valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #873 from Neo23x0/rule-devel

Browse Source 
fix: remove duplicate rules in sysmon (generic rule cleanup)
This commit is contained in:
Florian Roth 2020-07-01 11:29:04 +02:00 committed by GitHub
commit 61c3b2e0d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
89 changed files with 121 additions and 2730 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
rules/windows/file_event/sysmon_office_persistence.yml Normal file
View File

@ -0,0 +1,30 @@
title: Microsoft Office Add-In Loading
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: experimental
description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
references:
- Internal Research
tags:
- attack.persistence
- attack.t1137
author: NVISO
date: 2020/05/11
logsource:
category: file_event
product: windows
detection:
wlldropped:
TargetFilename|contains: \Microsoft\Word\Startup\
TargetFilename|endswith: .wll
xlldropped:
TargetFilename|contains: \Microsoft\Excel\Startup\
TargetFilename|endswith: .xll
generic:
TargetFilename|contains: \Microsoft\Addins\
TargetFilename|endswith:
- .xlam
- .xla
condition: (wlldropped or xlldropped or generic)
falsepositives:
- Legitimate add-ins
level: high

33
rules/windows/image_load/sysmon_susp_fax_dll.yml Normal file
View File

@ -0,0 +1,33 @@
title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: experimental
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
- https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020/05/04
modified: 2020/07/01
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1073
- attack.t1038
- attack.t1112
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- fxssvc.exe
ImageLoaded|endswith:
- ualapi.dll
filter:
ImageLoaded|startswith:
- C:\Windows\WinSxS\
condition: selection and not filter
falsepositives:
- Unlikely
level: high

7
rules/windows/sysmon/sysmon_regsvr32_network_activity.yml → rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
View File

@ -13,15 +13,12 @@ tags:
author: Dmitriy Lifanov, oscd.community
status: experimental
date: 2019/10/25
modified: 2019/11/10
modified: 2020/07/01
logsource:
category: network_connection
product: windows
service: sysmon
detection:
selection:
EventID:
- 3
- 22
Image|endswith: '\regsvr32.exe'
condition: selection
fields:

0
rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml → rules/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
View File

19
rules/windows/sysmon/sysmon_hack_wce.yml → rules/windows/process_creation/sysmon_hack_wce.yml
View File

@ -1,4 +1,3 @@
action: global
title: Windows Credential Editor
id: 7aa7009a-28b9-4344-8c1f-159489a390df
description: Detects the use of Windows Credential Editor (WCE)
@ -6,15 +5,11 @@ author: Florian Roth
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
date: 2019/12/31
modified: 2020/07/01
tags:
- attack.credential_access
- attack.t1003
- attack.t1558
- attack.s0005
falsepositives:
- 'Another service that uses a single -s command line switch'
level: critical
---
logsource:
category: process_creation
product: windows
@ -27,12 +22,6 @@ detection:
CommandLine|endswith: '.exe -S'
ParentImage|endswith: '\services.exe'
condition: 1 of them
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- 'Another service that uses a single -s command line switch'
level: critical

32
rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml → rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
View File

@ -1,4 +1,3 @@
action: global
title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: experimental
@ -12,11 +11,7 @@ tags:
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high
---
modified: 2020/07/01
logsource:
category: process_creation
product: windows
@ -29,25 +24,10 @@ detection:
CommandLine|contains:
- 'netlogon.bat'
- 'UsrLogon.cmd'
condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
---
logsource:
category: process_creation
product: windows
detection:
create_keywords_cli:
CommandLine: '*UserInitMprLogonScript*'
condition: create_keywords_cli
---
logsource:
product: windows
service: sysmon
detection:
create_selection_reg:
EventID:
- 12
- 13
- 14
create_keywords_reg:
TargetObject: '*UserInitMprLogonScript*'
condition: create_selection_reg and create_keywords_reg
condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high

5
rules/windows/sysmon/sysmon_cve-2020-1048.yml → rules/windows/registry_event/sysmon_cve-2020-1048.yml
View File

@ -11,13 +11,10 @@ tags:
- attack.persistence
- attack.execution
logsource:
service: sysmon
product: windows
category: registry_event
detection:
selection:
EventID:
- 12
- 13
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
EventType:
- SetValue

3
rules/windows/sysmon/sysmon_etw_disabled.yml → rules/windows/registry_event/sysmon_etw_disabled.yml
View File

@ -19,10 +19,9 @@ tags:
- attack.t1112
logsource:
product: windows
service: sysmon
category: registry_event
detection:
selection:
EventID: 13
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
condition: selection

21
rules/windows/registry_event/sysmon_hack_wce.yml
View File

@ -1,4 +1,3 @@
action: global
title: Windows Credential Editor
id: 7aa7009a-28b9-4344-8c1f-159489a390df
description: Detects the use of Windows Credential Editor (WCE)
@ -10,23 +9,6 @@ tags:
- attack.credential_access
- attack.t1003
- attack.s0005
falsepositives:
- 'Another service that uses a single -s command line switch'
level: critical
---
logsource:
category: process_creation
product: windows
detection:
selection1:
Imphash:
- a53a02b997935fd8eedcb5f7abab9b9f
- e96a73c7bf33a464c510ede582318bf2
selection2:
CommandLine|endswith: '.exe -S'
ParentImage|endswith: '\services.exe'
condition: 1 of them
---
logsource:
category: registry_event
product: windows
@ -34,3 +16,6 @@ detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- 'Another service that uses a single -s command line switch'
level: critical

25
rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml Normal file
View File

@ -0,0 +1,25 @@
title: Logon Scripts (UserInitMprLogonScript)
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
status: experimental
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
- attack.t1037.001
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
modified: 2020/07/01
logsource:
category: registry_event
product: windows
detection:
create_keywords_reg:
TargetObject: '*UserInitMprLogonScript*'
condition: create_keywords_reg
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high

13
rules/windows/sysmon/sysmon_reg_office_security.yml → rules/windows/registry_event/sysmon_reg_office_security.yml
View File

