Merge pull request #1512 from SigmaHQ/rule-devel

duplicate UUIDs, regedit as trusted installer
2024-11-08 02:08:54 +00:00 · 2021-05-27 12:42:36 +02:00 · 2021-05-27 12:42:36 +02:00 · f16aca7a35
commit f16aca7a35
parent ffeda2a2a2 7812a4217c
10 changed files with 27 additions and 9 deletions
--- a/rules/linux/macos_change_file_time_attr.yml
+++ b/rules/linux/macos_change_file_time_attr.yml
@ -1,5 +1,5 @@
 title: 'File Time Attribute Change'
-id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
 status: experimental
 description: 'Detect file time attribute change to hide new or changes to existing files.'
    # For this rule to work you must enable audit of process execution in OpenBSM, see
--- a/rules/linux/macos_find_cred_in_files.yml
+++ b/rules/linux/macos_find_cred_in_files.yml
@ -1,5 +1,5 @@
 title: 'Credentials In Files'
-id: df3fcaea-2715-4214-99c5-0056ea59eb35
+id: 53b1b378-9b06-4992-b972-dde6e423d2b4
 status: experimental
 description: 'Detecting attempts to extract passwords with grep and laZagne'
    # For this rule to work you must enable audit of process execution in OpenBSM, see
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@ -1,5 +1,5 @@
 title: Macos Remote System Discovery
-id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+id: 10227522-8429-47e6-a301-f2b2d014e7ad
 status: experimental
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@ -1,5 +1,5 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+id: e54f5149-6ba3-49cf-b153-070d24679126
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
--- a/rules/windows/process_creation/process_creation_msdeploy.yml
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@ -1,6 +1,6 @@
 title: Execute Files with Msdeploy.exe
 status: experimental
-id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
 author: Beyu Denis, oscd.community
 date: 2020/10/18
 description: Detects file execution using the msdeploy.exe lolbin
--- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@ -1,5 +1,5 @@
 title: Proxy Execution via Wuauclt
-id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+id: af77cf95-c469-471c-b6a0-946c685c4798
 description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
 status: experimental
 date: 2020/10/12
--- a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
+++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
@ -1,5 +1,5 @@
 title: Suspicious WebDav Client Execution
-id: 40f9af16-589d-4984-b78d-8c2aec023197
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
 description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
 status: experimental
 date: 2020/05/02
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@ -1,5 +1,5 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+id: e9f55347-2928-4c06-88e5-1a7f8169942e
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
--- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@ -0,0 +1,18 @@
+title: Regedit as Trusted Installer
+id: 883835a7-df45-43e4-bf1d-4268768afda4
+description: Detects a regedit started with TrustedInstaller privileges
+references:
+    - https://twitter.com/1kwpeter/status/1397816101455765504
+author: Florian Roth
+date: 2018/05/27
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regedit.exe'
+        ParentImage|endswith: '\TrustedInstaller.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
--- a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
@ -1,5 +1,5 @@
 title: Wdigest Enable UseLogonCredential
-id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
 description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
 status: experimental
 date: 2019/09/12