Update global ID

frack113 2021-09-02 21:16:55 +02:00
parent f90c7558a7
commit d02ee1eddd
13 changed files with 29 additions and 13 deletions


@ -1,6 +1,5 @@
action: global
title: Windows PowerShell Web Request
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
status: experimental
description: Detects the use of various web request methods (including aliases) via Windows PowerShell command
references:
@ -19,6 +18,7 @@ falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
---
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
logsource:
category: process_creation
product: windows
@ -32,6 +32,7 @@ detection:
- 'Net.WebClient'
- 'Start-BitsTransfer'
---
id: 1139d2e2-84b1-4226-b445-354492eba8ba
logsource:
product: windows
service: powershell
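Review bot: The first sub-rule in this file keeps the id the global section used to carry (`9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d`, now directly under the first `---`), while the second document gets a fresh UUID, so anything that referenced the old id — which previously applied to every rule compiled from this file — now resolves only to the process_creation variant. Judging by the hunk line counts the same pattern is applied in all 13 sections (Abusable Invoke-ATHRemoteFXvGPUDisablementCommand, Tap Driver Installation, Blue Mockingbird, Alternate PowerShell Hosts, Netcat The Powershell Version, Remote PowerShell Session, DNS ServerLevelPluginDll Install, Sticky Key Like Backdoor Usage, Usage of Sysinternals Tools, UAC Bypass via Event Viewer, Sysmon Configuration Modification, CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum). Consider giving each newly minted id a `related:` entry pointing back to the original, e.g. under `id: 1139d2e2-84b1-4226-b445-354492eba8ba` add `related:` / `  - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d` / `    type: derived`, so the lineage stays discoverable and deployments keyed on the old id can be mapped to every variant. The global header and the detection bodies of these documents lie outside the visible hunks.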


@ -1,6 +1,5 @@
action: global
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
status: experimental
author: frack113
date: 2021/07/13
@ -20,6 +19,7 @@ falsepositives:
- Unknown
level: medium
---
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
logsource:
product: windows
category: process_creation
@ -34,6 +34,7 @@ detection:
- '-RemoteFXvGPUDisablementFilePath'
condition: selection_cmd and selection_opt
---
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
logsource:
product: windows
service: powershell-classic
@ -49,6 +50,7 @@ detection:
- '-RemoteFXvGPUDisablementFilePath'
condition: selection_cmd and selection_opt
---
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
logsource:
product: windows
service: powershell


@ -1,6 +1,5 @@
action: global
title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
@ -16,6 +15,7 @@ detection:
ImagePath|contains: 'tap0901'
condition: selection
---
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
logsource:
product: windows
service: system
@ -23,10 +23,12 @@ detection:
selection:
EventID: 7045
---
id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb
logsource:
product: windows
category: driver_load
---
id: 9c8afa4d-0022-48f0-9456-3712466f9701
logsource:
product: windows
service: security


@ -1,6 +1,5 @@
action: global
title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
status: experimental
description: Attempts to detect system changes made by Blue Mockingbird
references:
@ -17,6 +16,7 @@ level: high
detection:
condition: 1 of them
---
id: c3198a27-23a0-4c2c-af19-e5328d49680e
logsource:
category: process_creation
product: windows
@ -27,6 +27,7 @@ detection:
- 'sc config'
- 'wercplsupporte.dll'
---
id: ce239692-aa94-41b3-b32f-9cab259c96ea
logsource:
category: process_creation
product: windows
@ -35,6 +36,7 @@ detection:
Image|endswith: '\wmic.exe'
CommandLine|endswith: 'COR_PROFILER'
---
id: 92b0b372-a939-44ed-a11b-5136cf680e27
logsource:
product: windows
category: registry_event


@ -1,6 +1,5 @@
action: global
title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
@ -18,6 +17,7 @@ falsepositives:
- Citrix ConfigSync.ps1
level: medium
---
id: 64e8e417-c19a-475a-8d19-98ea705394cc
logsource:
product: windows
service: powershell
@ -30,6 +30,7 @@ detection:
ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
condition: selection and not filter
---
id: d7326048-328b-4d5e-98af-86e84b17c765
logsource:
product: windows
service: powershell-classic


@ -1,6 +1,5 @@
action: global
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
status: experimental
author: frack113
date: 2021/07/21
@ -16,6 +15,7 @@ falsepositives:
- Unknown
level: medium
---
id: c5b20776-639a-49bf-94c7-84f912b91c15
logsource:
product: windows
service: powershell-classic
@ -28,6 +28,7 @@ detection:
- 'powercat.ps1'
condition: selection
---
id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
logsource:
product: windows
service: powershell


@ -1,6 +1,5 @@
action: global
title: Remote PowerShell Session
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
description: Detects remote PowerShell sessions
status: test
date: 2019/08/10
@ -19,6 +18,7 @@ falsepositives:
- Legitimate use remote PowerShell sessions
level: high
---
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
logsource:
product: windows
service: powershell
@ -31,6 +31,7 @@ detection:
- 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte =
condition: selection
---
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
logsource:
product: windows
service: powershell-classic


@ -1,6 +1,5 @@
action: global
title: DNS ServerLevelPluginDll Install
id: e61e8a88-59a9-451c-874e-70fcc9740d67
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
(restart required)
@ -25,6 +24,7 @@ falsepositives:
- unknown
level: high
---
id: e61e8a88-59a9-451c-874e-70fcc9740d67
logsource:
product: windows
category: registry_event
@ -33,6 +33,7 @@ detection:
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: 1 of them
---
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
logsource:
category: process_creation
product: windows


@ -1,6 +1,5 @@
action: global
title: Sticky Key Like Backdoor Usage
id: baca5663-583c-45f9-b5dc-ea96a22ce542
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
screen
references:
@ -19,6 +18,7 @@ falsepositives:
- Unlikely
level: critical
---
id: baca5663-583c-45f9-b5dc-ea96a22ce542
logsource:
category: registry_event
product: windows
@ -33,6 +33,7 @@ detection:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
condition: 1 of them
---
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
logsource:
category: process_creation
product: windows


@ -1,6 +1,5 @@
action: global
title: Usage of Sysinternals Tools
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
@ -12,6 +11,7 @@ falsepositives:
- Programs that use the same Registry Key
level: low
---
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
logsource:
product: windows
category: registry_event
@ -20,6 +20,7 @@ detection:
TargetObject|endswith: '\EulaAccepted'
condition: 1 of them
---
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
logsource:
category: process_creation
product: windows


@ -1,6 +1,5 @@
action: global
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: experimental
description: Detects UAC bypass method using Windows event viewer
references:
@ -19,6 +18,7 @@ falsepositives:
- unknown
level: critical
---
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
logsource:
product: windows
category: registry_event
@ -28,6 +28,7 @@ detection:
TargetObject|endswith: '\mscfile\shell\open\command'
condition: methregistry
---
id: be344333-921d-4c4d-8bb8-e584cf584780
logsource:
category: process_creation
product: windows


@ -1,6 +1,5 @@
action: global
title: Sysmon Configuration Modification
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
description: Someone try to hide from Sysmon
status: experimental
author: frack113
@ -16,6 +15,7 @@ falsepositives:
- legitimate administrative action
level: high
---
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
logsource:
product: windows
category: sysmon_status
@ -26,6 +26,7 @@ detection:
- 'Sysmon config state changed'
condition: selection_stop or selection_conf
---
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
logsource:
product: windows
category: sysmon_error


@ -1,6 +1,5 @@
action: global
title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
status: experimental
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
author: Sittikorn S
@ -20,6 +19,7 @@ falsepositives:
- Unlikely
level: critical
---
id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
logsource:
product: windows
category: file_event
@ -38,6 +38,7 @@ detection:
- 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
condition: selection
---
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
logsource:
product: windows
category: registry_event