '*\net1 group "domain admins" /domain'
- '*\net1 group "Exchange Trusted Subsystem" /domain'
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- 'netstat -an'

35
rules/windows/builtin/win_susp_gup.yml
View File

@ -1,35 +0,0 @@
---
action: global
title: Suspicious GUP Usage
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
status: experimental
references:
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth
date: 2019/02/06
detection:
condition: selection and not filter
falsepositives:
- 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater'
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\GUP.exe'
filter:
Image: '*\updater\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\GUP.exe'
filter:
NewProcessName: '*\updater\*'

49
rules/windows/builtin/win_susp_procdump.yml
View File

@ -1,49 +0,0 @@
action: global
title: Suspicious Use of Procdump
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
- Internal Research
author: Florian Roth
date: 2018/10/30
tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- attack.t1003
detection:
condition: selection and selection1 and selection2
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
selection1:
ProcessCommandLine:
- "* -ma *"
selection2:
ProcessCommandLine:
- '* lsass.exe*'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
selection1:
CommandLine:
- "* -ma *"
selection2:
CommandLine:
- '* lsass.exe*'

147
rules/windows/builtin/win_susp_process_creations.yml
View File

@ -1,147 +0,0 @@
---
action: global
title: Suspicious Process Creation
description: Detects suspicious process starts on Windows systems based on keywords
status: experimental
references:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- https://twitter.com/subTee/status/872244674609676288
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- https://twitter.com/vector_sec/status/896049052642533376
- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
author: Florian Roth
modified: 2018/12/11
detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- 'reg SAVE HKLM\SAM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\\*'
- 'attrib +S +H +R *\AppData\\*'
- 'schtasks* /create *\AppData\\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\\*'
- '*\Regasm *\AppData\\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- 'icacls * /grant Everyone:F /T /C /Q'
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
# UAC bypass
- '*\fodhelper.exe'
# persistence
- '*waitfor*/s*'
- '*waitfor*/si persist*'
# remote
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
# AddInProcess
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- 'reg SAVE HKLM\SAM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\\*'
- 'attrib +S +H +R *\AppData\\*'
- 'schtasks* /create *\AppData\\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\\*'
- '*\Regasm *\AppData\\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- 'icacls * /grant Everyone:F /T /C /Q'
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
# UAC bypass
- '*\fodhelper.exe'
# persistence
- '*waitfor*/s*'
- '*waitfor*/si persist*'
# remote
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
# AddInProcess
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
# Keyloggers and Password-Stealers abusing NirSoft tools(Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)
- '* /stext *'
- '* /scomma *'
- '* /stab *'
- '* /stabular *'
- '* /shtml *'
- '* /sverhtml *'
- '* /sxml *'

39
rules/windows/builtin/win_susp_ps_appdata.yml
View File

@ -1,39 +0,0 @@
---
action: global
title: PowerShell Script Run in AppData
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth
date: 2019/01/09
logsource:
product: windows
service: sysmon
detection:
condition: selection
falsepositives:
- Administrative scripts
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'

32
rules/windows/builtin/win_susp_rasdial_activity.yml
View File

@ -1,32 +0,0 @@
action: global
title: Suspicious RASdial Activity
description: Detects suspicious process related to rasdial.exe
status: experimental
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
detection:
selection:
CommandLine:
- 'rasdial'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1

49
rules/windows/builtin/win_susp_svchost.yml
View File

@ -1,49 +0,0 @@
---
action: global
title: Suspicious Svchost Processes
description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
author: Florian Roth, @c_APT_ure
date: 2018/10/26
status: experimental
references:
- https://twitter.com/Moti_B/status/1002280132143394816
- https://twitter.com/Moti_B/status/1002280287840153601
falsepositives:
- Renamed %SystemRoot%s
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\svchost.exe'
filter1:
ParentImage:
- '*\services.exe'
- '*\MsMpEng.exe'
filter2:
CommandLine: '* -k *'
filter3:
Image: 'C:\Windows\S*' # \* is a reserved expression
condition: selection and not ( filter1 or filter2 or filter3 )
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\svchost.exe'
# Deactivated as long as some backends do not fully support the 'null' expression
# filter2:
# ProcessCommandLine:
# - null # Missing KB3004375 and Group Policy setting
# - '* -k *'
filter3:
NewProcessName: 'C:\Windows\S*' # \* is a reserved expression
condition: selection and not filter3

36
rules/windows/builtin/win_susp_whoami.yml
View File

@ -1,36 +0,0 @@
---
action: global
title: Whoami Execution
status: experimental
description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'
references:
- https://twitter.com/haroonmeer/status/939099379834658817
- https://twitter.com/c_APT_ure/status/939475433711722497
author: Florian Roth
date: 2018/05/22
tags:
- attack.discovery
- attack.t1033
detection:
condition: selection
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: 'whoami'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\whoami.exe'

36
rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
View File

@ -1,36 +0,0 @@
---
action: global
title: WMI Persistence - Script Event Consumer
status: experimental
description: Detects WMI script event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018/03/07
tags:
- attack.execution
- attack.persistence
- attack.t1047
detection:
selection:
Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
ParentImage: 'C:\Windows\System32\svchost.exe'
condition: selection
falsepositives:
- Legitimate event consumers
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688

67
rules/windows/malware/win_mal_wannacry.yml
View File

@ -1,67 +0,0 @@
action: global
title: WannaCry Ransomware
description: Detects WannaCry Ransomware Activity
status: experimental
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
author: Florian Roth
detection:
selection1:
CommandLine:
- '*vssadmin delete shadows*'
- '*icacls * /grant Everyone:F /T /C /Q*'
- '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*'
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
NewProcessName:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe' # Rare, but can be false positive
- '*\linuxnew.exe'
- '*\wannacry.exe'
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
Image:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe' # Rare, but can be false positive
- '*\linuxnew.exe'
- '*\wannacry.exe'

15
rules/windows/powershell/powershell_xor_commandline.yml → rules/windows/process_creation/powershell_xor_commandline.yml
View File

@ -1,4 +1,3 @@
action: global
title: Suspicious XOR Encoded PowerShell Command Line
description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
status: experimental
@ -12,18 +11,6 @@ detection:
falsepositives:
- unknown
level: medium
---
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688

7
rules/windows/sysmon/sysmon_attrib_hiding_files.yml → rules/windows/process_creation/win_attrib_hiding_files.yml
View File