@ -4,21 +4,17 @@ status: experimental
description: Detects registry changes to Office macro settings
author: Trent Liffick (@tliffick)
date: 2020/05/22
modified: 2020/07/01
references:
- Internal Research
tags:
- attack.defense_evasion
- attack.t1112
falsepositives:
- Valid Macros and/or internal documents
level: high
logsource:
service: sysmon
category: registry_event
product: windows
detection:
sec_settings:
EventID:
- 12
- 13
TargetObject|endswith:
- '*\Security\Trusted Documents\TrustRecords'
- '*\Security\AccessVBOM'
@ -28,3 +24,6 @@ detection:
- DeleteValue
- CreateValue
condition: sec_settings
falsepositives:
- Valid Macros and/or internal documents
level: high

6
rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml → rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
View File

@ -4,17 +4,15 @@ status: experimental
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
author: Florian Roth
date: 2019/10/16
modified: 2020/07/01
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
logsource:
category: registry_event
product: windows
service: sysmon
detection:
selection:
EventID:
- 12
- 13
TargetObject:
- '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'

3
rules/windows/sysmon/sysmon_susp_mic_cam_access.yml → rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
View File

@ -10,11 +10,10 @@ tags:
- attack.t1125
- attack.t1123
logsource:
category: sysmon
category: registry_event
product: windows
detection:
selection_1:
EventId: 13
TargetObject|contains:
- \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
selection_2:

36
rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml
View File

@ -1,36 +0,0 @@
title: OceanLotus Registry Activity
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
status: experimental
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
tags:
- attack.t1112
author: megan201296
date: 2019/04/14
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
# covers HKU\* and HKLM..
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
# HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*'
# HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
- 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*'
# HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*'
condition: selection
falsepositives:
- Unknown
level: critical

41
rules/windows/sysmon/sysmon_apt_pandemic.yml
View File

@ -1,41 +0,0 @@
action: global
title: Pandemic Registry Key
id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
status: experimental
description: Detects Pandemic Windows Implant
references:
- https://wikileaks.org/vault7/#Pandemic
- https://twitter.com/MalwareJake/status/870349480356454401
tags:
- attack.lateral_movement
- attack.t1105
author: Florian Roth
date: 2017/06/01
detection:
condition: 1 of them
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 13
TargetObject:
- 'HKLM\SYSTEM\CurrentControlSet\services\null\Instance*'
---
logsource:
category: process_creation
product: windows
detection:
selection2:
Command: 'loaddll -a *'

34
rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
View File

@ -1,34 +0,0 @@
title: Autorun Keys Modification
id: 17f878b8-9968-4578-b814-c4217fc5768c
description: Detects modification of autostart extensibility point (ASEP) in registry
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
tags:
- attack.persistence
- attack.t1060
- attack.t1547.001
date: 2019/10/21
modified: 2019/11/10
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject|contains:
- '\software\Microsoft\Windows\CurrentVersion\Run'
- '\software\Microsoft\Windows\CurrentVersion\RunOnce'
- '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- '\software\Microsoft\Windows\CurrentVersion\RunServices'
- '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- '\software\Microsoft\Windows NT\CurrentVersion\Windows'
- '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
condition: selection
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium

57
rules/windows/sysmon/sysmon_creation_system_file.yml
View File

@ -1,57 +0,0 @@
title: File Created with System Process Name
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: experimental
description: Detects the creation of a executable with a sytem process name in a suspicious folder
references:
- https://attack.mitre.org/techniques/T1036/
author: Sander Wiebing
date: 2020/05/26
tags:
- attack.defense_evasion
- attack.t1036
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|endswith:
- '*\svchost.exe'
- '*\rundll32.exe'
- '*\services.exe'
- '*\powershell.exe'
- '*\regsvr32.exe'
- '*\spoolsv.exe'
- '*\lsass.exe'
- '*\smss.exe'
- '*\csrss.exe'
- '*\conhost.exe'
- '*\wininit.exe'
- '*\lsm.exe'
- '*\winlogon.exe'
- '*\explorer.exe'
- '*\taskhost.exe'
- '*\Taskmgr.exe'
- '*\taskmgr.exe'
- '*\sihost.exe'
- '*\RuntimeBroker.exe'
- '*\runtimebroker.exe'
- '*\smartscreen.exe'
- '*\dllhost.exe'
- '*\audiodg.exe'
- '*\wlanext.exe'
filter:
TargetFilename:
- 'C:\Windows\System32\\*'
- 'C:\Windows\system32\\*'
- 'C:\Windows\SysWow64\\*'
- 'C:\Windows\SysWOW64\\*'
- 'C:\Windows\winsxs\\*'
- 'C:\Windows\WinSxS\\*'
- '\SystemRoot\System32\\*'
condition: selection and not filter
fields:
- Image
falsepositives:
- System processes copied outside the default folder
level: high

57
rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
View File

@ -1,57 +0,0 @@
title: Credentials Dumping Tools Accessing LSASS Memory
id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
status: experimental
description: Detects process access LSASS memory which is typical for credentials dumping tools
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
date: 2017/02/16
modified: 2019/11/08
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
tags:
- attack.t1003
- attack.s0002
- attack.credential_access
- car.2019-04-004
- attack.t1003.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x40'
- '0x1000'
- '0x1400'
- '0x100000'
- '0x1410' # car.2019-04-004
- '0x1010' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
filter:
ProcessName|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
- '\wmiprvse.exe'
- '\taskmgr.exe'
- '\procexp64.exe'
- '\procexp.exe'
- '\lsm.exe'
- '\csrss.exe'
- '\wininit.exe'
- '\vmtoolsd.exe'
condition: selection and not filter
fields:
- ComputerName
- User
- SourceImage
falsepositives:
- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: high

51
rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
View File

@ -1,51 +0,0 @@
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
modified: 2019/11/13
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|contains:
- '\pwdump'
- '\kirbi'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- '\fgdump-log'
TargetFilename|endswith:
- '\test.pwd'
- '\lsremora64.dll'
- '\lsremora.dll'
- '\fgexec.exe'
- '\wceaux.dll'
- '\SAM.out'
- '\SECURITY.out'
- '\SYSTEM.out'
- '\NTDS.out'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\cachedump64.exe'
- '\cachedump.exe'
- '\pstgdump.exe'
- '\servpw.exe'
- '\servpw64.exe'
- '\pwdump.exe'
- '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: high
status: experimental

28
rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
View File

@ -1,28 +0,0 @@
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
author: Dimitrios Slamaris
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1112
- attack.t1574.002
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\Services\DHCPServer\Parameters\CalloutDlls'
- '*\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- unknown
level: high

