mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 09:25:17 +00:00
UUIDs + moved unsupported logic

* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI testing.
This commit is contained in:
parent
694d666539
commit
924e1feb54
@ -1,4 +1,5 @@
|
||||
title: High DNS subdomain requests rate per domain
|
||||
id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
|
||||
description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
date: 2019/10/21
|
@ -1,4 +1,5 @@
|
||||
title: Large domain name request
|
||||
id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
|
||||
description: Detects large DNS domain names
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
date: 2019/10/21
|
@ -1,4 +1,5 @@
|
||||
title: Possible DNS Rebinding
|
||||
id: ec5b8711-b550-4879-9660-568aaae2c3ea
|
||||
status: experimental
|
||||
description: 'Detects DNS-answer with TTL <10.'
|
||||
date: 2019/10/25
|
@ -1,5 +1,6 @@
|
||||
action: global
|
||||
title: Defense evasion via process reimaging
|
||||
id: 7fa4f550-850e-4117-b543-428c86ebb849
|
||||
description: Detects process reimaging defense evasion technique
|
||||
# where
|
||||
# selection1: ImageFileName != selection1: OriginalFileName
|
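Review bot: placing `id` in the `action: global` section means every document in this collection inherits the same identifier, so the individual rules in the file cannot be told apart by id. If consumers rely on one id per rule, give each following document its own `id` instead of adding it to the global block; the same applies to the other `action: global` collections in this commit (High DNS bytes out, High DNS requests rate, Meterpreter or Cobalt Strike getsystem service installation, Tap driver installation).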
@ -1,4 +1,5 @@
|
||||
title: Dumping ntds.dit remotely via DCSync
|
||||
id: 51238c62-2b29-4539-ad75-e94575368a12
|
||||
description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/10/24
|
@ -1,4 +1,5 @@
|
||||
title: Dumping ntds.dit remotely via NetSync
|
||||
id: 757b2a11-73e7-411a-bd46-141d906e0167
|
||||
description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/11/01
|
@ -1,4 +1,5 @@
|
||||
title: Silence.Downloader V3
|
||||
id: 170901d1-de11-4de7-bccb-8fa13678d857
|
||||
status: experimental
|
||||
description: Detects Silence downloader. These commands are hardcoded into the binary.
|
||||
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Silence.EDA detection
|
||||
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
|
||||
status: experimental
|
||||
description: Detects Silence empireDNSagent
|
||||
author: Alina Stepchenkova, Group-IB, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Brute Force
|
||||
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
|
||||
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
|
||||
references:
|
||||
- None
|
||||
|
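Review bot: `references: - None` is a placeholder, not a reference; drop the `references` key entirely rather than listing the string `None`, which downstream tooling will render as if it were a link. The description also needs a grammar fix: "which is may indicate Brute Force activity" should read "which may indicate brute-force activity".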
@ -1,4 +1,5 @@
|
||||
title: Auditing configuration changes on linux host
|
||||
id: 977ef627-4539-4875-adf4-ed8f780c4922
|
||||
description: Detect changes if auditd configuration files
|
||||
# Example config for this one (place it at the top of audit.rules)
|
||||
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
|
||||
|
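Review bot: typo in the description: "Detect changes if auditd configuration files" should be "Detects changes of auditd configuration files".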
@ -1,4 +1,5 @@
|
||||
title: Modification of ld.so.preload
|
||||
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
|
||||
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
|
||||
|
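Review bot: typo in the author field: "orignally" should be "originally". The same misspelling is carried in every other E.M. Anhaus rule touched by this commit (Modification of Boot Configuration, HH.exe execution, Indirect Command Execution, and the rest), so fix it across the set.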
@ -1,4 +1,5 @@
|
||||
title: Logging configuration changes on linux host
|
||||
id: c830f15d-6f6e-430f-8074-6f73d6807841
|
||||
description: Detect changes of syslog daemons configuration files
|
||||
# Example config for this one (place it at the top of audit.rules)
|
||||
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Remove immutable file attribute
|
||||
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
|
||||
description: Detects removing immutable file attribute
|
||||
status: experimental
|
||||
tags:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Overwriting the file with dev zero or null
|
||||
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
|
||||
description: Detects overwriting (effectively wiping/deleting) the file
|
||||
author: Jakob Weinzettl, oscd.community
|
||||
tags:
|
||||
|
@ -1,5 +1,6 @@
|
||||
title: File or folder permissions change
|
||||
description: Detects
|
||||
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
|
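Review bot: the description is incomplete: `description: Detects` has no object. State what the rule detects (the title suggests file or folder permission changes) and why it matters, since the description is what analysts see in the alert.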
@ -1,4 +1,5 @@
|
||||
title: Systemd service reload or start
|
||||
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
|
||||
description: Detects a reload or a start of a service
|
||||
status: experimental
|
||||
tags:
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
action: global
|
||||
title: High DNS bytes out
|
||||
id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
|
||||
description: High DNS queries bytes amount from host per short period of time
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
action: global
|
||||
title: High DNS requests rate
|
||||
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
|
||||
description: High DNS requests amount from host per short period of time
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: High NULL records requests rate
|
||||
id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
|
||||
description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: High TXT records requests rate
|
||||
id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
|
||||
description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Suspicious reverse connect via HTTP proxy
|
||||
id: ef24fb9e-add2-4607-abd2-04ca3e9a590f
|
||||
status: experimental
|
||||
description: Detects auth on proxy-server by machine account (aka SYSTEM)
|
||||
author: Ilyas Ochkov, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1000 AD Object WriteDAC Access
|
||||
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
|
||||
description: Detects WRITE_DAC access to a domain object
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
|
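Review bot: "T1000" in the title is not an ATT&CK technique identifier (technique numbering starts at T1001). Either name the technique the rule actually maps to or drop the numeric prefix and keep the mapping in `tags`; the same placeholder appears in the two "T1000 SCM Database ..." titles further down.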
@ -1,4 +1,5 @@
|
||||
title: T1003 Active Directory Replication from Non Machine Account
|
||||
id: 17d619c1-e020-4347-957e-1d1207455c93
|
||||
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
|
||||
status: experimental
|
||||
date: 2019/07/26
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1003 DPAPI Domain Backup Key Extraction
|
||||
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
|
||||
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
|
||||
status: experimental
|
||||
date: 2019/06/20
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1003 DPAPI Domain Master Key Backup Attempt
|
||||
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
|
||||
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
|
||||
status: experimental
|
||||
date: 2019/08/10
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
action: global
|
||||
title: Invoke-Obfuscation obfuscated IEX invocation
|
||||
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
|
||||
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
|
||||
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
|
||||
status: experimental
|
||||
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
|
||||
date: 2019/11/08
|
||||
|
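Review bot: besides inserting the id, this hunk re-serializes the description: it moves below `id`, becomes a double-quoted scalar, and the literal em dash is replaced by the `\u2014` escape. The YAML is equivalent, but the rewrite hides the one intended change and makes the file harder to read; insert only the `id:` line and keep the original scalar. The same re-dump shows in the other two "Invoke-Obfuscation obfuscated IEX invocation" hunks and in "Discovery of a system time", where the apostrophe becomes `\u2019` and the string is split with a trailing `\` line continuation.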
@ -1,4 +1,5 @@
|
||||
title: T1003 LSASS Access from Non System Account
|
||||
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
|
||||
description: Detects potential mimikatz-like tools accessing LSASS from non system account
|
||||
status: experimental
|
||||
date: 2019/06/20
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
action: global
|
||||
title: Meterpreter or Cobalt Strike getsystem service installation
|
||||
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
|
||||
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
|
||||
author: Teymur Kheirkhabarov
|
||||
date: 2019/10/26
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
|
||||
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
|
||||
status: experimental
|
||||
description: Detects possible bypass EDR and SIEM via abnormal user account name.
|
||||
tags:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Possible DC Sync
|
||||
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
|
||||
description: Detects DC sync via create new SPN
|
||||
status: experimental
|
||||
author: Ilyas Ochkov, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1003 Protected Storage Service Access
|
||||
id: 45545954-4016-43c6-855e-eae8f1c369dc
|
||||
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
|
||||
status: experimental
|
||||
date: 2019/08/10
|
||||
|
@ -1,12 +1,13 @@
|
||||
title: QuarksPwDump clearing access history
|
||||
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
|
||||
status: experimental
|
||||
description: Detects QuarksPwDump clearing access history in hive
|
||||
author: Florian Roth
|
||||
date: 2017/05/15
|
||||
modified: 2019/11/13
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1003
|
||||
- attack.credential_access
|
||||
- attack.t1003
|
||||
level: critical
|
||||
logsource:
|
||||
product: windows
|
||||
|
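Review bot: the `attack.credential_access` and `attack.t1003` tag lines appear as both removed and added with identical text, which points to an indentation or whitespace-only change from re-dumping the file. Confirm the list is still nested under `tags:` and that no semantic change was intended, since the hunk header (12 lines to 13) accounts only for the new `id`.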
@ -1,4 +1,5 @@
|
||||
title: Register new logon process by Rubeus
|
||||
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
|
||||
description: Detects potential use of Rubeus via registered new trusted logon process
|
||||
status: experimental
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1086 Remote PowerShell Sessions
|
||||
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
|
||||
description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Remote registry management using REG utility
|
||||
id: 68fcba0d-73a5-475e-a915-e8b4c576827e
|
||||
description: Remote registry management using REG utility from non-admin workstation
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1012 SAM Registry Hive Handle Request
|
||||
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
|
||||
description: Detects handles requested to SAM registry hive
|
||||
status: experimental
|
||||
date: 2019/08/12
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1000 SCM Database Handle Failure
|
||||
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
|
||||
description: Detects non-system users failing to get a handle of the SCM database.
|
||||
status: experimental
|
||||
date: 2019/08/12
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1000 SCM Database Privileged Operation
|
||||
id: dae8171c-5ec6-4396-b210-8466585b53e9
|
||||
description: Detects non-system users performing privileged operation os the SCM database
|
||||
status: experimental
|
||||
date: 2019/08/15
|
||||
|
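Review bot: typo in the description: "privileged operation os the SCM database" should read "privileged operations on the SCM database".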
@ -1,4 +1,5 @@
|
||||
title: Generic Password Dumper Activity on LSASS
|
||||
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
|
||||
description: Detects process handle on LSASS process with certain access mask
|
||||
status: experimental
|
||||
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Suspicious outbound Kerberos connection
|
||||
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
|
||||
status: experimental
|
||||
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1012 SysKey Registry Keys Access
|
||||
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
|
||||
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
|
||||
status: experimental
|
||||
date: 2019/08/12
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
action: global
|
||||
title: Tap driver installation
|
||||
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
|
||||
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Transferring files with credential data via network shares
|
||||
id: 910ab938-668b-401b-b08c-b596e80fdca5
|
||||
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,5 +1,7 @@
|
||||
title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
|
||||
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
|
||||
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
|
||||
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege
|
||||
privilege set. Possible Rubeus tries to get a handle to LSA.
|
||||
status: experimental
|
||||
references:
|
||||
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1086 Alternate PowerShell Hosts
|
||||
id: 64e8e417-c19a-475a-8d19-98ea705394cc
|
||||
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
|
||||
status: experimental
|
||||
date: 2019/08/11
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Clear PowerShell History
|
||||
id: dfba4ce1-e0ea-495f-986e-97140f31af2d
|
||||
status: experimental
|
||||
description: Detects keywords that could indicate clearing PowerShell history
|
||||
date: 2019/10/25
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Dnscat execution
|
||||
id: a6d67db4-6220-436d-8afc-f3842fe05d43
|
||||
description: Dnscat exfiltration tool execution
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,5 +1,6 @@
|
||||
title: Invoke-Obfuscation obfuscated IEX invocation
|
||||
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
|
||||
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
|
||||
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
|
||||
status: experimental
|
||||
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
|
||||
date: 2019/11/08
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1086 Remote PowerShell Session
|
||||
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
|
||||
description: Detects remote PowerShell sessions
|
||||
status: experimental
|
||||
date: 2019/08/10
|
||||
|
@ -16,14 +16,15 @@ logsource:
|
||||
service: powershell
|
||||
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
|
||||
detection:
|
||||
Message:
|
||||
- "System.Reflection.Assembly.Load"
|
||||
- "[System.Reflection.Assembly]::Load"
|
||||
- "[Reflection.Assembly]::Load"
|
||||
- "System.Reflection.AssemblyName"
|
||||
- "Reflection.Emit.AssemblyBuilderAccess"
|
||||
- "Runtime.InteropServices.DllImportAttribute"
|
||||
- "SuspendThread"
|
||||
keywords:
|
||||
Message:
|
||||
- "System.Reflection.Assembly.Load"
|
||||
- "[System.Reflection.Assembly]::Load"
|
||||
- "[Reflection.Assembly]::Load"
|
||||
- "System.Reflection.AssemblyName"
|
||||
- "Reflection.Emit.AssemblyBuilderAccess"
|
||||
- "Runtime.InteropServices.DllImportAttribute"
|
||||
- "SuspendThread"
|
||||
condition: keywords
|
||||
falsepositives:
|
||||
- Penetration tests
|
||||
|
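Review bot: the `keywords` list fires on any single entry, and `System.Reflection.Assembly.Load`, `System.Reflection.AssemblyName` and `SuspendThread` all occur in ordinary administrative and build scripts, so expect a high hit volume; the single `falsepositives` entry "Penetration tests" understates this. Either pair the broad strings with a `|contains|all` combination or list legitimate script use under `falsepositives` and set the level accordingly. Wrapping the `Message` list under a named `keywords` selection is the right fix, since `condition: keywords` is unchanged context and previously referenced an identifier that did not exist.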
@ -1,25 +1,27 @@
|
||||
title: Modification of Boot Configuration
|
||||
description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
|
||||
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
|
||||
description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive
|
||||
technique.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
date: 2019/10/24
|
||||
modified: 2019/11/11
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
|
||||
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
|
||||
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
|
||||
tags:
|
||||
- attack.impact
|
||||
- attack.t1490
|
||||
detection:
|
||||
selection1:
|
||||
Image|endswith: '\bcdedit.exe'
|
||||
CommandLine: 'set'
|
||||
Image|endswith: \bcdedit.exe
|
||||
CommandLine: set
|
||||
selection2:
|
||||
- CommandLine|contains|all:
|
||||
- 'bootstatuspolicy'
|
||||
- 'ignoreallfailures'
|
||||
- CommandLine|contains|all:
|
||||
- 'recoveryenabled'
|
||||
- CommandLine|contains|all:
|
||||
- bootstatuspolicy
|
||||
- ignoreallfailures
|
||||
- CommandLine|contains|all:
|
||||
- recoveryenabled
|
||||
- 'no'
|
||||
condition: selection1 and selection2
|
||||
falsepositives:
|
||||
|
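Review bot: `CommandLine: set` in selection1 is an exact, whole-field match under Sigma semantics (no modifier, no wildcard), so it can never hold at the same time as selection2's `CommandLine|contains|all`, and `condition: selection1 and selection2` will not fire except on backends that tokenise free-text fields. Use `CommandLine|contains: 'set'` or fold `set` into the `contains|all` lists. The unquoting elsewhere in the hunk is behaviour-preserving: a plain scalar does not process `\` escapes, so `\bcdedit.exe` is unchanged, and `'no'` correctly keeps its quotes because a bare `no` would parse as boolean false.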
@ -1,4 +1,5 @@
|
||||
title: Copying sensitive files with credential data
|
||||
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
|
||||
description: Files with well-known filenames (sensitive files with credential data) copying
|
||||
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: DNS exfiltration tools execution
|
||||
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
|
||||
description: Well-known DNS Exfiltration tools execution
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Domain Trust Discovery
|
||||
id: 77815820-246c-47b8-9741-e0def3f57308
|
||||
status: experimental
|
||||
description: Detects a discovery of domain trusts
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Exfiltration and tunneling tools execution
|
||||
id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
|
||||
description: Execution of well known tools for data exfiltration and tunneling
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: File or folder permissions modifications
|
||||
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
|
||||
status: experimental
|
||||
description: Detects a file or folder permissions modifications
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Grabbing sensitive hives via reg utility
|
||||
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
|
||||
description: Dump sam, system or security hives using REG.exe utility
|
||||
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: HH.exe execution
|
||||
id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
|
||||
description: Identifies usage of hh.exe executing recently modified .chm files.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Indirect Command Execution
|
||||
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
|
||||
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Interactive AT Job
|
||||
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
|
||||
description: Detect an interactive AT job, which may be used as a form of privilege escalation
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
|
@ -1,5 +1,6 @@
|
||||
title: Invoke-Obfuscation obfuscated IEX invocation
|
||||
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
|
||||
id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
|
||||
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
|
||||
status: experimental
|
||||
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
|
||||
date: 2019/11/08
|
||||
|
@ -1,5 +1,7 @@
|
||||
title: LSASS Memory Dumping
|
||||
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
|
||||
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
|
||||
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe
|
||||
to export the memory space of lsass.exe which contains sensitive credentials.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
|
||||
date: 2019/10/24
|
||||
|
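Review bot: the description says the same thing twice ("Detect creation of dump files containing the memory space of lsass.exe ... Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe"); merge it into one sentence naming the observable the rule keys on, dump-file creation or procdump invocation.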
@ -1,4 +1,5 @@
|
||||
title: Meterpreter or Cobalt Strike getsystem service start
|
||||
id: 15619216-e993-4721-b590-4c520615a67d
|
||||
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
|
||||
author: Teymur Kheirkhabarov
|
||||
date: 2019/10/26
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Mimikatz command line
|
||||
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
|
||||
description: Detection well-known mimikatz command line arguments
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/10/22
|
||||
|
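Review bot: grammar in the description: "Detection well-known mimikatz command line arguments" should read "Detects well-known mimikatz command line arguments".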
@ -1,4 +1,5 @@
|
||||
title: Mshta Network Connections
|
||||
id: 67f113fa-e23d-4271-befa-30113b3e08b1
|
||||
description: Identifies suspicious mshta.exe commands
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Windows Network Enumeration
|
||||
id: 62510e69-616b-4078-b371-847da438cc03
|
||||
status: stable
|
||||
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Net.exe User Account Creation
|
||||
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
|
||||
status: experimental
|
||||
description: Identifies creation of local users via the net.exe command
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: New service creation
|
||||
id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
|
||||
status: experimental
|
||||
description: Detects creation if a new service
|
||||
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
|
||||
|
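Review bot: typo in the description: "Detects creation if a new service" should be "Detects creation of a new service".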
@ -1,4 +1,5 @@
|
||||
title: T1086 Non Interactive PowerShell
|
||||
id: f4bbd493-b796-416e-bbf2-121235348529
|
||||
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Possible Rotten Potato detection - privilege escalation fro Service accounts to SYSTEM
|
||||
id: 6c5808ee-85a2-4e56-8137-72e5876a5096
|
||||
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
|
||||
references:
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
|
||||
|
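Review bot: typo in the title: "fro Service accounts" should be "from Service accounts".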
@ -1,4 +1,5 @@
|
||||
title: Audio Capture via PowerShell
|
||||
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
|
||||
description: Detects audio capture via PowerShell Cmdlet
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Suspicious Bitsadmin Job via PowerShell
|
||||
id: f67dbfce-93bc-440d-86ad-a95ae8858c90
|
||||
status: experimental
|
||||
description: Detect download by BITS jobs via PowerShell
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1086 Remote PowerShell Session
|
||||
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
|
||||
description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn)
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
|
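Review bot: two typos in the description: "seccions" should be "sessions" and "sessionn" should be "session".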
@ -1,5 +1,7 @@
|
||||
title: Discovery of a system time
|
||||
description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
|
||||
id: b243b280-65fe-48df-ba07-6ddea7646427
|
||||
description: "Identifies use of various commands to query a system\u2019s time. This technique may be used before executing a scheduled task or to discover the time\
|
||||
\ zone of a target system."
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
date: 2019/10/24
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Run PowerShell script from ADS
|
||||
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
|
||||
status: experimental
|
||||
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Stop windows service
|
||||
id: eb87818d-db5d-49cc-a987-d5da331fbd90
|
||||
description: Detects a windows service to be stopped
|
||||
status: experimental
|
||||
author: Jakob Weinzettl, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Shadow copies access via symlink
|
||||
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
|
||||
description: Shadow Copies storage symbolic link creation using operating systems utilities
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Shadow copies creation using operating systems utilities
|
||||
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
|
||||
description: Shadow Copies creation using operating systems utilities, possible credential access
|
||||
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Shadow copies deletion using operating systems utilities
|
||||
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
|
||||
description: Shadow Copies deletion using operating systems utilities
|
||||
author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
|
||||
date: 2019/10/22
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Audio Capture via SoundRecorder
|
||||
id: 83865853-59aa-449e-9600-74b9d89a6d6e
|
||||
description: Detect attacker collecting audio via SoundRecorder application
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Direct autorun keys modification
|
||||
id: 24357373-078f-44ed-9ac4-6d334a668a11
|
||||
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
|
||||
status: experimental
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Suspicious netsh Dll persistence
|
||||
id: 56321594-9087-49d9-bf10-524fe8479452
|
||||
description: Detects pesitence via netsh helper
|
||||
status: test
|
||||
references:
|
||||
|
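Review bot: typo in the description: "pesitence" should be "persistence".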
@ -1,4 +1,5 @@
|
||||
title: Suspicious service path modification
|
||||
id: 138d3531-8793-4f50-a2cd-f291b2863d78
|
||||
description: Detects service path modification to powershell/cmd
|
||||
status: experimental
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Tap installer execution
|
||||
id: 99793437-3e16-439b-be0f-078782cf953d
|
||||
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
|
||||
status: experimental
|
||||
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Domain Trust Discovery
|
||||
id: 3bad990e-4848-4a78-9530-b427d854aac0
|
||||
description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Bypass UAC via CMSTP
|
||||
id: e66779cc-383e-4224-a3a4-267eeb585c40
|
||||
description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Bypass UAC via Fodhelper.exe
|
||||
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
|
||||
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Bypass UAC via WSReset.exe
|
||||
id: d797268e-28a9-49a7-b9a8-2f5039011c5c
|
||||
description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
|
||||
status: experimental
|
||||
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
|
||||
|
@ -1,5 +1,6 @@
|
||||
title: Possible privilege escalation via weak service permissions
|
||||
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
|
||||
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
|
||||
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
|
||||
references:
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
|
||||
- https://pentestlab.blog/2017/03/30/weak-service-permissions/
|
||||
|
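Review bot: the `description:` line appears both as removed and as re-added around the new `id:` in this hunk, whereas the other rules in the commit only insert an id line; if the text is identical, that points to a whitespace or line-ending change on that line, so confirm the extra change is intended before merging.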
@ -1,4 +1,5 @@
|
||||
title: Run whoami as SYSTEM
|
||||
id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
|
||||
status: experimental
|
||||
description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1047 Wmiprvse Spawning Process
|
||||
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
|
||||
description: Detects wmiprvse spawning processes
|
||||
status: experimental
|
||||
date: 2019/08/15
|
||||
|
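Review bot: the title carries the ATT&CK id `T1047` as a prefix; in Sigma the technique is normally expressed in `tags` (`attack.t1047`) and the title kept descriptive, so consider moving it there. The same applies to the `T1086` and `T1055` titles elsewhere in this commit.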
@ -1,4 +1,5 @@
|
||||
title: T1086 Alternate PowerShell Hosts
|
||||
id: f67f6c57-257d-4919-a416-69cd31f9aac3
|
||||
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1086 Alternate PowerShell Hosts
|
||||
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
|
||||
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
|
||||
status: experimental
|
||||
date: 2019/09/12
|
||||
|
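Review bot: this rule and the one immediately above both use the title `T1086 Alternate PowerShell Hosts` with different UUIDs (`f67f6c57-...` and `58cb02d5-...`). Distinct ids are what tooling needs, but consider making the two titles distinguish the variants so they can be told apart in alert output.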
@ -1,4 +1,5 @@
|
||||
title: Autorun keys modification
|
||||
id: 17f878b8-9968-4578-b814-c4217fc5768c
|
||||
description: Detects modification of autostart extensibility point (ASEP) in registry
|
||||
status: experimental
|
||||
references:
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: T1055 CreateRemoteThread API and LoadLibrary
|
||||
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
|
||||
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
|
||||
status: experimental
|
||||
date: 2019/08/11
|
||||
|
@ -1,7 +1,9 @@
|
||||
title: Credentials Dumping tools accessing LSASS memory
|
||||
id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
|
||||
status: experimental
|
||||
description: Detects process access LSASS memory which is typical for credentials dumping tools
|
||||
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
|
||||
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
|
||||
oscd.community (update)
|
||||
date: 2017/02/16
|
||||
modified: 2019/11/08
|
||||
references:
|
||||
|
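Review bot: the re-wrapped author line now continues on a second line ending in `oscd.community (update)`. That is only valid YAML if the continuation is indented as part of the same plain scalar; the rendered diff drops leading whitespace, so verify the file still parses (the CI test mentioned in the commit message should catch it if not).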
@ -1,4 +1,5 @@
|
||||
title: Cred dump tools dropped files
|
||||
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
|
||||
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/11/01
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Cred dump-tools named pipes
|
||||
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
|
||||
description: Detects well-known credential dumping tools execution via specific named pipes
|
||||
author: Teymur Kheirkhabarov, oscd.community
|
||||
date: 2019/11/01
|
||||
|
@ -1,4 +1,5 @@
|
||||
title: Disable security events logging adding reg key MiniNt
|
||||
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
|
||||
status: experimental
|
||||
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
|
||||
references:
|
||||
|
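Review bot: grammar in the unchanged description line, `Windows Event Log service will stopped write events` should read `will stop writing events`.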
@ -1,5 +1,10 @@
|
||||
title: Suspicious In-Memory Module Execution
|
||||
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
|
||||
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
|
||||
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity
|
||||
C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN"
|
||||
as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such
|
||||
few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
|
||||
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
|
||||
status: experimental
|
||||
date: 27/10/2019
|
||||
author: Perez Diego (@darkquassar), oscd.community
|
||||
|
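Review bot: `date: 27/10/2019` uses day-first order while every other rule in this commit uses `YYYY/MM/DD` (for example `2019/08/15`); normalise it to `2019/10/27`. The long description is also now wrapped over several lines, which only remains valid YAML if each continuation line is indented, so confirm the file still parses after the re-wrap.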