Merge pull request #1633 from leegengyu/art_convert_yaml_to_md

Convert ART reference links from .yaml to .md
Florian Roth 2021-07-06 13:39:37 +02:00 committed by GitHub
commit ff0f1a0222
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 89 additions and 88 deletions

View File

@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
logsource:
product: linux

View File

@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
logsource:
product: linux
service: auditd

View File

@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
product: linux
service: auditd

View File

@ -1,12 +1,12 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
logsource:
product: linux
service: auditd
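Review bot: the description gains a trailing period here but `modified` stays at 2019/11/04; decide whether cosmetic text edits should bump the modification date and apply that choice consistently across all the rules touched in this PR, since most of the other hunks also leave `modified` untouched.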
@ -24,7 +24,7 @@ detection:
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
- Legitimate use of archiving tools by legitimate user.
level: low
tags:
- attack.exfiltration

View File

@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
product: linux
service: auditd
@ -24,7 +24,7 @@ detection:
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
- attack.credential_access

View File

@ -1,11 +1,11 @@
title: Remove Immutable File Attribute
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: experimental
description: Detects removing immutable file attribute
description: Detects removing immutable file attribute.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -16,7 +16,7 @@ detection:
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (for instance backups)
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
tags:
- attack.defense_evasion
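Review bot: the reworded falsepositives entry "(e.g. for instance backups)" stacks two abbreviations that mean the same thing; keep one of them, for example "(for instance backups)" or "(e.g. backups)".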

View File

@ -1,11 +1,11 @@
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) the file
description: Detects overwriting (effectively wiping/deleting) of a file.
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
logsource:
product: linux
service: auditd
@ -18,8 +18,8 @@ detection:
- 'if=/dev/zero'
condition: selection
falsepositives:
- Appending null bytes to files
- Legitimate overwrite of files
- Appending null bytes to files.
- Legitimate overwrite of files.
level: low
tags:

View File

@ -1,11 +1,11 @@
title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: experimental
description: Detects file and folder permission changes
description: Detects file and folder permission changes.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
logsource:
product: linux
service: auditd
@ -17,7 +17,7 @@ detection:
- 'chown'
condition: selection
falsepositives:
- User interacting with files permissions (normal/daily behaviour)
- User interacting with files permissions (normal/daily behaviour).
level: low
tags:
- attack.defense_evasion

View File

@ -1,12 +1,12 @@
title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
description: Detects a reload or a start of a service
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
- https://attack.mitre.org/techniques/T1543/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
logsource:
product: linux
service: auditd
@ -19,8 +19,8 @@ detection:
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
- Installation of legitimate service.
- Legitimate reconfiguration of service.
level: low
tags:
- attack.persistence

View File

@ -13,7 +13,7 @@ author: Patrick Bareiss
date: 2019/03/24
modified: 2020/07/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md
- https://attack.mitre.org/techniques/T1070/003/
- https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
logsource:

View File

@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
logsource:
product: windows
service: powershell
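Review bot: this is more than an extension swap: the reference moves from the retired T1004 to T1547.004 (Winlogon Helper DLL), and several later hunks do the same (T1042 to T1546.001, T1002 to T1560.001, T1223 to T1218.001, T1053 to T1053.002, T1170 to T1218.005, T1136 to T1136.001, T1050 and T1031 to T1543.003, T1035 to T1569.002, T1060 to T1547.001, T1070 to T1070.001). The commit message should state that references were remapped to current sub-technique IDs, and each affected rule's tags should be checked against the new ID, since the tag block is outside this hunk.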

View File

@ -7,7 +7,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
tags:
- attack.impact

View File

@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
logsource:
category: process_creation
product: windows

View File

@ -1,12 +1,12 @@
title: Data Compressed - rar.exe
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019/10/21
modified: 2020/08/29
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
logsource:
category: process_creation
@ -25,7 +25,7 @@ fields:
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- highly likely if rar is default archiver in the monitored environment
- Highly likely if rar is a default archiver in the monitored environment.
level: low
tags:
- attack.exfiltration # an old one
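Review bot: with the reference now pointing at T1560.001 (Archive via Utility, a Collection technique), the only tag visible here is `attack.exfiltration # an old one`; make sure `attack.collection` and `attack.t1560.001` are present in the rest of the tag list. Also "if rar is a default archiver" should read "if rar is the default archiver".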

View File

@ -1,9 +1,9 @@
title: Domain Trust Discovery
id: 77815820-246c-47b8-9741-e0def3f57308
status: experimental
description: Detects a discovery of domain trusts
description: Detects a discovery of domain trusts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
@ -23,5 +23,5 @@ detection:
CommandLine|contains: 'domain_trusts'
condition: selection
falsepositives:
- Administration of systems
- Administration of systems.
level: medium

View File

@ -1,15 +1,16 @@
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: experimental
description: Detects a file or folder permissions modifications
description: Detects a file or folder's permissions being modified.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001
- attack.t1222 # an old one
logsource:
category: process_creation
product: windows
@ -28,5 +29,5 @@ fields:
- User
- CommandLine
falsepositives:
- Users interacting with the files on their own (unlikely unless power users)
- Users interacting with the files on their own (unlikely unless privileged users).
level: medium
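Review bot: replacing "power users" with "privileged users" is a meaning change rather than a typo fix: on Windows "power users" plausibly meant the Power Users group or advanced non-admin users, and the new clause is still a fragment ("unlikely unless privileged users"). Suggest keeping the original term and completing the sentence, e.g. "(unlikely unless they are power users)", or calling the rewording out in the commit message.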

View File

@ -4,7 +4,7 @@ description: Identifies usage of hh.exe executing recently modified .chm files.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
date: 2019/10/24
modified: 2019/11/11

View File

@ -1,10 +1,10 @@
title: Indirect Command Execution
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
date: 2019/10/24
modified: 2019/11/11
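Review bot: the added parentheses make forfiles.exe read as part of the Program Compatibility Assistant, which it is not; pcalua.exe is the PCA launcher and forfiles.exe is a separate command-line utility. Suggest "via Program Compatibility Assistant (pcalua.exe) or forfiles.exe".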
@ -26,6 +26,6 @@ fields:
- ParentCommandLine
- CommandLine
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
- Legitimate usage of scripts.
level: low
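Review bot: the first falsepositives entry ("Need to use extra processing with 'unique_count' / 'filter' ...") is tuning advice rather than a source of false positives; since this PR already rewords the line, consider moving it into the description or a comment and leaving only "Legitimate usage of scripts" under falsepositives.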

View File

@ -1,10 +1,10 @@
title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
description: Detect an interactive AT job, which may be used as a form of privilege escalation
description: Detect an interactive AT job, which may be used as a form of privilege escalation.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
date: 2019/10/24
modified: 2019/11/11

View File

@ -6,7 +6,7 @@ author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2020/09/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
category: process_creation
product: windows

View File

@ -8,7 +8,7 @@ modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
tags:
- attack.credential_access
- attack.t1003.001

View File

@ -1,13 +1,13 @@
title: Mshta JavaScript Execution
id: 67f113fa-e23d-4271-befa-30113b3e08b1
description: Identifies suspicious mshta.exe commands
description: Identifies suspicious mshta.exe commands.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2020/09/01
references:
- https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
tags:
- attack.defense_evasion
- attack.t1170 # an old one
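Review bot: the reference now targets T1218.005 (Mshta) but the only tag visible in this hunk is the deprecated `attack.t1170 # an old one`; confirm `attack.t1218.005` is present further down the tag list, otherwise the reference and the tags disagree.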

View File

@ -4,7 +4,7 @@ status: stable
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/10/30
modified: 2019/11/11

View File

@ -1,11 +1,11 @@
title: Net.exe User Account Creation
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
status: experimental
description: Identifies creation of local users via the net.exe command
description: Identifies creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018/10/30
modified: 2020/09/01
tags:
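Review bot: besides the reference swap this hunk also changes the author line ("adapted to sigma" to "adapted to Sigma"), which the commit message ("Convert ART reference links from .yaml to .md") does not cover; either mention the cosmetic edits in the message or split them into a separate commit.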
@ -29,6 +29,6 @@ fields:
- User
- CommandLine
falsepositives:
- Legit user creation
- Better use event ids for user creation rather than command line rules
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium
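Review bot: "Better use event IDs for user creation rather than command line rules" is a recommendation, not a false positive source, the same issue as the 'unique_count' entry in the Indirect Command Execution rule; consider moving it out of falsepositives into the description so the field lists only benign activity that triggers the rule.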

View File

@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
category: process_creation
product: windows

View File

@ -1,7 +1,7 @@
title: New Service Creation
id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
status: experimental
description: Detects creation of a new service
description: Detects creation of a new service.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
@ -11,7 +11,7 @@ tags:
- attack.t1050 # an old one
- attack.t1543.003
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
logsource:
category: process_creation
product: windows
@ -25,5 +25,5 @@ detection:
CommandLine|contains: 'new-service'
condition: selection
falsepositives:
- Legitimate administrator or user creates a service for legitimate reason
- Legitimate administrator or user creates a service for legitimate reasons.
level: low

View File

@ -1,12 +1,12 @@
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
description: Detects audio capture via PowerShell Cmdlet
description: Detects audio capture via PowerShell Cmdlet.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
tags:
- attack.collection
@ -16,7 +16,7 @@ detection:
CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium
logsource:
category: process_creation

View File

@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md
logsource:
category: process_creation
product: windows

View File

@ -1,12 +1,12 @@
title: Service Execution
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: experimental
description: Detects manual service execution (start) via system utilities
description: Detects manual service execution (start) via system utilities.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
logsource:
category: process_creation
product: windows
@ -18,7 +18,7 @@ detection:
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
- Legitimate administrator or user executes a service for legitimate reasons.
level: low
tags:
- attack.execution

View File

@ -1,12 +1,12 @@
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
description: Detect attacker collecting audio via SoundRecorder application
description: Detect attacker collecting audio via SoundRecorder application.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
tags:
- attack.collection
@ -20,5 +20,5 @@ detection:
CommandLine|contains: '/FILE'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
- Legitimate audio capture by legitimate user.
level: medium

View File

@ -3,7 +3,7 @@ id: 24357373-078f-44ed-9ac4-6d334a668a11
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
tags:
- attack.persistence
- attack.t1547.001
@ -35,6 +35,6 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
level: medium

View File

@ -1,9 +1,9 @@
title: Suspicious Eventlog Clear or Configuration Using Wevtutil
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, Daniil Yugoslavskiy, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
date: 2019/09/26
modified: 2019/11/11

View File

@ -1,13 +1,13 @@
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
author: Ecco, E.M. Anhaus, oscd.community
date: 2019/09/26
modified: 2019/11/11
level: high
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
tags:
- attack.defense_evasion

View File

@ -1,9 +1,9 @@
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
description: Detects service path modification to powershell/cmd
description: Detects service path modification to PowerShell or cmd.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
tags:
- attack.persistence
- attack.privilege_escalation

View File

@ -1,13 +1,13 @@
title: XSL Script Processing
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: experimental
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries
abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
logsource:
category: process_creation
product: windows
@ -18,8 +18,8 @@ detection:
- Image|endswith: '\msxsl.exe'
condition: selection
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
- msxsl.exe is not installed by default so unlikely.
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- msxsl.exe is not installed by default, so unlikely.
level: medium
tags:
- attack.defense_evasion
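Review bot: "WMIC.exe FP depend on scripts ..." still has a subject-verb mismatch after the rewording; use "WMIC.exe FPs depend on ..." or "The WMIC.exe false positive rate depends on ...". The second entry, "msxsl.exe is not installed by default, so unlikely.", is missing its subject and should read "so false positives are unlikely".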