Merge branch 'SigmaHQ:master' into master

This commit is contained in:
Cyb3rEng 2021-09-07 19:58:09 -06:00 committed by GitHub
commit 932b7cf2ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
181 changed files with 1871 additions and 298 deletions


@ -12,8 +12,7 @@ logsource:
service: cloudtrail
detection:
selection:
eventSource: sts.amazonaws.com
eventName: AssumeRole
userIdentity.type: AssumedRole
userIdentity.sessionContext.sessionIssuer.type: Role
condition: selection
level: low
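Review bot: The hunk header (8 old lines, 7 new) shows one key was dropped from `selection`, but with the +/- markers lost in this rendering it is not visible whether `userIdentity.type: AssumedRole` or `userIdentity.sessionContext.sessionIssuer.type: Role` went, and either removal may widen what the rule matches. A wider match on an unchanged `level: low` rule is fine, but the `description` and `falsepositives` (both above the hunk) should say which AssumeRole callers are now covered. The rule header with `modified:` is outside the hunk as well and should be bumped to the commit date.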


@ -15,11 +15,11 @@ detection:
eventSource: iam.amazonaws.com
eventName: UpdateLoginProfile
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
userIdentity.arn|contains: requestParameters.userName
condition: selection_source and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName
- requestParameters.userName
- errorCode
- errorMessage
falsepositives:
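Review bot: The value `requestParameters.userName` on the new `userIdentity.arn|contains` line is matched as a literal string, not as a reference to another event field, so the filter can only match an ARN that literally contains that text — effectively never — and `selection_source and not filter` fires on every UpdateLoginProfile call, including a user changing their own profile. As far as I know the Sigma format this repository targets has no field-to-field comparison, so the "self-change" exclusion has to be done in the backend or removed from the rule and noted under `falsepositives` instead. If both `userIdentity.arn|contains` lines are on the new side they are also duplicate mapping keys, which most YAML loaders resolve last-wins; the hunk counts (one removed, one added) suggest only the second survives. The `detection` block and the `selection_source` definition start above the hunk.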


@ -0,0 +1,21 @@
title: Azure Application Credential Modified
id: cdeef967-f9a1-4375-90ee-6978c5f23974
description: Identifies when a application credential is modified.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/02
references:
- https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message: "Update application - Certificates and secrets management"
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application credential added may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
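Review bot: The last two `falsepositives` entries are triage instructions rather than benign causes of a match, which is what the field documents: they read `Verify whether the user identity ...` and `... should be investigated`. Keep the first entry and move the triage guidance into `description` or drop it; the same pattern appears in the Azure Application Deleted, Device or Configuration Modified or Deleted, Domain Federation Settings Modified, Network Firewall Policy, Owner Removed, Service Principal Created and Service Principal Removed rules in this commit. Separately, adding or rotating an application credential is normally mapped to persistence via additional cloud credentials (`attack.persistence`, `attack.t1098.001`) rather than `attack.impact`; worth confirming before ATT&CK coverage tooling consumes the tag.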


@ -0,0 +1,23 @@
title: Azure Application Deleted
id: 410d2a41-1e6d-452f-85e5-abdd8257a823
description: Identifies when a application is deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Delete application
- Hard Delete application
condition: selection
level: medium
tags:
- attack.defense_evasion
falsepositives:
- Application being deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.


@ -0,0 +1,21 @@
title: Azure Device No Longer Managed or Compliant
id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
description: Identifies when a device in azure is no longer managed or compliant
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Device no longer compliant
- Device no longer managed
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Administrator may have forgotten to review the device.


@ -0,0 +1,25 @@
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
description: Identifies when a device or device configuration in azure is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Delete device
- Delete device configuration
- Update device
- Update device configuration
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Device or device configuration being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
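Review bot: `Update device` and `Update device configuration` are, I believe, routine directory operations (device attribute refreshes from MDM enrolment and sign-in flows), so at `level: medium` this rule is likely to be high-volume in any tenant with managed devices. Consider splitting the two delete operations, which are rare and deserve a medium alert, from the update operations, or lowering the level and documenting the expected volume. The `falsepositives` list names only administrators as a benign source, so an analyst will not expect the automated churn; add an entry for it.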


@ -0,0 +1,23 @@
title: Azure Domain Federation Settings Modified
id: 352a54e1-74ba-4929-9d47-8193d67aba1e
description: Identifies when an user or application modified the federation settings on the domain.
author: Austin Songer
status: experimental
date: 2021/09/06
references:
- https://attack.mitre.org/techniques/T1078
logsource:
service: azure.signinlogs
detection:
selection:
properties.message: Set federation settings on domain
condition: selection
level: medium
tags:
- attack.initial_access
- attack.t1078
falsepositives:
- Federation Settings being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
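Review bot: `logsource: service: azure.signinlogs` does not match the event the rule keys on: `Set federation settings on domain` is a directory audit operation, the same `properties.message` family the sibling rules in this commit query under `azure.activitylogs`, so on a sign-in log source the selection has nothing to match. Change it to `service: azure.activitylogs` unless the repository defines an audit-log specific logsource. The tagging is also off — changing domain federation settings is domain trust modification (`attack.t1484.002`, under `attack.defense_evasion` / `attack.privilege_escalation`), with T1078 at most describing what happens afterwards — and `an user` in the description should read `a user`.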


@ -0,0 +1,24 @@
title: Azure Network Firewall Policy Modified or Deleted
id: 83c17918-746e-4bd9-920b-8e098bf88c23
description: Identifies when a Firewall Policy is Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/02
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.


@ -0,0 +1,23 @@
title: Azure Owner Removed From Application or Service Principal
id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
description: Identifies when a owner is was removed from a application or service principal in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- Remove owner from service principal
- Remove owner from application
condition: selection
level: medium
tags:
- attack.defense_evasion
falsepositives:
- Owner being removed may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.


@ -0,0 +1,21 @@
title: Azure Service Principal Created
id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
description: Identifies when a service principal is created in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/02
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
service: azure.activitylogs
detection:
selection:
properties.message: "Add service principal"
condition: selection
level: medium
tags:
- attack.defense_evasion
falsepositives:
- Service principal being created may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
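Review bot: `Add service principal` is emitted, as far as I know, for every enterprise application registration and every consent flow that instantiates one, so a single plain-string match at `level: medium` will be very noisy in most tenants. Creating a principal on its own is closer to persistence through a new cloud account (`attack.persistence`, `attack.t1136.003`) than `attack.defense_evasion`; if the intent is attacker-created principals, narrowing by the initiating identity type, or pairing this rule with the credential-added rule in the same commit, would make the alert actionable. The `falsepositives` section should also state that user consent flows create these events.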


@ -0,0 +1,21 @@
title: Azure Service Principal Removed
id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
description: Identifies when a service principal was removed in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
service: azure.activitylogs
detection:
selection:
properties.message: Remove service principal
condition: selection
level: medium
tags:
- attack.defense_evasion
falsepositives:
- Service principal being removed may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.


@ -1,6 +1,5 @@
action: global
title: Cleartext Protocol Usage
id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
status: stable
description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
@ -57,6 +56,7 @@ level: low
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
---
id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
logsource:
product: netflow
detection:
@ -80,6 +80,7 @@ detection:
- 5904
condition: selection
---
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
logsource:
category: firewall
detection:
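Review bot: The global section loses its `id` and each sub-document gains one, so the second document here becomes a standalone rule under a fresh UUID, yet no `modified:` bump is visible; the header beyond line 6 is outside the hunk, so if the field exists there it should be set to the commit date so consumers re-import both ids. The same restructuring is applied to the CVE-2021-3156, Linux Network Service Scanning, Disabling Security Tools, Sudo CVE-2019-14287, System Information Discovery, High DNS Bytes Out, High DNS Requests Rate and Network Scans rules and to the Windows service-installation and Invoke-Obfuscation rules in this commit, and this comment applies to each of them. Because the split documents still share `title`, `level` and `falsepositives` from the global section, a short sentence in `description` (or the project's `related:` field, if it is in use) noting that the ids are siblings derived from one rule would help anyone deduplicating alerts by title.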


@ -0,0 +1,30 @@
title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
description: Detects attempts to record audio with arecord utility
#the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay
author: 'Pawel Mazur'
status: experimental
date: 2021/09/04
references:
- https://linux.die.net/man/1/arecord
- https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
- https://attack.mitre.org/techniques/T1123/
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0:
- arecord
a1:
- '-vv'
a2:
- '-fdat'
condition: selection
tags:
- attack.collection
- attack.t1123
falsepositives:
- None
level: low
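Review bot: Matching `a1: '-vv'` and `a2: '-fdat'` in fixed argv positions ties the rule to the exact invocation from the referenced ALSA tutorial, so any other option order or spelling of the same recording command is not seen. Key the detection on `a0: arecord` and, if narrowing is needed, use `|contains` on the argument fields rather than positional equality. `falsepositives: - None` is inaccurate as well: any user recording audio with arecord produces the same EXECVE record, so list that. The comment about `/usr/bin/aplay` sits between `description` and `author`; it belongs in the description, which is where a rule consumer will look for it.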


@ -1,6 +1,5 @@
action: global
title: CVE-2021-3156 Exploitation Attempt
id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
status: experimental
description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
@ -21,6 +20,7 @@ logsource:
product: linux
service: auditd
---
id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
detection:
selection:
type: 'EXECVE'
@ -43,6 +43,7 @@ detection:
a4: '\'
condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50
---
id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2
detection:
selection:
type: 'SYSCALL'
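Review bot: The header's `description` is a plain multi-line scalar ending each line with a literal `|`, so the rendered text reads `... CVE-2021-3156. | Alternative approach might be ... |`; the pipes look like an attempted block scalar that never became one. This predates the commit but is on the new side of the hunk: change it to `description: |` (or `>-`) with the text indented beneath it. The `modified:` field, outside the hunk, should be bumped together with the id split done here.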


@ -0,0 +1,33 @@
title: Hidden Files and Directoriese
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
author: 'Pawel Mazur'
status: experimental
date: 2021/09/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://attack.mitre.org/techniques/T1564/001/
logsource:
product: linux
service: auditd
detection:
commands:
type: EXECVE
a0:
- mkdir
- touch
- vim
- nano
- vi
arguments:
- a1|contains: '/.'
- a1|startswith: '.'
- a2|contains: '/.'
- a2|startswith: '.'
condition: commands and arguments
tags:
- attack.defense_evasion
- attack.t1564.001
falsepositives:
- None
level: low
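Review bot: `a1|startswith: '.'` and `a2|startswith: '.'` also match relative paths (`./build`, `../src`) and everyday dotfile editing (`vi .bashrc`, `touch .gitignore`), so `falsepositives: - None` is wrong and the rule will fire on ordinary shell use; list those cases and consider a filter selection that excludes arguments starting with `./` and `../`. The title `Hidden Files and Directoriese` carries a trailing typo and should read `Hidden Files and Directories`. The rule deliberately covers only the five commands in `a0`; that scope is reasonable but worth stating in the description so readers do not assume every hidden-file creation is caught.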


@ -0,0 +1,31 @@
title: System Information Discovery
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
description: Detects System Information Discovery commands
author: 'Pawel Mazur'
status: experimental
date: 2021/09/03
references:
- https://attack.mitre.org/techniques/T1082/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
logsource:
product: linux
service: auditd
detection:
selection:
type: PATH
name:
- /etc/lsb-release
- /etc/redhat-release
- /etc/issue
selection2:
type: EXECVE
a0:
- uname
- uptime
condition: selection or selection2
tags:
- attack.discovery
- attack.t1082
falsepositives:
- Legitimate administrative activity
level: low
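Review bot: This rule appears to overlap with the existing `System Information Discovery` rule (id 42df45e7) whose auditd sub-document receives its own id 1f358e2e elsewhere in this same commit; both target `product: linux`, `service: auditd` and system-information commands, so the two should be reconciled (fold the new selections into the existing rule, or cross-reference it). Matching `type: PATH` on `/etc/lsb-release`, `/etc/redhat-release` and `/etc/issue` will also fire on every read of those files by init scripts, package managers and login banners, so `Legitimate administrative activity` likely understates the volume; either keep only the `selection2` EXECVE half or document that the PATH half is expected to be noisy.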


@ -1,6 +1,5 @@
action: global
title: Linux Network Service Scanning
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: experimental
description: Detects enumeration of local or remote network services.
author: Alejandro Ortuno, oscd.community
@ -14,6 +13,7 @@ tags:
- attack.discovery
- attack.t1046
---
id: 3e102cd9-a70d-4a7a-9508-403963092f31
logsource:
category: process_creation
product: linux
@ -31,6 +31,7 @@ detection:
CommandLine|contains: 'l'
condition: (netcat and not netcat_listen_flag) or network_scanning_tools
---
id: 3761e026-f259-44e6-8826-719ed8079408
logsource:
product: linux
service: auditd


@ -1,6 +1,5 @@
action: global
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: experimental
description: Detects disabling security tools
author: Ömer Günal, Alejandro Ortuno, oscd.community
@ -15,6 +14,7 @@ tags:
- attack.t1562.004
- attack.t1089 # an old one
---
id: e3a8a052-111f-4606-9aee-f28ebeb76776
logsource:
category: process_creation
product: linux
@ -84,6 +84,7 @@ detection:
- 'falcon-sensor'
condition: 1 of them
---
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
logsource:
product: linux
service: syslog


@ -1,6 +1,5 @@
action: global
title: Sudo Privilege Escalation CVE-2019-14287
id: f74107df-b6c6-4e80-bf00-4170b658162b
status: experimental
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
author: Florian Roth
@ -21,11 +20,13 @@ tags:
- attack.t1169 # an old one
- attack.t1548.003
---
id: f74107df-b6c6-4e80-bf00-4170b658162b
detection:
selection_keywords:
- '* -u#*'
condition: selection_keywords
---
id: 7fcc54cb-f27d-4684-84b7-436af096f858
detection:
selection_user:
USER:


@ -1,6 +1,5 @@
action: global
title: System Information Discovery
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
status: stable
description: Detects system information discovery commands
author: Ömer Günal, oscd.community
@ -15,6 +14,7 @@ tags:
- attack.discovery
- attack.t1082
---
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
logsource:
product: linux
category: process_creation
@ -30,6 +30,7 @@ detection:
- '/lsmod'
condition: selection
---
id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
logsource:
product: linux
service: auditd


@ -1,6 +1,5 @@
action: global
title: High DNS Bytes Out
id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
status: experimental
description: High DNS queries bytes amount from host per short period of time
author: Daniil Yugoslavskiy, oscd.community
@ -14,6 +13,7 @@ tags:
- attack.t1048 # an old one
- attack.t1048.003
---
id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
logsource:
category: dns
detection:
@ -22,6 +22,7 @@ detection:
timeframe: 1m
condition: selection | sum(question_length) by src_ip > 300000
---
id: 3b6e327d-8649-4102-993f-d25786481589
logsource:
category: firewall
detection:


@ -1,6 +1,5 @@
action: global
title: High DNS Requests Rate
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
status: experimental
description: High DNS requests amount from host per short period of time
author: Daniil Yugoslavskiy, oscd.community
@ -17,6 +16,7 @@ tags:
- attack.t1071 # an old one
- attack.t1071.004
---
id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
logsource:
category: dns
detection:
@ -25,6 +25,7 @@ detection:
timeframe: 1m
condition: selection | count() by src_ip > 1000
---
id: 51186749-7415-46be-90e5-6914865c825a
logsource:
category: firewall
detection:


@ -1,6 +1,5 @@
action: global
title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
status: experimental
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
@ -21,12 +20,14 @@ tags:
- attack.discovery
- attack.t1046
---
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
detection:
selection:
action: denied
timeframe: 24h
condition: selection | count(dst_port) by src_ip > 10
---
id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
detection:
selection:
action: denied


@ -7,9 +7,9 @@ date: 2021/08/19
modified: 2021/08/23
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
level: low
logsource:
service: dns
product: zeek
logsource:
service: dns
product: zeek
tags:
- attack.t1035 # an old one
- attack.t1569.002
@ -93,7 +93,7 @@ detection:
- "0.0.0.0"
exclude_rejected:
rejected: "true"
condition: selection and not (exclude_answers OR exclude_rejected)
condition: selection and not (exclude_answers or exclude_rejected)
falsepositives:
- A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
fields:


@ -44,7 +44,7 @@ detection:
- '137'
- '138'
- '139'
condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
falsepositives:
- 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
- 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
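Review bot: The new condition repeats `exclude_tlds` twice (`exclude_tlds or exclude_tlds or exclude_query_types ...`); the second occurrence is a no-op and most likely a copy-paste where a differently named exclusion was meant. The commit only lowercased the operators, so the duplicate was carried over: either drop one occurrence or reference the selection that was intended, and check the `detection` block above the hunk for an exclusion that is defined but never referenced.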


@ -50,6 +50,7 @@ detection:
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
condition: selection
fields:
- ClientIP
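Review bot: The added user-agent entry is the only one in this list whose trailing comment has no source link; the neighbouring entries each cite the report that documented the string. Add the reference after the comment, e.g. `# SideWalk malware used by Sparkling Goblin, <report URL>`, and add the same link to the rule's `references` list so the attribution can be verified later. The selection key and match modifier for this list are above the hunk, so whether the string is compared exactly or as a substring is not visible here.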


@ -1,6 +1,5 @@
action: global
title: APT29 Google Update Service Install
id: c069f460-2b87-4010-8dcf-e45bab362624
description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
so the service names and executable locations used by APT29 are specific enough to be detected in log files.
references:
@ -26,6 +25,7 @@ falsepositives:
- Unknown
level: high
---
id: c069f460-2b87-4010-8dcf-e45bab362624
logsource:
category: process_creation
product: windows


@ -2,7 +2,7 @@ title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
author: Sreeman
date: 2020/13/03
date: 2020/03/13
modified: 2021/08/09
references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39


@ -3,7 +3,7 @@ id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
status: experimental
description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file'
author: Sreeman
date: 2020/13/03
date: 2020/03/13
modified: 2021/06/11
tags:
- attack.t1218


@ -36,3 +36,6 @@ detection:
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
tags:
- attack.resource_development
- attack.t1588
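Review bot: The new `tags` block is appended after `level` at the end of the file, whereas every other rule touched in this commit places `tags` before `falsepositives`; moving it keeps the key order consistent for diff-based review. `attack.t1588` is the parent technique, and since the rule matches hack tools the sub-technique `attack.t1588.002` (Obtain Capabilities: Tool) is the more precise tag. The `modified:` field in the header is outside the hunk and should be bumped with the tag addition.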


@ -1,6 +1,5 @@
action: global
title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
author: Florian Roth, Wojciech Lesicki
references:
@ -34,6 +33,7 @@ falsepositives:
- Unknown
level: critical
---
id: 5a105d34-05fc-401e-8553-272b45c1522d
logsource:
product: windows
service: system
@ -41,6 +41,7 @@ detection:
selection_id:
EventID: 7045
---
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation CLIP+ Launcher
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
condition: selection and selection_eventid
---
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
status: experimental
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
@ -17,11 +16,12 @@ detection:
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ImagePath|re: '\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference'
condition: selection and selection_1
---
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
logsource:
product: windows
service: system
@ -29,6 +29,7 @@ detection:
selection:
EventID: 7045
---
id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
logsource:
product: windows
category: driver_load
@ -36,6 +37,7 @@ detection:
selection:
EventID: 6
---
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
logsource:
product: windows
service: security
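Review bot: The regex edit from `'\*mdr\*\W\s*\)\.Name'` to `'\\*mdr\*\W\s*\)\.Name'` changes its meaning: `\*mdr\*` matched the literal text `*mdr*`, while `\\*mdr\*` matches zero or more literal backslashes followed by `mdr*`, so the leading `*` of the wildcard is no longer required and the pattern becomes looser rather than stricter. If the intent was to satisfy a YAML or backend escaping check, the original is valid inside single quotes and the other `|re` entries in the same selection keep single escapes such as `\$` and `\[`; restoring `\*mdr\*` keeps the match exact. The `selection_1` list starts above the hunk.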


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation STDIN+ Launcher
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
description: Detects Obfuscated use of stdin to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
condition: selection and selection_eventid
---
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation VAR+ Launcher
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
description: Detects Obfuscated use of Environment Variables to execute PowerShell
status: experimental
author: Jonathan Cheong, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
condition: all of them
---
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
logsource:
product: windows
service: system
@ -28,10 +28,12 @@ detection:
selection_eventid:
EventID: 7045
---
id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
logsource:
product: windows
category: process_creation
---
id: dcf2db1f-f091-425b-a821-c05875b8925a
logsource:
product: windows
service: security
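Review bot: The `process_creation` sub-document (new id `3e27b010-2cf2-4577-8ef0-3ea44aaea0dc`) carries only a `logsource`, so the only detection it inherits is the global `ImagePath|re` selection with `condition: all of them` from the first hunk; `ImagePath` is a service-installation field, and a process-creation event has no such field, so that document cannot match. This predates the commit, but giving it its own id now ships it as a standalone rule, so either add a `detection` keyed on `CommandLine|re` or drop the document. The same shape — a sub-document with only a `logsource` — appears in the driver_load documents of the Credential Dumping Tools and Meterpreter Getsystem rules; their global detection is outside the hunks, so I can only flag them for the same check.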


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 175997c5-803c-4b08-8bb0-70b099f47595
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
author: Timur Zinniatullin, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
condition: selection and selection_eventid
---
id: 175997c5-803c-4b08-8bb0-70b099f47595
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: c70731dd-0097-40ff-b112-f7032f29c16c
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation RUNDLL LAUNCHER
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
condition: selection and selection_eventid
---
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation Via Stdin
id: 487c7524-f892-4054-b263-8a0ace63fc25
description: Detects Obfuscated Powershell via Stdin in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
condition: selection and selection_eventid
---
id: 487c7524-f892-4054-b263-8a0ace63fc25
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: 82b66143-53ee-4369-ab02-de2c70cd6352
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation Via Use Clip
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
condition: selection and selection_eventid
---
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation Via Use MSHTA
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
condition: selection and selection_eventid
---
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation Via Use Rundll32
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
condition: selection and selection_eventid
---
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
status: experimental
author: Timur Zinniatullin, oscd.community
@ -21,6 +20,7 @@ detection:
ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection and selection_eventid
---
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
selection_eventid:
EventID: 7045
---
id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
logsource:
product: windows
category: driver_load
@ -35,6 +36,7 @@ detection:
selection_eventid:
EventID: 6
---
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
logsource:
product: windows
service: security


@ -1,9 +1,7 @@
---
action: global
title: Credential Dumping Tools Service Execution
description: Detects well-known credential dumping tools execution via service execution events
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
date: 2017/03/05
modified: 2021/03/18
references:
@ -44,6 +42,7 @@ falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
---
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
logsource:
product: windows
service: system
@ -51,10 +50,12 @@ detection:
selection:
EventID: 7045
---
id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
logsource:
product: windows
category: driver_load
---
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Malicious Service Installations
id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
@ -24,6 +23,7 @@ falsepositives:
- Penetration testing
level: critical
---
id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
logsource:
product: windows
service: system
@ -39,6 +39,7 @@ detection:
malsvc_apt29:
ServiceName: 'Java(TM) Virtual Machine Support Service'
---
id: cb062102-587e-4414-8efa-dbe3c7bf19c6
logsource:
product: windows
service: security


@ -1,10 +1,9 @@
action: global
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
author: Bartlomiej Czyz, Relativity
date: 2021/01/21
modified: 2021/07/23
action: global
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
tags:
@ -32,6 +31,7 @@ falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
---
id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
logsource:
product: windows
service: system
@ -39,10 +39,11 @@ detection:
selection:
EventID: 7045
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697


@ -1,6 +1,5 @@
action: global
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
@ -48,6 +47,7 @@ falsepositives:
- Highly unlikely
level: critical
---
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
logsource:
product: windows
service: system
@ -55,10 +55,12 @@ detection:
selection:
EventID: 7045
---
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
logsource:
product: windows
category: driver_load
---
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
@ -16,6 +15,7 @@ tags:
- attack.privilege_escalation
- attack.t1543.003
---
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
logsource:
product: windows
service: system
@ -25,6 +25,7 @@ detection:
ServiceName: ZzNetSvc
condition: selection
---
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
logsource:
product: windows
category: file_event


@ -1,6 +1,5 @@
action: global
title: NetNTLM Downgrade Attack
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
description: Detects NetNTLM downgrade attack
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
@ -18,6 +17,7 @@ falsepositives:
- Unknown
level: critical
---
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
logsource:
product: windows
category: registry_event
@ -34,6 +34,7 @@ detection:
---
# Windows Security Eventlog: Process Creation with Full Command Line
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
logsource:
product: windows
service: security


@ -20,3 +20,6 @@ detection:
falsepositives:
- Unlikely
level: critical
tags:
- attack.impact
- attack.t1499.001


@ -0,0 +1,26 @@
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
description: Detect PetitPotam coerced authentication activity.
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
tags:
- attack.credential_access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName|startswith: '\\'
ShareName|endswith: '\IPC$'
RelativeTargetName: lsarpc
SubjectUserName: ANONYMOUS LOGON
condition: selection
falsepositives:
- Unknown. Feedback welcomed.
level: high
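Review bot: `SubjectUserName: ANONYMOUS LOGON` in `selection` limits the rule to unauthenticated coercion; the same 5145 access to `lsarpc` on `IPC$` coming from a low-privileged domain account would not fire, so a second selection without the SubjectUserName constraint, at a lower level or with a filter for expected accounts, would widen coverage. The PetitPotam reference also drives the `efsrpc` pipe, so `RelativeTargetName` could be a list holding both `lsarpc` and `efsrpc`. The rule also has no `status:` field, unlike the other new rules in this commit; `status: experimental` fits.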


@ -0,0 +1,33 @@
title: PetitPotam Suspicious Kerberos TGT Request
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
certificate by abusing Active Directory Certificate Services in combination with
PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
like Rubeus. This request will generate a 4768 event with some unusual fields depending
on the environment. This analytic will require tuning, we recommend filtering Account_Name
to the Domain Controller computer accounts.
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
tags:
- attack.credential_access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
detection:
selection:
EventID: 4768
TargetUserName|endswith: '$'
CertThumbprint: '*'
filter_local:
IpAddress: '::1'
condition: selection and not filter_local
falsepositives:
- False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
level: high
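Review bot: The description and the falsepositives entry tell analysts to filter `Account_Name`, but the field this rule actually evaluates is `TargetUserName`, so the tuning advice should name the Sigma field (`filtering TargetUserName to the Domain Controller computer accounts`) rather than the Splunk field from the referenced content. `attacer` in the description should read `attacker`, and the rule lacks a `status:` field (`status: experimental` would match the companion coerce rule in this commit). `CertThumbprint: '*'` is presumably meant as "field present and non-empty"; a short inline comment stating that would help, since a bare wildcard is not interpreted identically by every backend.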


@ -1,6 +1,5 @@
action: global
title: PowerShell Scripts Installed as Services
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
description: Detects powershell script installed as a Service
status: experimental
author: oscd.community, Natalia Shornikova
@ -21,6 +20,7 @@ falsepositives:
- Unknown
level: high
---
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
logsource:
product: windows
service: system
@ -28,6 +28,7 @@ detection:
service_creation:
EventID: 7045
---
id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
logsource:
product: windows
service: sysmon
@ -35,6 +36,7 @@ detection:
service_creation:
EventID: 6
---
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
logsource:
product: windows
service: security


@ -1,8 +1,7 @@
action: global
title: Windows PowerShell Web Request
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
status: experimental
description: Detects the use of various web request methods (including aliases) via Windows PowerShell
description: Detects the use of various web request methods (including aliases) via Windows PowerShell command
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
@ -19,6 +18,7 @@ falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
---
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
logsource:
category: process_creation
product: windows
@ -32,6 +32,7 @@ detection:
- 'Net.WebClient'
- 'Start-BitsTransfer'
---
id: 1139d2e2-84b1-4226-b445-354492eba8ba
logsource:
product: windows
service: powershell


@ -1,6 +1,5 @@
action: global
title: Root Certificate Installed
id: 42821614-9264-4761-acfc-5772c3286f76
status: experimental
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
@ -16,6 +15,7 @@ falsepositives:
detection:
condition: 1 of them
---
id: 42821614-9264-4761-acfc-5772c3286f76
logsource:
product: windows
service: powershell
@ -31,6 +31,7 @@ detection:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
---
id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
logsource:
category: process_creation
product: windows


@ -21,3 +21,6 @@ detection:
falsepositives:
- Unknown
level: critical
tags:
- attack.privilege_escalation
- attack.t1548


@ -0,0 +1,22 @@
title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: experimental
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
date: 2021/09/01
author: Bhabesh Raj
level: high
logsource:
service: application
product: windows
tags:
- attack.t1219
detection:
selection:
EventID: 1033
Source: MsiInstaller
Message|contains: AteraAgent
condition: selection
falsepositives:
- Legitimate Atera agent installation
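Review bot: `tags:` carries only the technique `attack.t1219` without its tactic; the other rules in this commit pair the technique with the tactic (`attack.command_and_control` listed above `attack.t1219`), so `- attack.command_and_control` should be added for consistency with the repository's tagging. `Message|contains: AteraAgent` is the only unquoted string value in the detection block; `'AteraAgent'` would match the surrounding rules' style.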


@ -1,6 +1,5 @@
action: global
title: Detected Windows Software Discovery
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
status: experimental
author: Nikita Nazarov, oscd.community
@ -17,6 +16,7 @@ falsepositives:
detection:
condition: 1 of them
---
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
logsource:
product: windows
service: powershell
@ -30,6 +30,7 @@ detection:
- 'select-object'
- 'format-table'
---
id: e13f668e-7f95-443d-98d2-1816a7648a7b
logsource:
category: process_creation
product: windows


@ -1,6 +1,5 @@
action: global
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
status: experimental
author: frack113
date: 2021/07/13
@ -20,6 +19,7 @@ falsepositives:
- Unknown
level: medium
---
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
logsource:
product: windows
category: process_creation
@ -34,6 +34,7 @@ detection:
- '-RemoteFXvGPUDisablementFilePath'
condition: selection_cmd and selection_opt
---
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
logsource:
product: windows
service: powershell-classic
@ -49,6 +50,7 @@ detection:
- '-RemoteFXvGPUDisablementFilePath'
condition: selection_cmd and selection_opt
---
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
logsource:
product: windows
service: powershell


@ -1,6 +1,5 @@
action: global
title: Eventlog Cleared
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsoletes
@ -21,6 +20,7 @@ falsepositives:
- System provisioning (system reset before the golden image creation)
level: high
---
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
logsource:
product: windows
service: security
@ -31,6 +31,7 @@ detection:
- 1102
condition: selection
---
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
logsource:
product: windows
service: system


@ -25,3 +25,6 @@ fields:
- User
falsepositives:
- Account fallback reasons (after failed login with specific account)
tags:
- attack.credential_access
- attack.t1110.001


@ -1,6 +1,5 @@
action: global
title: Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
date: 2017/01/10
@ -19,6 +18,7 @@ falsepositives:
- Workstations with frequently changing users
level: medium
---
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
detection:
selection1:
EventID:
@ -28,6 +28,7 @@ detection:
WorkstationName: '*'
condition: selection1 | count(TargetUserName) by WorkstationName > 3
---
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
detection:
selection2:
EventID: 4776


@ -25,7 +25,7 @@ detection:
keywords:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: 1 of selection* and keywords
condition: 1 of selection* and all of keywords
falsepositives:
- MsMpEng.exe can crash when C:\ is full
level: high


@ -1,6 +1,5 @@
action: global
title: Zip A Folder With PowerShell For Staging In Temp
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
status: experimental
author: frack113
date: 2021/07/20
@ -14,6 +13,7 @@ falsepositives:
- Unknown
level: medium
---
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
logsource:
product: windows
category: process_creation
@ -26,6 +26,7 @@ detection:
- '$env:TEMP\'
condition: selection
---
id: 71ff406e-b633-4989-96ec-bc49d825a412
logsource:
product: windows
service: powershell-classic
@ -39,6 +40,7 @@ detection:
- '$env:TEMP\'
condition: selection
---
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
logsource:
product: windows
service: powershell


@ -1,6 +1,5 @@
action: global
title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
@ -16,6 +15,7 @@ detection:
ImagePath|contains: 'tap0901'
condition: selection
---
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
logsource:
product: windows
service: system
@ -23,10 +23,12 @@ detection:
selection:
EventID: 7045
---
id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb
logsource:
product: windows
category: driver_load
---
id: 9c8afa4d-0022-48f0-9456-3712466f9701
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Dumpert Process Dumper
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
author: Florian Roth
references:
@ -16,6 +15,7 @@ falsepositives:
- Very unlikely
level: critical
---
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
logsource:
category: process_creation
product: windows
@ -24,6 +24,7 @@ detection:
Imphash: '09D278F9DE118EF09163C6140255C690'
condition: selection
---
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
logsource:
category: file_event
product: windows


@ -15,3 +15,6 @@ detection:
falsepositives:
- unknown
level: high
tags:
- attack.command_and_control
- attack.t1219


@ -0,0 +1,25 @@
title: UAC Bypass Using Cleanmgr Temp File Creation
id: 6a8a8a65-15ac-4722-adb7-c93c213c180a
description: Detects the pattern of UAC bypass using cleanmgr.exe to create temporary files (UACMe 63)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
Image: 'C:\Windows\system32\cleanmgr.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
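Review bot: `Image: 'C:\Windows\system32\cleanmgr.exe'` and `TargetFilename|startswith: 'C:\Users\'` hard-code the drive letter and system root, while the repository's other rules match binaries with `Image|endswith` (e.g. `Image|endswith: '\svchost.exe'` later in this commit); a host with Windows or user profiles on another volume is missed silently. The same absolute-path pattern recurs in the consent/comctl32, IEInstal and Windows Media Player rules below (`C:\Windows\System32\consent.exe.@`, `C:\Program Files\Internet Explorer\IEInstal.exe`, `C:\Windows\system32\DllHost.exe`) and in every `TargetFilename|startswith: 'C:\Users\'` of this series. Switching to `Image|endswith: '\cleanmgr.exe'` and replacing the startswith with `'\Users\'` folded into a `TargetFilename|contains|all:` list next to the existing `'\AppData\Local\Temp\'` keeps the detection without the drive assumption.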


@ -0,0 +1,23 @@
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
author: Christian Burkard
date: 2021/08/23
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
TargetFilename|endswith: '\comctl32.dll'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,23 @@
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,25 @@
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: 'consent.exe'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,23 @@
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,23 @@
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,25 @@
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith:
- '\AppData\Local\Temp\system32\winsat.exe'
- '\AppData\Local\Temp\system32\winmm.dll'
condition: selection
falsepositives:
- Unknown
level: high


@ -0,0 +1,26 @@
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
author: Christian Burkard
date: 2021/08/23
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection1:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
selection2:
Image: 'C:\Windows\system32\DllHost.exe'
TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high


@ -23,7 +23,7 @@ detection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
- '\svchost.exe'
@ -53,7 +53,7 @@ detection:
Signed: "FALSE"
filter:
Image|contains: 'Visual Studio'
condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
condition: (signedprocess and not filter) or (unsignedprocess and not filter)
fields:
- ComputerName
- User


@ -1,6 +1,5 @@
action: global
title: Time Travel Debugging Utility Usage
id: e76c8240-d68f-4773-8880-5c6f63595aaf
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
@ -19,6 +18,7 @@ falsepositives:
- Legitimate usage by software developers/testers
level: high
---
id: e76c8240-d68f-4773-8880-5c6f63595aaf
logsource:
product: windows
category: image_load
@ -29,6 +29,7 @@ detection:
- '\ttdwriter.dll'
- '\ttdloader.dll'
---
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
logsource:
product: windows
category: process_creation


@ -0,0 +1,19 @@
title: APT PRIVATELOG Image Load Pattern
id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
status: experimental
description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
references:
- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
author: Florian Roth
date: 2021/09/07
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
ImageLoaded|endswith: '\clfsw32.dll'
condition: selection
falsepositives:
- Rarely observed
level: high
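Review bot: The rule has no `tags:` block, unlike the other new rules in this commit, so it carries no ATT&CK mapping; the referenced FireEye write-up describes CLFS log files used for stealth, so `- attack.defense_evasion` looks like the minimum, with the technique left to the maintainers. `falsepositives: - Rarely observed` gives an analyst no hint which legitimate svchost-hosted services, if any, load `clfsw32.dll`; one sentence on what was checked would make the `level: high` easier to trust.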


@ -23,3 +23,5 @@ fields:
falsepositives:
- Unlikely
level: high
tags:
- attack.execution


@ -72,3 +72,6 @@ fields:
falsepositives:
- Unlikely
level: high
tags:
- attack.resource_development
- attack.t1588


@ -1,6 +1,5 @@
action: global
title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
status: experimental
description: Attempts to detect system changes made by Blue Mockingbird
references:
@ -17,6 +16,7 @@ level: high
detection:
condition: 1 of them
---
id: c3198a27-23a0-4c2c-af19-e5328d49680e
logsource:
category: process_creation
product: windows
@ -27,6 +27,7 @@ detection:
- 'sc config'
- 'wercplsupporte.dll'
---
id: ce239692-aa94-41b3-b32f-9cab259c96ea
logsource:
category: process_creation
product: windows
@ -35,6 +36,7 @@ detection:
Image|endswith: '\wmic.exe'
CommandLine|endswith: 'COR_PROFILER'
---
id: 92b0b372-a939-44ed-a11b-5136cf680e27
logsource:
product: windows
category: registry_event


@ -26,3 +26,6 @@ falsepositives:
- Unknown
- UAC bypass method used by other malware
level: critical
tags:
- attack.execution
- attack.t1204


@ -24,3 +24,6 @@ detection:
falsepositives:
- Unlikely
level: critical
tags:
- attack.execution
- attack.t1204


@ -1,6 +1,5 @@
action: global
title: Regsvr32 Network Activity
id: c7e91a02-d771-4a6d-a700-42587e0b1095
description: Detects network connections and DNS queries initiated by Regsvr32.exe
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
@ -31,10 +30,12 @@ falsepositives:
- unknown
level: high
---
id: c7e91a02-d771-4a6d-a700-42587e0b1095
logsource:
category: network_connection
product: windows
---
id: 36e037c4-c228-4866-b6a3-48eb292b9955
logsource:
category: dns_query
product: windows


@ -31,3 +31,6 @@ detection:
falsepositives:
- unknown
level: high
tags:
- attack.command_and_control
- attack.t1105


@ -17,4 +17,7 @@ detection:
condition: selection
falsepositives:
- unlikely
level: high
level: high
tags:
- attack.execution
- attack.t1059


@ -1,6 +1,5 @@
action: global
title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
modified: 2021/07/05
@ -16,7 +15,8 @@ tags:
falsepositives:
- Administrator actions
level: high
---
---
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
logsource:
product: windows
service: windefend
@ -35,6 +35,7 @@ detection:
Details: 'DWORD (0x00000001)'
condition: 1 of them
---
id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
logsource:
product: windows
category: registry_event
@ -45,6 +46,7 @@ detection:
Details: 'DWORD (0x00000001)'
condition: tamper_registry
---
id: 6c0a7755-6d31-44fa-80e1-133e57752680
logsource:
product: windows
category: system


@ -1,6 +1,5 @@
action: global
title: Windows Defender Exclusions Added
id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
description: Detects the Setting of Windows Defender Exclusions
date: 2021/07/06
author: Christian Burkard
@ -15,24 +14,22 @@ falsepositives:
- Administrator actions
level: medium
---
id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
logsource:
product: windows
service: windefend
detection:
selection1:
EventID:
- 5007
New Value|contains:
- '\Microsoft\Windows Defender\Exclusions'
EventID: 5007
New Value|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection1
---
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
logsource:
product: windows
category: registry_event
detection:
selection2:
EventID:
- 13
TargetObject|contains:
- '\Microsoft\Windows Defender\Exclusions'
EventID: 13
TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection2


@ -20,3 +20,6 @@ detection:
falsepositives:
- unlikely
level: high
tags:
- attack.execution
- attack.t1059


@ -0,0 +1,23 @@
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: experimental
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard
date: 2021/08/27
logsource:
service: msexchange-management
product: windows
detection:
command:
- 'Remove-MailboxExportRequest'
- ' -Identity '
- ' -Confirm "False"'
condition: all of command
falsepositives:
- unknown
level: high
tags:
- attack.defense_evasion
- attack.t1070
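Review bot: The `command` list requires the literal `' -Confirm "False"'`, which appears to be the exact invocation from the referenced Metasploit module line; an operator removing the export request manually, or with PowerShell's usual `-Confirm:$false`, would not match even though `Remove-MailboxExportRequest` plus `-Identity` is the interesting part. If catching the Metasploit cleanup specifically is the intent, the description should say so; otherwise a second, lower-level selection on `Remove-MailboxExportRequest` alone would cover the manual case. `condition: all of command` presumably ANDs the three substrings, whereas a plain list selection ORs them; a short comment on the condition line would keep that from being "simplified" to `command` later.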


@ -1,6 +1,5 @@
action: global
title: PsExec Tool Execution
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
author: Thomas Patzke
@ -28,6 +27,7 @@ falsepositives:
- unknown
level: low
---
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
logsource:
product: windows
service: system
@ -40,6 +40,7 @@ detection:
EventID: 7036
ServiceName: 'PSEXESVC'
---
id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
logsource:
category: process_creation
product: windows
@ -50,6 +51,7 @@ detection:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
---
id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
logsource:
category: pipe_created
product: windows
@ -57,6 +59,7 @@ detection:
sysmon_pipecreated:
PipeName: '\PSEXESVC'
---
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
logsource:
category: file_event
product: windows


@ -1,6 +1,5 @@
action: global
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: experimental
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
@ -18,6 +17,7 @@ falsepositives:
- Unknown (data set is too small; further testing needed)
level: medium
---
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
logsource:
product: windows
service: wmi #native windows detection
@ -34,6 +34,7 @@ detection:
EventID: 5859
condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration)
---
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
logsource:
product: windows
service: security


@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
selection_MSSE:
PipeName|contains|all:


@ -6,7 +6,7 @@ references:
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
date: 2021/07/30
modifed: 2021/08/26
modified: 2021/09/02
author: Florian Roth
tags:
- attack.defense_evasion
@ -15,34 +15,28 @@ tags:
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
selection:
- PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
- PipeName|re: '\\mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}'
- PipeName|re: '\\wkssvc[0-9a-f]{2}'
- PipeName|re: '\\wkssvc_[0-9a-f]{2}'
- PipeName|re: '\\ntsvcs[0-9a-f]{2}'
- PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
- PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
- PipeName|re: '\\mypipe\-f[0-9a-f]{2}'
- PipeName|re: '\\mypipe\-h[0-9a-f]{2}'
- PipeName|re: '\\windows\.update\.manager[0-9a-f]{2}'
- PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}'
- PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
- PipeName|re: '\\scerpc_[0-9a-f]{2}'
- PipeName|re: '\\scerpc[0-9a-f]{2}'
- PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
- PipeName|re: '\\MsFteWds[0-9a-f]{2}'
- PipeName|re: '\\f4c3[0-9a-f]{2}'
- PipeName|re: '\\fullduplex_[0-9a-f]{2}'
- PipeName|re: '\\msrpc_[0-9a-f]{4}'
- PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
- PipeName|re: '\\f53f[0-9a-f]{2}'
- PipeName|re: '\\rpc_[0-9a-f]{2}'
- PipeName|re: '\\spoolss_[0-9a-f]{2}'
- PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}'
- PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
- PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
- PipeName|re: '\\\\wkssvc_?[0-9a-f]{2}'
- PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'
- PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'
- PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'
- PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}'
- PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}'
- PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'
- PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'
- PipeName|re: '\\\\PGMessagePipe[0-9a-f]{2}'
- PipeName|re: '\\\\MsFteWds[0-9a-f]{2}'
- PipeName|re: '\\\\f4c3[0-9a-f]{2}'
- PipeName|re: '\\\\fullduplex_[0-9a-f]{2}'
- PipeName|re: '\\\\msrpc_[0-9a-f]{4}'
- PipeName|re: '\\\\win\\\\msrpc_[0-9a-f]{2}'
- PipeName|re: '\\\\f53f[0-9a-f]{2}'
- PipeName|re: '\\\\rpc_[0-9a-f]{2}'
- PipeName|re: '\\\\spoolss_[0-9a-f]{2}'
- PipeName|re: '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'
condition: selection
falsepositives:
- Unknown
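Review bot: The rewritten patterns double the backslash escapes (`'\\\\wkssvc_?[0-9a-f]{2}'`, `'\\\\win\\\\msrpc_[0-9a-f]{2}'`), which as a regex means two literal backslashes, while the Sysmon PipeName values elsewhere in this commit carry a single leading backslash (`PipeName: '\PSEXESVC'`, `'\Posh*'`) and the previous `\\` form matched exactly that. Unless a specific backend is known to strip one escaping layer before compiling the regex, these patterns will no longer match `\wkssvc_ab`-style names, and any such quoting belongs in the backend rather than the rule. If the double escaping is intentional, a comment above `selection:` naming the backend it targets would stop the next editor from reverting it.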


@ -34,6 +34,7 @@ detection:
- '\Posh*' #PoshC2 default
- '\jaccdpqnvbrrxlaf' #PoshC2 default
- '\csexecsvc' #CSEXEC default
- '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake
condition: selection
tags:
- attack.defense_evasion


@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
selection_malleable_profiles:
- PipeName|startswith:
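Review bot: The rewritten `definition:` at L2428 is a single-line quoted scalar of roughly 330 characters; writing it as a folded block scalar (`definition: >-` with the sentence broken at spaces across indented lines) yields the identical runtime string while staying within line-length limits, and the new sentence should end with a period. The same string is repeated verbatim in the new rule at L2447, so the same folding applies there. The rule's `detection:` block continues below this hunk.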


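--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,19 @@
+title: WMI Event Consumer Created Named Pipe
+id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
+status: experimental
+description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
+references:
+- https://github.com/RiccardoAncarani/LiquidSnake
+date: 2021/09/01
+author: Florian Roth
+logsource:
+product: windows
+category: pipe_created
+definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
+detection:
+selection:
+Image|endswith: '\scrcons.exe'
+condition: selection
+falsepositives:
+- Unknown
+level: high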
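Review bot: The new rule has no `tags:` block, unlike the other rules touched in this commit (for example L2418–L2419 and L2505–L2506), so it carries no ATT&CK mapping; add the technique it is meant to cover, presumably WMI event-subscription persistence (`attack.persistence` / `attack.t1546.003`), after confirming that is the intended coverage. The selection `Image|endswith: '\scrcons.exe'` matches every named pipe the WMI script-consumer host creates and is rated `level: high`, yet `falsepositives:` only says `Unknown`; environments that legitimately run permanent event consumers would presumably trip it too, so a line such as `- Legitimate ActiveScriptEventConsumer scripts that open named pipes (verify per environment)` would make the tuning expectation explicit. The hunk is the complete file, so both additions belong in this rule.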


@ -1,6 +1,5 @@
action: global
title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
@ -18,6 +17,7 @@ falsepositives:
- Citrix ConfigSync.ps1
level: medium
---
id: 64e8e417-c19a-475a-8d19-98ea705394cc
logsource:
product: windows
service: powershell
@ -30,6 +30,7 @@ detection:
ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
condition: selection and not filter
---
id: d7326048-328b-4d5e-98af-86e84b17c765
logsource:
product: windows
service: powershell-classic
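Review bot: Moving `id:` out of the global section appears to give the `powershell-classic` document a fresh id (`d7326048-…` at L2477) while the `powershell` document keeps the former global id (`64e8e417-…` at L2469), so any downstream suppression, tuning or test fixture keyed on the old id now covers only the first document; that split should be recorded with a `modified:` date in the global section and a sentence in the description, neither of which appears in the hunks. The first hunk ends at `date: 2019/08/11` with no `modified:` field in view, so it may need to be added rather than updated. The documents' `detection:` blocks continue outside the hunks, and which lines are old or new is inferred from the hunk counts since the rendered page dropped the `+`/`-` markers.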


@ -1,8 +1,9 @@
title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: experimental
status: test
description: Detects Commandlet name for PrintNightmare exploitation.
date: 2021/08/09
modified: 2021/08/31
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
@ -13,8 +14,10 @@ logsource:
detection:
selection:
EventID: 4104
ScriptBlockText: Invoke-Nightmare
ScriptBlockText|contains: Invoke-Nightmare
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.privilege_escalation
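Review bot: The new `ScriptBlockText|contains: Invoke-Nightmare` at L2500 leaves the value as a plain unquoted scalar; quoting it as `ScriptBlockText|contains: 'Invoke-Nightmare'` matches how string values are written elsewhere in this commit (for example `'\scrcons.exe'` at L2450) and guards against a later edit that starts the value with a YAML indicator. Changing from an exact match to `contains` also widens the rule to any script block that merely mentions the function name, such as a module being imported or the PoC text being inspected rather than run, so the `falsepositives:` entry, still `Unknown`, could say that. The `logsource:` block for this rule lies above the hunk.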


@ -23,7 +23,7 @@ detection:
- ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
- ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
- ScriptBlockText|re: '\$VerbosePreference\.ToString\('
- ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
selection_3:
@ -33,7 +33,7 @@ detection:
- Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- Payload|re: '\*mdr\*\W\s*\)\.Name'
- Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
- Payload|re: '\$VerbosePreference\.ToString\('
- Payload|re: '\String\]\s*\$VerbosePreference'
condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
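Review bot: The rewritten pattern `'\\\\*mdr\\\\*\W\s*\)\.Name'` at L2515 (and its twin at L2524) no longer matches what the previous `'\*mdr\*\W\s*\)\.Name'` matched: inside a single-quoted YAML scalar nothing is unescaped, so the regex engine receives `\\\\*`, i.e. one literal backslash followed by any number of backslashes, and the literal `*` characters the old pattern anchored on are no longer required at all. Unless the target backend unescapes `\\` before compiling (the pipe-name hunks earlier in this commit apply the same doubling, so that may be the intent), this is a silent regression; either restore `'\*mdr\*\W\s*\)\.Name'` or put a comment above the line naming the backend escaping convention the doubled backslashes serve. Which of the paired lines is the new side is inferred from print order and the sibling hunks, since the rendered page dropped the `+`/`-` markers.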


@ -4,6 +4,7 @@ status: experimental
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
tags:
- attack.defense_evasion
- attack.t1564.004
