Merge pull request #1932 from mlp1515/french_user

Add French user
This commit is contained in:
frack113 2021-08-26 17:12:39 +02:00 committed by GitHub
commit 59000b993d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 36 additions and 13 deletions


@ -5,7 +5,7 @@ status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
author: Thomas Patzke
date: 2017/06/12
modified: 2021/08/06
modified: 2021/08/26
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
@ -46,7 +46,9 @@ logsource:
detection:
sysmon_processcreation:
Image|endswith: '\PSEXESVC.exe'
User: 'NT AUTHORITY\SYSTEM'
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
---
logsource:
category: pipe_created
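Review bot: The new value `'AUTORITE NT\Sys'` is a deliberately truncated prefix, but its trailing comment only says `# French language settings`, so a later maintainer may "complete" it to the full localized account name and break the match on backends that mishandle the accented last character; the same line appears in all nine rule files of this commit, so the comment should be fixed in each. Presumably the prefix stands for the French display name of the SYSTEM account, which ends in an accented letter — record that, e.g. `# French language settings: truncated prefix of the localized SYSTEM name (accented), keep as-is`. Note also that moving the English value from an exact `User:` match to `User|startswith` widens it slightly, and that other Windows display languages localize this account as well, so a short note that the list is not exhaustive would help readers judging coverage. The surrounding `detection` block and its `condition` line are outside this hunk.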


@ -28,7 +28,9 @@ detection:
- '\powershell.exe'
- '\cmd.exe'
selection3:
User: 'NT AUTHORITY\SYSTEM'
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
filter:
CommandLine|contains|all:
- ' route '


@ -4,6 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) wh
status: experimental
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
modified: 2021/08/26
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
tags:
@ -16,7 +17,9 @@ detection:
integrity_level:
IntegrityLevel: 'System'
user:
User: 'NT AUTHORITY\SYSTEM'
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
image_1:
Image|contains|all:
- '\Windows\Installer\'
@ -34,4 +37,4 @@ fields:
falsepositives:
- System administrator Usage
- Penetration test
level: medium
level: medium


@ -7,6 +7,7 @@ references:
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth
date: 2019/11/20
modified: 2021/08/26
tags:
- attack.privilege_escalation
- attack.t1068
@ -21,7 +22,9 @@ detection:
rights1:
IntegrityLevel: 'System' # for Sysmon users
rights2:
User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
User|startswith:
- 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
- 'AUTORITE NT\Sys' # French language settings
condition: selection and ( rights1 or rights2 )
falsepositives:
- Unknown


@ -4,6 +4,7 @@ status: experimental
description: Detects the creation of scheduled tasks in user session
author: Florian Roth
date: 2019/01/16
modified: 2021/08/26
logsource:
category: process_creation
product: windows
@ -12,7 +13,9 @@ detection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
filter:
User: NT AUTHORITY\SYSTEM
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
condition: selection and not filter
fields:
- CommandLine
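Review bot: In this rule the `User|startswith` list sits under `filter`, which `condition: selection and not filter` negates, so the prefix widens what is excluded rather than what is detected: any account whose name begins with `'AUTORITE NT\Sys'` or `'NT AUTHORITY\SYSTEM'` no longer alerts on `schtasks /create`. That is most likely only the localized SYSTEM account, but it is the opposite effect from the other eight files in this commit, where the same prefix widens the detection, and an analyst tuning the rule should see that difference; a comment such as `# prefix match here widens the exclusion, not the detection` on the `filter:` line would make it explicit. The `selection:` key of this detection block starts above the hunk.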


@ -7,12 +7,15 @@ tags:
- attack.t1036
author: Florian Roth
date: 2018/03/18
modified: 2021/08/26
logsource:
category: process_creation
product: windows
detection:
selection:
User: NT AUTHORITY\SYSTEM
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:


@ -7,6 +7,7 @@ references:
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
author: Florian Roth
date: 2018/03/17
modified: 2021/08/26
tags:
- attack.command_and_control
- attack.t1219
@ -15,7 +16,9 @@ logsource:
product: windows
detection:
selection:
User: NT AUTHORITY\SYSTEM
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
Image|endswith: '\tscon.exe'
condition: selection
falsepositives:


@ -6,7 +6,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
author: Teymur Kheirkhabarov
date: 2019/10/23
modified: 2019/11/11
modified: 2021/08/26
tags:
- attack.privilege_escalation
- attack.discovery
@ -16,7 +16,9 @@ logsource:
product: windows
detection:
selection:
User: 'NT AUTHORITY\SYSTEM'
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
Image|endswith: '\whoami.exe'
condition: selection
falsepositives:


@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
description: Detects wmiprvse spawning processes
status: experimental
date: 2019/08/15
modified: 2021/02/24
modified: 2021/08/26
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
@ -23,7 +23,9 @@ detection:
- SubjectLogonId:
- '0x3e7' # LUID 999 for SYSTEM
- 'null' # too many false positives
- User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
- User|startswith:
- 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
- 'AUTORITE NT\Sys' # French language settings
- Image|endswith:
- '\WmiPrvSE.exe'
- '\WerFault.exe'