Merge branch 'master' into rule-devel

This commit is contained in:
Florian Roth 2020-06-19 09:24:26 +02:00
commit b675c4c706
341 changed files with 3193 additions and 1786 deletions


@ -35,3 +35,6 @@ jobs:
- name: Test Generated Elasticsearch Query Strings - name: Test Generated Elasticsearch Query Strings
run: | run: |
make test-backend-es-qs make test-backend-es-qs
- name: Test SQL(ite) Backend
run: |
make test-backend-sql

3
.gitignore vendored

@ -95,3 +95,6 @@ settings.json
# VisualStudio # VisualStudio
.vs/ .vs/
.vscode/launch.json .vscode/launch.json
# sigma2attack
heatmap.json


@ -6,15 +6,39 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0. from version 0.14.0.
## Unreleased ## 0.17.0 - 2020-06-12
### Added ### Added
* LOGIQ Backend (logiq) * LOGIQ Backend (logiq)
* CarbonBlack backend (carbonblack) and field mappings
* Elasticsearch detection rule backend (es-rule)
* ee-outliers backend
* CrowdStrike backend (crowdstrike)
* Humio backend (humio)
* Aggregations in SQL backend
* SQLite backend (sqlite)
* AWS Cloudtrail ECS mappings
* Overrides
* Zeek configurations for various backends
* Case-insensitive matching for Elasticsearch
* ECS proxy mappings
* RuleName field mapping for Winlogbeat
* sigma2attack tool
### Changed
* Improved usage of keyword fields for Elasticsearch-based backends
* Splunk XML backend rule titles from sigma rule instead of file name
* Moved backend option list to --help-backend
* Microsoft Defender ATP schema improvements
### Fixed ### Fixed
* Splunx XML rule name is now set to rule title * Splunx XML rule name is now set to rule title
* Backend list deduplicated
* Wrong escaping of wildcard at end of value when startswith modifier is used.
* Direct execution of tools on Windows systems by addition of script entry points
## 0.16.0 - 2020-02-25 ## 0.16.0 - 2020-02-25


@ -14,12 +14,13 @@ finish:
test-rules: test-rules:
yamllint rules yamllint rules
tests/test_rules.py tests/test_rules.py
tools/sigma-uuid -Ver rules/ tools/sigma_uuid -Ver rules/
test-sigmac: test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -h $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -h
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -l $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -l
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac --backend-help es-qs
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
@ -31,9 +32,10 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c sysmon -c winlogbeat -O case_insensitive_whitelist=* rules/windows/process_creation > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
@ -58,6 +60,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
@ -107,10 +110,14 @@ test-merge:
test-backend-es-qs: test-backend-es-qs:
tests/test-backend-es-qs.py tests/test-backend-es-qs.py
test-backend-sql:
cd tools && python3 setup.py install
cd tools && $(COVERAGE) run -m pytest tests/test_backend_sql.py tests/test_backend_sqlite.py
test-sigma2attack: test-sigma2attack:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigma2attack $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigma2attack
build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg build: tools/sigma/*.py tools/setup.py tools/setup.cfg
cd tools && python3 setup.py bdist_wheel sdist cd tools && python3 setup.py bdist_wheel sdist
upload-test: build upload-test: build
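Review bot: The new es-qs invocation with `-c sysmon -c winlogbeat` passes `-O case_insensitive_whitelist=*` unquoted, so the shell globs that word before sigmac sees it; it only survives because nothing in the working directory matches, and a `nullglob` shell would drop it entirely. Quote it as `-O 'case_insensitive_whitelist=*'`, the way the `-f '...'` filter on the splunk lines already is. In the new `test-backend-sql` target, `$(COVERAGE) run -m pytest` runs without `-a` and after `cd tools`, so its coverage data presumably lands in `tools/.coverage` and is not appended to the data the other targets accumulate with `run -a` — worth confirming if the final coverage report is meant to include the SQL backends. `python3 setup.py install` as a test step also installs the package into the active interpreter as a side effect; `pip install -e .` or a `PYTHONPATH` entry would exercise the checkout without mutating the environment. Whether `test-backend-sql` is declared in `.PHONY` is outside the hunk.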


@ -88,9 +88,9 @@ Sysmon: Web Shell Detection
Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
![sigma_rule example5](./images/Sigma_rule_example5.png) ![sigma_rule example5](./images/Sigma_rule_example5.png)
# Sigma Tools # Sigma Tools
## Sigmac ## Sigmac
Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@ -98,7 +98,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
### Usage ### Usage
``` ```bash
usage: sigmac [-h] [--recurse] [--filter FILTER] usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}] [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}]
[--target-list] [--config CONFIG] [--output OUTPUT] [--target-list] [--config CONFIG] [--output OUTPUT]


@ -1,10 +1,10 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed # Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
# comments etc.) of sigma-uuid script. # comments etc.) of sigma_uuid script.
# #
# Usually used as follows: # Usually used as follows:
# 1. Add UUIDs to rules: # 1. Add UUIDs to rules:
# tools/sigma-uuid -er rules # tools/sigma_uuid -er rules
# 2. Generate and filter patch # 2. Generate and filter patch
# git diff | contrib/filter-uuid-patch > rule-uuid.diff # git diff | contrib/filter-uuid-patch > rule-uuid.diff
# 3. Reset to previous state # 3. Reset to previous state


@ -104,7 +104,7 @@ logsource:
detection: detection:
selection_file_creation: selection_file_creation:
EventID: 11 EventID: 11
TargetFileName|contains: TargetFilename|contains:
- '.dmp' # dump process memory - '.dmp' # dump process memory
- 'Desktop\how' # Ransomware - 'Desktop\how' # Ransomware
- 'Desktop\decrypt' # Ransomware - 'Desktop\decrypt' # Ransomware


@ -5,7 +5,7 @@ description: Detects process reimaging defense evasion technique
# where # where
# selection1: ImageFileName != selection1: OriginalFileName # selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid # selection1: ParentProcessGuid = selection2: ProcessGuid
# selection1: Image = selection2: TargetFileName # selection1: Image = selection2: TargetFilename
# and new field ImageFileName is coming from enrichment # and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\<ImageFileName>$ # selection1: Image = ^.+\\<ImageFileName>$
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec. # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
@ -45,4 +45,4 @@ detection:
EventID: 11 EventID: 11
fields: fields:
- ProcessGuid - ProcessGuid
- TargetFileName - TargetFilename


@ -5,20 +5,21 @@ author: vitaliy0x1
date: 2020/01/21 date: 2020/01/21
description: Detects disabling, deleting and updating of a Trail description: Detects disabling, deleting and updating of a Trail
references: references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource: logsource:
service: cloudtrail service: cloudtrail
detection: detection:
selection_source: selection_source:
- eventSource: cloudtrail.amazonaws.com - eventSource: cloudtrail.amazonaws.com
events: events:
- eventName: - eventName:
- StopLogging - StopLogging
- UpdateTrail - UpdateTrail
- DeleteTrail - DeleteTrail
condition: selection_source AND events condition: selection_source AND events
level: medium level: medium
falsepositives: falsepositives:
- Valid change in a Trail - Valid change in a Trail
tags: tags:
- attack.t1089 - attack.t1089
- attack.t1562.001


@ -5,17 +5,18 @@ author: vitaliy0x1
date: 2020/01/21 date: 2020/01/21
description: Detects AWS Config Service disabling description: Detects AWS Config Service disabling
logsource: logsource:
service: cloudtrail service: cloudtrail
detection: detection:
selection_source: selection_source:
- eventSource: config.amazonaws.com - eventSource: config.amazonaws.com
events: events:
- eventName: - eventName:
- DeleteDeliveryChannel - DeleteDeliveryChannel
- StopConfigurationRecorder - StopConfigurationRecorder
condition: selection_source AND events condition: selection_source AND events
level: high level: high
falsepositives: falsepositives:
- Valid change in AWS Config Service - Valid change in AWS Config Service
tags: tags:
- attack.t1089 - attack.t1089
- attack.t1562.001


@ -21,3 +21,4 @@ falsepositives:
- Valid changes to the startup script - Valid changes to the startup script
tags: tags:
- attack.t1064 - attack.t1064
- attack.t1059


@ -19,3 +19,4 @@ falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners) - Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags: tags:
- attack.t1089 - attack.t1089
- attack.t1562.001


@ -9,6 +9,7 @@ tags:
- attack.s0003 - attack.s0003
- attack.t1156 - attack.t1156
- attack.persistence - attack.persistence
- attack.t1546.004
author: Peter Matkovski author: Peter Matkovski
logsource: logsource:
product: linux product: linux


@ -11,6 +11,7 @@ references:
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1054 - attack.t1054
- attack.t1562.006
author: Mikhail Larin, oscd.community author: Mikhail Larin, oscd.community
status: experimental status: experimental
date: 2019/10/25 date: 2019/10/25


@ -10,6 +10,7 @@ references:
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1054 - attack.t1054
- attack.t1562.006
author: Mikhail Larin, oscd.community author: Mikhail Larin, oscd.community
status: experimental status: experimental
date: 2019/10/25 date: 2019/10/25


@ -5,6 +5,7 @@ description: Detects posible command execution by web application/web shell
tags: tags:
- attack.persistence - attack.persistence
- attack.t1100 - attack.t1100
- attack.t1505.003
references: references:
- personal experience - personal experience
author: Ilyas Ochkov, Beyu Denis, oscd.community author: Ilyas Ochkov, Beyu Denis, oscd.community


@ -1,8 +1,7 @@
title: Data Compressed title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
of data sent over the network
author: Timur Zinniatullin, oscd.community author: Timur Zinniatullin, oscd.community
date: 2019/10/21 date: 2019/10/21
modified: 2019/11/04 modified: 2019/11/04
@ -30,3 +29,4 @@ level: low
tags: tags:
- attack.exfiltration - attack.exfiltration
- attack.t1002 - attack.t1002
- attack.t1560


@ -5,6 +5,7 @@ status: experimental
tags: tags:
- attack.persistence - attack.persistence
- attack.t1501 - attack.t1501
- attack.t1543.002
author: Jakob Weinzettl, oscd.community author: Jakob Weinzettl, oscd.community
date: 2019/09/23 date: 2019/09/23
logsource: logsource:


@ -2,19 +2,27 @@ title: Clear Command History
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: experimental status: experimental
description: Clear command history in linux which is used for defense evasion. description: Clear command history in linux which is used for defense evasion.
# Example config for this one (place it in .bash_profile):
# (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
# It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty
# We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example)
# It has two advantages over the version suggested by Patrick Bareiss :
# - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities !
# - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected
references: references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
- https://attack.mitre.org/techniques/T1146/ - https://attack.mitre.org/techniques/T1146/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
author: Patrick Bareiss author: Patrick Bareiss
date: 2019/03/24 date: 2019/03/24
modified: 2020/05/28
logsource: logsource:
product: linux product: linux
detection: detection:
keywords: keywords:
- 'rm *bash_history' - 'rm *bash_history'
- 'echo "" > *bash_history' - 'echo "" > *bash_history'
- 'cat /dev/null > *bash_history' - 'cat /dev/null > *bash_history'
- 'ln -sf /dev/null *bash_history' - 'ln -sf /dev/null *bash_history'
- 'truncate -s0 *bash_history' - 'truncate -s0 *bash_history'
# - 'unset HISTFILE' # prone to false positives # - 'unset HISTFILE' # prone to false positives
@ -22,6 +30,7 @@ detection:
- 'history -c' - 'history -c'
- 'history -w' - 'history -w'
- 'shred *bash_history' - 'shred *bash_history'
- 'empty_bash_history'
condition: keywords condition: keywords
falsepositives: falsepositives:
- Unknown - Unknown
@ -29,3 +38,4 @@ level: high
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1146 - attack.t1146
- attack.t1551.003
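Review bot: The new keyword `'empty_bash_history'` only ever matches if the custom `inotifywait`/`logger` monitor described in the YAML comment is deployed, yet nothing in `logsource` or `description` tells a deployer that; state in `description` (or a dedicated `falsepositives`/`definition` entry) that this keyword requires the syslog tag `empty_bash_history` emitted by that monitor and is otherwise inert, so the dependency is visible to tooling rather than buried in a comment. The added tag `attack.t1551.003` — like `attack.t1551`/`attack.t1551.003` in the cisco clear-logs section and `attack.t1551.004` in the wipe section further down — presumably comes from the ATT&CK sub-technique beta numbering; in the published taxonomy Clear Command History is `T1070.003` and File Deletion `T1070.004`, so verify these IDs before downstream mappings depend on them.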


@ -11,6 +11,8 @@ tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1146 - attack.t1146
- attack.t1070 - attack.t1070
- attack.t1551.003
- attack.t1551
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -17,6 +17,7 @@ tags:
- attack.t1003 - attack.t1003
- attack.t1081 - attack.t1081
- attack.t1005 - attack.t1005
- attack.t1552.001
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -12,6 +12,8 @@ tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1130 - attack.t1130
- attack.t1145 - attack.t1145
- attack.t1553.004
- attack.t1552.004
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -9,6 +9,7 @@ date: 2019/08/11
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1089 - attack.t1089
- attack.t1562.001
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -14,6 +14,9 @@ tags:
- attack.t1107 - attack.t1107
- attack.t1488 - attack.t1488
- attack.t1487 - attack.t1487
- attack.t1561.002
- attack.t1551.004
- attack.t1561.001
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -12,6 +12,7 @@ tags:
- attack.credential_access - attack.credential_access
- attack.t1139 - attack.t1139
- attack.t1056 - attack.t1056
- attack.t1552.003
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -16,6 +16,9 @@ tags:
- attack.t1100 - attack.t1100
- attack.t1168 - attack.t1168
- attack.t1490 - attack.t1490
- attack.t1565.002
- attack.t1505
- attack.t1053
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -19,6 +19,8 @@ tags:
- attack.t1105 - attack.t1105
- attack.t1492 - attack.t1492
- attack.t1002 - attack.t1002
- attack.t1560
- attack.t1565.001
logsource: logsource:
product: cisco product: cisco
service: aaa service: aaa


@ -7,17 +7,18 @@ references:
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags: tags:
- attack.t1071 - attack.t1071
- attack.t1071.004
author: Markus Neis author: Markus Neis
date: 2018/08/08 date: 2018/08/08
logsource: logsource:
category: dns category: dns
detection: detection:
selection: selection:
record_type: 'TXT' record_type: 'TXT'
answer: answer:
- '*IEX*' - '*IEX*'
- '*Invoke-Expression*' - '*Invoke-Expression*'
- '*cmd.exe*' - '*cmd.exe*'
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown


@ -6,46 +6,48 @@ date: 2020/03/19
references: references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-execution - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
tags: tags:
- attack.execution - attack.execution
- attack.t1035 - attack.t1035
- attack.t1047 - attack.t1047
- attack.t1053 - attack.t1053
- attack.t1053.002
- attack.t1569.002
logsource: logsource:
product: zeek product: zeek
service: dce_rpc service: dce_rpc
detection: detection:
op1: op1:
endpoint: 'JobAdd' endpoint: 'JobAdd'
operation: 'atsvc' operation: 'atsvc'
op2: op2:
endpoint: 'ITaskSchedulerService' endpoint: 'ITaskSchedulerService'
operation: 'SchRpcEnableTask' operation: 'SchRpcEnableTask'
op3: op3:
endpoint: 'ITaskSchedulerService' endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRegisterTask' operation: 'SchRpcRegisterTask'
op4: op4:
endpoint: 'ITaskSchedulerService' endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRun' operation: 'SchRpcRun'
op5: op5:
endpoint: 'IWbemServices' endpoint: 'IWbemServices'
operation: 'ExecMethod' operation: 'ExecMethod'
op6: op6:
endpoint: 'IWbemServices' endpoint: 'IWbemServices'
operation: 'ExecMethodAsync' operation: 'ExecMethodAsync'
op7: op7:
endpoint: 'svcctl' endpoint: 'svcctl'
operation: 'CreateServiceA' operation: 'CreateServiceA'
op8: op8:
endpoint: 'svcctl' endpoint: 'svcctl'
operation: 'CreateServiceW' operation: 'CreateServiceW'
op9: op9:
endpoint: 'svcctl' endpoint: 'svcctl'
operation: 'StartServiceA' operation: 'StartServiceA'
op10: op10:
endpoint: 'svcctl' endpoint: 'svcctl'
operation: 'StartServiceW' operation: 'StartServiceW'
condition: 1 of them condition: 1 of them
falsepositives: falsepositives:
- 'Windows administrator tasks or troubleshooting' - 'Windows administrator tasks or troubleshooting'
- 'Windows management scripts or software' - 'Windows management scripts or software'
level: medium level: medium


@ -8,30 +8,31 @@ references:
tags: tags:
- attack.persistence - attack.persistence
- attack.t1004 - attack.t1004
- attack.t1547.004
logsource: logsource:
product: zeek product: zeek
service: dce_rpc service: dce_rpc
detection: detection:
op1: op1:
endpoint: 'spoolss' endpoint: 'spoolss'
operation: 'RpcAddMonitor' operation: 'RpcAddMonitor'
op2: op2:
endpoint: 'spoolss' endpoint: 'spoolss'
operation: 'RpcAddPrintProcessor' operation: 'RpcAddPrintProcessor'
op3: op3:
endpoint: 'IRemoteWinspool' endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddMonitor' operation: 'RpcAsyncAddMonitor'
op4: op4:
endpoint: 'IRemoteWinspool' endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddPrintProcessor' operation: 'RpcAsyncAddPrintProcessor'
op5: op5:
endpoint: 'ISecLogon' endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonW' operation: 'SeclCreateProcessWithLogonW'
op6: op6:
endpoint: 'ISecLogon' endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonExW' operation: 'SeclCreateProcessWithLogonExW'
condition: 1 of them condition: 1 of them
falsepositives: falsepositives:
- 'Windows administrator tasks or troubleshooting' - 'Windows administrator tasks or troubleshooting'
- 'Windows management scripts or software' - 'Windows management scripts or software'
level: medium level: medium


@ -8,9 +8,10 @@ references:
tags: tags:
- attack.command_and_control - attack.command_and_control
- attack.t1043 - attack.t1043
- attack.t1571
logsource: logsource:
product: zeek product: zeek
service: http service: http
date: 2020/05/01 date: 2020/05/01
detection: detection:
selection_webdav: selection_webdav:
@ -23,4 +24,4 @@ detection:
falsepositives: falsepositives:
- unknown - unknown
level: medium level: medium
status: experimental status: experimental


@ -11,6 +11,7 @@ tags:
- attack.t1053 - attack.t1053
- car.2013-05-004 - car.2013-05-004
- car.2015-04-001 - car.2015-04-001
- attack.t1053.002
logsource: logsource:
product: zeek product: zeek
service: smb_files service: smb_files


@ -8,14 +8,17 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource: logsource:
product: zeek product: zeek
service: smb_files service: smb_files
detection: detection:
selection: selection:
path: '\\*ADMIN$' path: '\\*ADMIN$'
name: '*SYSTEM32\\*.tmp' name: '*SYSTEM32\\*.tmp'
condition: selection condition: selection
falsepositives: falsepositives:
- 'unknown' - 'unknown'
level: high level: high


@ -1,14 +1,14 @@
title: First Time Seen Remote Named Pipe - Zeek title: First Time Seen Remote Named Pipe - Zeek
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
using named pipes
author: 'Samir Bousseaden, @neu5ron' author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02 date: 2020/04/02
references: references:
- https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1077 - attack.t1077
- attack.t1021.002
logsource: logsource:
product: zeek product: zeek
service: smb_files service: smb_files
@ -18,23 +18,23 @@ detection:
selection2: selection2:
path: \\*\IPC$ path: \\*\IPC$
name: name:
- 'atsvc' - 'atsvc'
- 'samr' - 'samr'
- 'lsarpc' - 'lsarpc'
- 'winreg' - 'winreg'
- 'netlogon' - 'netlogon'
- 'srvsvc' - 'srvsvc'
- 'protected_storage' - 'protected_storage'
- 'wkssvc' - 'wkssvc'
- 'browser' - 'browser'
- 'netdfs' - 'netdfs'
- 'svcctl' - 'svcctl'
- 'spoolss' - 'spoolss'
- 'ntsvcs' - 'ntsvcs'
- 'LSM_API_service' - 'LSM_API_service'
- 'HydraLsPipe' - 'HydraLsPipe'
- 'TermSrv_API_service' - 'TermSrv_API_service'
- 'MsFteWds' - 'MsFteWds'
condition: selection1 and not selection2 condition: selection1 and not selection2
falsepositives: falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe - update the excluded named pipe to filter out any newly observed legit named pipe


@ -8,6 +8,7 @@ references:
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1077 - attack.t1077
- attack.t1021.002
logsource: logsource:
product: zeek product: zeek
service: smb_files service: smb_files
@ -15,9 +16,9 @@ detection:
selection1: selection1:
path: \\*\IPC$ path: \\*\IPC$
name: name:
- '*-stdin' - '*-stdin'
- '*-stdout' - '*-stdout'
- '*-stderr' - '*-stderr'
selection2: selection2:
name: \\*\IPC$ name: \\*\IPC$
path: 'PSEXESVC*' path: 'PSEXESVC*'
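Review bot: `selection2` in the second hunk appears to invert the field roles used by `selection1`: it puts `\\*\IPC$` under `name` and `'PSEXESVC*'` under `path`, while `selection1` (and the other zeek smb_files rules in this commit) use `path` for the share and `name` for the pipe or file name. If that is not deliberate, the PSEXESVC branch can never match real `smb_files` events; swapping to `path: \\*\IPC$` and `name: 'PSEXESVC*'` would align it with `selection1`. These are context lines, so the issue predates this commit, and the `condition` that combines the two selections lies outside the hunk.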


@ -4,26 +4,29 @@ description: Transferring files with well-known filenames (sensitive files with
author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
date: 2020/04/02 date: 2020/04/02
references: references:
- https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource: logsource:
product: zeek product: zeek
service: smb_files service: smb_files
detection: detection:
selection: selection:
name: name:
- '\mimidrv' - '\mimidrv'
- '\lsass' - '\lsass'
- '\windows\minidump\' - '\windows\minidump\'
- '\hiberfil' - '\hiberfil'
- '\sqldmpr' - '\sqldmpr'
- '\sam' - '\sam'
- '\ntds.dit' - '\ntds.dit'
- '\security' - '\security'
condition: selection condition: selection
falsepositives: falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator - Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium level: medium
status: experimental status: experimental


@ -8,6 +8,7 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1208 - attack.t1208
- attack.t1558.003
logsource: logsource:
product: zeek product: zeek
service: kerberos service: kerberos


@ -13,7 +13,7 @@ logsource:
category: webserver category: webserver
detection: detection:
selection: selection:
c-uri: c-uri:
- '*/config/keystore/*.js*' - '*/config/keystore/*.js*'
condition: selection condition: selection
fields: fields:
@ -28,5 +28,6 @@ tags:
- attack.persistence - attack.persistence
- attack.privilege_escalation - attack.privilege_escalation
- cve.2018-2894 - cve.2018-2894
- attack.t1505
level: critical level: critical


@ -10,6 +10,7 @@ tags:
- attack.persistence - attack.persistence
- attack.lateral_movement - attack.lateral_movement
- attack.t1053 - attack.t1053
- attack.t1053.005
logsource: logsource:
product: windows product: windows
service: security service: security


@ -4,6 +4,7 @@ description: Detects access to $ADMIN share
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1077 - attack.t1077
- attack.t1021.002
status: experimental status: experimental
author: Florian Roth author: Florian Roth
date: 2017/03/04 date: 2017/03/04


@ -9,6 +9,7 @@ date: 2017/07/30
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1089 - attack.t1089
- attack.t1562.001
logsource: logsource:
product: windows product: windows
service: security service: security
@ -18,9 +19,9 @@ detection:
EventID: 4738 EventID: 4738
keywords: keywords:
Message: Message:
- '*DES*' - '*DES*'
- '*Preauth*' - '*Preauth*'
- '*Encrypted*' - '*Encrypted*'
filters: filters:
Message: Message:
- '*Enabled*' - '*Enabled*'


@ -10,6 +10,7 @@ tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
# Defender Attack Surface Reduction # Defender Attack Surface Reduction
- attack.t1003.001
logsource: logsource:
product: windows_defender product: windows_defender
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'


@ -1,7 +1,6 @@
title: Mimikatz Use title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
threat groups)
author: Florian Roth author: Florian Roth
date: 2017/01/10 date: 2017/01/10
modified: 2019/10/11 modified: 2019/10/11
@ -12,21 +11,25 @@ tags:
- attack.credential_access - attack.credential_access
- car.2013-07-001 - car.2013-07-001
- car.2019-04-004 - car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource: logsource:
product: windows product: windows
detection: detection:
keywords: keywords:
Message: Message:
- "* mimikatz *" - "* mimikatz *"
- "* mimilib *" - "* mimilib *"
- "* <3 eo.oe *" - "* <3 eo.oe *"
- "* eo.oe.kiwi *" - "* eo.oe.kiwi *"
- "* privilege::debug *" - "* privilege::debug *"
- "* sekurlsa::logonpasswords *" - "* sekurlsa::logonpasswords *"
- "* lsadump::sam *" - "* lsadump::sam *"
- "* mimidrv.sys *" - "* mimidrv.sys *"
- "* p::d *" - "* p::d *"
- "* s::l *" - "* s::l *"
condition: keywords condition: keywords
falsepositives: falsepositives:
- Naughty administrators - Naughty administrators


@ -17,18 +17,19 @@ tags:
- attack.t1075 - attack.t1075
- attack.t1114 - attack.t1114
- attack.t1059 - attack.t1059
- attack.t1550.002
logsource: logsource:
product: windows product: windows
service: security service: security
detection: detection:
selection1: selection1:
EventID: EventID:
- 4776 - 4776
Workstation: 'RULER' Workstation: 'RULER'
selection2: selection2:
EventID: EventID:
- 4624 - 4624
- 4625 - 4625
WorkstationName: 'RULER' WorkstationName: 'RULER'
condition: (1 of selection*) condition: (1 of selection*)
falsepositives: falsepositives:


@ -7,6 +7,7 @@ tags:
- attack.persistence - attack.persistence
- attack.g0010 - attack.g0010
- attack.t1050 - attack.t1050
- attack.t1543.003
date: 2017/03/31 date: 2017/03/31
author: Florian Roth author: Florian Roth
logsource: logsource:


@ -9,6 +9,7 @@ tags:
- attack.persistence - attack.persistence
- attack.g0064 - attack.g0064
- attack.t1050 - attack.t1050
- attack.t1543.003
logsource: logsource:
product: windows product: windows
service: system service: system


@ -9,6 +9,7 @@ tags:
- attack.persistence - attack.persistence
- attack.g0010 - attack.g0010
- attack.t1050 - attack.t1050
- attack.t1543.003
logsource: logsource:
product: windows product: windows
service: system service: system


@ -11,6 +11,7 @@ tags:
- attack.t1053 - attack.t1053
- car.2013-05-004 - car.2013-05-004
- car.2015-04-001 - car.2015-04-001
- attack.t1053.002
logsource: logsource:
product: windows product: windows
service: security service: security


@ -12,18 +12,19 @@ tags:
- attack.credential_access - attack.credential_access
- attack.s0002 - attack.s0002
- attack.t1003 - attack.t1003
- attack.t1003.006
logsource: logsource:
product: windows product: windows
service: security service: security
detection: detection:
selection: selection:
EventID: 4662 EventID: 4662
Properties: Properties:
- '*Replicating Directory Changes All*' - '*Replicating Directory Changes All*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
filter1: filter1:
SubjectDomainName: 'Window Manager' SubjectDomainName: 'Window Manager'
filter2: filter2:
SubjectUserName: SubjectUserName:
- 'NT AUTHORITY*' - 'NT AUTHORITY*'
- '*$' - '*$'


@ -1,15 +1,12 @@
title: Disabling Windows Event Auditing title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563 id: 69aeb277-f15f-4d2d-b32a-55e883609563
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing"
via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note,
that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform
these modifications in Active Directory anyways.'
references: references:
- https://bit.ly/WinLogsZero2Hero - https://bit.ly/WinLogsZero2Hero
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1054 - attack.t1054
- attack.t1562.006
author: '@neu5ron' author: '@neu5ron'
date: 2017/11/19 date: 2017/11/19
logsource: logsource:


@ -9,11 +9,12 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.004
logsource: logsource:
product: windows product: windows
service: security service: security
detection: detection:
selection: selection:
EventID: 4662 EventID: 4662
ObjectType: 'SecretObject' ObjectType: 'SecretObject'
AccessMask: '0x2' AccessMask: '0x2'
@ -21,4 +22,4 @@ detection:
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown
level: critical level: critical


@ -9,11 +9,12 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.004
logsource: logsource:
product: windows product: windows
service: security service: security
detection: detection:
selection: selection:
EventID: 4692 EventID: 4692
condition: selection condition: selection
fields: fields:


@ -10,6 +10,8 @@ tags:
- attack.execution - attack.execution
- attack.t1077 - attack.t1077
- attack.t1035 - attack.t1035
- attack.t1021
- attack.t1569.002
logsource: logsource:
product: windows product: windows
service: system service: system
@ -25,4 +27,4 @@ fields:
falsepositives: falsepositives:
- Penetration Test - Penetration Test
- Unknown - Unknown
level: critical level: critical


@ -8,6 +8,9 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource: logsource:
product: windows product: windows
service: security service: security


@ -12,7 +12,7 @@ falsepositives:
- Unknown - Unknown
level: high level: high
detection: detection:
selection: selection_1:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@ -20,7 +20,7 @@ detection:
- ImagePath|re: '\*mdr\*\W\s*\)\.Name' - ImagePath|re: '\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\(' - ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference' - ImagePath|re: '\String\]\s*\$VerbosePreference'
condition: selection condition: selection and selection_1
--- ---
logsource: logsource:
product: windows product: windows
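Review bot: The `ImagePath|re` patterns in `selection_1` are case-sensitive as written (`\$PSHome\[`, `\$ShellId\[`, `\$env:Public\[`, `\$VerbosePreference`), while PowerShell variable names are not, so a payload spelled `$pshome[` or `$verbosepreference` slips past unless the target backend compiles `|re` case-insensitively; where the backend's regex dialect allows it, prefixing each pattern with `(?i)` closes that gap. Separately, `'\String\]\s*\$VerbosePreference'` escapes the `S`, which PCRE/Python-style engines read as `\S` (any non-whitespace character) rather than a literal `S` — it still hits `[String]$VerbosePreference`, but the intended literal is `'String\]\s*\$VerbosePreference'`. The `selection` that the new `condition: selection and selection_1` requires is not defined in this document; it is presumably supplied by the per-logsource documents after the `---` separator, which lie outside the hunk, and a comment on the condition saying so would spare the next reader a search.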


@ -1,7 +1,6 @@
title: First Time Seen Remote Named Pipe title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
using named pipes
author: Samir Bousseaden author: Samir Bousseaden
date: 2019/04/03 date: 2019/04/03
references: references:
@ -9,6 +8,7 @@ references:
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1077 - attack.t1077
- attack.t1021.002
logsource: logsource:
product: windows product: windows
service: security service: security
@ -21,23 +21,23 @@ detection:
EventID: 5145 EventID: 5145
ShareName: \\*\IPC$ ShareName: \\*\IPC$
RelativeTargetName: RelativeTargetName:
- 'atsvc' - 'atsvc'
- 'samr' - 'samr'
- 'lsarpc' - 'lsarpc'
- 'winreg' - 'winreg'
- 'netlogon' - 'netlogon'
- 'srvsvc' - 'srvsvc'
- 'protected_storage' - 'protected_storage'
- 'wkssvc' - 'wkssvc'
- 'browser' - 'browser'
- 'netdfs' - 'netdfs'
- 'svcctl' - 'svcctl'
- 'spoolss' - 'spoolss'
- 'ntsvcs' - 'ntsvcs'
- 'LSM_API_service' - 'LSM_API_service'
- 'HydraLsPipe' - 'HydraLsPipe'
- 'TermSrv_API_service' - 'TermSrv_API_service'
- 'MsFteWds' - 'MsFteWds'
condition: selection1 and not selection2 condition: selection1 and not selection2
falsepositives: falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe - update the excluded named pipe to filter out any newly observed legit named pipe


@ -10,11 +10,12 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.001
logsource: logsource:
product: windows product: windows
service: security service: security
detection: detection:
selection: selection:
EventID: EventID:
- 4663 - 4663
- 4656 - 4656


@ -11,6 +11,8 @@ tags:
- attack.t1035 - attack.t1035
- attack.t1050 - attack.t1050
- car.2013-09-005 - car.2013-09-005
- attack.t1543.003
- attack.t1569.002
logsource: logsource:
product: windows product: windows
service: system service: system
@ -24,6 +26,6 @@ detection:
malsvc_persistence: malsvc_persistence:
ServiceFileName|contains: 'net user' ServiceFileName|contains: 'net user'
condition: selection and 1 of malsvc_* condition: selection and 1 of malsvc_*
falsepositives: falsepositives:
- Penetration testing - Penetration testing
level: critical level: critical


@ -12,7 +12,7 @@ tags:
- attack.privilege_escalation - attack.privilege_escalation
- attack.t1134 - attack.t1134
detection: detection:
selection: selection_1:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all: - ServiceFileName|contains|all:
- 'cmd' - 'cmd'
@ -30,7 +30,7 @@ detection:
- 'rundll32' - 'rundll32'
- '.dll,a' - '.dll,a'
- '/p:' - '/p:'
condition: selection condition: selection and selection_1
fields: fields:
- ComputerName - ComputerName
- SubjectDomainName - SubjectDomainName
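Review bot: `condition: selection and selection_1` refers to a `selection` that this document never defines; under Sigma's rule-collection semantics it has to come from each per-logsource document that follows, which is outside the hunk, and nothing in this document tells the reader that. A comment on the condition such as `# 'selection' (the service-installation event) is defined in each logsource document below` would make the dependency explicit. The `ServiceFileName|contains|all` list for technique 1 opens with the bare token `'cmd'`; the remainder of that list and the second technique are cut by the hunk boundary, so I cannot judge how narrow the combined match ends up.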


@ -1,23 +1,25 @@
title: MMC20 Lateral Movement title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
author: '@2xxeformyshirt (Security Risk Advisors)' author: '@2xxeformyshirt (Security Risk Advisors)'
date: 2020/03/04 date: 2020/03/04
references: references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
tags: tags:
- attack.execution - attack.execution
- attack.t1175 - attack.t1175
- attack.t1021.003
- attack.t1559.001
logsource: logsource:
category: process_creation category: process_creation
product: windows product: windows
detection: detection:
selection: selection:
ParentImage: '*\svchost.exe' ParentImage: '*\svchost.exe'
Image: '*\mmc.exe' Image: '*\mmc.exe'
CommandLine: '*-Embedding*' CommandLine: '*-Embedding*'
condition: selection condition: selection
falsepositives: falsepositives:
- Unlikely - Unlikely
level: high level: high


@ -10,6 +10,7 @@ tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1075 - attack.t1075
- attack.s0002 - attack.s0002
- attack.t1550.002
logsource: logsource:
product: windows product: windows
service: security service: security


@ -10,6 +10,7 @@ tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1075 - attack.t1075
- car.2016-04-004 - car.2016-04-004
- attack.t1550.002
logsource: logsource:
product: windows product: windows
service: security service: security


@ -11,6 +11,7 @@ date: 2019/06/14
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1075 - attack.t1075
- attack.t1550.002
logsource: logsource:
product: windows product: windows
service: security service: security


@ -8,6 +8,7 @@ modified: 2019/11/13
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.002
level: critical level: critical
logsource: logsource:
product: windows product: windows


@ -10,6 +10,7 @@ tags:
- attack.persistence - attack.persistence
- attack.t1053 - attack.t1053
- car.2013-08-001 - car.2013-08-001
- attack.t1053.005
logsource: logsource:
product: windows product: windows
service: security service: security


@ -9,6 +9,7 @@ tags:
- attack.privilege_escalation - attack.privilege_escalation
- attack.t1050 - attack.t1050
- car.2013-09-005 - car.2013-09-005
- attack.t1543.003
logsource: logsource:
product: windows product: windows
service: system service: system


@ -9,6 +9,7 @@ tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1076 - attack.t1076
- car.2013-07-002 - car.2013-07-002
- attack.t1021
status: experimental status: experimental
author: Thomas Patzke author: Thomas Patzke
logsource: logsource:
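Review bot: The new tag `attack.t1021` is the parent technique, but the deprecated `attack.t1076` it accompanies is Remote Desktop Protocol, which has a precise sub-technique, `attack.t1021.001`; the other mappings in this commit carry the sub-technique (`attack.t1021.002` for SMB/admin shares, `attack.t1550.002` for pass-the-hash), so this one should too. The same parent-only `attack.t1021` appears on the next RDP rule in the commit and would take the same fix.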


@ -14,6 +14,7 @@ tags:
- attack.t1076 - attack.t1076
- attack.t1090 - attack.t1090
- car.2013-07-002 - car.2013-07-002
- attack.t1021
logsource: logsource:
product: windows product: windows
service: security service: security


@ -8,6 +8,7 @@ tags:
- attack.lateral_movement - attack.lateral_movement
- attack.privilege_escalation - attack.privilege_escalation
- attack.t1208 - attack.t1208
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24 date: 2019/10/24
logsource: logsource:


@ -9,11 +9,12 @@ references:
tags: tags:
- attack.execution - attack.execution
- attack.t1086 - attack.t1086
- attack.t1059.001
logsource: logsource:
product: windows product: windows
service: security service: security
detection: detection:
selection: selection:
EventID: 5156 EventID: 5156
DestPort: DestPort:
- 5985 - 5985


@ -10,6 +10,7 @@ tags:
- attack.persistence - attack.persistence
- attack.privilege_escalation - attack.privilege_escalation
- attack.t1178 - attack.t1178
- attack.t1134.005
logsource: logsource:
product: windows product: windows
service: security service: security
@ -25,7 +26,7 @@ detection:
- '-' - '-'
- '%%1793' - '%%1793'
filter_null: filter_null:
SidHistory: null SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null) condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives: falsepositives:
- Migration of an account into a new domain - Migration of an account into a new domain
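Review bot: Changing `SidHistory: null` to `SidHistory:` is a no-op for the YAML loader — an empty scalar parses to null as well — so `filter_null` still means "field absent/null" and `condition: selection1 or (selection2 and not selection3 and not filter_null)` behaves exactly as before. If the intent was to match an empty string value rather than a missing field, that needs `SidHistory: ''`; if the change is only stylistic, a short comment such as `# null: event has no SidHistory field` would stop the next reader from wondering which of the two was meant.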


@ -10,6 +10,7 @@ date: 2017/05/12
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1107 - attack.t1107
- attack.t1551.004
logsource: logsource:
product: windows product: windows
service: application service: application


@ -7,6 +7,7 @@ date: 2019/12/03
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1009 - attack.t1009
- attack.t1027
logsource: logsource:
product: windows product: windows
service: security service: security
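Review bot: The new tag `attack.t1027` is the parent technique, but the deprecated `attack.t1009` it sits under (Binary Padding) maps to a specific sub-technique, Obfuscated Files or Information: Binary Padding, i.e. `attack.t1027.001`; other files in this commit carry the precise sub-technique (`attack.t1562.001`, `attack.t1550.002`), so for consistency this one should as well. The same applies to the `attack.t1066` → `attack.t1027` pairing later in the commit, where the sub-technique is Indicator Removal from Tools, `attack.t1027.005`.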


@ -11,6 +11,7 @@ author: Dimitrios Slamaris
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1073 - attack.t1073
- attack.t1574.002
logsource: logsource:
product: windows product: windows
service: system service: system
@ -19,6 +20,6 @@ detection:
EventID: 1033 EventID: 1033
Source: Microsoft-Windows-DHCP-Server Source: Microsoft-Windows-DHCP-Server
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown
level: critical level: critical


@ -11,18 +11,19 @@ modified: 2019/07/17
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1073 - attack.t1073
- attack.t1574.002
author: "Dimitrios Slamaris, @atc_project (fix)" author: "Dimitrios Slamaris, @atc_project (fix)"
logsource: logsource:
product: windows product: windows
service: system service: system
detection: detection:
selection: selection:
EventID: EventID:
- 1031 - 1031
- 1032 - 1032
- 1034 - 1034
Source: Microsoft-Windows-DHCP-Server Source: Microsoft-Windows-DHCP-Server
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown
level: critical level: critical


@ -10,17 +10,18 @@ references:
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1073 - attack.t1073
- attack.t1574.002
author: Florian Roth author: Florian Roth
logsource: logsource:
product: windows product: windows
service: dns-server service: dns-server
detection: detection:
selection: selection:
EventID: EventID:
- 150 - 150
- 770 - 770
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown
level: critical level: critical


@ -10,6 +10,7 @@ tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1070 - attack.t1070
- car.2016-04-002 - car.2016-04-002
- attack.t1551
logsource: logsource:
product: windows product: windows
service: system service: system
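Review bot: `attack.t1551` is the identifier the ATT&CK sub-techniques beta assigned to Indicator Removal on Host, while the `attack.t1070` line it sits under is the ID of the same technique on the published matrix; if the final sub-technique release keeps T1070, this tag and the `attack.t1551.004`/`attack.t1551.006` tags added elsewhere in this commit will all need rewriting to `attack.t1070`/`attack.t1070.00x`, so it is worth pinning which taxonomy version the repository targets. Given the `car.2016-04-002` reference and `service: system`, the rule most likely covers event-log clearing, whose sub-technique would be `attack.t1070.001` rather than the parent — to be confirmed against the rule body, which is outside the hunk.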


@ -8,6 +8,7 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.001
logsource: logsource:
product: windows product: windows
service: security service: security


@ -12,6 +12,7 @@ tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- car.2019-04-004 - car.2019-04-004
- attack.t1003.001
logsource: logsource:
product: windows product: windows
service: security service: security
@ -40,7 +41,7 @@ detection:
- '4484' - '4484'
- '4416' - '4416'
filter: filter:
ProcessName|endswith: ProcessName|endswith:
- '\wmiprvse.exe' - '\wmiprvse.exe'
- '\taskmgr.exe' - '\taskmgr.exe'
- '\procexp64.exe' - '\procexp64.exe'


@ -5,6 +5,7 @@ tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1089 - attack.t1089
- attack.t1211 - attack.t1211
- attack.t1562.001
status: experimental status: experimental
date: 2017/05/09 date: 2017/05/09
references: references:


@ -10,6 +10,7 @@ date: 2018/06/08
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1075 - attack.t1075
- attack.t1550.002
logsource: logsource:
product: windows product: windows
service: ntlm service: ntlm


@ -1,7 +1,6 @@
title: Suspicious PsExec Execution title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
uses a different psexec client other than sysinternal one
author: Samir Bousseaden author: Samir Bousseaden
date: 2019/04/03 date: 2019/04/03
references: references:
@ -9,6 +8,7 @@ references:
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1077 - attack.t1077
- attack.t1021.002
logsource: logsource:
product: windows product: windows
service: security service: security
@ -18,9 +18,9 @@ detection:
EventID: 5145 EventID: 5145
ShareName: \\*\IPC$ ShareName: \\*\IPC$
RelativeTargetName: RelativeTargetName:
- '*-stdin' - '*-stdin'
- '*-stdout' - '*-stdout'
- '*-stderr' - '*-stderr'
selection2: selection2:
EventID: 5145 EventID: 5145
ShareName: \\*\IPC$ ShareName: \\*\IPC$


@ -7,6 +7,7 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1208 - attack.t1208
- attack.t1558.003
description: Detects service ticket requests using RC4 encryption type description: Detects service ticket requests using RC4 encryption type
author: Florian Roth author: Florian Roth
date: 2017/02/06 date: 2017/02/06


@ -10,6 +10,7 @@ tags:
- attack.privilege_escalation - attack.privilege_escalation
- attack.credential_access - attack.credential_access
- attack.t1171 - attack.t1171
- attack.t1557.001
logsource: logsource:
product: windows product: windows
service: security service: security


@ -5,6 +5,7 @@ description: Detects suspicious SAM dump activity as cause by QuarksPwDump and o
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.002
author: Florian Roth author: Florian Roth
date: 2018/01/27 date: 2018/01/27
logsource: logsource:


@ -13,6 +13,8 @@ tags:
- attack.t1107 - attack.t1107
- attack.t1066 - attack.t1066
- attack.s0195 - attack.s0195
- attack.t1551.004
- attack.t1027
logsource: logsource:
product: windows product: windows
service: security service: security


@ -5,6 +5,7 @@ tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1070 - attack.t1070
- car.2016-04-002 - car.2016-04-002
- attack.t1551
author: Florian Roth author: Florian Roth
date: 2017/02/19 date: 2017/02/19
logsource: logsource:


@ -11,6 +11,7 @@ midified: 2020/01/27
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1099 - attack.t1099
- attack.t1551.006
logsource: logsource:
product: windows product: windows
service: security service: security
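Review bot: The hunk header shows this rule's metadata key spelled `midified: 2020/01/27`; the Sigma schema key is `modified`, so any consumer that reads the modification date will not see this value. Fix the key to `modified: 2020/01/27` while touching the file. Mapping-wise, `attack.t1551.006` looks like the sub-techniques beta ID for Timestomp; if the published parent remains T1070, as it is on the current matrix, this should become `attack.t1070.006`.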


@ -10,6 +10,7 @@ modified: 2019/11/13
tags: tags:
- attack.lateral_movement - attack.lateral_movement
- attack.t1208 - attack.t1208
- attack.t1558.003
logsource: logsource:
product: windows product: windows
service: security service: security
@ -23,7 +24,7 @@ detection:
- '\opera.exe' - '\opera.exe'
- '\chrome.exe' - '\chrome.exe'
- '\firefox.exe' - '\firefox.exe'
condition: selection and not filter condition: selection and not filter
falsepositives: falsepositives:
- Other browsers - Other browsers
level: high level: high


@ -12,9 +12,9 @@ falsepositives:
- Legitimate OpenVPN TAP insntallation - Legitimate OpenVPN TAP insntallation
level: medium level: medium
detection: detection:
selection: selection_1:
ImagePath|contains: 'tap0901' ImagePath|contains: 'tap0901'
condition: selection condition: selection and selection_1
--- ---
logsource: logsource:
product: windows product: windows


@ -8,6 +8,9 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource: logsource:
product: windows product: windows
service: security service: security


@ -1,7 +1,6 @@
title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54 id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
privilege set. Possible Rubeus tries to get a handle to LSA.
status: experimental status: experimental
references: references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
@ -9,6 +8,7 @@ tags:
- attack.lateral_movement - attack.lateral_movement
- attack.privilege_escalation - attack.privilege_escalation
- attack.t1208 - attack.t1208
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24 date: 2019/10/24
logsource: logsource:
@ -18,7 +18,7 @@ detection:
selection: selection:
- EventID: 4673 - EventID: 4673
Service: 'LsaRegisterLogonProcess()' Service: 'LsaRegisterLogonProcess()'
Keywords: '0x8010000000000000' #failure Keywords: '0x8010000000000000' #failure
condition: selection condition: selection
falsepositives: falsepositives:
- Unkown - Unkown


@ -8,6 +8,7 @@ references:
tags: tags:
- attack.t1089 - attack.t1089
- attack.defense_evasion - attack.defense_evasion
- attack.t1562.001
date: 2019/04/08 date: 2019/04/08
author: xknow (@xknow_infosec), xorxes (@xor_xes) author: xknow (@xknow_infosec), xorxes (@xor_xes)
logsource: logsource:


@ -9,11 +9,14 @@ references:
tags: tags:
- attack.credential_access - attack.credential_access
- attack.t1003 - attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource: logsource:
product: antivirus product: antivirus
detection: detection:
selection: selection:
Signature: Signature:
- "*DumpCreds*" - "*DumpCreds*"
- "*Mimikatz*" - "*Mimikatz*"
- "*PWCrack*" - "*PWCrack*"


@ -9,11 +9,12 @@ references:
tags: tags:
- attack.persistence - attack.persistence
- attack.t1100 - attack.t1100
- attack.t1505.003
logsource: logsource:
product: antivirus product: antivirus
detection: detection:
selection: selection:
Signature: Signature:
- "PHP/Backdoor*" - "PHP/Backdoor*"
- "JSP/Backdoor*" - "JSP/Backdoor*"
- "ASP/Backdoor*" - "ASP/Backdoor*"


@ -0,0 +1,28 @@
title: FlowCloud Malware
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: experimental
description: Detects FlowCloud malware from threat group TA410.
references:
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
tags:
- attack.persistence
- attack.t1112
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 12 # key create
- 13 # value set
TargetObject:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
condition: selection
falsepositives:
- Unknown
level: critical
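Review bot: Three of the four `TargetObject` entries are exact key paths with no wildcard (`HKLM\HARDWARE\{804423C2-…}` and the two sibling GUID keys), so they can only match a Sysmon EventID 12 key-creation event whose TargetObject is precisely that key; for the EventID 13 value-set events the rule also selects, Sysmon reports the value name appended to the key path, which these exact strings will not match, and only the `PrintResponsor\\*` entry covers that case. If the values written under those GUID keys are where FlowCloud stores its data, switch to `TargetObject|startswith` or give each GUID entry a trailing `\\*`. On the tags, `attack.t1112` (Modify Registry) is catalogued under Defense Evasion rather than the `attack.persistence` tactic tag used here; keeping both tactic tags, or adjusting the tactic, keeps the mapping consistent with the rest of the rule set.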


@ -0,0 +1,25 @@
title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: experimental
description: Detects Octopus Scanner Malware.
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
tags:
- attack.t1195
- attack.t1195.001
author: NVISO
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
filecreate:
EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: filecreate and selection
falsepositives:
- Unknown
level: high
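Review bot: The `tags` list carries `attack.t1195` and `attack.t1195.001` but no tactic tag, whereas every other rule touched in this commit pairs its technique with a tactic (the FlowCloud rule just above has `attack.persistence`); adding `- attack.initial_access` keeps the Supply Chain Compromise mapping consistent with the rest of the rule set. The split into `filecreate` (`EventID: 11`) and `selection` (`TargetFilename|endswith`) is purely stylistic — both are ANDed — and could be a single `selection`, which is how the neighbouring rules express a single-event match. `description` says only "Detects Octopus Scanner Malware."; one sentence stating what the two dropped artefacts are and where in the referenced GitHub Security Lab write-up they come from would help an analyst triage a hit.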


@ -6,6 +6,7 @@ references:
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1089 - attack.t1089
- attack.t1562.001
author: "@BarryShooshooga" author: "@BarryShooshooga"
date: 2019/10/26 date: 2019/10/26
logsource: logsource:
@ -14,13 +15,13 @@ logsource:
definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
detection: detection:
selection: selection:
EventID: EventID:
- 4657 - 4657
- 4656 - 4656
- 4660 - 4660
- 4663 - 4663
ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
condition: selection condition: selection
falsepositives: falsepositives:
- Intended inclusions by administrator - Intended inclusions by administrator
level: high level: high


@ -1,12 +1,12 @@
title: Rare Scheduled Task Creations title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: experimental status: experimental
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
function selects tasks with rare names.
tags: tags:
- attack.persistence - attack.persistence
- attack.t1053 - attack.t1053
- attack.s0111 - attack.s0111
- attack.t1053.005
author: Florian Roth author: Florian Roth
date: 2017/03/17 date: 2017/03/17
logsource: logsource:


@ -10,11 +10,12 @@ references:
tags: tags:
- attack.execution - attack.execution
- attack.t1086 - attack.t1086
- attack.t1059.001
logsource: logsource:
product: windows product: windows
service: powershell service: powershell
detection: detection:
selection: selection:
EventID: EventID:
- 4103 - 4103
- 400 - 400
