4 rules to cover ART

2024-11-07 09:48:58 +00:00 · 2019-10-25 15:38:47 +04:00 · 2019-10-25 15:38:47 +04:00 · dcaacd07bf
commit dcaacd07bf
parent 454ba2b576
4 changed files with 109 additions and 0 deletions
--- a/rules/windows/process_creation/win_susp_direct_run_key_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_run_key_modification.yml
@ -0,0 +1,27 @@
+title: Direct Run key modification
+description: Detects direct Run key modification for persistence using reg.exe.
+status: test
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+    - attack.persistence
+    - attack.t1060
+date: 2019/10/25
+modified: 2019/10/25
+author: Victor Sergeev, oscd.community
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\reg.exe'
+        CommandLine:
+            - '*add*Microsoft\Windows\CurrentVersion\Run*'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Admin scripts
+level: high
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
@ -0,0 +1,27 @@
+title: Suspicious netsh Dll persistence
+description: Detects pesitence via netsh helper
+status: test
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+    - attack.persistence
+    - attack.t1060
+date: 2019/10/25
+modified: 2019/10/25
+author: Victor Sergeev, oscd.community
+logsource:
+    category: process_creation
+    product: windows   
+detection:
+    selection:
+        Image:
+            - '*\netsh.exe'
+        CommandLine:
+            - '*add*helper*'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unkown
+level: high
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@ -0,0 +1,28 @@
+title: Suspicious service path modification
+description: Detects service path modification to powershell/cmd
+status: test
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
+tags:
+    - attack.persistence
+    - attack.t1031
+date: 2019/10/21
+modified: 2019/10/21
+author: Victor Sergeev, oscd.community
+logsource:
+    category: process_creation
+    product: windows   
+detection:
+    selection:
+        Image:
+            - '*\sc.exe'
+        CommandLine:
+            - '*config*binpath*powershell*'
+            - '*config*binpath*cmd*'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high
--- a/rules/windows/sysmon/sysmon_runkey_from_powershell.yml
+++ b/rules/windows/sysmon/sysmon_runkey_from_powershell.yml
@ -0,0 +1,27 @@
+title: Autorun key modification from powershell/cmd
+description: Detects possible persistence from powershell/cmd scripts
+status: test
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+    - attack.persistence
+    - attack.t1060
+date: 2019/10/21
+modified: 2019/10/21
+author: Victor Sergeev, oscd.community
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        Image: 
+            - '*\powershell.exe'
+            - '*\cmd.exe'
+        TargetObject: 
+            - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+            - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
+    condition: selection
+falsepositives:
+    - Admin scripts
+level: medium