Merge pull request #1 from Neo23x0/master

update from upstream
This commit is contained in:
Dennis P 2021-02-08 11:03:35 +02:00 committed by GitHub
commit e401750c91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 637 additions and 135 deletions


@ -323,6 +323,10 @@ These tools are not part of the main toolchain and maintained separately by thei
* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
Sigma is available in some Linux distribution repositories:
[![Packaging status](https://repology.org/badge/vertical-allrepos/sigma.svg)](https://repology.org/project/sigma/versions)
# Contribution
If you want to contribute, you are more then welcome. There are numerous ways to help this project.
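Review bot: the line `Sigma is available in some Linux distribution repositories:` and the repology badge follow the bullet list directly; in Markdown, text placed right after a list item without a blank line is rendered as part of that item, so keep an empty line between the last `*` entry and this sentence (if the rendered view merely dropped it, ignore this). The `# Contribution` heading should likewise be separated from the badge by a blank line so renderers do not glue the image to the heading.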


@ -0,0 +1,37 @@
title: Cisco ASA FTD Exploit CVE-2020-3452
id: aba47adc-4847-4970-95c1-61dce62a8b29
status: experimental
description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
author: Florian Roth
date: 2021/01/07
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
- https://twitter.com/aboul3la/status/1286012324722155525
- https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
logsource:
category: webserver
detection:
selection_endpoint:
c-uri|contains:
- '+CSCOT+/translation-table'
- '+CSCOT+/oem-customization'
selection_path_select:
c-uri|contains:
- '&textdomain=/'
- '&textdomain=%'
- '&name=/'
- '&name=%'
select_status_code:
sc-status: 200
condition: selection_endpoint and selection_path_select and select_status_code
fields:
- c-ip
- c-dns
falsepositives:
- Unknown
level: high
tags:
- attack.t1100 # an old one
- attack.t1190
- attack.initial_access
- cve.2020-3452
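Review bot: typo in the description, `(sccessful exploitation)` should read `(successful exploitation)`. The third selection is named `select_status_code` while the other two use the `selection_` prefix; renaming it `selection_status_code` keeps the rule consistent and allows `all of selection*` in the condition. Note that `sc-status: 200` deliberately limits the rule to successful reads; if the same URI patterns with other status codes should be surfaced at a lower level, that belongs in a second rule rather than a looser condition here.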


@ -0,0 +1,29 @@
title: Oracle WebLogic Exploit CVE-2021-2109
id: 687f6504-7f44-4549-91fc-f07bab065821
status: experimental
description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
author: Bhabesh Raj
date: 2021/01/20
references:
- https://twitter.com/pyn3rd/status/1351696768065409026
- https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
c-uri|contains|all:
- 'com.bea.console.handles.JndiBindingHandle'
- 'ldap://'
- 'AdminServer'
condition: selection
fields:
- c-ip
- c-dns
falsepositives:
- Unknown
level: critical
tags:
- attack.t1190
- attack.initial_access
- cve.2021-2109
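Review bot: the `c-uri|contains|all` terms match the literal `ldap://`, but web server logs often record the URI URL-encoded, where the same value appears as `ldap%3A%2F%2F` (or lowercase `%3a%2f%2f`); either add the encoded form as a second selection or state in `description:` that the log source is expected to deliver decoded URIs. Restricting to `cs-method: 'GET'` is fine as long as the description says the rule covers the GET variant only.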


@ -0,0 +1,27 @@
title: SonicWall SSL/VPN Jarrewrite Exploit
id: 6f55f047-112b-4101-ad32-43913f52db46
status: experimental
description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
author: Florian Roth
date: 2021/01/25
tags:
- attack.t1190
- attack.initial_access
references:
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/cgi-bin/jarrewrite.sh'
c-useragent|contains:
- ':;'
- '() {'
- '/bin/bash -c'
condition: selection
fields:
- c-ip
- c-dns
falsepositives:
- Unknown
level: high
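Review bot: the description is circular (`Detects exploitation attempts of the SonicWall Jarrewrite Exploit`); say what is matched, i.e. requests to `/cgi-bin/jarrewrite.sh` whose User-Agent carries a shell function definition or `/bin/bash -c`. The `tags:` block also sits between `date:` and `references:`, whereas the other new rules in this PR place `references:` before `tags:`; reorder for consistency.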


@ -3,6 +3,7 @@ id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
logsource:
product: windows
service: application
@ -29,6 +30,8 @@ detection:
- "*Xscan*"
- "*Clearlog*"
- "*ASPXSpy*"
- "*Seatbelt*"
- "*sbelt*"
filters:
Message:
- "*Keygen*"
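Review bot: `- "*sbelt*"` is a five-character substring; it does not overlap with `"*Seatbelt*"` (that name contains `tbelt`, not `sbelt`), so both entries are needed, but a comment naming the vendor signature the short form is meant to catch would help future maintainers judge false positives. Adding `modified: 2021/01/07` alongside the content change is correct.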


@ -0,0 +1,22 @@
title: NTFS Vulnerability Exploitation
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
description: This the exploitation of a NTFS vulnerabilty as reported without many details via Twitter
author: Florian Roth
date: 2021/01/11
references:
- https://twitter.com/jonasLyk/status/1347900440000811010
- https://twitter.com/wdormann/status/1347958161609809921
logsource:
product: windows
service: system
detection:
selection:
EventID: 55
Origin: 'File System Driver'
Description|contains|all:
- 'contains a corrupted file record'
- 'The name of the file is "\"'
condition: selection
falsepositives:
- Unlikely
level: critical
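Review bot: the description is missing its verb, `This the exploitation of a NTFS vulnerabilty` should read `Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter`. The rule also has no `status:` and no `tags:` block, unlike the other new rules in this PR; `status: experimental` fits the description's own caveat about the lack of details, and a `tags:` entry keeps it discoverable.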


@ -0,0 +1,26 @@
title: Scheduled Task Deletion
id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
status: experimental
author: David Strassegger
date: 2021/01/22
tags:
- attack.execution
- attack.privilege_escalation
- attack.t1053 # an old one
- car.2013-08-001
- attack.t1053.005
references:
- https://twitter.com/matthewdunwoody/status/1352356685982146562
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID: 4699
condition: selection
falsepositives:
- Software installation
level: medium
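Review bot: the selection matches every Event ID 4699, yet the description singles out tasks created directly under the root node (`\TASKNAME`); either add a `TaskName` selection that encodes that, or make the description say this is a broad triage rule and that the task name is expected to be inspected by the analyst. The `definition:` text is the right place for the audit-policy prerequisite; it could add that without `Audit Other Object Access Events` enabled the rule silently produces nothing.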


@ -1,13 +1,13 @@
title: Avusing Azure Browser SSO
title: Abusing Azure Browser SSO
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
author: Den Iuzvyk
references:
- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
date: 2020/07/15
modified: 2020/08/26
modified: 2020/12/23
logsource:
category: sysmon
category: image_load
product: windows
status: experimental
tags:
@ -18,7 +18,6 @@ tags:
detection:
condition: selection_dll and not filter_legit
selection_dll:
EventID: 7
ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
filter_legit:
Image|endswith:
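Review bot: switching the logsource from `category: sysmon` to `category: image_load` and dropping `EventID: 7` is the right pairing, since the generic category already implies the Sysmon image-load event and keeps the rule usable with other sensors. The `description:` line appears in both old and new form with identical text, which indicates a whitespace-only change; avoiding that churn keeps the diff reviewable.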


@ -6,6 +6,7 @@ modified: 2019/10/04
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
tags:
- attack.credential_access
- attack.t1003
@ -25,6 +26,8 @@ detection:
- "*PWDump*"
- "*SecurityTool*"
- "*PShlSpy*"
- "*Rubeus*"
- "*Kekeo*"
condition: selection
fields:
- FileName
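Review bot: `*Rubeus*` and `*Kekeo*` are added to the signature list and a VirusTotal reference is added, but the `modified:` field (the hunk header still shows `modified: 2019/10/04`) is not bumped; other rules in this PR update it on every content change, so do the same here.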


@ -2,10 +2,13 @@ title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell
date: 2018/09/09
modified: 2019/10/04
author: Florian Roth
modified: 2001/01/07
author: Florian Roth, Arnim Rupp
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
- https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
tags:
- attack.persistence
- attack.t1100
@ -18,10 +21,22 @@ detection:
- "PHP/Backdoor*"
- "JSP/Backdoor*"
- "ASP/Backdoor*"
- "Backdoor.PHP*"
- "Backdoor.JSP*"
- "Backdoor.ASP*"
- "Backdoor?PHP*"
- "Backdoor?JSP*"
- "Backdoor?ASP*"
- "Backdoor?Java*"
- "*Webshell*"
- "*Chopper*"
- "*ASPXSpy*"
- "*Aspdoor*"
- "*PHP:*"
- "*PHPShell*"
- "*Trojan.PHP*"
- "*Trojan.ASP*"
- "*Trojan.JSP*"
- "*PHP?Agent*"
- "*ASP?Agent*"
- "*JSP?Agent*"
condition: selection
fields:
- FileName
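Review bot: `modified: 2001/01/07` is a typo for `2021/01/07`; as written the modification date predates the rule's own `date: 2018/09/09`. Among the new signature patterns `"*PHP:*"` is the broadest, since it matches any detection name containing `PHP:` regardless of family; if it stays, a comment naming the vendor naming scheme it targets would justify the wide net.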


@ -12,7 +12,7 @@ tags:
- attack.t1040
logsource:
product: windows
service: system
service: security
detection:
selection:
EventID: 4697
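Review bot: the change from `service: system` to `service: security` is correct, because Event ID 4697 (`A service was installed in the system`) is written to the Security log; the System log carries the Service Control Manager's 7045 instead. Bump the rule's `modified:` date together with this fix if that is not already part of the change.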


@ -80,7 +80,6 @@ detection:
- OUT-DNSTXT
- Jitter
- ExfilOption
- Tamper
- DumpCerts
- DumpCreds
- Shellcode32
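Review bot: the header (`-80,7 +80,6`) shows one entry removed from this keyword list, but the rendered view no longer marks which one; a removal like this should be accompanied by a `modified:` bump and a short comment on the rule saying why the term was dropped (presumably a false positive), so the reasoning survives the next merge from upstream.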


@ -1,6 +1,5 @@
action: global
title: CMSTP Execution
id: 9d26fede-b526-4413-b069-6e24b6d07167
title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
@ -15,7 +14,7 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/08/24
modified: 2020/12/23
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
fields:
@ -25,28 +24,11 @@ fields:
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
---
logsource:
product: windows
category: registry_event
category: process_access
detection:
# Registry Object Add
selection2:
TargetObject: '*\cmmgr32.exe*'
EventType: 'CreateKey'
# Registry Object Value Set
selection3:
TargetObject: '*\cmmgr32.exe*'
# Process Access Call Trace
selection4:
selection:
CallTrace: '*cmlua.dll*'
condition: 1 of them
---
logsource:
category: process_creation
product: windows
detection:
# CMSTP Spawning Child Process
selection1:
ParentImage: '*\cmstp.exe'
condition: 1 of them
condition: selection
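Review bot: after splitting the global rule into three, this rule keeps the generic `description: Detects various indicators of Microsoft Connection Manager Profile Installer execution`; with the new title `CMSTP Execution Process Access` the description should name what is matched here, a process-access event whose `CallTrace` includes `cmlua.dll`. Minor: `CallTrace: '*cmlua.dll*'` can be written as `CallTrace|contains: 'cmlua.dll'`, the form the other new rules in this PR use.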


@ -1,6 +1,5 @@
action: global
title: CMSTP Execution
id: 9d26fede-b526-4413-b069-6e24b6d07167
title: CMSTP Execution Process Creation
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
@ -12,11 +11,9 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/08/28
modified: 2020/12/23
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
detection:
condition: 1 of them
fields:
- CommandLine
- ParentCommandLine
@ -24,29 +21,11 @@ fields:
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
---
logsource:
product: windows
service: sysmon
detection:
# Registry Object Add
selection2:
EventID: 12
TargetObject: '*\cmmgr32.exe*'
EventType: 'CreateKey'
# Registry Object Value Set
selection3:
EventID: 13
TargetObject: '*\cmmgr32.exe*'
# Process Access Call Trace
selection4:
EventID: 10
CallTrace: '*cmlua.dll*'
---
logsource:
category: process_creation
product: windows
detection:
# CMSTP Spawning Child Process
selection1:
selection:
ParentImage: '*\cmstp.exe'
condition: selection
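Review bot: same point as the process-access rule, the description is unchanged although this rule now only covers processes spawned by `cmstp.exe`; say that in `description:`. `ParentImage: '*\cmstp.exe'` can become `ParentImage|endswith: '\cmstp.exe'`. Also verify that the `detection:` / `condition: 1 of them` pair in the second hunk is removed in the final file; if it survives next to the new `detection:` block at the end, the file has two `detection:` keys in one mapping, which parsers either reject or silently resolve by keeping the last one.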


@ -0,0 +1,25 @@
title: Suspicious Plink Remote Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
status: experimental
description: Detects suspicious Plink tunnel remote forarding to a local port
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth
date: 2021/01/19
tags:
- attack.command_and_control
- attack.t1572
- attack.lateral_movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection:
Description: 'Command-line SSH, Telnet, and Rlogin client'
CommandLine|contains: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: high
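Review bot: typo in the description, `remote forarding` should be `remote forwarding`. Matching on `Description: 'Command-line SSH, Telnet, and Rlogin client'` (the PE version string) instead of `Image|endswith: '\plink.exe'` is a good choice because a renamed binary keeps its description, but that deserves a comment so a later editor does not add an `Image` field and narrow the rule. `CommandLine|contains: ' -R '` with surrounding spaces is the right way to avoid hitting `-R` inside other arguments.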


@ -0,0 +1,47 @@
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
status: experimental
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
tags:
- attack.execution
- attack.t1059.001
- sunburst
- unc2452
author: Florian Roth
date: 2021/01/22
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
selection2:
ParentCommandLine|contains|all:
- 'wscript.exe'
- '.vbs'
CommandLine|contains|all:
- 'rundll32.exe'
- 'C:\Windows'
- '.dll,Tk_'
selection3:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains: 'C:\Windows'
CommandLine|contains: 'cmd.exe /C '
selection4:
CommandLine|contains|all:
- 'rundll32 c:\windows\\'
- '.dll '
specific1:
ParentImage|endswith: '\rundll32.exe'
Image|endswith: '\dllhost.exe'
filter1:
CommandLine:
- ' '
- ''
condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
falsepositives:
- Unknown
level: critical
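Review bot: number agreement in the description, `Detects a specific process creation patterns` should be `Detects specific process creation patterns`. The `condition:` can be shortened to `1 of selection* or (specific1 and not filter1)`, which also keeps a future `selection5` from being forgotten. `filter1` lists `' '` and `''` to exclude dllhost.exe launched without arguments; empty-string matching is backend-dependent, so confirm that the target backends treat `''` as an empty command line rather than as a missing field.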


@ -0,0 +1,31 @@
title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
tags:
- attack.execution
- attack.t1059.001
- attack.t1047
- sunburst
author: Florian Roth
date: 2021/01/20
modified: 2021/01/22
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- 'Invoke-WMIMethod win32_process -name create -argumentlist'
- 'rundll32 c:\windows'
selection2:
CommandLine|contains|all:
- 'wmic /node:'
- 'process call create "rundll32 c:\windows'
condition: selection1 or selection2
falsepositives:
- Unknown, unlikely, but possible
level: critical
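Review bot: in `selection2` the term `'process call create "rundll32 c:\windows'` embeds a double quote, which backends escape differently; splitting it into two `|contains|all` terms, `'process call create'` and `'rundll32 c:\windows'`, matches the same command lines without depending on how the quote is emitted. Bumping `modified: 2021/01/22` two days after `date: 2021/01/20` is correct practice.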


@ -4,9 +4,9 @@ description: Detects a command that clears or disables any ETW trace log which c
status: experimental
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
- https://abuse.io/lockergoga.txt
author: '@neu5ron, Florian Roth'
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
date: 2019/03/22
tags:
- attack.defense_evasion
@ -19,13 +19,39 @@ logsource:
product: windows
detection:
selection_clear_1:
CommandLine: '* cl */Trace*'
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine: '* clear-log */Trace*'
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine: '* sl* /e:false*'
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine: '* set-log* /e:false*'
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: #Autologger provider removal
Commandline|contains|all:
- 'Remove-EtwTraceProvider'
- 'EventLog-Microsoft-Windows-WMI-Activity-Trace'
- '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}'
selection_disable_4: #Provider “Enable” property modification
Commandline|contains|all:
- 'Set-EtwTraceProvider'
- '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}'
- 'EventLog-Microsoft-Windows-WMI-Activity-Trace'
- '0x11'
selection_disable_5: #ETW provider removal from a trace session
Commandline|contains|all:
- "logman"
- "update"
- "trace"
- "--p"
- "-ets"
condition: 1 of them
falsepositives:
- Unknown
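Review bot: `selection_disable_3`, `selection_disable_4` and `selection_disable_5` use the field name `Commandline`, while the rest of the rule uses `CommandLine`; Sigma field names are matched as written, so these three selections will not map to the process command line and will silently never fire in most backends. Separately, rewriting `'* cl */Trace*'` as `|contains|all` with `'cl'` and `'/Trace'` drops the word boundaries: `'cl'` and `'sl'` are substrings of countless command lines, so use `' cl '` and `' sl '` (with surrounding spaces) to keep the original selectivity.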


@ -4,7 +4,7 @@ status: experimental
description: Detects QBot like process executions
author: Florian Roth
date: 2019/10/01
modified: 2020/09/01
modified: 2021/01/25
tags:
- attack.execution
- attack.t1059.005
@ -22,7 +22,12 @@ detection:
Image: '*\wscript.exe'
selection2:
CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *'
condition: selection1 or selection2
selection3:
CommandLine|contains|all:
- 'regsvr32.exe'
- 'C:\ProgramData'
- '.tmp'
condition: selection1 or selection2 or selection3
fields:
- CommandLine
- ParentCommandLine
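Review bot: the new `selection3` follows the style of the other two, but `'regsvr32.exe'` as a `CommandLine|contains` term also matches any process that merely mentions regsvr32.exe in its arguments; `Image|endswith: '\regsvr32.exe'` combined with the `C:\ProgramData` and `.tmp` terms pins it to regsvr32 itself. `modified:` is correctly bumped.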


@ -9,7 +9,7 @@ tags:
- attack.execution
- attack.t1204 # an old one
- attack.t1204.002
author: Michael Haag, Florian Roth, Markus Neis
author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
date: 2018/04/06
modified: 2020/09/01
logsource:
@ -24,6 +24,8 @@ detection:
- '*\MSPUB.exe'
- '*\VISIO.exe'
- '*\OUTLOOK.EXE'
- '*\MSACCESS.EXE'
- '*\EQNEDT32.EXE'
Image:
- '*\cmd.exe'
- '*\powershell.exe'
@ -44,6 +46,7 @@ detection:
- '*\mftrace.exe'
- '*\AppVLP.exe'
- '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- '*\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
condition: selection
fields:
- CommandLine
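Review bot: two parent images (`MSACCESS.EXE`, `EQNEDT32.EXE`) and a child image (`msbuild.exe`) are added and the author list grows, but `modified: 2020/09/01` in the context is left as is; bump it. The inline comment linking the Elastic rule that motivated the msbuild entry is the kind of provenance the other additions in this PR would also benefit from.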


@ -0,0 +1,30 @@
title: Rundll32 Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: experimental
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
author: Bartlomiej Czyz, Relativity
date: 2021/01/31
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: 'rundll32.exe'
condition: selection
fields:
- ComputerName
- SubjectUserName
- CommandLine
- Image
- ParentImage
falsepositives:
- Unknown
level: high
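Review bot: `CommandLine: 'rundll32.exe'` is an exact match, so it fires only when the logged command line is precisely that string; a full path (`C:\Windows\System32\rundll32.exe`) or a quoted form with no arguments would be missed. Consider a short list of those variants, and say in `description:` that the match is exact by design so it is not mistaken for a forgotten `contains`. `SubjectUserName` in `fields:` is a Security 4688 field name and will not be present in Sysmon-based process_creation logs.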


@ -9,7 +9,7 @@ references:
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Florian Roth
date: 2019/08/24
modified: 2020/09/05
modified: 2021/02/01
tags:
- attack.defense_evasion
- attack.t1500 # an old one
@ -23,12 +23,15 @@ detection:
CommandLine:
- '*\AppData\\*'
- '*\Windows\Temp\\*'
filter:
filter1:
ParentImage:
- 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
- '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
- '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
condition: selection and not filter
filter2:
ParentCommandLine|contains:
- '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
condition: selection and not filter1 and not filter2
falsepositives:
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://twitter.com/gabriele_pippi/status/1206907900268072962
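Review bot: `filter2` excludes on a `ParentCommandLine|contains` path fragment; since any process can carry that string in its arguments, `ParentImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'` would be the tighter exclusion. Renaming `filter` to `filter1` next to the new `filter2` is good, and `modified:` is bumped.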


@ -0,0 +1,33 @@
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: experimental
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
- https://github.com/Neo23x0/Raccine
tags:
- attack.defense_evasion
- attack.t1562.001
author: Florian Roth
date: 2021/01/21
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- 'taskkill '
- '/IM RaccineSettings.exe'
selection2:
CommandLine|contains|all:
- 'reg.exe'
- 'delete'
- 'Raccine Tray'
selection3:
CommandLine|contains|all:
- 'schtasks'
- '/DELETE'
- 'Raccine Rules Updater'
condition: 1 of them
falsepositives:
- Legitimate deinstallation by administrative staff
level: high
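Review bot: `falsepositives: Legitimate deinstallation by administrative staff` should read `uninstallation`, matching the title. `selection2` requires `'reg.exe'`, whereas `selection1` and `selection3` accept the bare command name; `reg delete ...` without the `.exe` suffix is the more common form, so `'reg'` (or `' delete '` plus the key name) covers both spellings.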


@ -0,0 +1,28 @@
title: Emotet RunDLL32 Process Creation
id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,#1
author: FPT.EagleEye
status: experimental
date: 2020/12/25
references:
- https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
tags:
- attack.defense_evasion
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\rundll32.exe'
CommandLine|endswith:
- ',RunDLL'
# - ',#1' too generic - function load by ordinal is not Emotet specific
filter_ide:
ParentImage|endswith:
- '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
condition: selection and not filter_ide
falsepositives:
- Unknown
level: critical
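Review bot: the description still says `command lines ending in ,RunDLL or ,#1`, but the `,#1` entry has been commented out with the note that loading by ordinal is not Emotet-specific; update the description so it matches the active selection. The comment on `filter_ide` also needs grammar fixes (`When Visual Studio compiles a NodeJS program, it may use MSBuild to create tracker.exe, which then spawns rundll32.exe`).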


@ -0,0 +1,25 @@
title: Disabled Volume Snapshots
id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
description: Detects commands that temporarily turn off Volume Snapshots
references:
- https://twitter.com/0gtweet/status/1354766164166115331
date: 2021/01/28
status: experimental
author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'reg'
- ' add '
- '\Services\VSS\Diag'
- '/d Disabled'
condition: selection
falsepositives:
- Legitimate administration
level: high
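Review bot: the `reg add` pattern only catches the command-line route to `\Services\VSS\Diag`; the same value can be set through PowerShell or the registry API without `reg` appearing in any command line, so a companion `registry_event` rule on that key with `Details|contains: 'Disabled'` would close the gap. `'reg'` as a bare `contains` term adds little over the other three terms and matches every command line containing those three letters.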


@ -0,0 +1,35 @@
title: Wmic Uninstall Security Product
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
description: Detects deinstallation of security products using WMIC utility
references:
- https://twitter.com/cglyer/status/1355171195654709249
date: 2021/01/30
status: experimental
author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'wmic'
- 'product where name='
- 'call uninstall'
- '/nointeractive'
selection_product:
CommandLine|contains:
- 'Antivirus'
- 'Endpoint Security'
- 'Endpoint Detection'
- 'Crowdstrike Sensor'
- 'Windows Defender'
- 'VirusScan'
- 'Threat Protection'
- 'Endpoint Sensor'
condition: selection and selection_product
falsepositives:
- Legitimate administration
level: medium
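Review bot: `'product where name='` requires the exact `name=` form; the `wmic product where "name like '%...%'"` variant is equally common and would not match, so `'product where'` followed by the product terms is safer. Requiring `/nointeractive` as a mandatory term also narrows the rule, since `call uninstall` works without it; move it to an optional selection or drop it. A comment that `selection_product` is illustrative rather than a complete vendor list would set expectations for maintainers.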


@ -0,0 +1,27 @@
title: Windows Update Client LOLBIN
id: d7825193-b70a-48a4-b992-8b5b3015cc11
status: experimental
description: Detects code execution via the Windows Update client (wuauclt)
references:
- https://dtm.uk/wuauclt/
author: FPT.EagleEye Team
date: 2020/10/17
tags:
- attack.command_and_control
- attack.execution
- attack.t1105
- attack.t1218
logsource:
product: windows
service: process_creation
detection:
selection:
ProcessCommandline|contains|all:
- '/UpdateDeploymentProvider'
- '/RunHandlerComServer'
Image|endswith:
- '\wuauclt.exe'
condition: selection
falsepositives:
- Unknown
level: high
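Review bot: two field-name problems make this rule inert as written: `logsource` uses `service: process_creation`, but process creation is a `category` in the Sigma taxonomy (`category: process_creation`), and `ProcessCommandline` is not a Sigma standard field, it should be `CommandLine` (`ProcessCommandLine` is the Defender ATP column the backend maps `CommandLine` to, as the backend hunk in this PR shows). With those fixed, `Image|endswith: '\wuauclt.exe'` plus the two switches is a clean detection.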


@ -4,11 +4,15 @@ description: Detects certain command line parameters often used during reconnais
author: Florian Roth
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
date: 2017/01/01
modified: 2019/10/26
modified: 2021/01/11
tags:
- attack.persistence
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
- attack.privilege_escalation # an old one
- attack.t1100 # an old one
logsource:
@ -26,10 +30,24 @@ detection:
CommandLine:
- '*whoami*'
- '*net user *'
- '*net use *'
- '*net group *'
- '*quser*'
- '*ping -n *'
- '*systeminfo'
- '*&cd&echo*'
- '*cd /d*' # https://www.computerhope.com/cdhlp.htm
- '*ipconfig*'
- '*pathping*'
- '*tracert*'
- '*netstat*'
- '*schtasks*'
- '*vssadmin*'
- '*wevtutil*'
- '*tasklist*'
- '*wmic /node:*'
- '*Test-NetConnection*'
- '*dir \*' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
condition: selection
fields:
- CommandLine
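Review bot: `'*dir \*'` does not match what its comment intends: in Sigma, `\*` is an escaped literal asterisk, so this pattern matches command lines containing `dir *` rather than `dir \`; to match a backslash followed by anything, use `'*dir \\*'`. Several of the new terms (`*ipconfig*`, `*netstat*`, `*tasklist*`, `*schtasks*`, `*wevtutil*`, `*vssadmin*`) are generic on their own and are acceptable only if the part of the selection outside this hunk restricts the parent to web server processes, as the description implies; the description should state that dependency explicitly.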


@ -30,7 +30,7 @@ tags:
- attack.persistence
- attack.t1505.003
- attack.privilege_escalation # an old one
- attack.t1100 # an old one
- attack.t1190
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
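Review bot: swapping `attack.t1100` for `attack.t1190` also drops the `# an old one` marker; since `attack.t1505.003` (Web Shell) is already present as the sub-technique that superseded T1100, adding T1190 (Exploit Public-Facing Application) is a new claim about the rule rather than a rename, so it deserves a word in the description. Bump `modified:` for this change as well.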


@ -1,6 +1,5 @@
action: global
title: CMSTP Execution
id: 9d26fede-b526-4413-b069-6e24b6d07167
title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
@ -12,7 +11,7 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/09/06
modified: 2020/12/23
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
fields:
@ -22,28 +21,15 @@ fields:
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
---
logsource:
category: process_creation,registry_event
category: registry_event
product: windows
detection:
# Registry Object Add
selection2:
selection1:
TargetObject: '*\cmmgr32.exe*'
EventType: 'CreateKey'
# Registry Object Value Set
selection3:
selection2:
TargetObject: '*\cmmgr32.exe*'
# Process Access Call Trace
selection4:
CallTrace: '*cmlua.dll*'
condition: 1 of them
---
detection:
# CMSTP Spawning Child Process
selection1:
ParentImage: '*\cmstp.exe'
condition: 1 of them
logsource:
category: process_creation
product: windows
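Review bot: with `condition: 1 of them`, `selection1` (`TargetObject: '*\cmmgr32.exe*'` plus `EventType: 'CreateKey'`) is a strict subset of `selection2` (the same `TargetObject` with no event type), so any event that matches `selection1` already matches `selection2`; either drop `selection1` or give `selection2` its own `EventType: 'SetValue'` so the two comments (`Registry Object Add`, `Registry Object Value Set`) describe distinct selections. Same note as the sibling rules: the generic description should name the registry indicator this rule now covers.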


@ -0,0 +1,26 @@
title: Stealthy VSTO Persistence
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: experimental
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
- https://twitter.com/_vivami/status/1347925307643355138
tags:
- attack.t1137.006
- attack.persistence
author: Bhabesh Raj
date: 2021/01/10
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Office\Outlook\Addins\'
- '\Software\Microsoft\Office\Word\Addins\'
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
condition: selection
falsepositives:
- Unknown
level: high
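Review bot: every write under the Office `Addins` keys and under `\VSTO\Security\Inclusion\` matches, with no `EventType` restriction and no exclusion for the installers that legitimately create these keys (Office setup, MSI-based add-in installers), yet the rule carries `falsepositives: Unknown` and `level: high`; either add an `Image` filter for known installers or document the expected noise and lower the level. `'\Software\Microsoft\Office\Powerpoint\Addins\'` relies on case-insensitive matching for the actual `PowerPoint` key name, which Sigma provides by default, so that part is fine.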


@ -76,10 +76,10 @@ logsources:
service: applocker
conditions:
sources:
- 'Microsoft-Windows-AppLocker/MSI and Script'
- 'Microsoft-Windows-AppLocker/EXE and DLL'
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
apache:
category: webserver
sources:
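Review bot: prefixing the four AppLocker channels with `WinEventLog:` aligns the `applocker` entry with the source naming used by the Splunk Windows add-on; check that the other Windows `service:` entries in this config use the same prefix, so that a rule with `service: applocker` and one with `service: security` do not emit different `source=` styles.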


@ -355,7 +355,7 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast
raise TypeError("Field mapping must return string or list")
fields = ",".join(str(x) for x in columns)
self.queries[-1]['_source_'] = columns
self.queries[-1]['_source'] = columns
except KeyError: # no 'fields' attribute
mapped = None
pass
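Review bot: `_source_` to `_source` is the correct key for the Elasticsearch DSL (`_source_` would simply be ignored by the query). The line above it, `fields = ",".join(str(x) for x in columns)`, computes a value that is never used once `columns` is stored directly, and the `except KeyError` branch sets `mapped = None` followed by `pass`; both are dead code that could be cleaned up in the same change.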


@ -80,70 +80,92 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"DeviceProcessEvents": {
"AccountName": (self.id_mapping, self.default_value_mapping),
"CommandLine": ("ProcessCommandLine", self.default_value_mapping),
"Command": ("ProcessCommandLine", self.default_value_mapping),
"DeviceName": (self.id_mapping, self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"FileName": (self.id_mapping, self.default_value_mapping),
"Image": ("FolderPath", self.default_value_mapping),
"ImagePath": ("FolderPath", self.default_value_mapping),
"ImageLoaded": ("FolderPath", self.default_value_mapping),
"LogonType": (self.id_mapping, self.logontype_mapping),
"NewProcessName": ("FolderPath", self.default_value_mapping),
"ProcessName": ("FileName", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ParentName": ("InitiatingProcessFileName", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"ParentImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ParentImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"SourceImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceEvents": {
"AccountName": (self.id_mapping, self.default_value_mapping),
"CommandLine": ("ProcessCommandLine", self.default_value_mapping),
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
"DestinationIp": ("RemoteIP", self.default_value_mapping),
"DestinationPort": ("RemotePort", self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"FileName": (self.id_mapping, self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"SourceIp": ("LocalIP", self.default_value_mapping),
"SourcePort": ("LocalPort", self.default_value_mapping),
"TargetFilename": ("FolderPath", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"TargetObject": ("RegistryKey", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceRegistryEvents": {
"TargetObject": ("RegistryKey", self.default_value_mapping),
"ObjectValueName": ("RegistryValueName", self.default_value_mapping),
"DeviceRegistryEvents": {
"DataType": ("RegistryValueType", self.default_value_mapping),
"Details": ("RegistryValueData", self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ObjectValueName": ("RegistryValueName", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"ParentName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"TargetObject": ("RegistryKey", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceFileEvents": {
"TargetFilename": ("FolderPath", self.default_value_mapping),
"TargetFileName": ("FolderPath", self.default_value_mapping),
"FileName": (self.id_mapping, self.default_value_mapping),
"OriginIp": ("FileOriginIp", self.default_value_mapping),
"OriginReferrer": ("FileOriginReferrerUrl", self.default_value_mapping),
"OriginUrl": ("FileOriginUrl", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"CommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"ParentName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"TargetFilename": ("FolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceNetworkEvents": {
"Initiated": ("RemotePort", self.default_value_mapping),
"Protocol": ("RemoteProtocol", self.default_value_mapping),
"DestinationPort": ("RemotePort", self.default_value_mapping),
"DeviceNetworkEvents": {
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
"DestinationIp": ("RemoteIP", self.default_value_mapping),
"DestinationIsIpv6": ("RemoteIP has \":\"", ),
"SourcePort": ("LocalPort", self.default_value_mapping),
"SourceIp": ("LocalIP", self.default_value_mapping),
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
"DestinationPort": ("RemotePort", self.default_value_mapping),
"DeviceName": (self.id_mapping, self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"Initiated": ("RemotePort", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"Protocol": ("RemoteProtocol", self.default_value_mapping),
"SourceIp": ("LocalIP", self.default_value_mapping),
"SourcePort": ("LocalPort", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceImageLoadEvents": {
"ImageLoaded": ("FolderPath", self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"DeviceName": (self.id_mapping, self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"FileName": (self.id_mapping, self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
}
}
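Review bot: in `DeviceProcessEvents` the rendered hunk shows `"ParentImage"`, `"TargetImage"` and `"ParentCommandLine"` twice each; if those are old/new pairs that is fine, but if both copies survive in the merged file the later key silently wins in the dict literal, so verify the final mapping has each key once. `"Initiated": ("RemotePort", ...)` in `DeviceNetworkEvents` (present in both old and new form) maps Sysmon's boolean `Initiated` field to the remote port, which cannot be right; either express it as an `ActionType` check for outbound connections or leave it unmapped with a comment. Sorting keys alphabetically, as the new blocks do, makes such duplicates easier to spot.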


@ -103,7 +103,11 @@ class QRadarBackend(SingleTextQueryBackend):
def generateMapItemListNode(self, key, value):
itemslist = list()
for item in value:
if type(item) == str and "*" in item:
if item is None:
itemslist.append(self.nullExpression % (key))
elif type(item) == str and "ip" in key and ("/16" in item or "/24" in item):
itemslist.append("INCIDR(%s, %s)" % (self.generateValueNode(item, True), self.cleanKey(key)))
elif type(item) == str and "*" in item:
item = item.replace("*", "%")
itemslist.append('%s ilike %s' % (self.cleanKey(key), self.generateValueNode(item, True)))
else:
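Review bot: the new CIDR branch only recognises the substrings `/16` and `/24`, so `/8`, `/12`, `/32` and IPv6 prefixes fall through to the `ilike` branch; test for a trailing `/<digits>` (or parse with `ipaddress.ip_network`) instead. The guard `"ip" in key` is also looser than it looks, since it is true for keys such as `Description` or `ScriptBlockText`; a value containing `/24` in such a field would be turned into an `INCIDR` call. The `None` handling via `self.nullExpression` is a good addition.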
@ -197,17 +201,20 @@ class QRadarBackend(SingleTextQueryBackend):
aql_database = "flows"
else:
aql_database = "events"
qradarPrefix="SELECT "
qradarPrefix="SELECT UTF8(payload) as search_payload"
try:
mappedFields = []
for field in sigmaparser.parsedyaml["fields"]:
mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser)
mappedFields.append(mapped)
qradarPrefix += str(mappedFields).strip('[]')
if " " in mapped and not "(" in mapped:
qradarPrefix += ", \"" + mapped + "\""
else:
qradarPrefix += ", " + mapped
except KeyError: # no 'fields' attribute
mapped = None
qradarPrefix+="UTF8(payload) as search_payload"
pass
qradarPrefix += " from %s where " % (aql_database)
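Review bot: the prefix now starts as `SELECT UTF8(payload) as search_payload` and each mapped field is appended with `, `, so the `except KeyError` branch must no longer append `UTF8(payload) as search_payload` a second time; the line `qradarPrefix+="UTF8(payload) as search_payload"` still appears in this hunk, and if it survives, rules without a `fields` list produce `SELECT UTF8(payload) as search_payloadUTF8(payload) as search_payload from ...`. The two consecutive `qradarPrefix=` assignments likewise suggest the old `"SELECT "` line is meant to go. The quoting rule `if " " in mapped and not "(" in mapped` handles field names with spaces but not ones containing a double quote, and `mapped = None` in the except branch is unused.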