Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd

2024-11-07 17:58:52 +00:00 · 2019-11-10 21:40:15 +03:00 · 2019-11-10 21:40:15 +03:00 · 86d315598b
commit 86d315598b
parent 6f2243efc4 e5e44e2ade
4 changed files with 128 additions and 0 deletions
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@ -0,0 +1,38 @@
+title: Direct autorun keys modification
+description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+    - attack.persistence
+    - attack.t1060
+date: 2019/10/25
+modified: 2019/11/10
+author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_1:
+        Image|endswith: '*\reg.exe'
+        CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
+    selection_2:
+        CommandLine|contains:       # need to improve this list, there are plenty of ASEP reg keys
+            - '\software\Microsoft\Windows\CurrentVersion\Run'
+            - '\software\Microsoft\Windows\CurrentVersion\RunOnce'
+            - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+            - '\software\Microsoft\Windows\CurrentVersion\RunServices'
+            - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
+            - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
+            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
+    condition: selection_1 and selection_2
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+    - Legitimate administrator sets up autorun keys for legitimate reason
+level: high
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
@ -0,0 +1,27 @@
+title: Suspicious netsh Dll persistence
+description: Detects pesitence via netsh helper
+status: test
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+    - attack.persistence
+    - attack.t1060
+date: 2019/10/25
+modified: 2019/10/25
+author: Victor Sergeev, oscd.community
+logsource:
+    category: process_creation
+    product: windows   
+detection:
+    selection:
+        Image|endswith: '\netsh.exe'
+        CommandLine|contains|all:
+            - 'add'
+            - 'helper'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unkown
+level: high
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@ -0,0 +1,31 @@
+title: Suspicious service path modification
+description: Detects service path modification to powershell/cmd
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
+tags:
+    - attack.persistence
+    - attack.t1031
+date: 2019/10/21
+modified: 2019/11/10
+author: Victor Sergeev, oscd.community
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_1:
+        Image|endswith: '\sc.exe'
+        CommandLine|contains|all:
+            - 'config'
+            - 'binpath'
+    selection_2:
+        CommandLine|contains:
+            - 'powershell'
+            - 'cmd'
+    condition: selection_1 and selection_2
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high
--- a/rules/windows/sysmon/sysmon_asep_regirstry_modification.yml
+++ b/rules/windows/sysmon/sysmon_asep_regirstry_modification.yml
@ -0,0 +1,32 @@
+title: Autorun keys modification
+description: Detects modification of autostart extensibility point (ASEP) in registry
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+    - attack.persistence
+    - attack.t1060
+date: 2019/10/21
+modified: 2019/11/10
+author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        TargetObject|contains:
+            - '\software\Microsoft\Windows\CurrentVersion\Run'
+            - '\software\Microsoft\Windows\CurrentVersion\RunOnce'
+            - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+            - '\software\Microsoft\Windows\CurrentVersion\RunServices'
+            - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
+            - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
+    condition: selection
+falsepositives:
+    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+    - Legitimate administrator sets up autorun keys for legitimate reason
+level: medium