@ -3,19 +3,18 @@ status: experimental
description: Detects usage of attrib.exe to hide files from users.
author: Sami Ruohonen
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\attrib.exe'
CommandLine: '* +h *'
ini:
CommandLine: '*\desktop.ini *'
intel:
ParentImage: '*\cmd.exe'
CommandLine: '+R +H +S +A \\*.cui'
ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'
CommandLine: +R +H +S +A \\*.cui
ParentCommandLine: C:\WINDOWS\system32\\*.bat
condition: selection and not (ini or intel)
fields:
- CommandLine

20
rules/windows/sysmon/sysmon_bypass_squiblytwo.yml → rules/windows/process_creation/win_bypass_squiblytwo.yml
View File

@ -12,25 +12,23 @@ falsepositives:
- Unknown
level: medium
logsource:
product: windows
service: sysmon
category: process_creation
product: windows
detection:
selection1:
EventID: 1
Image:
- '*\wmic.exe'
CommandLine:
- 'wmic * *format:\"http*'
- "wmic * /format:'http"
- 'wmic * /format:http*'
- wmic * *format:\"http*
- wmic * /format:'http
- wmic * /format:http*
selection2:
EventID: 1
Imphash:
- '1B1A3F43BF37B5BFE60751F2EE2F326E'
- '37777A96245A3C74EB217308F3546F4C'
- '9D87C9D67CE724033C0B40CC4CA1B206'
- 1B1A3F43BF37B5BFE60751F2EE2F326E
- 37777A96245A3C74EB217308F3546F4C
- 9D87C9D67CE724033C0B40CC4CA1B206
CommandLine:
- '* *format:\"http*'
- "* /format:'http"
- '* /format:''http'
- '* /format:http*'
condition: 1 of them

3
rules/windows/sysmon/sysmon_cmdkey_recon.yml → rules/windows/process_creation/win_cmdkey_recon.yml
View File

@ -6,11 +6,10 @@ references:
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
author: jmallette
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\cmdkey.exe'
CommandLine: '* /list *'
condition: selection

8
rules/windows/sysmon/sysmon_cmstp_com_object_access.yml → rules/windows/process_creation/win_cmstp_com_object_access.yml
View File

@ -13,17 +13,15 @@ references:
- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://twitter.com/hFireF0X/status/897640081053364225
logsource:
category: process_creation
product: windows
service: sysmon
detection:
# CMSTP Spawning Child Process
selection1:
EventID: 1
ParentCommandLine: '*\DllHost.exe'
selection2:
ParentCommandLine:
- '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
- '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225
- '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
condition: selection1 and selection2
fields:
- CommandLine

7
rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml → rules/windows/process_creation/win_exploit_cve_2015_1641.yml
View File

@ -2,16 +2,15 @@ title: Exploit for CVE-2015-1641
status: experimental
description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
references:
- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
author: Florian Roth
date: 2018/02/22
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\WINWORD.EXE'
Image: '*\MicroScMgmt.exe '
condition: selection

5
rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml → rules/windows/process_creation/win_exploit_cve_2017_0261.yml
View File

@ -2,15 +2,14 @@ title: Exploit for CVE-2017-0261
status: experimental
description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
references:
- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
author: Florian Roth
date: 2018/02/22
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\WINWORD.EXE'
Image: '*\FLTLDR.exe*'
condition: selection

3
rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml → rules/windows/process_creation/win_exploit_cve_2017_11882.yml
View File

@ -7,11 +7,10 @@ references:
author: Florian Roth
date: 2017/11/23
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\EQNEDT32.EXE'
condition: selection
fields:

7
rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml → rules/windows/process_creation/win_exploit_cve_2017_8759.yml
View File

@ -1,16 +1,15 @@
title: Exploit for CVE-2017-8759
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
references:
- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
author: Florian Roth
date: 15.09.2017
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\WINWORD.EXE'
Image: '*\csc.exe'
condition: selection

29
rules/windows/process_creation/win_hack_rubeus.yml Normal file
View File

@ -0,0 +1,29 @@
title: Rubeus Hack Tool
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
condition: selection
falsepositives:
- unlikely
level: critical

3
rules/windows/sysmon/sysmon_lethalhta.yml → rules/windows/process_creation/win_lethalhta.yml
View File

@ -6,11 +6,10 @@ references:
author: Markus Neis
date: 2018/06/07
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\svchost.exe'
Image: '*\mshta.exe'
condition: selection

19
rules/windows/malware/win_mal_adwind.yml → rules/windows/process_creation/win_mal_adwind.yml
View File

@ -1,4 +1,3 @@
---
action: global
title: Adwind RAT / JRAT
status: experimental
@ -13,28 +12,15 @@ detection:
condition: selection
level: high
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
category: process_creation
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*\AppData\Roaming\Oracle*\java*.exe *'
- '*cscript.exe *Retrive*.vbs *'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\AppData\Roaming\Oracle\bin\java*.exe'
---
# Sysmon: File Creation (ID 11)
logsource:
product: windows
service: sysmon
@ -45,12 +31,11 @@ detection:
- '*\AppData\Roaming\Oracle\bin\java*.exe'
- '*\Retrive*.vbs'
---
# Sysmon: Registry Value Set (ID 13)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
Details: '%AppData%\Roaming\Oracle\bin\\*'

33
rules/windows/process_creation/win_mal_wannacry.yml Normal file
View File

@ -0,0 +1,33 @@
title: WannaCry Ransomware
description: Detects WannaCry Ransomware Activity
status: experimental
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
author: Florian Roth
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine:
- '*vssadmin delete shadows*'
- '*icacls * /grant Everyone:F /T /C /Q*'
- '*bcdedit /set {default} recoveryenabled no*'
- '*wbadmin delete catalog -quiet*'
selection2:
Image:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
- '*\taskdl.exe'
- '*\WanaDecryptor*'
- '*\taskhsvc.exe'
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe'
- '*\linuxnew.exe'
- '*\wannacry.exe'
condition: 1 of them
falsepositives:
- Unknown
level: critical

28
rules/windows/malware/sysmon_malware_dridex.yml → rules/windows/process_creation/win_malware_dridex.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Dridex Process Pattern
status: experimental
description: Detects typical Dridex process patterns
@ -8,33 +6,17 @@ references:
author: Florian Roth
date: 2019/01/10
logsource:
category: process_creation
product: windows
service: sysmon
detection:
condition: 1 of them
falsepositives:
- Unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
selection2:
EventID: 1
ParentImage: '*\svchost.exe*'
CommandLine:
- '*whoami.exe /all'
- '*net.exe view'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
condition: 1 of them
falsepositives:
- Unlikely
level: critical

