diff --git a/rules/windows/process_creation/win_susp_direct_run_key_modification.yml b/rules/windows/process_creation/win_susp_direct_run_key_modification.yml
new file mode 100644
index 00000000..e6b707a2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_direct_run_key_modification.yml
@@ -0,0 +1,27 @@
+title: Direct Run key modification
+description: Detects direct Run key modification for persistence using reg.exe.
+status: test
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+ - attack.persistence
+ - attack.t1060
+date: 2019/10/25
+modified: 2019/10/25
+author: Victor Sergeev, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\reg.exe'
+ CommandLine:
+ - '*add*Microsoft\Windows\CurrentVersion\Run*'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Admin scripts
+level: high
diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
new file mode 100644
index 00000000..46e1f21f
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
@@ -0,0 +1,27 @@
+title: Suspicious netsh Dll persistence
+description: Detects pesitence via netsh helper
+status: test
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+ - attack.persistence
+ - attack.t1060
+date: 2019/10/25
+modified: 2019/10/25
+author: Victor Sergeev, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\netsh.exe'
+ CommandLine:
+ - '*add*helper*'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unkown
+level: high
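Review bot: The selection in win_susp_direct_run_key_modification.yml keys only on `Image: '*\reg.exe'`, so a copy of reg.exe renamed to anything else that writes the same Run key never matches; the same single-Image dependency is in the netsh and sc rules of this commit. A second selection on the PE's original name, e.g. `selection_orig:` / `OriginalFileName: reg.exe` combined with `condition: 1 of selection*`, keeps the rule firing regardless of the on-disk name where the event source carries that field (Sysmon Event 1 does; a plain 4688 source presumably does not, in which case the extra selection is simply inert). Separately, the trailing `Run*` wildcard also covers RunOnce and RunServices, which is useful but not what the title "Direct Run key modification" or the description states; I would widen the description to `Detects direct Run/RunOnce key modification for persistence using reg.exe.` so analysts are not surprised by RunOnce hits.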
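Review bot: The analyst-facing strings in win_susp_netsh_dll_persistence.yml carry typos that will be copied into every alert: `description: Detects pesitence via netsh helper` should read `description: Detects persistence via a netsh helper DLL registration` and `- Unkown` should be `- Unknown`. The pattern `'*add*helper*'` is a loose substring match that fires on any netsh command line containing "add" and later "helper", not only the `add helper` verb; if the looseness is deliberate (netsh accepts abbreviated verbs, so `add helper` may not appear verbatim), that reasoning belongs in the description, otherwise `'*add helper*'` is the tighter form. With level `high` and falsepositives unknown, a one-line description of what a benign hit looks like (software installers registering helpers) would help triage.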
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
new file mode 100644
index 00000000..93ae0e96
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -0,0 +1,28 @@
+title: Suspicious service path modification
+description: Detects service path modification to powershell/cmd
+status: test
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
+tags:
+ - attack.persistence
+ - attack.t1031
+date: 2019/10/21
+modified: 2019/10/21
+author: Victor Sergeev, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\sc.exe'
+ CommandLine:
+ - '*config*binpath*powershell*'
+ - '*config*binpath*cmd*'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_runkey_from_powershell.yml b/rules/windows/sysmon/sysmon_runkey_from_powershell.yml
new file mode 100644
index 00000000..3cda627f
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_runkey_from_powershell.yml
@@ -0,0 +1,27 @@
+title: Autorun key modification from powershell/cmd
+description: Detects possible persistence from powershell/cmd scripts
+status: test
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+ - attack.persistence
+ - attack.t1060
+date: 2019/10/21
+modified: 2019/10/21
+author: Victor Sergeev, oscd.community
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 13
+ Image:
+ - '*\powershell.exe'
+ - '*\cmd.exe'
+ TargetObject:
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
+ condition: selection
+falsepositives:
+ - Admin scripts
+level: medium
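Review bot: In win_susp_service_path_modification.yml the second pattern `'*config*binpath*cmd*'` matches any binPath whose path or binary name merely contains the substring "cmd", so a legitimate `sc config` pointing at a service executable or directory with "cmd" in its name raises a high-severity alert; the `*powershell*` pattern has the same shape but the substring is far less common in benign paths. Anchoring on the shell invocation, e.g. `- '*config*binpath*cmd.exe*'` and `- '*config*binpath*cmd /*'`, would cover the `cmd /c` and `cmd.exe /c` forms without the generic substring hit, though whether the looser match was intended to catch other spellings is not stated. The rule is also limited to `config`; `sc create` with the same binPath values is the creation-time twin and, if it is meant to stay out of scope for a T1031 modification rule, saying so in the description avoids a reviewer assuming it was overlooked. `falsepositives: Unknown` is worth replacing with the concrete case above (admin reconfiguration of service binaries) once the pattern is tightened.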
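Review bot: The `TargetObject` patterns in sysmon_runkey_from_powershell.yml require `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\` to be contiguous, so a value written under `SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` (the redirected view a 32-bit process presumably gets on x64) does not match; dropping the `\SOFTWARE` prefix, `- '*\Microsoft\Windows\CurrentVersion\Run\\*'` and `- '*\Microsoft\Windows\CurrentVersion\RunOnce\\*'`, closes that gap without widening the match beyond the two autorun keys. The rule only produces hits if the deployed Sysmon configuration emits Event 13 for these keys, which is a deployment prerequisite the description should state, e.g. `description: Detects possible persistence from powershell/cmd scripts writing Run/RunOnce values; requires a Sysmon config that logs registry value sets (Event 13) for these keys.` The `Image` list names `powershell.exe` and `cmd.exe` only, so `pwsh.exe` is not covered, and unlike its three siblings in this commit the rule has no `fields:` list, which is a small consistency point for whoever renders alerts.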