33
rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
View File

@ -1,33 +0,0 @@
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: experimental
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
product: windows
service: sysmon
detection:
selection:
- EventID: 12 # key create
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
- EventID: 14 # key rename
NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- Unkown
level: high

40
rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml
View File

@ -1,40 +0,0 @@
action: global
title: DNS ServerLevelPluginDll Install
id: e61e8a88-59a9-451c-874e-70fcc9740d67
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
(restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1073
detection:
condition: 1 of them
fields:
- EventID
- CommandLine
- ParentCommandLine
- Image
- User
- TargetObject
falsepositives:
- unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
dnsregmod:
EventID: 13
TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
---
logsource:
category: process_creation
product: windows
detection:
dnsadmin:
CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'

23
rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
View File

@ -1,23 +0,0 @@
title: Detection of SafetyKatz
id: e074832a-eada-4fd7-94a1-10642b130e16
status: experimental
description: Detects possible SafetyKatz Behaviour
references:
- https://github.com/GhostPack/SafetyKatz
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
author: Markus Neis
date: 2018/07/24
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename: '*\Temp\debug.bin'
condition: selection
falsepositives:
- Unknown
level: high

36
rules/windows/sysmon/sysmon_hack_dumpert.yml
View File

@ -1,36 +0,0 @@
action: global
title: Dumpert Process Dumper
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
author: Florian Roth
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
date: 2020/02/04
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
product: windows
service: sysmon
falsepositives:
- Very unlikely
level: critical
---
logsource:
category: process_creation
product: windows
detection:
selection:
Imphash: '09D278F9DE118EF09163C6140255C690'
condition: selection
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename: C:\Windows\Temp\dumpert.dmp
condition: selection

47
rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
View File

@ -1,47 +0,0 @@
title: Suspicious In-Memory Module Execution
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity
C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN"
as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such
few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
- attack.privilege_escalation
- attack.t1055
logsource:
product: windows
service: sysmon
detection:
selection_01:
EventID: 10
CallTrace:
- "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
- "*UNKNOWN(*)|UNKNOWN(*)"
selection_02:
EventID: 10
CallTrace: "*UNKNOWN*"
granted_access:
GrantedAccess:
- "0x1F0FFF"
- "0x1F1FFF"
- "0x143A"
- "0x1410"
- "0x1010"
- "0x1F2FFF"
- "0x1F3FFF"
- "0x1FFFFF"
condition: selection_01 OR (selection_02 AND granted_access)
fields:
- ComputerName
- User
- SourceImage
- TargetImage
- CallTrace
level: critical
falsepositives:
- Low

36
rules/windows/sysmon/sysmon_in_memory_powershell.yml
View File

@ -1,36 +0,0 @@
title: In-memory PowerShell
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
status: experimental
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
author: Tom Kern, oscd.community
date: 2019/11/14
modified: 2019/11/30
references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
tags:
- attack.t1086
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
ImageLoaded|endswith:
- '\System.Management.Automation.Dll'
- '\System.Management.Automation.ni.Dll'
filter:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\WINDOWS\System32\sdiagnhost.exe'
# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
condition: selection and not filter
falsepositives:
- Used by some .NET binaries, minimal on user workstation.
level: high
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw

27
rules/windows/sysmon/sysmon_invoke_phantom.yml
View File

@ -1,27 +0,0 @@
title: Suspect Svchost Memory Asccess
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
author: Tim Burrell
date: 2020/01/02
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
tags:
- attack.t1089
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage: '*\windows\system32\svchost.exe'
GrantedAccess: '0x1f3fff'
CallTrace:
- '*unknown*'
condition: selection
falsepositives:
- unknown
level: high

28
rules/windows/sysmon/sysmon_lsass_memdump.yml
View File

@ -1,28 +0,0 @@
title: LSASS Memory Dump
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
date: 2019/04/03
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
tags:
- attack.t1003
- attack.s0002
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
GrantedAccess: '0x1fffff'
CallTrace:
- '*dbghelp.dll*'
- '*dbgcore.dll*'
condition: selection
falsepositives:
- unknown
level: high

28
rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
View File

@ -1,28 +0,0 @@
title: LSASS Memory Dump File Creation
id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
author: Teymur Kheirkhabarov, oscd.community
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
date: 2019/10/22
modified: 2019/11/13
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|contains: 'lsass'
TargetFilename|endswith: 'dmp'
condition: selection
fields:
- ComputerName
- TargetFilename
falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
level: medium
status: experimental

99
rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
View File

@ -1,99 +0,0 @@
title: Suspicious Typical Malware Back Connect Ports
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
tags:
- attack.command_and_control
- attack.t1043
- attack.t1571
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 3
Initiated: 'true'
DestinationPort:
- '4443'
- '2448'
- '8143'
- '1777'
- '1443'
- '243'
- '65535'
- '13506'
- '3360'
- '200'
- '198'
- '49180'
- '13507'
- '6625'
- '4444'
- '4438'
- '1904'
- '13505'
- '13504'
- '12102'
- '9631'
- '5445'
- '2443'
- '777'
- '13394'
- '13145'
- '12103'
- '5552'
- '3939'
- '3675'
- '666'
- '473'
- '5649'
- '4455'
- '4433'
- '1817'
- '100'
- '65520'
- '1960'
- '1515'
- '743'
- '700'
- '14154'
- '14103'
- '14102'
- '12322'
- '10101'
- '7210'
- '4040'
- '9943'
filter1:
Image: '*\Program Files*'
filter2:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.*'
DestinationIsIpv6: 'false'
condition: selection and not ( filter1 or filter2 )
falsepositives:
- unknown
level: medium

32
rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
View File

@ -1,32 +0,0 @@
title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 10
TargetImage: '*\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
combination2:
SourceImage: '*\Microsoft Office\\*'
CallTrace: '*|UNKNOWN*'
condition: selection and 1 of combination*
falsepositives:
- unknown
level: high

45
rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
View File

@ -1,45 +0,0 @@
title: Mimikatz In-Memory
id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
references:
- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
tags:
- attack.s0002
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource:
product: windows
service: sysmon
date: 2017/03/13
detection:
selector:
EventID: 7
Image: 'C:\Windows\System32\rundll32.exe'
dllload1:
ImageLoaded: '*\vaultcli.dll'
dllload2:
ImageLoaded: '*\wlanapi.dll'
exclusion:
ImageLoaded:
- 'ntdsapi.dll'
- 'netapi32.dll'
- 'imm32.dll'
- 'samlib.dll'
- 'combase.dll'
- 'srvcli.dll'
- 'shcore.dll'
- 'ntasn1.dll'
- 'cryptdll.dll'
- 'logoncli.dll'
timeframe: 30s
condition: selector | near dllload1 and dllload2 and not exclusion
falsepositives:
- unknown
level: medium