10
rules/windows/malware/sysmon_malware_notpetya.yml → rules/windows/process_creation/win_malware_notpetya.yml
View File

@ -1,6 +1,7 @@
title: NotPetya Ransomware Activity
status: experimental
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
C is deleted and windows eventlogs are cleared using wevtutil
author: Florian Roth, Tom Ueltschi
references:
- https://securelist.com/schroedingers-petya/78870/
@ -13,22 +14,18 @@ tags:
- attack.t1070
- attack.t1003
logsource:
category: process_creation
product: windows
service: sysmon
detection:
fsutil_clean_journal:
EventID: 1
Image: '*\fsutil.exe'
CommandLine: '* deletejournal *'
pipe_com:
EventID: 1
CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*'
event_clean:
EventID: 1
Image: '*\wevtutil.exe'
CommandLine: '* cl *'
rundll32_dash1:
EventID: 1
Image: '*\rundll32.exe'
CommandLine: '*.dat,#1'
perfc_keyword:
@ -40,4 +37,3 @@ fields:
falsepositives:
- Admin activity
level: critical

5
rules/windows/sysmon/sysmon_malware_script_dropper.yml → rules/windows/process_creation/win_malware_script_dropper.yml
View File

@ -3,11 +3,10 @@ status: experimental
description: Detects wscript/cscript executions of scripts located in user directories
author: Margaritis Dimitrios (idea), Florian Roth (rule)
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\wscript.exe'
- '*\cscript.exe'
@ -24,7 +23,7 @@ detection:
- '* C:\ProgramData\\*.vbs *'
falsepositive:
ParentImage: '*\winzip*'
condition: selection
condition: selection and not falsepositive
fields:
- CommandLine
- ParentCommandLine

8
rules/windows/malware/sysmon_malware_wannacry.yml → rules/windows/process_creation/win_malware_wannacry.yml
View File

@ -5,11 +5,10 @@ references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection1:
EventID: 1
Image:
- '*\tasksche.exe'
- '*\mssecsvc.exe'
@ -19,11 +18,10 @@ detection:
- '*\taskse.exe'
- '*\111.exe'
- '*\lhdfrgui.exe'
- '*\diskpart.exe' # Rare, but can be false positive
- '*\diskpart.exe'
- '*\linuxnew.exe'
- '*\wannacry.exe'
selection2:
EventID: 1
CommandLine:
- '*vssadmin delete shadows*'
- '*icacls * /grant Everyone:F /T /C /Q*'
@ -37,5 +35,3 @@ fields:
falsepositives:
- Diskpart.exe usage to manage partitions on the local hard drive
level: critical

24
rules/windows/builtin/win_mavinject_proc_inj.yml → rules/windows/process_creation/win_mavinject_proc_inj.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: MavInject Process Injection
status: experimental
description: Detects process injection using the signed Windows tool Mavinject32.exe
@ -14,25 +12,13 @@ tags:
- attack.t1055
- attack.signed_binary_proxy_execution
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '* /INJECTRUNNING *'
condition: selection
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '* /INJECTRUNNING *'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '* /INJECTRUNNING *'

4
rules/windows/sysmon/sysmon_mshta_spawn_shell.yml → rules/windows/process_creation/win_mshta_spawn_shell.yml
View File

@ -5,11 +5,10 @@ references:
- https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\mshta.exe'
Image:
- '*\cmd.exe'
@ -36,4 +35,3 @@ tags:
falsepositives:
- Printer software / driver installations
level: high

64
rules/windows/builtin/win_multiple_suspicious_cli.yml → rules/windows/process_creation/win_multiple_suspicious_cli.yml
View File

@ -1,4 +1,3 @@
action: global
title: Quick Execution of a Series of Suspicious Commands
description: Detects multiple suspicious process in a limited timeframe
status: experimental
@ -6,68 +5,11 @@ references:
- https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
modified: 2012/12/11
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
category: process_creation
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- arp.exe
- at.exe
- attrib.exe
- cscript.exe
- dsquery.exe
- hostname.exe
- ipconfig.exe
- mimikatz.exe
- nbstat.exe
- net.exe
- netsh.exe
- nslookup.exe
- ping.exe
- quser.exe
- qwinsta.exe
- reg.exe
- runas.exe
- sc.exe
- schtasks.exe
- ssh.exe
- systeminfo.exe
- taskkill.exe
- telnet.exe
- tracert.exe
- wscript.exe
- xcopy.exe
# others
- pscp.exe
- copy.exe
- robocopy.exe
- certutil.exe
- vssadmin.exe
- powershell.exe
- wevtutil.exe
- psexec.exe
- bcedit.exe
- wbadmin.exe
- icacls.exe
- diskpart.exe
timeframe: 5m
condition: selection | count() by MachineName > 5
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- arp.exe
- at.exe
@ -95,7 +37,6 @@ detection:
- tracert.exe
- wscript.exe
- xcopy.exe
# others
- pscp.exe
- copy.exe
- robocopy.exe
@ -110,3 +51,6 @@ detection:
- diskpart.exe
timeframe: 5m
condition: selection | count() by MachineName > 5
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low

20
rules/windows/process_creation/win_netsh_port_fwd.yml Normal file
View File

@ -0,0 +1,20 @@
title: Netsh Port Forwarding
description: Detects netsh commands that configure a port forwarding
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
tags:
- attack.lateral_movement
status: experimental
author: Florian Roth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- netsh interface portproxy add v4tov4 *
condition: selection
falsepositives:
- Legitimate administration
level: medium

27
rules/windows/builtin/win_netsh_port_fwd_3389.yml → rules/windows/process_creation/win_netsh_port_fwd_3389.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Netsh RDP Port Forwarding
description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
references:
@ -9,27 +7,14 @@ tags:
- attack.lateral_movement
status: experimental
author: Florian Roth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- netsh i* p*=3389 c*
condition: selection
falsepositives:
- Legitimate administration
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'netsh i* p*=3389 c*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'netsh i* p*=3389 c*'

