Merge branch 'SigmaHQ:master' into master

pbssubhash 2021-08-25 21:12:14 +05:30 committed by GitHub
commit d5d28cc85e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
156 changed files with 1414 additions and 376 deletions

View File

@ -23,7 +23,7 @@ from version 0.14.0.
* Elastic EQL backend
* Additional conversion selection filters
* Filter negation
* Specifiy table in SQL backend
* Specify table in SQL backend
* Generic registry event log source
* Chronicle backend

View File

@ -1,4 +1,4 @@
[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)
[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster)
![sigma_logo](./images/Sigma_0.3.png)
@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei
# Projects or Products that use Sigma
* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018)
* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints

View File

@ -4,7 +4,7 @@ status: stable
description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
author: Sittikorn S
date: 2021/06/29
modified: 2021/08/09
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
tags:
@ -17,7 +17,6 @@ detection:
selection:
eventSource: ec2.amazonaws.com
eventName: DisableEbsEncryptionByDefault
status: success
condition: selection
falsepositives:
- System Administrator Activities
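Review bot: dropping `status: success` from `selection` broadens the rule to failed or denied DisableEbsEncryptionByDefault calls as well, which the description ("Identifies disabling of default ... encryption") does not say. If only successful calls are intended, CloudTrail records failures in `errorCode`, so an exclusion filter on that field combined with `condition: selection and not filter` keeps the original scope; otherwise the description should state that attempts are flagged too.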

View File

@ -4,9 +4,9 @@ status: experimental
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
author: faloker
date: 2020/02/11
modified: 2021/08/09
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
logsource:
service: cloudtrail
detection:

View File

@ -4,6 +4,7 @@ status: experimental
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
author: Diogo Braz
date: 2020/04/16
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
logsource:
@ -17,7 +18,6 @@ detection:
filter2:
errorCode: '*'
filter3:
eventName: 'ConsoleLogin'
responseElements|contains: 'Failure'
condition: selection and (filter1 or filter2 or filter3)
level: low
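Review bot: `filter3` keys on `eventName: 'ConsoleLogin'`, but a CloudTrail record carries exactly one eventName and the `selection` this rule is built around (not in the hunk) is the export-task event named in the description, so `filter3` can never be true for the same record as `selection` and is dead weight in `condition: selection and (filter1 or filter2 or filter3)`. Either remove `filter3` or document what it is meant to catch; after the one-line removal in this hunk it is a single-key filter whose purpose is no longer apparent.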

View File

@ -4,9 +4,9 @@ status: experimental
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
author: faloker
date: 2020/02/12
modified: 2021/08/09
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
logsource:
service: cloudtrail
detection:

View File

@ -4,9 +4,9 @@ status: experimental
description: Detects the change of database master password. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2021/08/09
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
service: cloudtrail
detection:

View File

@ -4,9 +4,9 @@ status: experimental
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2021/08/09
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
service: cloudtrail
detection:

View File

@ -1,9 +1,10 @@
title: AWS STS AssumedRole Misuse
title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/20
references:
- https://github.com/elastic/detection-rules/pull/1214
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
@ -12,8 +13,8 @@ logsource:
detection:
selection:
eventSource: sts.amazonaws.com
eventName: AssumedRole
userIdentity.sessionContext: Role
eventName: AssumeRole
userIdentity.sessionContext.sessionIssuer.type: Role
condition: selection
level: low
tags:
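Review bot: with `userIdentity.sessionContext.sessionIssuer.type: Role` in the selection, the rule now matches only AssumeRole calls made with credentials that were themselves issued by a role (role chaining); AssumeRole calls by IAM users or federated identities no longer match. That is a sensible way to cut noise on a `low` rule, but neither the new title "AWS STS AssumeRole Misuse" nor the description ("Identifies the suspicious use of AssumeRole") says so; spelling out that the rule targets role-to-role assumption would help anyone tuning it.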
@ -23,5 +24,6 @@ tags:
- attack.t1550
- attack.t1550.001
falsepositives:
- AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Automated processes that uses Terraform may lead to false positives.
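Review bot: `Automated processes that uses Terraform` should read `that use Terraform`.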

View File

@ -0,0 +1,20 @@
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1098
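Review bot: the title and description speak of a *number* of VM creations (the referenced Sentinel detection, `Creating_Anomalous_Number_Of_Resources_detection.yaml`, is a volume anomaly), but the Sigma detection is a plain keyword match on `Microsoft.Compute/virtualMachines/write` and `Microsoft.Resources/deployments/write`, so it fires on every single write. Either express the threshold with Sigma's aggregation syntax (`condition: keywords | count() > N`, N to be chosen) or reword the title and description to match a per-event rule. `attack.t1098` (Account Manipulation) also does not describe creating compute resources; `attack.t1578` (Modify Cloud Compute Infrastructure) is the matching technique.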

View File

@ -0,0 +1,19 @@
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.Authorization/roleAssignments/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1098
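Review bot: the description promises source-IP baselining ("alerts when a previously unseen source IP address is used"), but the detection is a stateless keyword match on `Microsoft.Authorization/roleAssignments/write`; a Sigma rule cannot express "previously unseen". The description should say what the rule actually does (every role-assignment write is flagged) and leave the baselining to the consuming platform, otherwise the rule is judged against a promise it cannot keep.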

View File

@ -0,0 +1,25 @@
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1003
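Review bot: the description is a verbatim copy of the previous rule's ("Identifies IPs from which users grant access to other users on azure resources ...") and does not describe this rule, which matches `listKeys/action` calls on several services plus `Microsoft.Compute/snapshots/write` and `Microsoft.Network/networkSecurityGroups/write`. It should describe those operations. `attack.t1003` (OS Credential Dumping) fits the `listKeys` entries only loosely and the snapshot and NSG writes not at all; splitting the list into a credential-access rule and an infrastructure-modification rule, each with a fitting tag, would be cleaner.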

View File

@ -0,0 +1,23 @@
title: Google Workspace Granted Domain API Access
id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
description: Detects when an API access service account is granted domain authority.
author: Austin Songer
status: experimental
date: 2021/08/23
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName: AUTHORIZE_API_CLIENT_ACCESS
condition: selection
level: medium
tags:
- attack.persistence
- attack.t1098
falsepositives:
- Unknown

View File

@ -0,0 +1,25 @@
title: Google Workspace Role Modified or Deleted
id: 6aef64e3-60c6-4782-8db3-8448759c714e
description: Detects when an a role is modified or deleted in Google Workspace.
author: Austin Songer
status: experimental
date: 2021/08/24
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName:
- DELETE_ROLE
- RENAME_ROLE
- UPDATE_ROLE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Unknown
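Review bot: `Detects when an a role is modified` has a doubled article (`a role`). Tagging only `attack.impact` undersells the rule: changing or renaming an admin role is a privilege-persistence action, so `attack.persistence` / `attack.t1098`, as used on the other Google Workspace rules in this commit, would fit better than impact alone.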

View File

@ -0,0 +1,22 @@
title: Google Workspace Role Privilege Deleted
id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
description: Detects when an a role privilege is deleted in Google Workspace.
author: Austin Songer
status: experimental
date: 2021/08/24
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName: REMOVE_PRIVILEGE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Unknown
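Review bot: same doubled article here, `Detects when an a role privilege is deleted`; and the same tag question as the role-modification rule, since removing a privilege from a role is closer to `attack.persistence` / `attack.t1098` than to `attack.impact`.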

View File

@ -0,0 +1,24 @@
title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
description: Detects when an Google Workspace user is granted admin privileges.
author: Austin Songer
status: experimental
date: 2021/08/23
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName:
- GRANT_DELEGATED_ADMIN_PRIVILEGES
- GRANT_ADMIN_PRIVILEGE
condition: selection
level: medium
tags:
- attack.persistence
- attack.t1098
falsepositives:
- Google Workspace admin role privileges, may be modified by system administrators.
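Review bot: `Detects when an Google Workspace user` should be `a Google Workspace user`, and the false-positive entry has a stray comma (`admin role privileges, may be modified`).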

View File

@ -0,0 +1,23 @@
title: Activity Performed by Terminated User
id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
status: experimental
description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity performed by terminated user"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.impact
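Review bot: the description does not parse (`Detects when a Microsoft Cloud App Security reported for users whose account were terminated ... but still perform activities`); "Detects Microsoft Cloud App Security alerts for users whose Azure AD account was terminated but who still perform activities on other platforms such as AWS or Salesforce" says the same thing. `attack.impact` is also a poor fit: activity by a terminated account is use of a valid account, i.e. `attack.persistence` / `attack.t1078`, the technique this commit already uses for the risky-IP logon rule.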

View File

@ -0,0 +1,24 @@
title: Activity from Anonymous IP Addresses
id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
status: experimental
description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity from anonymous IP addresses"
status: success
condition: selection
falsepositives:
- User using a VPN or Proxy
level: medium
tags:
- attack.command_and_control
- attack.t1573
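Review bot: "Detects when a Microsoft Cloud App Security reported when users were active" is ungrammatical, and the same "Detects when a Microsoft Cloud App Security reported when ..." template recurs in the other new m365 rules in this commit; fixing it once as "Detects when Microsoft Cloud App Security reports that ..." and propagating would be worthwhile. `attack.t1573` (Encrypted Channel) does not describe anonymous-proxy use; `attack.t1090.003` (Proxy: Multi-hop Proxy) does.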

View File

@ -0,0 +1,24 @@
title: Activity from Infrequent Country
id: 0f2468a2-5055-4212-a368-7321198ee706
status: experimental
description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity from infrequent country"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.command_and_control
- attack.t1573

View File

@ -0,0 +1,24 @@
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: experimental
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Data exfiltration to unsanctioned apps"
status: success
condition: selection
falsepositives:
-
level: medium
tags:
- attack.exfiltration
- attack.t1537
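Review bot: `falsepositives:` has an empty list item (a bare `-`), which yields a null entry where the schema expects a string; every other rule in this commit writes `- Unknown` when nothing is known, so use that or name a real case such as sanctioned apps that have not been registered as such.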

View File

@ -0,0 +1,24 @@
title: Activity from Suspicious IP Addresses
id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
status: experimental
description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatDetection
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity from suspicious IP addresses"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.command_and_control
- attack.t1573
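Review bot: `category: ThreatDetection` differs from the `category: ThreatManagement` used by every other m365 rule in this commit; unless deliberate it looks like a typo, and it will map to a different log source configuration in any backend that keys on the category.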

View File

@ -0,0 +1,24 @@
title: Logon from a Risky IP Address
id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
status: experimental
description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Log on from a risky IP address"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.initial_access
- attack.t1078

View File

@ -0,0 +1,24 @@
title: Suspicious Inbox Forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
status: experimental
description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
author: Austin Songer @austinsonger
date: 2021/08/22
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Suspicious inbox forwarding"
status: success
condition: selection
falsepositives:
- Unknown
level: low
tags:
- attack.exfiltration
- attack.t1020
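Review bot: `attack.t1020` (Automated Exfiltration) is a loose fit; an inbox rule that forwards mail to an external address is exactly `attack.t1114.003` (Email Collection: Email Forwarding Rule) under `attack.collection`. Consider adding it alongside, or instead of, the exfiltration tags.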

View File

@ -0,0 +1,23 @@
title: Suspicious OAuth App File Download Activities
id: ee111937-1fe7-40f0-962a-0eb44d57d174
status: experimental
description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Suspicious OAuth app file download activities"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.exfiltration

View File

@ -13,49 +13,49 @@ references:
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
# tags:
# - CSC4
# - CSC4.5
# - CSC14
# - CSC14.4
# - CSC16
# - CSC16.5
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - NIST CSF 1.1 PR.AC-1
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AC-5
# - NIST CSF 1.1 PR.AC-6
# - NIST CSF 1.1 PR.AC-7
# - NIST CSF 1.1 PR.DS-1
# - NIST CSF 1.1 PR.DS-2
# - ISO 27002-2013 A.9.2.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - ISO 27002-2013 A.8.3.1
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.10.1.1
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7
# - PCI DSS 3.2 8.8
# - PCI DSS 3.2 1.3
# - PCI DSS 3.2 1.4
# - PCI DSS 3.2 4.3
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
---
logsource:
product: netflow
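Review bot: commenting the CSC/NIST/ISO/PCI tags out rather than deleting them leaves some forty lines of dead text in the rule's global section; git keeps the history, so deleting is cleaner, and if they are kept for later re-enablement a one-line comment saying why (which check rejects these tag namespaces, if that is the reason) would spare the next reader the guess. The same applies to the five following rules changed the same way in this commit.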

View File

@ -81,29 +81,29 @@ detection:
falsepositives:
- unknown
level: medium
tags:
- CSC4
- CSC4.2
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
# tags:
# - CSC4
# - CSC4.2
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7

View File

@ -33,29 +33,29 @@ detection:
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.8
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
# tags:
# - CSC4
# - CSC4.8
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7

View File

@ -17,15 +17,15 @@ detection:
host.scan.vuln_name: Firewall Product Not Detected*
condition: selection
level: low
tags:
- CSC9
- CSC9.4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 DE.AE-1
- ISO 27002-2013 A.9.1.2
- ISO 27002-2013 A.13.2.1
- ISO 27002-2013 A.13.2.2
- ISO 27002-2013 A.14.1.2
- PCI DSS 3.2 1.4
# tags:
# - CSC9
# - CSC9.4
# - NIST CSF 1.1 PR.AC-5
# - NIST CSF 1.1 PR.AC-6
# - NIST CSF 1.1 PR.AC-7
# - NIST CSF 1.1 DE.AE-1
# - ISO 27002-2013 A.9.1.2
# - ISO 27002-2013 A.13.2.1
# - ISO 27002-2013 A.13.2.2
# - ISO 27002-2013 A.14.1.2
# - PCI DSS 3.2 1.4

View File

@ -21,27 +21,27 @@ detection:
falsepositives:
- unknown
level: low
tags:
- CSC16
- CSC16.11
- ISO27002-2013 A.9.1.1
- ISO27002-2013 A.9.2.1
- ISO27002-2013 A.9.2.2
- ISO27002-2013 A.9.2.3
- ISO27002-2013 A.9.2.4
- ISO27002-2013 A.9.2.5
- ISO27002-2013 A.9.2.6
- ISO27002-2013 A.9.3.1
- ISO27002-2013 A.9.4.1
- ISO27002-2013 A.9.4.3
- ISO27002-2013 A.11.2.8
- PCI DSS 3.1 7.1
- PCI DSS 3.1 7.2
- PCI DSS 3.1 7.3
- PCI DSS 3.1 8.7
- PCI DSS 3.1 8.8
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.PT-3
# tags:
# - CSC16
# - CSC16.11
# - ISO27002-2013 A.9.1.1
# - ISO27002-2013 A.9.2.1
# - ISO27002-2013 A.9.2.2
# - ISO27002-2013 A.9.2.3
# - ISO27002-2013 A.9.2.4
# - ISO27002-2013 A.9.2.5
# - ISO27002-2013 A.9.2.6
# - ISO27002-2013 A.9.3.1
# - ISO27002-2013 A.9.4.1
# - ISO27002-2013 A.9.4.3
# - ISO27002-2013 A.11.2.8
# - PCI DSS 3.1 7.1
# - PCI DSS 3.1 7.2
# - PCI DSS 3.1 7.3
# - PCI DSS 3.1 8.7
# - PCI DSS 3.1 8.8
# - NIST CSF 1.1 PR.AC-1
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AC-6
# - NIST CSF 1.1 PR.AC-7
# - NIST CSF 1.1 PR.PT-3

View File

@ -10,13 +10,13 @@ date: 2021/02/01
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
- https://nvd.nist.gov/vuln/detail/cve-2021-3156
falsepositives:
- Unknown
level: critical
tags:
- attack.privilege_escalation
- attack.t1068
- cve.2021-3156
logsource:
product: linux
service: auditd

View File

@ -13,7 +13,7 @@ level: medium
tags:
- attack.defense_evasion
- attack.t1562.004
- attack.t1089
- attack.t1089 # an old one
---
logsource:
category: process_creation

View File

@ -18,7 +18,8 @@ level: critical
tags:
- attack.privilege_escalation
- attack.t1068
- attack.t1169
- attack.t1169 # an old one
- attack.t1548.003
---
detection:
selection_keywords:
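Review bot: as with t1089 above, `# an old one` next to `attack.t1169` should name the successor that is already in the list, `attack.t1548.003` (Abuse Elevation Control Mechanism: Sudo and Sudo Caching).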

View File

@ -0,0 +1,37 @@
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
description: |
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021/08/17
references:
- https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
- https://threatpost.com/microsoft-petitpotam-poc/168163/
tags:
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dce_rpc
detection:
efs_operation:
operation|startswith:
- 'Efs'
- 'efs'
condition: efs_operation
falsepositives:
- Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium
fields:
- id.orig_h
- id.resp_h
- id.resp_p
- operation
- endpoint
- named_pipe
- uid
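Review bot: the description block carries leftovers: a stray closing quote after `etc..`, the doubled `from from`, and the truncated sentence `from the Source IP to.`; "refereed to" should be "referred to". The rule also has no `status:` field, while its sibling PrintNightmare rule in this commit sets one. Since Sigma string matching is case-insensitive by default, the two `operation|startswith` entries `'Efs'` and `'efs'` are redundant for spec-compliant backends; keep both only if a case-sensitive backend is the target, and say so in a comment.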

View File

@ -0,0 +1,44 @@
title: Possible PrintNightmare Print Driver Install
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
description: |
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
author: '@neu5ron (Nate Guagenti)'
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
- https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://github.com/corelight/CVE-2021-1675
- https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
- https://old.zeek.org/zeekweek2019/slides/bzar.pdf
- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-1678
tags:
- attack.execution
logsource:
product: zeek
service: dce_rpc
detection:
printer_operation:
operation:
- "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
- "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
- "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e
- "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59
- "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09
- "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
condition: printer_operation
falsepositives:
- Legitimate remote alteration of a printer driver.
level: medium
fields:
- id.orig_h
- id.resp_h
- id.resp_p
- operation
- endpoint
- named_pipe
- uid
status: stable
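Review bot: `status: stable` on a rule dated `2021/08/23`, the day it was added, is unusual; every other new rule in this commit starts as `experimental`, and the key sits after `fields` instead of with the other metadata near the top. The description names only CVE-2021-1675 while the references add CVE-2021-34527 and CVE-2021-1678; naming all three in the description, or carrying them as `cve.` tags as the sudo rule in this commit does, would make the coverage explicit.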

View File

@ -1,7 +1,7 @@
title: First Time Seen Remote Named Pipe - Zeek
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
author: OTR (Open Threat Research)
author: OTR (Open Threat Research), @neu5ron
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
@ -10,14 +10,15 @@ tags:
- attack.lateral_movement
- attack.t1021.002
date: 2018/11/28
modified: 2021/08/23
logsource:
product: zeek
service: smb_files
detection:
selection:
path: \\*\IPC$
path|endswith: IPC$
name: spoolss
condition: selection
falsepositives:
- 'Domain Controllers acting as printer servers too? :)'
level: medium
- Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
level: medium
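Review bot: the new title `SMB Spoolss Name Piped Usage` should read `Named Pipe`, and the new false-positive text ("Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too") is hard to parse; "Domain Controllers that also act as print servers (common in practice, though not recommended)" carries the same meaning. Replacing `path: \\*\IPC$` with `path|endswith: IPC$` is fine; it would also match a path with no host prefix, which is harmless here because `name: spoolss` is required as well.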

View File

@ -3,6 +3,7 @@ id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
author: Bhabesh Raj
date: 2021/06/23
modified: 2021/08/24
references:
- https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
tags:
@ -13,7 +14,7 @@ logsource:
service: x509
detection:
selection:
certificate.serial: 8bb00ee
certificate.serial: 8BB00EE
condition: selection
fields:
- san.dns
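Review bot: changing `certificate.serial` from `8bb00ee` to `8BB00EE` alters only the case; Sigma string matching is case-insensitive by default, so for spec-compliant backends this is a no-op. If the change was made because a particular backend compares case-sensitively against Zeek's upper-case hex serial, a comment on the line saying so would stop the next person from "fixing" it back.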

View File

@ -0,0 +1,105 @@
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
date: 2021/08/19
modified: 2021/08/23
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
level: low
logsource:
service: dns
product: zeek
tags:
- attack.t1035 # an old one
- attack.t1569.002
- attack.t1496
detection:
selection:
query|endswith:
- "monerohash.com"
- "do-dear.com"
- "xmrminerpro.com"
- "secumine.net"
- "xmrpool.com"
- "minexmr.org"
- "hashanywhere.com"
- "xmrget.com"
- "mininglottery.eu"
- "minergate.com"
- "moriaxmr.com"
- "multipooler.com"
- "moneropools.com"
- "xmrpool.eu"
- "coolmining.club"
- "supportxmr.com"
- "minexmr.com"
- "hashvault.pro"
- "xmrpool.net"
- "crypto-pool.fr"
- "xmr.pt"
- "miner.rocks"
- "walpool.com"
- "herominers.com"
- "gntl.co.uk"
- "semipool.com"
- "coinfoundry.org"
- "cryptoknight.cc"
- "fairhash.org"
- "baikalmine.com"
- "tubepool.xyz"
- "fairpool.xyz"
- "asiapool.io"
- "coinpoolit.webhop.me"
- "nanopool.org"
- "moneropool.com"
- "miner.center"
- "prohash.net"
- "poolto.be"
- "cryptoescrow.eu"
- "monerominers.net"
- "cryptonotepool.org"
- "extrmepool.org"
- "webcoin.me"
- "kippo.eu"
- "hashinvest.ws"
- "monero.farm"
- "linux-repository-updates.com"
- "1gh.com"
- "dwarfpool.com"
- "hash-to-coins.com"
- "pool-proxy.com"
- "hashfor.cash"
- "fairpool.cloud"
- "litecoinpool.org"
- "mineshaft.ml"
- "abcxyz.stream"
- "moneropool.ru"
- "cryptonotepool.org.uk"
- "extremepool.org"
- "extremehash.com"
- "hashinvest.net"
- "unipool.pro"
- "crypto-pools.org"
- "monero.net"
- "backup-pool.com"
- "mooo.com" # Dynamic DNS, may want to exclude
- "freeyy.me"
- "cryptonight.net"
- "shscrypto.net"
exclude_answers:
answers:
- "127.0.0.1"
- "0.0.0.0"
exclude_rejected:
rejected: "true"
condition: selection and not (exclude_answers OR exclude_rejected)
falsepositives:
- A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
fields:
- id.orig_h
- id.resp_h
- query
- answers
- qtype_name
- rcode_name
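Review bot: the condition uses an upper-case operator, `selection and not (exclude_answers OR exclude_rejected)`, while every other condition in this diff is lower-case; normalise to `or` so converters that tokenise case-sensitively do not choke. Two further points: the `query|endswith` values carry no leading dot, so `"monero.net"` also matches unrelated names such as `notmonero.net` (use `".monero.net"` and add the bare name separately where it matters), and Zeek's `rejected` field is a boolean, so `rejected: "true"` should be `rejected: true` for backends that map types. The `mooo.com` entry is already flagged as dynamic DNS in its comment; ship it commented out rather than active if it is expected to be noisy.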


@ -10,7 +10,8 @@ references:
- 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
author: '@neu5ron, SOC Prime Team, Corelight'
tags:
- attack.t1094
- attack.t1094 # an old one
- attack.t1095
- attack.t1043
- attack.command_and_control
logsource:
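Review bot: `attack.t1094` is annotated `# an old one`, but `attack.t1043` on the following line is also a retired technique (Commonly Used Port) and should carry the same annotation or be dropped, since the current `attack.t1095` is already listed.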


@ -0,0 +1,51 @@
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
date: 2021/08/15
author: Saw Winn Naung , Azure-Sentinel
level: medium
logsource:
service: dns
product: zeek
tags:
- attack.t1048
detection:
selection:
query:
- "tor2web.org"
- "tor2web.com"
- "torlink.co"
- "onion.to"
- "onion.ink"
- "onion.cab"
- "onion.nu"
- "onion.link"
- "onion.it"
- "onion.city"
- "onion.direct"
- "onion.top"
- "onion.casa"
- "onion.plus"
- "onion.rip"
- "onion.dog"
- "tor2web.fi"
- "tor2web.blutmagie.de"
- "onion.sh"
- "onion.lu"
- "onion.pet"
- "t2w.pw"
- "tor2web.ae.org"
- "tor2web.io"
- "tor2web.xyz"
- "onion.lt"
- "s1.tor-gateways.de"
- "s2.tor-gateways.de"
- "s3.tor-gateways.de"
- "s4.tor-gateways.de"
- "s5.tor-gateways.de"
- "hiddenservice.net"
condition: selection
fields:
- clientip
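Review bot: `query:` without a modifier is an exact match, so `tor2web.org` will not match `www.tor2web.org` or any other subdomain as recorded in Zeek dns.log; the mining-pool rule added in this same commit uses `query|endswith` for exactly that reason, so use the same modifier here (with leading dots where the bare domain is not itself of interest). The `fields` entry `clientip` is not a Zeek field name; the other Zeek rules in this diff use `id.orig_h`. Minor: `author: Saw Winn Naung , Azure-Sentinel` has a stray space before the comma.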


@ -38,8 +38,8 @@ detection:
#- x.x.x.x
condition: not selection #and not approved_rdp
fields:
- src_ip
- dst_ip
- id.orig_h
- id.resp_h
falsepositives:
- none
- Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
level: high
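Review bot: the falsepositives list now reads `- none` followed by a long entry describing exactly when this fires legitimately; the two contradict each other, so drop `- none`. The rename to `id.orig_h` / `id.resp_h` is correct for Zeek conn.log and matches the other Zeek rules in this commit.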


@ -0,0 +1,23 @@
title: Detect Sql Injection By Keywords
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: experimental
description: Detects sql injection that use GET requests by keyword searches in URL strings
author: Saw Win Naung
date: 2020/02/22
logsource:
category: webserver
detection:
keywords:
- '=select'
- '=union'
- '=concat'
condition: keywords
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- Java scripts and CSS Files
- User searches in search boxes of the respective website
level: high
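Review bot: `keywords:` with `=select`, `=union` and `=concat` is a full-line keyword search, so any request whose query string has a parameter value beginning with one of those words (a form field `mode=select`, say) raises a level-high alert; the Arcadyan rule in this same commit shows the field to use instead, `c-uri|contains` under `category: webserver`, which would also let `fields` use the same taxonomy rather than `url` and `client_ip`. `date: 2020/02/22` looks stale for a rule first added in August 2021, and `Java scripts and CSS Files` should read `JavaScript and CSS files`.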


@ -0,0 +1,40 @@
title: Arcadyan Router Exploitations
id: f0500377-bc70-425d-ac8c-e956cd906871
status: experimental
description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
references:
- https://nvd.nist.gov/vuln/detail/cve-2021-20090
- https://nvd.nist.gov/vuln/detail/cve-2021-20091
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://www.tenable.com/security/research/tra-2021-13
- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
author: Bhabesh Raj
date: 2021/08/24
modified: 2021/08/25
falsepositives:
- Unknown
level: critical
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
path_traversal:
c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal)
- '..%2f'
config_file_inj:
c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
- '..%2f'
- 'apply_abstract.cgi'
noauth_list:
c-uri|contains:
- '/images/'
- '/js/'
- '/css/'
- '/setup_top_login.htm'
- '/login.html'
- '/loginerror.html'
- '/loginexclude.html'
- '/loginlock.html'
condition: (path_traversal or config_file_inj) and noauth_list
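Review bot: `config_file_inj` requires both `..%2f` and `apply_abstract.cgi`, so every event it matches is already matched by `path_traversal`, which needs only `..%2f`; the `or` in `(path_traversal or config_file_inj)` therefore never adds anything and the condition reduces to `path_traversal and noauth_list`. If the intent is to distinguish the plain auth bypass from the chained config-file injection, split this into two rules (or two conditions) with their own levels; otherwise drop `config_file_inj` so the YAML matches what actually runs. Given `falsepositives: - Unknown` and `level: critical`, also spell out in the description what request pattern from the Tenable write-up the rule expects.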


@ -9,6 +9,7 @@ references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
- https://twitter.com/pyn3rd/status/1020620932967223296
- https://github.com/LandGrey/CVE-2018-2894
- https://nvd.nist.gov/vuln/detail/cve-2018-2894
logsource:
category: webserver
detection:
@ -26,5 +27,4 @@ tags:
- attack.t1190
- attack.initial_access
- attack.persistence
- cve.2018-2894
- attack.t1505.003


@ -10,6 +10,7 @@ references:
- https://isc.sans.edu/diary/26734
- https://twitter.com/jas502n/status/1321416053050667009?s=20
- https://twitter.com/sudo_sudoka/status/1323951871078223874
- https://nvd.nist.gov/vuln/detail/cve-2020-14882
logsource:
category: webserver
detection:
@ -28,4 +29,3 @@ tags:
- attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- cve.2020-14882


@ -8,6 +8,7 @@ references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
- https://twitter.com/aboul3la/status/1286012324722155525
- https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
- https://nvd.nist.gov/vuln/detail/CVE-2020-3452
logsource:
category: webserver
detection:
@ -34,4 +35,3 @@ tags:
- attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- cve.2020-3452


@ -7,6 +7,7 @@ date: 2021/01/20
references:
- https://twitter.com/pyn3rd/status/1351696768065409026
- https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
- https://nvd.nist.gov/vuln/detail/cve-2021-2109
logsource:
category: webserver
detection:
@ -26,4 +27,3 @@ level: critical
tags:
- attack.t1190
- attack.initial_access
- cve.2021-2109


@ -8,6 +8,7 @@ references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
- https://twitter.com/wugeej/status/1369476795255320580
- https://paper.seebug.org/1495/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21978
logsource:
category: webserver
detection:
@ -27,4 +28,3 @@ level: high
tags:
- attack.initial_access
- attack.t1190
- cve.2021-21978


@ -7,6 +7,7 @@ date: 2021/05/22
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
- https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
- https://nvd.nist.gov/vuln/detail/cve-2021-21978
logsource:
category: webserver
detection:
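Review bot: the added reference `https://nvd.nist.gov/vuln/detail/cve-2021-21978` points at a different vulnerability than the one this rule covers; the existing references are for CVE-2021-26814 (and the MITRE link two lines up even lacks the `CVE-` prefix, `cvename.cgi?name=2021-26814`), so this looks like a copy of the preceding hunk. Use `https://nvd.nist.gov/vuln/detail/CVE-2021-26814` and fix the MITRE URL to `cvename.cgi?name=CVE-2021-26814`. The tag removed in the next hunk, `cve.2021-21978`, carried the same wrong identifier, so the mix-up predates this commit but should be cleaned up here.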
@ -22,4 +23,3 @@ level: high
tags:
- attack.initial_access
- attack.t1190
- cve.2021-21978


@ -8,6 +8,7 @@ references:
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2020-28188
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
- https://nvd.nist.gov/vuln/detail/cve-2020-28188
logsource:
category: webserver
detection:
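Review bot: the added `- https://nvd.nist.gov/vuln/detail/cve-2020-28188` duplicates the existing reference two lines above (`.../detail/CVE-2020-28188`, differing only in case); drop the new line rather than listing the same URL twice.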
@ -34,4 +35,3 @@ level: critical
tags:
- attack.t1190
- attack.initial_access
- cve.2020-28188


@ -10,8 +10,8 @@ date: 2021/03/03
modified: 2021/08/09
tags:
- attack.execution
- attack.t1086
- attack.t1059.005
- attack.t1086 # an old one
- attack.t1059.001
- attack.collection
- attack.t1114
logsource:
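Review bot: this hunk swaps `attack.t1059.005` (Visual Basic) for `attack.t1059.001` (PowerShell) and keeps `attack.t1086` only as the deprecated alias; that is a change of meaning rather than housekeeping, so confirm the rule's detection is actually PowerShell-based and bump `modified: 2021/08/09` to the date of this change.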


@ -33,5 +33,5 @@ falsepositives:
level: high
tags:
- attack.persistence
- attack.t1100
- attack.t1100 # an old one
- attack.t1505.003


@ -0,0 +1,24 @@
title: Detect XSS Attempts By Keywords
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: experimental
description: Detects XSS that use GET requests by keyword searches in URL strings
author: Saw Win Naung
date: 2021/08/15
logsource:
category: webserver
detection:
keywords:
- '=cookie'
- '=script'
- '=onload'
- '=onmouseover'
condition: keywords
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- Java scripts,CSS Files and PNG files
- User searches in search boxes of the respective website
level: high
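Review bot: same concern as the SQL-injection rule in this commit: `keywords` with `=script`, `=cookie`, `=onload` is a full-line search, so any parameter value starting with those words (`type=script`, a cookie-consent parameter) raises a level-high alert. Use `c-uri|contains` under `category: webserver` as the Arcadyan rule does, and be aware the plain literal misses URL-encoded forms such as `%3Cscript`, which is what detection coverage of this kind usually needs. Minor: `Java scripts,CSS Files and PNG files` needs a space after the comma and should read `JavaScript, CSS and PNG files`.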


@ -8,7 +8,8 @@ references:
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
tags:
- attack.t1204
- attack.t1193
- attack.t1193 # an old one
- attack.t1566.001
- attack.execution
- attack.initial_access
logsource:


@ -0,0 +1,26 @@
title: Security Event Log Cleared
id: a122ac13-daf8-4175-83a2-72c387be339d
status: experimental
description: Checks for event id 1102 which indicates the security event log was cleared.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
date: 2021/08/15
author: Saw Winn Naung
level: medium
logsource:
service: security
product: windows
tags:
- attack.t1107 # an old one
- attack.t1070.001
detection:
selection:
EventID: 1102
condition: selection
fields:
- SubjectLogonId
- SubjectUserName
- SubjectUserSid
- SubjectDomainName
falsepositives:
- Legitimate administrative activity
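Review bot: the author is spelled `Saw Winn Naung` here and in the two Zeek DNS rules, but `Saw Win Naung` in the SQL-injection and XSS rules added by the same commit; pick one spelling. Also reconsider `level: medium`: the only listed false positive is `Legitimate administrative activity`, and a cleared Security log is an event most SOCs want to triage promptly.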


@ -8,11 +8,11 @@ references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://twitter.com/fuzzyf10w/status/1410202370835898371
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
date: 2021/06/30
modified: 2021/07/08
tags:
- attack.execution
- cve.2021-1675
logsource:
product: windows
service: printservice-admin


@ -6,11 +6,11 @@ status: experimental
level: critical
references:
- https://twitter.com/INIT_3/status/1410662463641731075
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-34527
date: 2021/07/02
tags:
- attack.execution
- cve.2021-1675
- cve.2021-34527
logsource:
product: windows
service: security


@ -6,10 +6,10 @@ status: experimental
level: critical
references:
- https://twitter.com/MalwareJake/status/1410421967463731200
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
date: 2021/07/01
tags:
- attack.execution
- cve.2021-1675
logsource:
product: windows
service: printservice-operational


@ -5,11 +5,12 @@ author: Florian Roth
date: 2021/05/05
references:
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
- https://nvd.nist.gov/vuln/detail/cve-2021-21551
logsource:
category: driver_load
product: windows
tags:
- cve.2021-21551
- attack.privilege_escalation
detection:
selection_image:
ImageLoaded|contains: '\DBUtil_2_3.Sys'


@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
author: Bhabesh Raj
date: 2021/07/01
modified: 2021/08/24
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574
- cve.2021-1675
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith:
- 'spoolsv.exe'
TargetFilename|contains:
- 'C:\Windows\System32\spool\drivers\x64\3\'
Image|endswith: 'spoolsv.exe'
TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
condition: selection
falsepositives:
- Unknown
level: high
level: high
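Review bot: the collapsed `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'` keeps a hard-coded drive letter, while the matching image_load rule later in this commit uses `'\Windows\System32\spool\drivers\x64\3\'`; drop `C:` here too so the two PrintNightmare rules agree on hosts with a non-standard system drive. The final `level: high` removed-and-re-added pair is a whitespace-only change (trailing newline), not a level change; fine, but worth knowing when reading the history.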


@ -9,11 +9,11 @@ level: critical
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://nvd.nist.gov/vuln/detail/cve-2021-26858
date: 2021/03/03
tags:
- attack.t1203
- attack.execution
- cve.2021-26858
logsource:
category: file_event
product: windows


@ -8,11 +8,12 @@ references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
date: 2021/06/29
modified: 2021/07/01
tags:
- attack.execution
- cve.2021-1675
- attack.privilege_escalation
logsource:
category: file_event
product: windows


@ -9,11 +9,11 @@ references:
- https://github.com/FireFart/hivenightmare/
- https://github.com/WiredPulse/Invoke-HiveNightmare
- https://twitter.com/cube0x0/status/1418920190759378944
- https://nvd.nist.gov/vuln/detail/cve-2021-36934
logsource:
product: windows
category: file_event
tags:
- cve.2021-36934
- attack.credential_access
- attack.t1552.001
detection:


@ -7,7 +7,7 @@ references:
author: '@ScoubiMtl'
tags:
- attack.persistence
- command_and_control
- attack.command_and_control
- attack.t1137
- attack.t1008
- attack.t1546


@ -4,27 +4,24 @@ status: experimental
description: Detect DLL Load from Spooler Service backup folder
references:
- https://github.com/hhlxf/PrintNightmare
- https://nvd.nist.gov/vuln/detail/cve-2021-1675
- https://nvd.nist.gov/vuln/detail/cve-2021-34527
author: FPT.EagleEye, Thomas Patzke (improvements)
date: 2021/06/29
modified: 2021/07/08
modified: 2021/08/24
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574
- cve.2021-1675
- cve.2021-34527
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- 'spoolsv.exe'
ImageLoaded|contains:
- '\Windows\System32\spool\drivers\x64\3\'
ImageLoaded|endswith:
- '.dll'
Image|endswith: 'spoolsv.exe'
ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\'
ImageLoaded|endswith: '.dll'
condition: selection
falsepositives:
- Loading of legitimate driver


@ -16,7 +16,7 @@ references:
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
- attack.persistence
- attack.t1100
- attack.t1100 # an old one
- attack.t1505.003
logsource:
product: antivirus


@ -0,0 +1,29 @@
title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: experimental
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
- https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt
date: 2021/08/23
logsource:
service: msexchange-management
product: windows
detection:
export_command:
- 'New-ExchangeCertificate'
- ' -GenerateRequest'
- ' -BinaryEncoded'
- ' -RequestFile'
export_params:
- '\\\\localhost\\C$'
- '\\\\127.0.0.1\\C$'
- 'C:\\inetpub'
- '.aspx'
condition: all of export_command and export_params
falsepositives:
- unlikely
level: critical
tags:
- attack.persistence
- attack.t1505.003
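Review bot: `all of export_command and export_params` does not express the intended "all four strings must be present" check. `export_command` is a single keyword list whose entries are OR-ed, and `all of` only combines selections matched by a name pattern, so the condition is effectively `export_command and export_params` and fires on any log line containing `New-ExchangeCertificate` (or just ` -RequestFile`) together with one of the path markers. To require all four, either bind them to the field that holds the cmdlet invocation with `|contains|all`, or split them into `export_cmd_1`..`export_cmd_4` and use `all of export_cmd_* and export_params`. Minor: `falsepositives: - unlikely` should be capitalised like `Unknown` in the other rules.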


@ -0,0 +1,26 @@
title: EfsPotato Named Pipe
id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
status: experimental
description: Detects the pattern of a pipe name as used by the tool EfsPotato
references:
- https://twitter.com/SBousseaden/status/1429530155291193354?s=20
- https://github.com/zcgonvh/EfsPotato
date: 2021/08/23
author: Florian Roth
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
detection:
selection:
PipeName|contains:
- '\pipe\'
- '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives)
condition: selection
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
falsepositives:
- Unknown
level: critical
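Review bot: both `PipeName|contains` values are active and OR-ed, and `'\pipe\srvsvc'` contains `'\pipe\'`, so the second entry can never fire on its own; the inline comment says to use only the specific one if the broad one is too noisy, but as committed the broad match always wins. Either comment out `'\pipe\'` by default or put it in a separate selection so a user can switch without editing the list. The comment itself reads `use only this one of the other causes too many false positives`; it should say `if the other`.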


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection2:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection2:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -14,7 +14,7 @@ date: 2021/07/16
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection_eventid:
EventID: 4104


@ -12,11 +12,11 @@ modified: 2020/10/09
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.t1086 # an old one
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103
detection:
selection_4104:
EventID: 4104
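Review bot: the new definition reads `Module Logging must be enable for 4103`; it should be `enabled`, and `for 4104 , Module` has a stray space before the comma. The same sentence appears in several slightly different wordings across this commit (`for 4104,Module`, `4104 Script block logging must be enabled , 4103 ...`); settle on one exact string so the definition can be grepped for and lint-checked.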


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
detection:
selection_1:
EventID: 4104


@ -17,7 +17,7 @@ modified: 2021/08/04
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -10,7 +10,7 @@ references:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -13,7 +13,7 @@ references:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -13,7 +13,7 @@ references:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection1:
EventID: 4104


@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104


@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski
logsource:
product: windows
service: powershell
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
definition: Script Block Logging must be enable
detection:
selection:
EventID: 4104
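Review bot: `Script Block Logging must be enable` is missing its final `d`; the other rules updated in this commit use `Script block logging must be enabled` (lower-case `block logging`), so use that exact string.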


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104
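Review bot: `enabled for 4104,Module Logging` is missing the space after the comma that the sibling hunks have (`for 4104, Module Logging`).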


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
detection:
selection_1:
EventID: 4104
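Review bot: `Module Logging must be enable for 4103` should read `enabled`, matching the other hunks in this commit.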


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -14,7 +14,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -15,7 +15,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
detection:
selection_1:
EventID: 4104


@ -10,13 +10,13 @@ tags:
- attack.t1086 #an old one
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
modified: 2020/10/11
modified: 2021/08/21
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: Script Block Logging must be enable
detection:
keywords:
select_Malicious:
EventID: 4104
ScriptBlockText|contains:
- "Invoke-DllInjection"
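Review bot: `Script Block Logging must be enable` is missing its final `d`. The replaced definition carried the reference `https://adsecurity.org/?p=2277`; if it is not already in the `references` list, move it there rather than dropping it. Renaming `keywords` to `select_Malicious` is fine functionally, but the other selections in this diff are lower-case (`selection`, `path_traversal`), so `selection_malicious` would fit the convention better.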
@ -115,10 +115,8 @@ detection:
- "Invoke-Mimikittenz"
- "Invoke-AllChecks"
false_positives:
EventID: 4104
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: select_Malicious and not false_positives
falsepositives:
- Penetration testing
level: high


@ -10,33 +10,36 @@ tags:
- attack.t1086 #an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
modified: 2021/08/21
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- "AdjustTokenPrivileges"
- "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
- "Microsoft.Win32.UnsafeNativeMethods"
- "ReadProcessMemory.Invoke"
- "SE_PRIVILEGE_ENABLED"
- "LSA_UNICODE_STRING"
- "MiniDumpWriteDump"
- "PAGE_EXECUTE_READ"
- "SECURITY_DELEGATION"
- "TOKEN_ADJUST_PRIVILEGES"
- "TOKEN_ALL_ACCESS"
- "TOKEN_ASSIGN_PRIMARY"
- "TOKEN_DUPLICATE"
- "TOKEN_ELEVATION"
- "TOKEN_IMPERSONATE"
- "TOKEN_INFORMATION_CLASS"
- "TOKEN_PRIVILEGES"
- "TOKEN_QUERY"
- "Metasploit"
- "Mimikatz"
condition: keywords
Malicious:
EventID: 4104
ScriptBlockText|contains:
- "AdjustTokenPrivileges"
- "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
- "Microsoft.Win32.UnsafeNativeMethods"
- "ReadProcessMemory.Invoke"
- "SE_PRIVILEGE_ENABLED"
- "LSA_UNICODE_STRING"
- "MiniDumpWriteDump"
- "PAGE_EXECUTE_READ"
- "SECURITY_DELEGATION"
- "TOKEN_ADJUST_PRIVILEGES"
- "TOKEN_ALL_ACCESS"
- "TOKEN_ASSIGN_PRIMARY"
- "TOKEN_DUPLICATE"
- "TOKEN_ELEVATION"
- "TOKEN_IMPERSONATE"
- "TOKEN_INFORMATION_CLASS"
- "TOKEN_PRIVILEGES"
- "TOKEN_QUERY"
- "Metasploit"
- "Mimikatz"
condition: Malicious
falsepositives:
- Penetration tests
level: high
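Review bot: this hunk binds the list to `ScriptBlockText|contains` with `EventID: 4104` but leaves the `definition` line saying Script Block Logging is merely recommended; the rule now depends on 4104, so change it to `Script block logging must be enabled` like the sibling rules in this commit. The selection name `Malicious` is capitalised while the other rules in this diff use lower-case names such as `selection`.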


@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: experimental
description: Detects Commandlet names and arguments from the Nishang exploitation framework
date: 2019/05/16
modified: 2021/07/21
modified: 2021/08/21
references:
- https://github.com/samratashok/nishang
tags:
@ -14,10 +14,11 @@ author: Alec Costello
logsource:
product: windows
service: powershell
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
definition: Script block logging must be enabled
detection:
keywords:
Payload|contains:
Nishang:
EventID: 4104
ScriptBlockText|contains:
- Add-ConstrainedDelegationBackdoor
- Set-DCShadowPermissions
- DNS_TXT_Pwnage
@ -89,7 +90,7 @@ detection:
- NotAllNameSpaces
- exfill
- FakeDC
condition: keywords
condition: Nishang
falsepositives:
- Penetration testing
level: high