28
rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
View File

@ -1,28 +0,0 @@
title: Mimikatz through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
condition: selection
tags:
- attack.credential_access
- attack.execution
- attack.t1003
- attack.t1028
- attack.s0005
- attack.t1003.001
- attack.t1021.006
falsepositives:
- low
level: high

28
rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
View File

@ -1,28 +0,0 @@
title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
tags:
- attack.persistence
- attack.t1060
- attack.t1547.001
author: Dmitriy Lifanov, oscd.community
status: experimental
date: 2019/10/25
modified: 2019/11/10
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 12
EventType: DeleteValue
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
selection2:
EventID: 13
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
condition: 1 of them
falsepositives:
- unknown
level: high

35
rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
View File

@ -1,35 +0,0 @@
title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: experimental
description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
tags:
- attack.persistence
- attack.t1182
- attack.t1546.009
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
product: windows
service: sysmon
detection:
selection:
- EventID:
- 12 # key create
- 13 # value set
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- EventID: 14 # key rename
NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
condition: selection
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- Unkown
level: medium

37
rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
View File

@ -1,37 +0,0 @@
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: experimental
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
tags:
- attack.persistence
- attack.t1103
- attack.t1546.010
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
product: windows
service: sysmon
detection:
selection:
- EventID:
- 12 # key create
- 13 # value set
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- EventID: 14 # key rename
NewName:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
condition: selection
fields:
- EventID
- Image
- TargetObject
- NewName
falsepositives:
- Unkown
level: medium

25
rules/windows/sysmon/sysmon_notepad_network_connection.yml
View File

@ -1,25 +0,0 @@
title: Notepad Making Network Connection
id: e81528db-fc02-45e8-8e98-4e84aba1f10b
status: experimental
description: Detects suspicious network connection by Notepad
references:
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
tags:
- attack.command_and_control
- attack.execution
author: EagleEye Team
logsource:
product: windows
service: sysmon
date: 2020/05/14
detection:
selection:
EventID: 3
Image: '*\notepad.exe'
filter:
DestinationPort: '9100'
condition: selection and not filter
falsepositives:
- None observed so far
level: high

32
rules/windows/sysmon/sysmon_office_persistence.yml
View File

@ -1,32 +0,0 @@
title: Microsoft Office Add-In Loading
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: experimental
description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
references:
- Internal research
tags:
- attack.persistence
- attack.t1137
author: NVISO
date: 2020/05/11
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11 #FileCreate
wlldropped:
TargetFilename|contains: \Microsoft\Word\Startup\
TargetFilename|endswith: .wll
xlldropped:
TargetFilename|contains: \Microsoft\Excel\Startup\
TargetFilename|endswith: .xll
generic:
TargetFilename|contains: \Microsoft\Addins\
TargetFilename|endswith:
- .xlam
- .xla
condition: selection and (wlldropped or xlldropped or generic)
falsepositives:
- Legitimate add-ins
level: high

33
rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
View File

@ -1,33 +0,0 @@
title: Possible Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
tags:
- attack.privilege_escalation
- attack.t1058
- attack.t1574.011
status: experimental
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2019/11/11
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
IntegrityLevel: 'Medium'
TargetObject|contains: '\services\'
TargetObject|endswith:
- '\ImagePath'
- '\FailureCommand'
- '\Parameters\ServiceDll'
condition: selection
falsepositives:
- Unknown
level: high
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw

30
rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
View File

@ -1,30 +0,0 @@
title: PowerShell Execution
id: 867613fb-fa60-4497-a017-a82df74a172c
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
logsource:
product: windows
service: sysmon
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
detection:
selection:
EventID: 7
Description: 'system.management.automation'
ImageLoaded|contains: 'system.management.automation'
condition: selection
fields:
- ComputerName
- Image
- ProcessID
- ImageLoaded
falsepositives:
- Unknown
level: medium