52
rules/windows/process_creation/win_office_shell.yml Normal file
View File

@ -0,0 +1,52 @@
title: Microsoft Office Product Spawning Windows Shell
status: experimental
description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
- https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059
- attack.t1202
author: Michael Haag, Florian Roth, Markus Neis
date: 2018/04/06
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage:
- '*\WINWORD.EXE'
- '*\EXCEL.EXE'
- '*\POWERPNT.exe'
- '*\MSPUB.exe'
- '*\VISIO.exe'
- '*\OUTLOOK.EXE'
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\scrcons.exe'
- '*\schtasks.exe'
- '*\regsvr32.exe'
- '*\hh.exe'
- '*\wmic.exe'
- '*\mshta.exe'
- '*\rundll32.exe'
- '*\msiexec.exe'
- '*\forfiles.exe'
- '*\scriptrunner.exe'
- '*\mftrace.exe'
- '*\AppVLP.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- unknown
level: high

88
rules/windows/process_creation/win_plugx_susp_exe_locations.yml Normal file
View File

@ -0,0 +1,88 @@
title: Executable used by PlugX in Uncommon Location - Sysmon Version
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth
date: 2017/06/12
logsource:
category: process_creation
product: windows
detection:
selection_cammute:
Image: '*\CamMute.exe'
filter_cammute:
Image: '*\Lenovo\Communication Utility\\*'
selection_chrome_frame:
Image: '*\chrome_frame_helper.exe'
filter_chrome_frame:
Image: '*\Google\Chrome\application\\*'
selection_devemu:
Image: '*\dvcemumanager.exe'
filter_devemu:
Image: '*\Microsoft Device Emulator\\*'
selection_gadget:
Image: '*\Gadget.exe'
filter_gadget:
Image: '*\Windows Media Player\\*'
selection_hcc:
Image: '*\hcc.exe'
filter_hcc:
Image: '*\HTML Help Workshop\\*'
selection_hkcmd:
Image: '*\hkcmd.exe'
filter_hkcmd:
Image:
- '*\System32\\*'
- '*\SysNative\\*'
- '*\SysWowo64\\*'
selection_mc:
Image: '*\Mc.exe'
filter_mc:
Image:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
selection_msmpeng:
Image: '*\MsMpEng.exe'
filter_msmpeng:
Image:
- '*\Microsoft Security Client\\*'
- '*\Windows Defender\\*'
- '*\AntiMalware\\*'
selection_msseces:
Image: '*\msseces.exe'
filter_msseces:
Image: '*\Microsoft Security Center\\*'
selection_oinfo:
Image: '*\OInfoP11.exe'
filter_oinfo:
Image: '*\Common Files\Microsoft Shared\\*'
selection_oleview:
Image: '*\OleView.exe'
filter_oleview:
Image:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\\*'
selection_rc:
Image: '*\rc.exe'
filter_rc:
Image:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\\*'
- '*\Microsoft.NET\\*'
condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
and not filter_oleview ) or ( selection_rc and not filter_rc )
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high

23
rules/windows/builtin/win_possible_applocker_bypass.yml → rules/windows/process_creation/win_possible_applocker_bypass.yml
View File

@ -1,4 +1,3 @@
action: global
title: Possible Applocker Bypass
description: Detects execution of executables that can be used to bypass Applocker whitelisting
status: experimental
@ -8,6 +7,9 @@ references:
author: juju4
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
@ -19,27 +21,8 @@ detection:
- '*\msbuild.exe*'
- '*\ieexec.exe*'
- '*\mshta.exe*'
# higher risk of false positives
# - '*\cscript.EXE*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
- Using installutil to add features for .NET applications (primarly would occur in developer environments)
level: low
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1

6
rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml → rules/windows/process_creation/win_powershell_amsi_bypass.yml
View File

@ -10,11 +10,10 @@ tags:
author: Markus Neis
date: 2018/08/17
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine:
- '*System.Management.Automation.AmsiUtils*'
selection2:
@ -22,6 +21,5 @@ detection:
- '*amsiInitFailed*'
condition: selection1 and selection2
falsepositives:
- Potential Admin Activity
- Potential Admin Activity
level: high

24
rules/windows/process_creation/win_powershell_b64_shellcode.yml Normal file
View File

@ -0,0 +1,24 @@
title: PowerShell Base64 Encoded Shellcode
description: Detects Base64 encoded Shellcode
status: experimental
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
author: Florian Roth
date: 2018/11/17
tags:
- attack.defense_evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine: '*AAAAYInlM*'
selection2:
CommandLine:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: selection1 and selection2
falsepositives:
- Unknown
level: critical

5
rules/windows/sysmon/sysmon_powershell_dll_execution.yml → rules/windows/process_creation/win_powershell_dll_execution.yml
View File

@ -9,19 +9,16 @@ tags:
author: Markus Neis
date: 2018/08/25
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection1:
EventID: 1
Image:
- '*\rundll32.exe'
selection2:
EventID: 1
Description:
- '*Windows-Hostprozess (Rundll32)*'
selection3:
EventID: 1
CommandLine:
- '*Default.GetString*'
- '*FromBase64String*'

9
rules/windows/sysmon/sysmon_powershell_download.yml → rules/windows/process_creation/win_powershell_download.yml
View File

@ -6,18 +6,16 @@ tags:
- attack.t1086
- attack.execution
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\powershell.exe'
CommandLine:
- '*new-object system.net.webclient).downloadstring(*'
- '*new-object system.net.webclient).downloadfile(*'
- '*new-object net.webclient).downloadstring(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-2---bloodhound
- '*new-object net.webclient).downloadfile(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-3---obfuscation-tests
- '*new-object net.webclient).downloadstring(*'
- '*new-object net.webclient).downloadfile(*'
condition: selection
fields:
- CommandLine
@ -25,4 +23,3 @@ fields:
falsepositives:
- unknown
level: medium

3
rules/windows/sysmon/sysmon_powershell_renamed_ps.yml → rules/windows/process_creation/win_powershell_renamed_ps.yml
View File

@ -9,11 +9,10 @@ tags:
- attack.execution
author: Tom Ueltschi (@c_APT_ure)
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Description: Windows PowerShell
exclusion_1:
Image:

3
rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml → rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
View File

@ -8,13 +8,12 @@ tags:
- attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
Image:
- '*\Powershell.exe'
EventID: 1
CommandLine:
- ' -windowstyle h '
- ' -windowstyl h'

