Merge branch 'master' into rule-devel

Florian Roth 2020-06-19 09:24:26 +02:00
commit b675c4c706
341 changed files with 3193 additions and 1786 deletions


@ -35,3 +35,6 @@ jobs:
- name: Test Generated Elasticsearch Query Strings
run: |
make test-backend-es-qs
- name: Test SQL(ite) Backend
run: |
make test-backend-sql

.gitignore vendored

@ -95,3 +95,6 @@ settings.json
# VisualStudio
.vs/
.vscode/launch.json
# sigma2attack
heatmap.json


@ -6,15 +6,39 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## Unreleased
## 0.17.0 - 2020-06-12
### Added
* LOGIQ Backend (logiq)
* CarbonBlack backend (carbonblack) and field mappings
* Elasticsearch detection rule backend (es-rule)
* ee-outliers backend
* CrowdStrike backend (crowdstrike)
* Humio backend (humio)
* Aggregations in SQL backend
* SQLite backend (sqlite)
* AWS Cloudtrail ECS mappings
* Overrides
* Zeek configurations for various backends
* Case-insensitive matching for Elasticsearch
* ECS proxy mappings
* RuleName field mapping for Winlogbeat
* sigma2attack tool
### Changed
* Improved usage of keyword fields for Elasticsearch-based backends
* Splunk XML backend rule titles from sigma rule instead of file name
* Moved backend option list to --help-backend
* Microsoft Defender ATP schema improvements
### Fixed
* Splunx XML rule name is now set to rule title
* Backend list deduplicated
* Wrong escaping of wildcard at end of value when startswith modifier is used.
* Direct execution of tools on Windows systems by addition of script entry points
## 0.16.0 - 2020-02-25


@ -14,12 +14,13 @@ finish:
test-rules:
yamllint rules
tests/test_rules.py
tools/sigma-uuid -Ver rules/
tools/sigma_uuid -Ver rules/
test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -h
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -l
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac --backend-help es-qs
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
@ -31,9 +32,10 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c sysmon -c winlogbeat -O case_insensitive_whitelist=* rules/windows/process_creation > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
@ -58,6 +60,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t humio -O rulecomment -c tools/config/humio.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
@ -107,10 +110,14 @@ test-merge:
test-backend-es-qs:
tests/test-backend-es-qs.py
test-backend-sql:
cd tools && python3 setup.py install
cd tools && $(COVERAGE) run -m pytest tests/test_backend_sql.py tests/test_backend_sqlite.py
test-sigma2attack:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigma2attack
build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
build: tools/sigma/*.py tools/setup.py tools/setup.cfg
cd tools && python3 setup.py bdist_wheel sdist
upload-test: build
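Review bot: The `test-backend-sql` recipe installs the package into the active interpreter (`cd tools && python3 setup.py install`) as a side effect of a test target, and its `$(COVERAGE) run -m pytest …` omits the `-a` every other target in this file uses, so it starts a fresh coverage data file (under tools/, because of the `cd`) instead of appending to the run the earlier targets accumulate. If the install step is only there so the tests can import the library, a non-mutating alternative such as `cd tools && python3 setup.py develop` would keep the test target from altering the environment, and `$(COVERAGE) run -a -m pytest tools/tests/test_backend_sql.py tools/tests/test_backend_sqlite.py` run from the repository root would keep a single coverage file; confirm the tests do not rely on the working directory before changing the `cd`. In the second hunk, `-O case_insensitive_whitelist=*` is an unquoted `*` handed to the shell and would glob against the working directory if a matching file ever existed; quoting it as `-O 'case_insensitive_whitelist=*'` removes the dependency on the shell's glob settings. Which of the two `build:` prerequisite lines is the new side cannot be told from this rendering; if `tools/sigmac` and `tools/merge_sigma` were dropped deliberately in favour of entry points, a one-line comment above `build:` saying so would stop the next reader from re-adding them.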


@ -88,9 +88,9 @@ Sysmon: Web Shell Detection
Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
![sigma_rule example5](./images/Sigma_rule_example5.png)
# Sigma Tools
# Sigma Tools
## Sigmac
## Sigmac
Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@ -98,7 +98,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
### Usage
```
```bash
usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}]
[--target-list] [--config CONFIG] [--output OUTPUT]


@ -1,10 +1,10 @@
#!/usr/bin/env python3
# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
# comments etc.) of sigma-uuid script.
# comments etc.) of sigma_uuid script.
#
# Usually used as follows:
# 1. Add UUIDs to rules:
# tools/sigma-uuid -er rules
# tools/sigma_uuid -er rules
# 2. Generate and filter patch
# git diff | contrib/filter-uuid-patch > rule-uuid.diff
# 3. Reset to previous state


@ -104,7 +104,7 @@ logsource:
detection:
selection_file_creation:
EventID: 11
TargetFileName|contains:
TargetFilename|contains:
- '.dmp' # dump process memory
- 'Desktop\how' # Ransomware
- 'Desktop\decrypt' # Ransomware


@ -5,7 +5,7 @@ description: Detects process reimaging defense evasion technique
# where
# selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid
# selection1: Image = selection2: TargetFileName
# selection1: Image = selection2: TargetFilename
# and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\<ImageFileName>$
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
@ -45,4 +45,4 @@ detection:
EventID: 11
fields:
- ProcessGuid
- TargetFileName
- TargetFilename


@ -5,20 +5,21 @@ author: vitaliy0x1
date: 2020/01/21
description: Detects disabling, deleting and updating of a Trail
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
service: cloudtrail
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source AND events
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source AND events
level: medium
falsepositives:
- Valid change in a Trail
tags:
- attack.t1089
- attack.t1089
- attack.t1562.001


@ -5,17 +5,18 @@ author: vitaliy0x1
date: 2020/01/21
description: Detects AWS Config Service disabling
logsource:
service: cloudtrail
service: cloudtrail
detection:
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
level: high
falsepositives:
- Valid change in AWS Config Service
tags:
- attack.t1089
- attack.t1089
- attack.t1562.001


@ -21,3 +21,4 @@ falsepositives:
- Valid changes to the startup script
tags:
- attack.t1064
- attack.t1059


@ -19,3 +19,4 @@ falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
tags:
- attack.t1089
- attack.t1562.001


@ -9,6 +9,7 @@ tags:
- attack.s0003
- attack.t1156
- attack.persistence
- attack.t1546.004
author: Peter Matkovski
logsource:
product: linux


@ -11,6 +11,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25


@ -10,6 +10,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.006
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25


@ -5,6 +5,7 @@ description: Detects posible command execution by web application/web shell
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
references:
- personal experience
author: Ilyas Ochkov, Beyu Denis, oscd.community


@ -1,8 +1,7 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@ -30,3 +29,4 @@ level: low
tags:
- attack.exfiltration
- attack.t1002
- attack.t1560


@ -5,6 +5,7 @@ status: experimental
tags:
- attack.persistence
- attack.t1501
- attack.t1543.002
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:


@ -2,19 +2,27 @@ title: Clear Command History
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: experimental
description: Clear command history in linux which is used for defense evasion.
# Example config for this one (place it in .bash_profile):
# (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
# It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty
# We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example)
# It has two advantages over the version suggested by Patrick Bareiss :
# - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities !
# - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
- https://attack.mitre.org/techniques/T1146/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
author: Patrick Bareiss
date: 2019/03/24
modified: 2020/05/28
logsource:
product: linux
detection:
keywords:
- 'rm *bash_history'
- 'echo "" > *bash_history'
- 'cat /dev/null > *bash_history'
- 'cat /dev/null > *bash_history'
- 'ln -sf /dev/null *bash_history'
- 'truncate -s0 *bash_history'
# - 'unset HISTFILE' # prone to false positives
@ -22,6 +30,7 @@ detection:
- 'history -c'
- 'history -w'
- 'shred *bash_history'
- 'empty_bash_history'
condition: keywords
falsepositives:
- Unknown
@ -29,3 +38,4 @@ level: high
tags:
- attack.defense_evasion
- attack.t1146
- attack.t1551.003
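Review bot: The new keyword `'empty_bash_history'` only ever matches if the custom `logger -t empty_bash_history` hook described in the YAML comment block is deployed on the monitored hosts, but that prerequisite lives solely in comments, which are dropped when sigmac converts the rule, so consumers of the generated query cannot see that part of the rule depends on site-specific instrumentation. The dependency belongs in fields that survive conversion: a `definition:` entry under `logsource:` (as other rules in this commit use) stating that the `empty_bash_history` keyword requires the .bash_history size monitor, or a sentence in `description:`, and ideally a `falsepositives:` line noting that the tag string itself appearing in a shell command line will also match. The keyword list's first hunk starts outside this view, so whether the rest of the keywords changed cannot be confirmed here.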


@ -11,6 +11,8 @@ tags:
- attack.defense_evasion
- attack.t1146
- attack.t1070
- attack.t1551.003
- attack.t1551
logsource:
product: cisco
service: aaa


@ -17,6 +17,7 @@ tags:
- attack.t1003
- attack.t1081
- attack.t1005
- attack.t1552.001
logsource:
product: cisco
service: aaa


@ -12,6 +12,8 @@ tags:
- attack.defense_evasion
- attack.t1130
- attack.t1145
- attack.t1553.004
- attack.t1552.004
logsource:
product: cisco
service: aaa


@ -9,6 +9,7 @@ date: 2019/08/11
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
logsource:
product: cisco
service: aaa


@ -14,6 +14,9 @@ tags:
- attack.t1107
- attack.t1488
- attack.t1487
- attack.t1561.002
- attack.t1551.004
- attack.t1561.001
logsource:
product: cisco
service: aaa


@ -12,6 +12,7 @@ tags:
- attack.credential_access
- attack.t1139
- attack.t1056
- attack.t1552.003
logsource:
product: cisco
service: aaa


@ -16,6 +16,9 @@ tags:
- attack.t1100
- attack.t1168
- attack.t1490
- attack.t1565.002
- attack.t1505
- attack.t1053
logsource:
product: cisco
service: aaa


@ -19,6 +19,8 @@ tags:
- attack.t1105
- attack.t1492
- attack.t1002
- attack.t1560
- attack.t1565.001
logsource:
product: cisco
service: aaa


@ -7,17 +7,18 @@ references:
- https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
tags:
- attack.t1071
- attack.t1071.004
author: Markus Neis
date: 2018/08/08
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
record_type: 'TXT'
answer:
- '*IEX*'
- '*Invoke-Expression*'
- '*cmd.exe*'
condition: selection
falsepositives:
- Unknown


@ -6,46 +6,48 @@ date: 2020/03/19
references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-execution
tags:
- attack.execution
- attack.t1035
- attack.t1047
- attack.t1053
- attack.execution
- attack.t1035
- attack.t1047
- attack.t1053
- attack.t1053.002
- attack.t1569.002
logsource:
product: zeek
service: dce_rpc
product: zeek
service: dce_rpc
detection:
op1:
endpoint: 'JobAdd'
operation: 'atsvc'
op2:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcEnableTask'
op3:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRegisterTask'
op4:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRun'
op5:
endpoint: 'IWbemServices'
operation: 'ExecMethod'
op6:
endpoint: 'IWbemServices'
operation: 'ExecMethodAsync'
op7:
endpoint: 'svcctl'
operation: 'CreateServiceA'
op8:
endpoint: 'svcctl'
operation: 'CreateServiceW'
op9:
endpoint: 'svcctl'
operation: 'StartServiceA'
op10:
endpoint: 'svcctl'
operation: 'StartServiceW'
condition: 1 of them
op1:
endpoint: 'JobAdd'
operation: 'atsvc'
op2:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcEnableTask'
op3:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRegisterTask'
op4:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRun'
op5:
endpoint: 'IWbemServices'
operation: 'ExecMethod'
op6:
endpoint: 'IWbemServices'
operation: 'ExecMethodAsync'
op7:
endpoint: 'svcctl'
operation: 'CreateServiceA'
op8:
endpoint: 'svcctl'
operation: 'CreateServiceW'
op9:
endpoint: 'svcctl'
operation: 'StartServiceA'
op10:
endpoint: 'svcctl'
operation: 'StartServiceW'
condition: 1 of them
falsepositives:
- 'Windows administrator tasks or troubleshooting'
- 'Windows management scripts or software'
level: medium
level: medium


@ -8,30 +8,31 @@ references:
tags:
- attack.persistence
- attack.t1004
- attack.t1547.004
logsource:
product: zeek
service: dce_rpc
product: zeek
service: dce_rpc
detection:
op1:
endpoint: 'spoolss'
operation: 'RpcAddMonitor'
op2:
endpoint: 'spoolss'
operation: 'RpcAddPrintProcessor'
op3:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddMonitor'
op4:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddPrintProcessor'
op5:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonW'
op6:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonExW'
condition: 1 of them
op1:
endpoint: 'spoolss'
operation: 'RpcAddMonitor'
op2:
endpoint: 'spoolss'
operation: 'RpcAddPrintProcessor'
op3:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddMonitor'
op4:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddPrintProcessor'
op5:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonW'
op6:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonExW'
condition: 1 of them
falsepositives:
- 'Windows administrator tasks or troubleshooting'
- 'Windows management scripts or software'
level: medium
level: medium


@ -8,9 +8,10 @@ references:
tags:
- attack.command_and_control
- attack.t1043
- attack.t1571
logsource:
product: zeek
service: http
product: zeek
service: http
date: 2020/05/01
detection:
selection_webdav:
@ -23,4 +24,4 @@ detection:
falsepositives:
- unknown
level: medium
status: experimental
status: experimental


@ -11,6 +11,7 @@ tags:
- attack.t1053
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
logsource:
product: zeek
service: smb_files


@ -8,14 +8,17 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
path: '\\*ADMIN$'
name: '*SYSTEM32\\*.tmp'
condition: selection
selection:
path: '\\*ADMIN$'
name: '*SYSTEM32\\*.tmp'
condition: selection
falsepositives:
- 'unknown'
level: high


@ -1,14 +1,14 @@
title: First Time Seen Remote Named Pipe - Zeek
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
using named pipes
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
- https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
tags:
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
logsource:
product: zeek
service: smb_files
@ -18,23 +18,23 @@ detection:
selection2:
path: \\*\IPC$
name:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe


@ -8,6 +8,7 @@ references:
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
logsource:
product: zeek
service: smb_files
@ -15,9 +16,9 @@ detection:
selection1:
path: \\*\IPC$
name:
- '*-stdin'
- '*-stdout'
- '*-stderr'
- '*-stdin'
- '*-stdout'
- '*-stderr'
selection2:
name: \\*\IPC$
path: 'PSEXESVC*'


@ -4,26 +4,29 @@ description: Transferring files with well-known filenames (sensitive files with
author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
date: 2020/04/02
references:
- https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
- https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
tags:
- attack.credential_access
- attack.t1003
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: zeek
service: smb_files
product: zeek
service: smb_files
detection:
selection:
name:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- '\sam'
- '\ntds.dit'
- '\security'
condition: selection
selection:
name:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- '\sam'
- '\ntds.dit'
- '\security'
condition: selection
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
status: experimental
status: experimental


@ -8,6 +8,7 @@ references:
tags:
- attack.credential_access
- attack.t1208
- attack.t1558.003
logsource:
product: zeek
service: kerberos


@ -13,7 +13,7 @@ logsource:
category: webserver
detection:
selection:
c-uri:
c-uri:
- '*/config/keystore/*.js*'
condition: selection
fields:
@ -28,5 +28,6 @@ tags:
- attack.persistence
- attack.privilege_escalation
- cve.2018-2894
- attack.t1505
level: critical


@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.lateral_movement
- attack.t1053
- attack.t1053.005
logsource:
product: windows
service: security


@ -4,6 +4,7 @@ description: Detects access to $ADMIN share
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
status: experimental
author: Florian Roth
date: 2017/03/04


@ -9,6 +9,7 @@ date: 2017/07/30
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
logsource:
product: windows
service: security
@ -18,9 +19,9 @@ detection:
EventID: 4738
keywords:
Message:
- '*DES*'
- '*Preauth*'
- '*Encrypted*'
- '*DES*'
- '*Preauth*'
- '*Encrypted*'
filters:
Message:
- '*Enabled*'


@ -10,6 +10,7 @@ tags:
- attack.credential_access
- attack.t1003
# Defender Attack Surface Reduction
- attack.t1003.001
logsource:
product: windows_defender
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'


@ -1,7 +1,6 @@
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different
threat groups)
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
date: 2017/01/10
modified: 2019/10/11
@ -12,21 +11,25 @@ tags:
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource:
product: windows
detection:
keywords:
Message:
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
- "* eo.oe.kiwi *"
- "* privilege::debug *"
- "* sekurlsa::logonpasswords *"
- "* lsadump::sam *"
- "* mimidrv.sys *"
- "* p::d *"
- "* s::l *"
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
- "* eo.oe.kiwi *"
- "* privilege::debug *"
- "* sekurlsa::logonpasswords *"
- "* lsadump::sam *"
- "* mimidrv.sys *"
- "* p::d *"
- "* s::l *"
condition: keywords
falsepositives:
- Naughty administrators


@ -17,18 +17,19 @@ tags:
- attack.t1075
- attack.t1114
- attack.t1059
- attack.t1550.002
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4776
EventID:
- 4776
Workstation: 'RULER'
selection2:
EventID:
- 4624
- 4625
- 4624
- 4625
WorkstationName: 'RULER'
condition: (1 of selection*)
falsepositives:


@ -7,6 +7,7 @@ tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003
date: 2017/03/31
author: Florian Roth
logsource:


@ -9,6 +9,7 @@ tags:
- attack.persistence
- attack.g0064
- attack.t1050
- attack.t1543.003
logsource:
product: windows
service: system


@ -9,6 +9,7 @@ tags:
- attack.persistence
- attack.g0010
- attack.t1050
- attack.t1543.003
logsource:
product: windows
service: system


@ -11,6 +11,7 @@ tags:
- attack.t1053
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
logsource:
product: windows
service: security


@ -12,18 +12,19 @@ tags:
- attack.credential_access
- attack.s0002
- attack.t1003
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties:
Properties:
- '*Replicating Directory Changes All*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
filter1:
SubjectDomainName: 'Window Manager'
filter2:
filter2:
SubjectUserName:
- 'NT AUTHORITY*'
- '*$'


@ -1,15 +1,12 @@
title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass
local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing"
via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note,
that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform
these modifications in Active Directory anyways.'
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
references:
- https://bit.ly/WinLogsZero2Hero
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.006
author: '@neu5ron'
date: 2017/11/19
logsource:


@ -9,11 +9,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
logsource:
product: windows
service: security
detection:
selection:
selection:
EventID: 4662
ObjectType: 'SecretObject'
AccessMask: '0x2'
@ -21,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: critical
level: critical


@ -9,11 +9,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
logsource:
product: windows
service: security
detection:
selection:
selection:
EventID: 4692
condition: selection
fields:


@ -10,6 +10,8 @@ tags:
- attack.execution
- attack.t1077
- attack.t1035
- attack.t1021
- attack.t1569.002
logsource:
product: windows
service: system
@ -25,4 +27,4 @@ fields:
falsepositives:
- Penetration Test
- Unknown
level: critical
level: critical


@ -8,6 +8,9 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: windows
service: security


@ -12,7 +12,7 @@ falsepositives:
- Unknown
level: high
detection:
selection:
selection_1:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@ -20,7 +20,7 @@ detection:
- ImagePath|re: '\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference'
condition: selection
condition: selection and selection_1
---
logsource:
product: windows


@ -1,7 +1,6 @@
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
using named pipes
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
author: Samir Bousseaden
date: 2019/04/03
references:
@ -9,6 +8,7 @@ references:
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
logsource:
product: windows
service: security
@ -21,23 +21,23 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection1 and not selection2
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe


@ -10,11 +10,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection:
selection:
EventID:
- 4663
- 4656


@ -11,6 +11,8 @@ tags:
- attack.t1035
- attack.t1050
- car.2013-09-005
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
@ -24,6 +26,6 @@ detection:
malsvc_persistence:
ServiceFileName|contains: 'net user'
condition: selection and 1 of malsvc_*
falsepositives:
falsepositives:
- Penetration testing
level: critical


@ -12,7 +12,7 @@ tags:
- attack.privilege_escalation
- attack.t1134
detection:
selection:
selection_1:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
@ -30,7 +30,7 @@ detection:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection
condition: selection and selection_1
fields:
- ComputerName
- SubjectDomainName


@ -1,23 +1,25 @@
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
author: '@2xxeformyshirt (Security Risk Advisors)'
date: 2020/03/04
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
tags:
- attack.execution
- attack.t1175
- attack.execution
- attack.t1175
- attack.t1021.003
- attack.t1559.001
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection:
ParentImage: '*\svchost.exe'
Image: '*\mmc.exe'
CommandLine: '*-Embedding*'
condition: selection
selection:
ParentImage: '*\svchost.exe'
Image: '*\mmc.exe'
CommandLine: '*-Embedding*'
condition: selection
falsepositives:
- Unlikely
- Unlikely
level: high
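Review bot: The rule's title and description name this as lateral movement and the added `attack.t1021.003` (Remote Services: Distributed Component Object Model) is a Lateral Movement technique, yet the only tactic tag is `attack.execution`; add `- attack.lateral_movement` so the tactic tag matches the technique, as other hunks in this commit pair `attack.lateral_movement` with `attack.t1021.002`. Keeping `attack.execution` for `attack.t1559.001` is fine, both tactics are then justified.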


@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1075
- attack.s0002
- attack.t1550.002
logsource:
product: windows
service: security


@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1075
- car.2016-04-004
- attack.t1550.002
logsource:
product: windows
service: security


@ -11,6 +11,7 @@ date: 2019/06/14
tags:
- attack.lateral_movement
- attack.t1075
- attack.t1550.002
logsource:
product: windows
service: security


@ -8,6 +8,7 @@ modified: 2019/11/13
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
level: critical
logsource:
product: windows


@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.t1053
- car.2013-08-001
- attack.t1053.005
logsource:
product: windows
service: security


@ -9,6 +9,7 @@ tags:
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
- attack.t1543.003
logsource:
product: windows
service: system


@ -9,6 +9,7 @@ tags:
- attack.lateral_movement
- attack.t1076
- car.2013-07-002
- attack.t1021
status: experimental
author: Thomas Patzke
logsource:


@ -14,6 +14,7 @@ tags:
- attack.t1076
- attack.t1090
- car.2013-07-002
- attack.t1021
logsource:
product: windows
service: security


@ -8,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:


@ -9,11 +9,12 @@ references:
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
product: windows
service: security
detection:
selection:
selection:
EventID: 5156
DestPort:
- 5985


@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1178
- attack.t1134.005
logsource:
product: windows
service: security
@ -25,7 +26,7 @@ detection:
- '-'
- '%%1793'
filter_null:
SidHistory: null
SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
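Review bot: `SidHistory:` with no value parses as YAML null exactly like the `SidHistory: null` it replaces, so `filter_null` behaves the same, but a bare key reads like an accidentally emptied field. Keep the explicit form and state the intent, e.g. `SidHistory: null  # drop events where SidHistory is not populated`, since the filter is what keeps `selection2` from matching on every event. The `condition` still refers to `selection1`, `selection2` and `selection3`, which are defined above the hunk.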


@ -10,6 +10,7 @@ date: 2017/05/12
tags:
- attack.defense_evasion
- attack.t1107
- attack.t1551.004
logsource:
product: windows
service: application
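Review bot: `attack.t1551.004` is the identifier from the ATT&CK sub-technique beta; in the released sub-technique version Indicator Removal on Host kept its original T1070 number, so File Deletion is `attack.t1070.004`. Confirm against the published matrix before merging so the new tag does not become a dangling reference; the retained `attack.t1107` tag is unaffected either way.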


@ -7,6 +7,7 @@ date: 2019/12/03
tags:
- attack.defense_evasion
- attack.t1009
- attack.t1027
logsource:
product: windows
service: security


@ -11,6 +11,7 @@ author: Dimitrios Slamaris
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
logsource:
product: windows
service: system
@ -19,6 +20,6 @@ detection:
EventID: 1033
Source: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
falsepositives:
- Unknown
level: critical


@ -11,18 +11,19 @@ modified: 2019/07/17
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
author: "Dimitrios Slamaris, @atc_project (fix)"
logsource:
product: windows
service: system
detection:
selection:
EventID:
EventID:
- 1031
- 1032
- 1034
Source: Microsoft-Windows-DHCP-Server
Source: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
falsepositives:
- Unknown
level: critical


@ -10,17 +10,18 @@ references:
tags:
- attack.defense_evasion
- attack.t1073
- attack.t1574.002
author: Florian Roth
logsource:
product: windows
service: dns-server
detection:
selection:
EventID:
EventID:
- 150
- 770
condition: selection
falsepositives:
falsepositives:
- Unknown
level: critical


@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
- attack.t1551
logsource:
product: windows
service: system
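Review bot: `attack.t1551` is the sub-technique beta number for Indicator Removal on Host; the released matrix keeps it as T1070, which this rule already tags as `attack.t1070`, so the added line is likely redundant or wrong depending on which ATT&CK version the repo tracks. Check the mapping before merging rather than carrying both IDs.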


@ -8,6 +8,7 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
logsource:
product: windows
service: security


@ -12,6 +12,7 @@ tags:
- attack.credential_access
- attack.t1003
- car.2019-04-004
- attack.t1003.001
logsource:
product: windows
service: security
@ -40,7 +41,7 @@ detection:
- '4484'
- '4416'
filter:
ProcessName|endswith:
ProcessName|endswith:
- '\wmiprvse.exe'
- '\taskmgr.exe'
- '\procexp64.exe'


@ -5,6 +5,7 @@ tags:
- attack.defense_evasion
- attack.t1089
- attack.t1211
- attack.t1562.001
status: experimental
date: 2017/05/09
references:


@ -10,6 +10,7 @@ date: 2018/06/08
tags:
- attack.lateral_movement
- attack.t1075
- attack.t1550.002
logsource:
product: windows
service: ntlm


@ -1,7 +1,6 @@
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker
uses a different psexec client other than sysinternal one
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
author: Samir Bousseaden
date: 2019/04/03
references:
@ -9,6 +8,7 @@ references:
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002
logsource:
product: windows
service: security
@ -18,9 +18,9 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- '*-stdin'
- '*-stdout'
- '*-stderr'
- '*-stdin'
- '*-stdout'
- '*-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$


@ -7,6 +7,7 @@ references:
tags:
- attack.credential_access
- attack.t1208
- attack.t1558.003
description: Detects service ticket requests using RC4 encryption type
author: Florian Roth
date: 2017/02/06


@ -10,6 +10,7 @@ tags:
- attack.privilege_escalation
- attack.credential_access
- attack.t1171
- attack.t1557.001
logsource:
product: windows
service: security


@ -5,6 +5,7 @@ description: Detects suspicious SAM dump activity as cause by QuarksPwDump and o
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
author: Florian Roth
date: 2018/01/27
logsource:


@ -13,6 +13,8 @@ tags:
- attack.t1107
- attack.t1066
- attack.s0195
- attack.t1551.004
- attack.t1027
logsource:
product: windows
service: security
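Review bot: The added `attack.t1551.004` uses the sub-technique beta numbering; in the released ATT&CK sub-technique matrix File Deletion is `attack.t1070.004`, so this should be verified before merging. `attack.t1027` is a valid Defense Evasion technique and fits the existing `attack.defense_evasion` tag above the hunk.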


@ -5,6 +5,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
- attack.t1551
author: Florian Roth
date: 2017/02/19
logsource:
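Review bot: `attack.t1551` comes from the ATT&CK sub-technique beta, while the released matrix retains Indicator Removal on Host as T1070, which this rule already tags as `attack.t1070`; the addition is therefore probably redundant and should be checked against the ATT&CK version the repository targets.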


@ -11,6 +11,7 @@ midified: 2020/01/27
tags:
- attack.defense_evasion
- attack.t1099
- attack.t1551.006
logsource:
product: windows
service: security
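Review bot: The context line `midified: 2020/01/27` is a typo for `modified:`; `midified` is not a Sigma field, so tooling will ignore the modification date, and it should be corrected to `modified: 2020/01/27` while this file is being touched. The added `attack.t1551.006` is the sub-technique beta ID for Timestomp; the released matrix places it at `attack.t1070.006`, so confirm the mapping before merging.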


@ -10,6 +10,7 @@ modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
- attack.t1558.003
logsource:
product: windows
service: security
@ -23,7 +24,7 @@ detection:
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
condition: selection and not filter
condition: selection and not filter
falsepositives:
- Other browsers
level: high


@ -12,9 +12,9 @@ falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
selection:
selection_1:
ImagePath|contains: 'tap0901'
condition: selection
condition: selection and selection_1
---
logsource:
product: windows
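Review bot: The new `condition: selection and selection_1` depends on a `selection` that is no longer defined in this document; the `---` separator that follows shows this is a multi-document rule, so `selection` presumably lives in the shared section above the hunk, which cannot be seen here. A comment on the condition, e.g. `# selection is defined in the shared section above`, would make that dependency explicit. The context line `Legitimate OpenVPN TAP insntallation` also carries a typo for `installation`.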


@ -8,6 +8,9 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: windows
service: security


@ -1,7 +1,6 @@
title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege
privilege set. Possible Rubeus tries to get a handle to LSA.
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
@ -9,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
@ -18,7 +18,7 @@ detection:
selection:
- EventID: 4673
Service: 'LsaRegisterLogonProcess()'
Keywords: '0x8010000000000000' #failure
Keywords: '0x8010000000000000' #failure
condition: selection
falsepositives:
- Unkown


@ -8,6 +8,7 @@ references:
tags:
- attack.t1089
- attack.defense_evasion
- attack.t1562.001
date: 2019/04/08
author: xknow (@xknow_infosec), xorxes (@xor_xes)
logsource:


@ -9,11 +9,14 @@ references:
tags:
- attack.credential_access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
product: antivirus
detection:
selection:
Signature:
Signature:
- "*DumpCreds*"
- "*Mimikatz*"
- "*PWCrack*"


@ -9,11 +9,12 @@ references:
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
logsource:
product: antivirus
detection:
selection:
Signature:
Signature:
- "PHP/Backdoor*"
- "JSP/Backdoor*"
- "ASP/Backdoor*"


@ -0,0 +1,28 @@
title: FlowCloud Malware
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: experimental
description: Detects FlowCloud malware from threat group TA410.
references:
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
tags:
- attack.persistence
- attack.t1112
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 12 # key create
- 13 # value set
TargetObject:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
condition: selection
falsepositives:
- Unknown
level: critical
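Review bot: The three `HKLM\HARDWARE\{GUID}` values are exact-match strings, while Sysmon reports the full value path (key plus value name) in `TargetObject` for Event ID 13, so as written those entries will in practice only fire on key creation (Event ID 12) even though both IDs are selected. If value writes under those keys are meant to alert, give them a trailing wildcard like the `PrintResponsor\\*` entry already has, e.g. `'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}\\*'`, or switch the field to `TargetObject|startswith`. Separately, `attack.t1112` (Modify Registry) is a Defense Evasion technique, so `attack.persistence` is not the matching tactic tag; use `attack.defense_evasion`, or add a persistence technique the reference supports. The values are single-quoted YAML scalars, so `\\*` reaches Sigma unchanged and is read as a literal backslash followed by a wildcard, which is the intended form.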


@ -0,0 +1,25 @@
title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: experimental
description: Detects Octopus Scanner Malware.
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
tags:
- attack.t1195
- attack.t1195.001
author: NVISO
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
filecreate:
EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: filecreate and selection
falsepositives:
- Unknown
level: high
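Review bot: The tags carry the technique `attack.t1195` / `attack.t1195.001` but no tactic; add `- attack.initial_access` so the rule keeps the tactic-plus-technique pairing used elsewhere in this commit. Splitting `EventID: 11` into its own `filecreate` selection and `and`-ing it with `selection` is equivalent to placing it inside `selection`; the two-selection form is fine but deserves a comment such as `# Sysmon Event ID 11 (FileCreate)`, and the two file names would benefit from a comment pointing at the section of the reference that describes them.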


@ -6,6 +6,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
author: "@BarryShooshooga"
date: 2019/10/26
logsource:
@ -14,13 +15,13 @@ logsource:
definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
detection:
selection:
EventID:
EventID:
- 4657
- 4656
- 4660
- 4663
ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
condition: selection
falsepositives:
falsepositives:
- Intended inclusions by administrator
level: high


@ -1,12 +1,12 @@
title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: experimental
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count
function selects tasks with rare names.
description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
tags:
- attack.persistence
- attack.t1053
- attack.s0111
- attack.t1053.005
author: Florian Roth
date: 2017/03/17
logsource:


@ -10,11 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
- attack.t1059.001
logsource:
product: windows
service: powershell
detection:
selection:
selection:
EventID:
- 4103
- 400