119
rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
View File

@ -1,119 +0,0 @@
title: Malicious PowerShell Commandlet Names
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
status: experimental
description: Detects the creation of known powershell scripts for exploitation
references:
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
author: Markus Neis
date: 2018/04/07
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename:
- '*\Invoke-DllInjection.ps1'
- '*\Invoke-WmiCommand.ps1'
- '*\Get-GPPPassword.ps1'
- '*\Get-Keystrokes.ps1'
- '*\Get-VaultCredential.ps1'
- '*\Invoke-CredentialInjection.ps1'
- '*\Invoke-Mimikatz.ps1'
- '*\Invoke-NinjaCopy.ps1'
- '*\Invoke-TokenManipulation.ps1'
- '*\Out-Minidump.ps1'
- '*\VolumeShadowCopyTools.ps1'
- '*\Invoke-ReflectivePEInjection.ps1'
- '*\Get-TimedScreenshot.ps1'
- '*\Invoke-UserHunter.ps1'
- '*\Find-GPOLocation.ps1'
- '*\Invoke-ACLScanner.ps1'
- '*\Invoke-DowngradeAccount.ps1'
- '*\Get-ServiceUnquoted.ps1'
- '*\Get-ServiceFilePermission.ps1'
- '*\Get-ServicePermission.ps1'
- '*\Invoke-ServiceAbuse.ps1'
- '*\Install-ServiceBinary.ps1'
- '*\Get-RegAutoLogon.ps1'
- '*\Get-VulnAutoRun.ps1'
- '*\Get-VulnSchTask.ps1'
- '*\Get-UnattendedInstallFile.ps1'
- '*\Get-WebConfig.ps1'
- '*\Get-ApplicationHost.ps1'
- '*\Get-RegAlwaysInstallElevated.ps1'
- '*\Get-Unconstrained.ps1'
- '*\Add-RegBackdoor.ps1'
- '*\Add-ScrnSaveBackdoor.ps1'
- '*\Gupt-Backdoor.ps1'
- '*\Invoke-ADSBackdoor.ps1'
- '*\Enabled-DuplicateToken.ps1'
- '*\Invoke-PsUaCme.ps1'
- '*\Remove-Update.ps1'
- '*\Check-VM.ps1'
- '*\Get-LSASecret.ps1'
- '*\Get-PassHashes.ps1'
- '*\Show-TargetScreen.ps1'
- '*\Port-Scan.ps1'
- '*\Invoke-PoshRatHttp.ps1'
- '*\Invoke-PowerShellTCP.ps1'
- '*\Invoke-PowerShellWMI.ps1'
- '*\Add-Exfiltration.ps1'
- '*\Add-Persistence.ps1'
- '*\Do-Exfiltration.ps1'
- '*\Start-CaptureServer.ps1'
- '*\Invoke-ShellCode.ps1'
- '*\Get-ChromeDump.ps1'
- '*\Get-ClipboardContents.ps1'
- '*\Get-FoxDump.ps1'
- '*\Get-IndexedItem.ps1'
- '*\Get-Screenshot.ps1'
- '*\Invoke-Inveigh.ps1'
- '*\Invoke-NetRipper.ps1'
- '*\Invoke-EgressCheck.ps1'
- '*\Invoke-PostExfil.ps1'
- '*\Invoke-PSInject.ps1'
- '*\Invoke-RunAs.ps1'
- '*\MailRaider.ps1'
- '*\New-HoneyHash.ps1'
- '*\Set-MacAttribute.ps1'
- '*\Invoke-DCSync.ps1'
- '*\Invoke-PowerDump.ps1'
- '*\Exploit-Jboss.ps1'
- '*\Invoke-ThunderStruck.ps1'
- '*\Invoke-VoiceTroll.ps1'
- '*\Set-Wallpaper.ps1'
- '*\Invoke-InveighRelay.ps1'
- '*\Invoke-PsExec.ps1'
- '*\Invoke-SSHCommand.ps1'
- '*\Get-SecurityPackages.ps1'
- '*\Install-SSP.ps1'
- '*\Invoke-BackdoorLNK.ps1'
- '*\PowerBreach.ps1'
- '*\Get-SiteListPassword.ps1'
- '*\Get-System.ps1'
- '*\Invoke-BypassUAC.ps1'
- '*\Invoke-Tater.ps1'
- '*\Invoke-WScriptBypassUAC.ps1'
- '*\PowerUp.ps1'
- '*\PowerView.ps1'
- '*\Get-RickAstley.ps1'
- '*\Find-Fruit.ps1'
- '*\HTTP-Login.ps1'
- '*\Find-TrustedDocuments.ps1'
- '*\Invoke-Paranoia.ps1'
- '*\Invoke-WinEnum.ps1'
- '*\Invoke-ARPScan.ps1'
- '*\Invoke-PortScan.ps1'
- '*\Invoke-ReverseDNSLookup.ps1'
- '*\Invoke-SMBScanner.ps1'
- '*\Invoke-Mimikittenz.ps1'
condition: selection
falsepositives:
- Penetration Tests
level: high

47
rules/windows/sysmon/sysmon_powershell_network_connection.yml
View File

@ -1,47 +0,0 @@
title: PowerShell Network Connections
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
author: Florian Roth
date: 2017/03/13
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\powershell.exe'
Initiated: 'true'
filter:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.0.0.1'
DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
condition: selection and not filter
falsepositives:
- Administrative scripts
level: low

25
rules/windows/sysmon/sysmon_quarkspw_filedump.yml
View File

@ -1,25 +0,0 @@
title: QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: experimental
description: Detects a dump file written by QuarksPwDump password dumper
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth
date: 2018/02/10
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
level: critical
logsource:
product: windows
service: sysmon
detection:
selection:
# Sysmon: File Creation (ID 11)
EventID: 11
TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
condition: selection
falsepositives:
- Unknown

31
rules/windows/sysmon/sysmon_rdp_registry_modification.yml
View File

@ -1,31 +0,0 @@
title: RDP Registry Modification
id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject|endswith:
- '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
- '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
Details: 'DWORD (0x00000000)'
condition: selection
fields:
- ComputerName
- Image
- EventType
- TargetObject
falsepositives:
- Unknown
level: high

30
rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
View File

@ -1,30 +0,0 @@
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1076
- car.2013-07-002
- attack.t1021
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\svchost.exe'
Initiated: 'true'
SourcePort: 3389
DestinationIp:
- '127.*'
- '::1'
condition: selection
falsepositives:
- unknown
level: high

23
rules/windows/sysmon/sysmon_rdp_settings_hijack.yml
View File

@ -1,23 +0,0 @@
title: RDP Sensitive Settings Changed
id: 171b67e1-74b4-460e-8d55-b331f3e32d67
description: Detects changes to RDP terminal service sensitive settings
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
date: 2019/04/03
author: Samir Bousseaden
logsource:
product: windows
service: sysmon
detection:
selection_reg:
EventID: 13
TargetObject:
- '*\services\TermService\Parameters\ServiceDll*'
- '*\Control\Terminal Server\fSingleSessionPerUser*'
- '*\Control\Terminal Server\fDenyTSConnections*'
condition: selection_reg
tags:
- attack.defense_evasion
falsepositives:
- unknown
level: high

25
rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
View File

@ -1,25 +0,0 @@
title: Windows Registry Persistence COM Key Linking
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2019/11/07
tags:
- attack.persistence
- attack.t1122
- attack.t1546.015
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 12
EventType: 'CreateKey' # don't want DeleteKey events
TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
condition: selection
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compability
level: medium

30
rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
View File

@ -1,30 +0,0 @@
title: Windows Registry Persistence COM Search Order Hijacking
id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/04/14
tags:
- attack.persistence
- attack.t1038
- attack.t1574.001
logsource:
product: windows
service: sysmon
detection:
selection: # Detect new COM servers in the user hive
EventID: 13
TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
filter:
Details: # Exclude privileged directories and observed FPs
- '%%systemroot%%\system32\\*'
- '%%systemroot%%\SysWow64\\*'
- '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll'
- '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll'
- '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll'
condition: selection and not filter
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
level: medium

25
rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
View File

@ -1,25 +0,0 @@
title: Windows Registry Trust Record Modification
id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
status: experimental
description: Alerts on trust record modification within the registry, indicating usage of macros
references:
- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
author: Antonlovesdnb
date: 2020/02/19
modified: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 12
TargetObject|contains: 'TrustRecords'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: medium