28
rules/windows/process_creation/win_process_creation_bitsadmin_download.yml Normal file
View File

@ -0,0 +1,28 @@
title: Bitsadmin Download
status: experimental
description: Detects usage of bitsadmin downloading a file
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- attack.s0190
author: Michael Haag
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*\bitsadmin.exe'
CommandLine:
- '/transfer'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Some legitimate apps use this, but limited.
level: medium

6
rules/windows/builtin/win_psexesvc_start.yml → rules/windows/process_creation/win_psexesvc_start.yml
View File

@ -8,13 +8,11 @@ tags:
- attack.t1035
- attack.s0029
logsource:
category: process_creation
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
ProcessCommandLine: C:\Windows\PSEXESVC.exe
condition: selection
falsepositives:
- Administrative activity

11
rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml → rules/windows/process_creation/win_sdbinst_shim_persistence.yml
View File

@ -9,15 +9,14 @@ tags:
author: Markus Neis
date: 2018-08-03
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\sdbinst.exe'
CommandLine:
- '*\AppPatch\\*}.sdb*'
Image:
- '*\sdbinst.exe'
CommandLine:
- '*\AppPatch\\*}.sdb*'
condition: selection
falsepositives:
- Unknown

4
rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml → rules/windows/process_creation/win_shell_spawn_susp_program.yml
View File

@ -7,11 +7,10 @@ author: Florian Roth
date: 2018/04/06
modified: 2019/02/05
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage:
- '*\mshta.exe'
- '*\powershell.exe'
@ -36,4 +35,3 @@ falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high

24
rules/windows/process_creation/win_spn_enum.yml Normal file
View File

@ -0,0 +1,24 @@
title: Possible SPN Enumeration
description: Detects Service Principal Name Enumeration used for Kerberoasting
status: experimental
references:
- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
author: Markus Neis, keepwatch
date: 2018/11/14
tags:
- attack.credential_access
- attack.t1208
logsource:
category: process_creation
product: windows
detection:
selection_image:
Image: '*\setspn.exe'
selection_desc:
Description: '*Query or reset the computer* SPN attribute*'
cmd:
CommandLine: '*-q*'
condition: (selection_image or selection_desc) and cmd
falsepositives:
- Administrator Activity
level: medium

19
rules/windows/process_creation/win_susp_bcdedit.yml Normal file
View File

@ -0,0 +1,19 @@
title: Possible Ransomware or unauthorized MBR modifications
status: experimental
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
references:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
author: '@neu5ron'
date: 2019/02/07
logsource:
category: process_creation
product: windows
detection:
selection:
NewProcessName: '*\fsutil.exe'
ProcessCommandLine:
- '*delete*'
- '*deletevalue*'
- '*import*'
condition: selection
level: medium

23
rules/windows/process_creation/win_susp_calc.yml Normal file
View File

@ -0,0 +1,23 @@
title: Suspicious Calculator Usage
description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
status: experimental
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth
date: 2019/02/09
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine: '*\calc.exe *'
selection2:
EventID: 1
Image: '*\calc.exe'
filter2:
Image: '*\Windows\Sys*'
condition: selection1 or ( selection2 and not filter2 )
falsepositives:
- Unknown
level: high

59
rules/windows/sysmon/sysmon_susp_certutil_command.yml → rules/windows/process_creation/win_susp_certutil_command.yml
View File

@ -1,8 +1,7 @@
---
action: global
title: Suspicious Certutil Command
status: experimental
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with
the built-in certutil utility
author: Florian Roth, juju4, keepwatch
modified: 2019/01/22
references:
@ -13,27 +12,11 @@ references:
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
detection:
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.t1140
- attack.t1105
- attack.s0189
- attack.g0007
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
---
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* -decode *'
- '* /decode *'
@ -49,26 +32,16 @@ detection:
- '*certutil* /URL*'
- '*certutil* -ping*'
- '*certutil* /ping*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* -decode *'
- '* /decode *'
- '* -decodehex *'
- '* /decodehex *'
- '* -urlcache *'
- '* /urlcache *'
- '* -verifyctl *'
- '* /verifyctl *'
- '* -encode *'
- '* /encode *'
- '*certutil* -URL*'
- '*certutil* /URL*'
- '*certutil* -ping*'
- '*certutil* /ping*'
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.t1140
- attack.t1105
- attack.s0189
- attack.g0007
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high

22
rules/windows/process_creation/win_susp_certutil_encode.yml Normal file
View File

@ -0,0 +1,22 @@
title: Certutil Encode
status: experimental
description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth
date: 2019/02/24
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- certutil -f -encode *
- certutil.exe -f -encode *
- certutil -encode -f *
- certutil.exe -encode -f *
condition: selection
falsepositives:
- unknown
level: medium

27
rules/windows/process_creation/win_susp_cli_escape.yml Normal file
View File

@ -0,0 +1,27 @@
title: Suspicious Commandline Escape
description: Detects suspicious process that use escape characters
status: experimental
references:
- https://twitter.com/vysecurity/status/885545634958385153
- https://twitter.com/Hexacorn/status/885553465417756673
- https://twitter.com/Hexacorn/status/885570278637678592
- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
modified: 2018/12/11
tags:
- attack.defense_evasion
- attack.t1140
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- <TAB>
- ^h^t^t^p
- h"t"t"p
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low

23
rules/windows/process_creation/win_susp_cmd_http_appdata.yml Normal file
View File

@ -0,0 +1,23 @@
title: Command Line Execution with suspicious URL and AppData Strings
status: experimental
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
> powershell)
references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- cmd.exe /c *http://*%AppData%
- cmd.exe /c *https://*%AppData%
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- High
level: medium

42
rules/windows/process_creation/win_susp_commands_recon_activity.yml Normal file
View File

@ -0,0 +1,42 @@
title: Reconnaissance Activity with Net Command
status: experimental
description: Detects a set of commands often used in recon stages by different attack groups
references:
- https://twitter.com/haroonmeer/status/939099379834658817
- https://twitter.com/c_APT_ure/status/939475433711722497
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth, Markus Neis
date: 2018/08/22
modified: 2018/12/11
tags:
- attack.discovery
- attack.t1073
- attack.t1012
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- tasklist
- net time
- systeminfo
- whoami
- nbtstat
- net start
- '*\net1 start'
- qprocess
- nslookup
- hostname.exe
- '*\net1 user /domain'
- '*\net1 group /domain'
- '*\net1 group "domain admins" /domain'
- '*\net1 group "Exchange Trusted Subsystem" /domain'
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- netstat -an
timeframe: 15s
condition: selection | count() by CommandLine > 4
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium

3
rules/windows/sysmon/sysmon_susp_control_dll_load.yml → rules/windows/process_creation/win_susp_control_dll_load.yml
View File

@ -6,11 +6,10 @@ date: 2017/04/15
references:
- https://twitter.com/rikvduijn/status/853251879320662017
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\System32\control.exe'
CommandLine: '*\rundll32.exe *'
filter:

3
rules/windows/sysmon/sysmon_susp_csc.yml → rules/windows/process_creation/win_susp_csc.yml
View File

@ -9,11 +9,10 @@ tags:
- attack.defense_evasion
- attack.t1036
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\csc.exe*'
ParentImage:
- '*\wscript.exe'

35
rules/windows/process_creation/win_susp_exec_folder.yml Normal file
View File

@ -0,0 +1,35 @@
title: Executables Started in Suspicious Folder
status: experimental
description: Detects process starts of binaries from a suspicious folder
author: Florian Roth
date: 2017/10/14
modfied: 2019/02/21
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- C:\PerfLogs\\*
- C:\$Recycle.bin\\*
- C:\Intel\Logs\\*
- C:\Users\Default\\*
- C:\Users\Public\\*
- C:\Users\NetworkService\\*
- C:\Windows\Fonts\\*
- C:\Windows\Debug\\*
- C:\Windows\Media\\*
- C:\Windows\Help\\*
- C:\Windows\addins\\*
- C:\Windows\repair\\*
- C:\Windows\security\\*
- '*\RSA\MachineKeys\\*'
- C:\Windows\system32\config\systemprofile\\*
condition: selection
falsepositives:
- Unknown
level: high

3
rules/windows/sysmon/sysmon_susp_execution_path.yml → rules/windows/process_creation/win_susp_execution_path.yml
View File

@ -3,11 +3,10 @@ status: experimental
description: Detects a suspicious exection from an uncommon folder
author: Florian Roth
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\$Recycle.bin'
- '*\Users\All Users\\*'

3
rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml → rules/windows/process_creation/win_susp_execution_path_webserver.yml
View File

@ -3,11 +3,10 @@ status: experimental
description: Detects a suspicious program execution in a web service root folder (filter out false positives)
author: Florian Roth
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\wwwroot\\*'
- '*\wmpub\\*'

19
rules/windows/process_creation/win_susp_gup.yml Normal file
View File

@ -0,0 +1,19 @@
title: Suspicious GUP Usage
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
status: experimental
references:
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth
date: 2019/02/06
logsource:
category: process_creation
product: windows
detection:
selection:
Image: '*\GUP.exe'
filter:
Image: '*\updater\*'
condition: selection and not filter
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high

27
rules/windows/builtin/win_susp_iss_module_install.yml → rules/windows/process_creation/win_susp_iss_module_install.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: IIS Native-Code Module Command Line Installation
description: Detects suspicious IIS native-code module installations via command line
status: experimental
@ -10,27 +8,14 @@ modified: 2012/12/11
tags:
- attack.persistence
- attack.t1100
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*\APPCMD.EXE install module /name:*'
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '*\APPCMD.EXE install module /name:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*\APPCMD.EXE install module /name:*'

3
rules/windows/sysmon/sysmon_susp_mmc_source.yml → rules/windows/process_creation/win_susp_mmc_source.yml
View File

@ -4,11 +4,10 @@ description: Processes started by MMC could be a sign of lateral movement using
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\mmc.exe'
Image: '*\cmd.exe'
exclusion:

27
rules/windows/builtin/win_susp_msiexec_web_install.yml → rules/windows/process_creation/win_susp_msiexec_web_install.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: MsiExec Web Install
status: experimental
description: Detects suspicious msiexec proess starts with web addreses as parameter
@ -8,27 +6,14 @@ references:
author: Florian Roth
date: 2018/02/09
modified: 2012/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* msiexec*:\/\/*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* msiexec*:\/\/*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* msiexec*:\/\/*'

4
rules/windows/sysmon/sysmon_susp_net_execution.yml → rules/windows/process_creation/win_susp_net_execution.yml
View File

@ -8,13 +8,11 @@ tags:
- attack.s0039
- attack.lateral_movement
- attack.discovery
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\net.exe'
- '*\net1.exe'

24
rules/windows/builtin/win_susp_ntdsutil.yml → rules/windows/process_creation/win_susp_ntdsutil.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
status: experimental
@ -9,25 +7,13 @@ author: Thomas Patzke
tags:
- attack.credential_access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*\ntdsutil*'
condition: selection
falsepositives:
- NTDS maintenance
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*\ntdsutil*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\ntdsutil*'

11
rules/windows/sysmon/sysmon_susp_outlook.yml → rules/windows/process_creation/win_susp_outlook.yml
View File

@ -11,18 +11,15 @@ tags:
author: Markus Neis
date: 2018/12/27
logsource:
category: process_creation
product: windows
service: sysmon
detection:
clientMailRules:
EventID: 1
CommandLine: '*EnableUnsafeClientMailRules*' # EnableUnsafeClientMailRules used for Script Execution from Outlook
CommandLine: '*EnableUnsafeClientMailRules*'
outlookExec:
EventID: 1
ParentImage: '*\outlook.exe'
CommandLine: '\\\\*\\*.exe' # UNC Path required for Execution
condition: clientMailRules OR outlookExec
CommandLine: \\\\*\\*.exe
condition: clientMailRules or outlookExec
falsepositives:
- unknown
level: high

4
rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml → rules/windows/process_creation/win_susp_ping_hex_ip.yml
View File

@ -6,11 +6,10 @@ references:
author: Florian Roth
date: 2018/03/23
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '*\ping.exe 0x*'
- '*\ping 0x*'
@ -20,4 +19,3 @@ fields:
falsepositives:
- Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high

27
rules/windows/builtin/win_susp_powershell_enc_cmd.yml → rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Suspicious Encoded PowerShell Command Line
description: Detects suspicious powershell process starts with base64 encoded commands
status: experimental
@ -7,19 +5,18 @@ references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth, Markus Neis
date: 2018/09/03
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
# Command starts with '$' symbol
- '* -e JAB*'
- '* -enc JAB*'
- '* -encodedcommand JAB*'
- '* BA^J e-' # reversed base64 and dosfuscation
# Google Rapid Response
- '* BA^J e-'
falsepositive1:
Image: '*\GRR\\*'
# PowerSponse deployments
falsepositive2:
CommandLine: '* -ExecutionPolicy remotesigned *'
condition: selection and not 1 of falsepositive*
@ -27,19 +24,3 @@ falsepositives:
- GRR powershell hacks
- PowerSponse Deployments
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688

14
rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml → rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
View File

@ -8,74 +8,62 @@ tags:
- attack.t1086
author: John Lambert (rule)
logsource:
category: process_creation
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
encoded:
EventID: 4688
Image: '*\powershell.exe'
CommandLine: '* hidden *'
selection:
EventID: 4688
CommandLine:
# bitsadmin transfer
- '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
- '*aXRzYWRtaW4gL3RyYW5zZmVy*'
- '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
- '*JpdHNhZG1pbiAvdHJhbnNmZX*'
- '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
- '*Yml0c2FkbWluIC90cmFuc2Zlc*'
# chunk_size
- '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
- '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
- '*JGNodW5rX3Npem*'
- '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
- '*RjaHVua19zaXpl*'
- '*Y2h1bmtfc2l6Z*'
# IO.Compression
- '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
- '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
- '*lPLkNvbXByZXNzaW9u*'
- '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
- '*SU8uQ29tcHJlc3Npb2*'
- '*Ty5Db21wcmVzc2lvb*'
# IO.MemoryStream
- '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
- '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
- '*lPLk1lbW9yeVN0cmVhb*'
- '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
- '*SU8uTWVtb3J5U3RyZWFt*'
- '*Ty5NZW1vcnlTdHJlYW*'
# GetChunk
- '*4ARwBlAHQAQwBoAHUAbgBrA*'
- '*5HZXRDaHVua*'
- '*AEcAZQB0AEMAaAB1AG4Aaw*'
- '*LgBHAGUAdABDAGgAdQBuAGsA*'
- '*LkdldENodW5r*'
- '*R2V0Q2h1bm*'
# THREAD INFO64
- '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
- '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
- '*RIUkVBRF9JTkZPNj*'
- '*SFJFQURfSU5GTzY0*'
- '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
- '*VEhSRUFEX0lORk82N*'
# CreateRemoteThread
- '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
- '*cmVhdGVSZW1vdGVUaHJlYW*'
- '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
- '*NyZWF0ZVJlbW90ZVRocmVhZ*'
- '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
- '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
# memmove
- '*0AZQBtAG0AbwB2AGUA*'
- '*1lbW1vdm*'
- '*AGUAbQBtAG8AdgBlA*'
- '*bQBlAG0AbQBvAHYAZQ*'
- '*bWVtbW92Z*'
- '*ZW1tb3Zl*'
condition: encoded and selection
falsepositives:
- Penetration tests

3
rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml → rules/windows/process_creation/win_susp_powershell_parent_combo.yml
View File

@ -8,11 +8,10 @@ tags:
- attack.execution
- attack.t1086
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage:
- '*\wscript.exe'
- '*\cscript.exe'

28
rules/windows/process_creation/win_susp_procdump.yml Normal file
View File

@ -0,0 +1,28 @@
title: Suspicious Use of Procdump
description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This
way we're also able to catch cases in which the attacker has renamed the procdump executable.
status: experimental
references:
- Internal Research
author: Florian Roth
date: 2018/10/30
tags:
- attack.defense_evasion
- attack.t1036
- attack.credential_access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine:
- '* -ma *'
selection2:
CommandLine:
- '* lsass.exe*'
condition: selection1 and selection2
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses the command line switches of Procdump
level: medium

76
rules/windows/process_creation/win_susp_process_creations.yml Normal file
View File

@ -0,0 +1,76 @@
# Sigma rule: rules/windows/builtin/win_susp_process_creations.yml
action: global
title: Suspicious Process Creation
description: Detects suspicious process starts on Windows systems based on keywords
status: experimental
references:
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- https://twitter.com/subTee/status/872244674609676288
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- https://twitter.com/vector_sec/status/896049052642533376
- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
author: Florian Roth
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- vssadmin.exe delete shadows*
- vssadmin delete shadows*
- vssadmin create shadow /for=C:*
- copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
- copy \\?\GLOBALROOT\Device\\*\config\SAM*
- reg SAVE HKLM\SYSTEM *
- reg SAVE HKLM\SAM *
- '* sekurlsa:*'
- net localgroup adminstrators * /add
- net group "Domain Admins" * /ADD /DOMAIN
- certutil.exe *-urlcache* http*
- certutil.exe *-urlcache* ftp*
- netsh advfirewall firewall *\AppData\\*
- attrib +S +H +R *\AppData\\*
- schtasks* /create *\AppData\\*
- schtasks* /sc minute*
- '*\Regasm.exe *\AppData\\*'
- '*\Regasm *\AppData\\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- icacls * /grant Everyone:F /T /C /Q
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*'
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
- '*\fodhelper.exe'
- '*waitfor*/s*'
- '*waitfor*/si persist*'
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
- '*AddInProcess*'
- '* /stext *'
- '* /scomma *'
- '* /stab *'
- '* /stabular *'
- '* /shtml *'
- '* /sverhtml *'
- '* /sxml *'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium

4
rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml → rules/windows/process_creation/win_susp_prog_location_process_starts.yml
View File

@ -6,13 +6,11 @@ references:
author: Florian Roth
date: 2019/01/15
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
# - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
- '*\$Recycle.bin'
- '*\Users\Public\\*'
- 'C:\Perflogs\\*'

20
rules/windows/process_creation/win_susp_ps_appdata.yml Normal file
View File

@ -0,0 +1,20 @@
title: PowerShell Script Run in AppData
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth
date: 2019/01/09
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
condition: selection
falsepositives:
- Administrative scripts
level: medium

17
rules/windows/process_creation/win_susp_rasdial_activity.yml Normal file
View File

@ -0,0 +1,17 @@
title: Suspicious RASdial Activity
description: Detects suspicious process related to rasdial.exe
status: experimental
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- rasdial
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium

7
rules/windows/sysmon/sysmon_susp_recon_activity.yml → rules/windows/process_creation/win_susp_recon_activity.yml
View File