27
rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
View File

@ -1,27 +0,0 @@
title: Remote PowerShell Session
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
description: Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort:
- 5985
- 5986
filter:
User: 'NT AUTHORITY\NETWORK SERVICE'
condition: selection and not filter
falsepositives:
- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.
level: high

46
rules/windows/sysmon/sysmon_rundll32_net_connections.yml
View File

@ -1,46 +0,0 @@
title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: experimental
description: Detects a rundll32 that communicates with public IP addresses
references:
- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: Florian Roth
date: 2017/11/04
tags:
- attack.t1085
- attack.defense_evasion
- attack.execution
- attack.t1218
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image: '*\rundll32.exe'
Initiated: 'true'
filter:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.*'
condition: selection and not filter
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium

28
rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
View File

@ -1,28 +0,0 @@
title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: experimental
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
- https://attack.mitre.org/techniques/T1101/
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
tags:
- attack.persistence
- attack.t1011
author: iwillkeepwatch
date: 2019/01/18
logsource:
product: windows
service: sysmon
detection:
selection_registry:
EventID: 13
TargetObject:
- 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
exclusion_images:
- Image: C:\Windows\system32\msiexec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
condition: selection_registry and not exclusion_images
falsepositives:
- Unlikely
level: critical

50
rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml
View File

@ -1,50 +0,0 @@
action: global
title: Sticky Key Like Backdoor Usage
id: baca5663-583c-45f9-b5dc-ea96a22ce542
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
screen
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1015
- car.2014-11-003
- car.2014-11-008
author: Florian Roth, @twjackomo
date: 2018/03/15
detection:
condition: 1 of them
falsepositives:
- Unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection_registry:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
EventType: 'SetValue'
---
logsource:
category: process_creation
product: windows
detection:
selection_process:
ParentImage:
- '*\winlogon.exe'
CommandLine:
- '*cmd.exe sethc.exe *'
- '*cmd.exe utilman.exe *'
- '*cmd.exe osk.exe *'
- '*cmd.exe Magnify.exe *'
- '*cmd.exe Narrator.exe *'
- '*cmd.exe DisplaySwitch.exe *'

30
rules/windows/sysmon/sysmon_susp_adsi_cache_usage.yml
View File

@ -1,30 +0,0 @@
title: Suspicious ADSI-Cache Usage By Unknown Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
description: detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
status: experimental
date: 2019/03/24
author: xknow @xknow_infosec
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
tags:
- attack.t1041
- attack.persistence
logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 11
TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
selection_2:
Image|contains:
- 'C:\windows\system32\svchost.exe'
- 'C:\windows\system32\dllhost.exe'
- 'C:\windows\system32\mmc.exe'
- 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: high

28
rules/windows/sysmon/sysmon_susp_desktop_ini.yml
View File

@ -1,28 +0,0 @@
title: Suspicious desktop.ini Action
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: experimental
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/19
tags:
- attack.persistence
- attack.t1023
- attack.t1547.009
logsource:
product: windows
service: sysmon
detection:
filter:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\mmc.exe'
selection:
EventID: 11
TargetFilename|endswith: '\desktop.ini'
condition: selection and not filter
falsepositives:
- Operations performed through Windows SCCM or equivalent
level: medium

27
rules/windows/sysmon/sysmon_susp_download_run_key.yml
View File

@ -1,27 +0,0 @@
title: Suspicious RUN Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: experimental
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
author: Florian Roth
date: 2019/10/01
tags:
- attack.persistence
- attack.t1060
- attack.t1547.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
Image:
- '*\Downloads\\*'
- '*\Temporary Internet Files\Content.Outlook\\*'
- '*\Local Settings\Temporary Internet Files\\*'
TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
condition: selection
falsepositives:
- Software installers downloaded and used by users
level: high

20
rules/windows/sysmon/sysmon_susp_driver_load.yml
View File

@ -1,20 +0,0 @@
title: Suspicious Driver Load from Temp
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
description: Detects a driver load from a temporary directory
author: Florian Roth
date: 2017/02/12
tags:
- attack.persistence
- attack.t1050
- attack.t1543.003
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
ImageLoaded: '*\Temp\\*'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the environment
level: medium

33
rules/windows/sysmon/sysmon_susp_fax_dll.yml
View File

@ -1,33 +0,0 @@
title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: experimental
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
- https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020/05/04
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1073
- attack.t1038
- attack.t1112
- attack.t1574.001
- attack.t1574.002
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7 #ImageLoaded
Image|endswith:
- fxssvc.exe
ImageLoaded|endswith:
- ualapi.dll
filter:
ImageLoaded|startswith:
- C:\Windows\WinSxS\
condition: selection and not filter
falsepositives:
- Unlikely
level: high

27
rules/windows/sysmon/sysmon_susp_image_load.yml
View File

@ -1,27 +0,0 @@
title: Possible Process Hollowing Image Loading
id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
status: experimental
description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
references:
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
author: Markus Neis
date: 2018/01/07
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\notepad.exe'
ImageLoaded:
- '*\samlib.dll'
- '*\WinSCard.dll'
condition: selection
falsepositives:
- Very likely, needs more tuning
level: high

29
rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
View File

@ -1,29 +0,0 @@
title: dotNET DLL Loaded Via Office Applications
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: experimental
description: Detects any assembly DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- 'C:\Windows\assembly\\*'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high

29
rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
View File

@ -1,29 +0,0 @@
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: experimental
description: Detects CLR DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\clr.dll*'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high

29
rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
View File

@ -1,29 +0,0 @@
title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: experimental
description: Detects any GAC DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high

29
rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
View File

@ -1,29 +0,0 @@
title: Active Directory Parsing DLL Loaded Via Office Applications
id: a2a3b925-7bb0-433b-b508-db9003263cc4
status: experimental
description: Detects DSParse DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\dsparse.dll*'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high

29
rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
View File

@ -1,29 +0,0 @@
title: Active Directory Kerberos DLL Loaded Via Office Applications
id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
status: experimental
description: Detects Kerberos DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\kerberos.dll'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high

29
rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
View File

@ -1,29 +0,0 @@
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
status: experimental
date: 2019/04/08
author: xknow (@xknow_infosec), xorxes (@xor_xes)
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
tags:
- attack.t1089
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 11
TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
selection_2:
Image|contains:
- '*\procexp64.exe'
- '*\procexp.exe'
- '*\procmon64.exe'
- '*\procmon.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium

32
rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
View File

@ -1,32 +0,0 @@
title: Suspicious Program Location with Network Connections
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: experimental
description: Detects programs with network connections running in suspicious files system locations
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
selection:
EventID: 3
Image:
# - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
- '*\$Recycle.bin'
- '*\Users\All Users\\*'
- '*\Users\Default\\*'
- '*\Users\Public\\*'
- '*\Users\Contacts\\*'
- '*\Users\Searches\\*'
- 'C:\Perflogs\\*'
- '*\config\systemprofile\\*'
- '*\Windows\Fonts\\*'
- '*\Windows\IME\\*'
- '*\Windows\addins\\*'
condition: selection
falsepositives:
- unknown
level: high

45
rules/windows/sysmon/sysmon_susp_rdp.yml
View File

@ -1,45 +0,0 @@
title: Suspicious Outbound RDP Connections
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: experimental
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis - Swisscom
date: 2019/05/15
tags:
- attack.lateral_movement
- attack.t1210
- car.2013-07-002
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort: 3389
Initiated: 'true'
filter:
Image:
- '*\mstsc.exe'
- '*\RTSApp.exe'
- '*\RTS2App.exe'
- '*\RDCMan.exe'
- '*\ws_TunnelService.exe'
- '*\RSSensor.exe'
- '*\RemoteDesktopManagerFree.exe'
- '*\RemoteDesktopManager.exe'
- '*\RemoteDesktopManager64.exe'
- '*\mRemoteNG.exe'
- '*\mRemote.exe'
- '*\Terminals.exe'
- '*\spiceworks-finder.exe'
- '*\FSDiscovery.exe'
- '*\FSAssessment.exe'
- '*\MobaRTE.exe'
- '*\chrome.exe'
- '*\thor.exe'
- '*\thor64.exe'
condition: selection and not filter
falsepositives:
- Other Remote Desktop RDP tools
level: high

36
rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml
View File

@ -1,36 +0,0 @@
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: experimental
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
author: Florian Roth
date: 2018/07/18
references:
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
Details:
- 'C:\Windows\Temp\\*'
- 'C:\ProgramData\\*'
- '*\AppData\\*'
- 'C:\$Recycle.bin\\*'
- 'C:\Temp\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
condition: selection
tags:
- attack.persistence
- attack.t1060
- capec.270
- attack.t1547.001
fields:
- Image
- ParentImage
falsepositives:
- Unknown
level: high

38
rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
View File

@ -1,38 +0,0 @@
title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis, Sander Wiebing
tags:
- attack.persistence
- attack.t1060
- attack.t1547.001
date: 2018/08/25
modified: 2020/05/24
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
Details:
- '*C:\Windows\Temp\\*'
- '*C:\$Recycle.bin\\*'
- '*C:\Temp\\*'
- '*C:\Users\Public\\*'
- '%Public%\\*'
- '*C:\Users\Default\\*'
- '*C:\Users\Desktop\\*'
- 'wscript*'
- 'cscript*'
condition: selection
fields:
- Image
falsepositives:
- Software using weird folders for updates
level: high

34
rules/windows/sysmon/sysmon_susp_service_installed.yml
View File

@ -1,34 +0,0 @@
title: Suspicious Service Installed
id: f2485272-a156-4773-82d7-1d178bc4905b
description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
status: experimental
date: 2019/04/08
author: xknow (@xknow_infosec), xorxes (@xor_xes)
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
tags:
- attack.t1089
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 13
TargetObject:
- 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
- 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
selection_2:
Image|contains:
- '*\procexp64.exe'
- '*\procexp.exe'
- '*\procmon64.exe'
- '*\procmon.exe'
selection_3:
Details|contains:
- '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
condition: selection_1 and not selection_2 and not selection_3
falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
level: medium

31
rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
View File

@ -1,31 +0,0 @@
title: VBA DLL Loaded Via Microsoft Word
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020/02/19
tags:
- attack.initial_access
- attack.t1193
- attack.t1566.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\VBE7.DLL'
- '*\VBEUI.DLL'
- '*\VBE7INTL.DLL'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high

34
rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
View File

@ -1,34 +0,0 @@
title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
id: a457f232-7df9-491d-898f-b5aabd2cbe2f
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
author: Michael R. (@nahamike01)
date: 2019/12/26
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\wmiutils.dll'
- '*\wbemcomn.dll'
- '*\wbemprox.dll'
- '*\wbemdisp.dll'
- '*\wbemsvc.dll'
condition: selection
falsepositives:
- Possible. Requires further testing.
level: high

64
rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
View File

@ -1,64 +0,0 @@
title: Load of dbghelp/dbgcore DLL from Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
status: experimental
description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
date: 2019/10/27
modified: 2020/05/23
author: Perez Diego (@darkquassar), oscd.community, Ecco
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
product: windows
service: sysmon
detection:
signedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
- '\svchost.exe'
- '\rundll32.exe'
- '\powershell.exe'
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
# - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\dnx.exe'
- '\regsvcs.exe'
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
EventID: 7
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: "FALSE"
filter:
Image|contains: 'Visual Studio'
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
fields:
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Penetration tests
level: high

28
rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
View File

@ -1,28 +0,0 @@
title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth
date: 2019/10/12
modified: 2019/10/15
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
EventID: 13
TargetObject:
- '*\Keyboard Layout\Preload\\*'
- '*\Keyboard Layout\Substitutes\\*'
Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
- 0000042a # Vietnamese
condition: selection_registry
falsepositives:
- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium

31
rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
View File

@ -1,31 +0,0 @@
title: Suspicious Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
- attack.t1558.003
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort: 88
Initiated: 'true'
filter:
Image|endswith:
- '\lsass.exe'
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
level: high

35
rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
View File

@ -1,35 +0,0 @@
title: Svchost DLL Search Order Hijack
id: 602a1f13-c640-4d73-b053-be9a2fa58b77
status: experimental
description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
references:
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
author: SBousseaden
date: 2019/10/28
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1073
- attack.t1038
- attack.t1112
- attack.t1574.002
- attack.t1574.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\svchost.exe'
ImageLoaded:
- '*\tsmsisrv.dll'
- '*\tsvipsrv.dll'
- '*\wlbsctrl.dll'
filter:
ImageLoaded:
- 'C:\Windows\WinSxS\\*'
condition: selection and not filter
falsepositives:
- Pentest
level: high