@ -3,14 +3,13 @@ status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'net group "domain admins" /domain'
- 'net localgroup administrators'
- net group "domain admins" /domain
- net localgroup administrators
condition: selection
fields:
- CommandLine

15
rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml → rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
View File

@ -9,35 +9,24 @@ tags:
- attack.defense_evasion
- attack.execution
logsource:
category: process_creation
product: windows
service: sysmon
detection:
# Loads from Temp folder
selection1:
EventID: 1
Image: '*\regsvr32.exe'
CommandLine: '*\Temp\\*'
# Loaded by powershell
selection2:
EventID: 1
Image: '*\regsvr32.exe'
ParentImage: '*\powershell.exe'
# Regsvr32.exe used with http(s) address
selection3:
EventID: 1
Image: '*\regsvr32.exe'
CommandLine:
- '*/i:http* scrobj.dll'
- '*/i:ftp* scrobj.dll'
# Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
# https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
selection4:
EventID: 1
Image: '*\wscript.exe'
ParentImage: '*\regsvr32.exe'
# https://twitter.com/danielhbohannon/status/974321840385531904
selection5:
EventID: 1
Image: '*\EXCEL.EXE'
CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
condition: 1 of them
@ -47,5 +36,3 @@ fields:
falsepositives:
- Unknown
level: high

21
rules/windows/builtin/win_susp_run_locations.yml → rules/windows/process_creation/win_susp_run_locations.yml
View File

@ -1,4 +1,3 @@
action: global
title: Suspicious Process Start Locations
description: Detects suspicious process run from unusual locations
status: experimental
@ -8,6 +7,9 @@ author: juju4
tags:
- attack.defense_evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
@ -19,20 +21,3 @@ detection:
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1

22
rules/windows/builtin/win_susp_rundll32_activity.yml → rules/windows/process_creation/win_susp_rundll32_activity.yml
View File

@ -1,4 +1,3 @@
action: global
title: Suspicious Rundll32 Activity
description: Detects suspicious process related to rundll32 based on arguments
status: experimental
@ -11,10 +10,12 @@ tags:
- attack.execution
- attack.t1085
author: juju4
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
# match with or without rundll32.exe to try to catch evasion
- '*\rundll32.exe* url.dll,*OpenURL *'
- '*\rundll32.exe* url.dll,*OpenURLA *'
- '*\rundll32.exe* url.dll,*FileProtocolHandler *'
@ -31,21 +32,4 @@ detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
level: medium

5
rules/windows/sysmon/sysmon_susp_schtask_creation.yml → rules/windows/process_creation/win_susp_schtask_creation.yml
View File

@ -3,15 +3,14 @@ status: experimental
description: Detects the creation of scheduled tasks in user session
author: Florian Roth
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\schtasks.exe'
CommandLine: '* /create *'
filter:
User: 'NT AUTHORITY\SYSTEM'
User: NT AUTHORITY\SYSTEM
condition: selection and not filter
fields:
- CommandLine

3
rules/windows/sysmon/sysmon_susp_script_execution.yml → rules/windows/process_creation/win_susp_script_execution.yml
View File

@ -3,11 +3,10 @@ status: experimental
description: Detects suspicious file execution by wscript and cscript
author: Michael Haag
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\wscript.exe'
- '*\cscript.exe'

3
rules/windows/sysmon/sysmon_susp_svchost.yml → rules/windows/process_creation/win_susp_svchost.yml
View File

@ -4,11 +4,10 @@ description: Detects a suspicious svchost process start
author: Florian Roth
date: 2017/08/15
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\svchost.exe'
filter:
ParentImage:

30
rules/windows/builtin/win_susp_sysprep_appdata.yml → rules/windows/process_creation/win_susp_sysprep_appdata.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Sysprep on AppData Folder
status: experimental
description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
@ -9,29 +7,15 @@ references:
author: Florian Roth
date: 2018/06/22
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*\sysprep.exe *\AppData\\*'
- sysprep.exe *\AppData\\*
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '*\sysprep.exe *\AppData\\*'
- 'sysprep.exe *\AppData\\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*\sysprep.exe *\AppData\\*'
- 'sysprep.exe *\AppData\\*'

24
rules/windows/builtin/win_susp_sysvol_access.yml → rules/windows/process_creation/win_susp_sysvol_access.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Suspicious SYSVOL Domain Group Policy Access
status: experimental
description: Detects Access to Domain Group Policies stored in SYSVOL
@ -12,25 +10,13 @@ modified: 2018/12/11
tags:
- attack.credential_access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*\SYSVOL\\*\policies\\*'
condition: selection
falsepositives:
- administrative activity
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*\SYSVOL\\*\policies\\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\SYSVOL\\*\policies\\*'

5
rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml → rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
View File

@ -4,12 +4,11 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS
author: Florian Roth
date: 2018/03/18
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
User: 'NT AUTHORITY\SYSTEM'
User: NT AUTHORITY\SYSTEM
Image: '*\taskmgr.exe'
condition: selection
falsepositives:

7
rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml → rules/windows/process_creation/win_susp_taskmgr_parent.yml
View File

@ -4,16 +4,15 @@ description: Detects the creation of a process from Windows task manager
author: Florian Roth
date: 2018/03/13
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\taskmgr.exe'
filter:
Image:
- 'resmon.exe'
- 'mmc.exe'
- resmon.exe
- mmc.exe
condition: selection and not filter
fields:
- Image

5
rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml → rules/windows/process_creation/win_susp_tscon_localsystem.yml
View File

@ -7,12 +7,11 @@ references:
author: Florian Roth
date: 2018/03/17
logsource:
category: process_creation
product: windows
service: sysmon
detection:
selection:
EventID: 1
User: 'NT AUTHORITY\SYSTEM'
User: NT AUTHORITY\SYSTEM
Image: '*\tscon.exe'
condition: selection
falsepositives:

24
rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml → rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
View File

@ -1,5 +1,3 @@
---
action: global
title: Suspicious RDP Redirect Using TSCON
status: experimental
description: Detects a suspicious RDP session redirect using tscon.exe
@ -9,25 +7,13 @@ references:
author: Florian Roth
date: 2018/03/17
modified: 2018/12/11
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '* /dest:rdp-tcp:*'
condition: selection
falsepositives:
- Unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '* /dest:rdp-tcp:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '* /dest:rdp-tcp:*'

Some files were not shown because too many files have changed in this diff Show More