30
rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
View File

@ -1,30 +0,0 @@
action: global
title: Usage of Sysinternals Tools
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
author: Markus Neis
detection:
condition: 1 of them
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
level: low
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 13
TargetObject: '*\EulaAccepted'
---
logsource:
category: process_creation
product: windows
detection:
selection2:
CommandLine: '* -accepteula*'

18
rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
View File

@ -1,18 +0,0 @@
title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
date: 2019/02/21
author: Samir Bousseaden
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
Image: '*\mstsc.exe'
TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
condition: selection
falsepositives:
- unknown
level: high

34
rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
View File

@ -1,34 +0,0 @@
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: experimental
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth
date: 2017/03/19
logsource:
product: windows
service: sysmon
detection:
methregistry:
EventID: 13
TargetObject: 'HKU\\*\mscfile\shell\open\command'
methprocess:
EventID: 1 # Migration to process_creation requires multipart YAML
ParentImage: '*\eventvwr.exe'
filterprocess:
Image: '*\mmc.exe'
condition: methregistry or ( methprocess and not filterprocess )
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
- attack.t1548.002
falsepositives:
- unknown
level: critical

26
rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml
View File

@ -1,26 +0,0 @@
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
author: Omer Yampel
date: 2017/03/17
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
# usrclass.dat is mounted on HKU\USERSID_Classes\...
TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
- attack.t1548.002
falsepositives:
- unknown
level: high

25
rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml
View File

@ -1,25 +0,0 @@
title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
description: Loading unsigned image (DLL, EXE) into LSASS process
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2019/11/13
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image|endswith: '\lsass.exe'
Signed: 'false'
condition: selection
falsepositives:
- Valid user connecting using RDP
status: experimental
level: medium

48
rules/windows/sysmon/sysmon_webshell_creation_detect.yml
View File

@ -1,48 +0,0 @@
title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
description: Possible webshell file creation on a static web site
references:
- PT ESC rule and personal experience
author: Beyu Denis, oscd.community
date: 2019/10/22
modified: 2020/05/18
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
level: critical
logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 11
selection_2:
TargetFilename|contains: '\inetpub\wwwroot\'
selection_3:
TargetFilename|contains:
- '.asp'
- '.ashx'
- '.ph'
selection_4:
TargetFilename|contains:
- '\www\'
- '\htdocs\'
- '\html\'
selection_5:
TargetFilename|contains: '.ph'
selection_6:
- TargetFilename|endswith: '.jsp'
- TargetFilename|contains|all:
- '\cgi-bin\'
- '.pl'
false_positives: # false positives when unpacking some executables in $TEMP
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
# kind of ugly but sigmac seems not to handle double parenthesis "(("
# we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder

28
rules/windows/sysmon/sysmon_win_binary_github_com.yml
View File

@ -1,28 +0,0 @@
title: Microsoft Binary Github Communication
id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
status: experimental
description: Detects an executable in the Windows folder accessing github.com
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
author: Michael Haag (idea), Florian Roth (rule)
date: 2017/08/24
tags:
- attack.lateral_movement
- attack.t1105
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Initiated: 'true'
DestinationHostname:
- '*.github.com'
- '*.githubusercontent.com'
Image: 'C:\Windows\\*'
condition: selection
falsepositives:
- 'Unknown'
- '@subTee in your network'
level: high

29
rules/windows/sysmon/sysmon_win_binary_susp_com.yml
View File

@ -1,29 +0,0 @@
title: Microsoft Binary Suspicious Communication Endpoint
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
status: experimental
description: Detects an executable in the Windows folder accessing suspicious domains
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
author: Florian Roth
date: 2018/08/30
tags:
- attack.lateral_movement
- attack.t1105
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Initiated: 'true'
DestinationHostname:
- '*dl.dropboxusercontent.com'
- '*.pastebin.com'
- '*.githubusercontent.com' # includes both gists and github repositories
Image: 'C:\Windows\\*'
condition: selection
falsepositives:
- 'Unknown'
level: high

29
rules/windows/sysmon/sysmon_win_reg_persistence.yml
View File

@ -1,29 +0,0 @@
title: Registry Persistence Mechanisms
id: 36803969-5421-41ec-b92f-8500f79c23b0
description: Detects persistence registry keys
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
author: Karneades
logsource:
product: windows
service: sysmon
detection:
selection_reg1:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
EventType: SetValue
condition: selection_reg1
tags:
- attack.privilege_escalation
- attack.persistence
- attack.defense_evasion
- attack.t1183
- car.2013-01-002
- attack.t1546.012
falsepositives:
- unknown
level: critical

49
rules/windows/sysmon/sysmon_wmi_module_load.yml
View File

@ -1,49 +0,0 @@
title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
description: Detects non wmiprvse loading WMI modules
status: experimental
date: 2019/08/10
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
ImageLoaded|endswith:
- '\wmiclnt.dll'
- '\WmiApRpl.dll'
- '\wmiprov.dll'
- '\wmiutils.dll'
- '\wbemcomn.dll'
- '\wbemprox.dll'
- '\WMINet_Utils.dll'
- '\wbemsvc.dll'
- '\fastprox.dll'
filter:
Image|endswith:
- '\WmiPrvSe.exe'
- '\WmiAPsrv.exe'
- '\svchost.exe'
- '\DeviceCensus.exe'
- '\CompatTelRunner.exe'
- '\sdiagnhost.exe'
- '\SIHClient.exe'
- '\msfeedssync.exe'
- '\mmc.exe'
- '\MoUsoCoreWorker.exe' # in system32, seen on a win10 pro 2004 machine
condition: selection and not filter
fields:
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Unknown
level: high

24
rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
View File

@ -1,24 +0,0 @@
title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: experimental
description: Detects WMI command line event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018/03/07
tags:
- attack.t1084
- attack.persistence
- attack.t1546.003
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
ImageLoaded|endswith: '\wbemcons.dll'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
level: high

23
rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml
View File

@ -1,23 +0,0 @@
title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: experimental
description: Detects file writes of WMI script event consumer
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018/03/07
tags:
- attack.t1084
- attack.persistence
- attack.t1546.003
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
level: high

4
tools/config/generic/sysmon.yml
View File

@ -13,7 +13,9 @@ logsources:
category: network_connection
product: windows
conditions:
EventID: 3
EventID:
- 3
- 22
rewrite:
product: windows
service: sysmon