mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
150 lines
5.0 KiB
YAML
150 lines
5.0 KiB
YAML
# _____ __ __ ___ __
|
|
# / ___/__ ___/ / / |/ /__ ___/ /__
|
|
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
|
|
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_
|
|
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__
|
|
# _\ \/ / _ `/ ' \/ _ `/ / , _/ // / / -_)
|
|
# /___/_/\_, /_/_/_/\_,_/ /_/|_|\_,_/_/\__/
|
|
# /___/
|
|
#
|
|
# Florian Roth
|
|
# May 2020
|
|
# v0.3
|
|
#
|
|
# A Proof-of-Concept with the most effective search queries
|
|
|
|
title: Godmode Sigma Rule
|
|
id: def6caac-a999-4fc9-8800-cfeff700ba98
|
|
description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
|
|
status: experimental
|
|
author: Florian Roth
|
|
date: 2019/12/22
|
|
modified: 2020/05/18
|
|
level: high
|
|
action: global
|
|
---
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
# Different suspicious or malicious command line parameters
|
|
selection_plain:
|
|
CommandLine|contains:
|
|
- ' -NoP ' # Often used in malicious PowerShell commands
|
|
- ' -W Hidden ' # Often used in malicious PowerShell commands
|
|
- ' -decode ' # Used with certutil
|
|
- ' /decode ' # Used with certutil
|
|
- ' -e* JAB' # PowerShell encoded commands
|
|
- ' -e* SUVYI' # PowerShell encoded commands
|
|
- ' -e* SQBFAFgA' # PowerShell encoded commands
|
|
- ' -e* aWV4I' # PowerShell encoded commands
|
|
- ' -e* IAB' # PowerShell encoded commands
|
|
- ' -e* PAA' # PowerShell encoded commands
|
|
- ' -e* aQBlAHgA' # PowerShell encoded commands
|
|
- 'vssadmin delete shadows' # Ransomware
|
|
- 'reg SAVE HKLM\SAM' # save registry SAM - syskey extraction
|
|
- ' -ma ' # ProcDump
|
|
- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
|
|
- '.downloadstring(' # PowerShell download command
|
|
- '.downloadfile(' # PowerShell download command
|
|
- ' /ticket:' # Rubeus
|
|
- ' sekurlsa' # Mimikatz
|
|
- ' p::d ' # Mimikatz
|
|
- ';iex(' # PowerShell IEX
|
|
- 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
|
|
- ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump
|
|
- ' comsvcs.dll,#24' # Process dumping method apart from procdump
|
|
selection_parent_child:
|
|
ParentImage|contains:
|
|
# Office Dropper Detection
|
|
- '\WINWORD.EXE'
|
|
- '\EXCEL.EXE'
|
|
- '\POWERPNT.exe'
|
|
- '\MSPUB.exe'
|
|
- '\VISIO.exe'
|
|
- '\OUTLOOK.EXE'
|
|
Image|contains:
|
|
- '\cmd.exe'
|
|
- '\powershell.exe'
|
|
- '\wscript.exe'
|
|
- '\cscript.exe'
|
|
- '\schtasks.exe'
|
|
- '*\scrcons.exe'
|
|
- '\regsvr32.exe'
|
|
- '\hh.exe'
|
|
- '\wmic.exe'
|
|
- '\mshta.exe'
|
|
- '\msiexec.exe'
|
|
- '\forfiles.exe'
|
|
- '\AppData\'
|
|
selection_webshells:
|
|
Image|contains:
|
|
- '\apache*'
|
|
- '\tomcat*'
|
|
- '\w3wp.exe'
|
|
- '\php-cgi.exe'
|
|
- '\nginx.exe'
|
|
- '\httpd.exe'
|
|
CommandLine|contains:
|
|
- 'whoami'
|
|
- 'net user '
|
|
- 'ping -n '
|
|
- 'systeminfo'
|
|
- '&cd&echo'
|
|
- 'cd /d ' # https://www.computerhope.com/cdhlp.htm
|
|
# Running whoami as LOCAL_SYSTEM (usually after privilege escalation)
|
|
selection_whoami:
|
|
Image|contains: '\whoami.exe'
|
|
User: 'NT AUTHORITY\SYSTEM'
|
|
condition: 1 of them
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection_file_creation:
|
|
EventID: 11
|
|
TargetFileName|contains:
|
|
- '.dmp' # dump process memory
|
|
- 'Desktop\how' # Ransomware
|
|
- 'Desktop\decrypt' # Ransomware
|
|
selection_registry_modifications:
|
|
EventID:
|
|
- 12
|
|
- 13
|
|
TargetObject|contains:
|
|
- 'UserInitMprLogonScript' # persistence
|
|
- '\CurrentVersion\Image File Execution Options\' # persistence
|
|
selection_registry_run:
|
|
EventID:
|
|
- 12
|
|
- 13
|
|
TargetObject|contains:
|
|
- '\Microsoft\Windows\CurrentVersion\Run\' # persistence
|
|
- '\Microsoft\Windows\CurrentVersion\RunOnce\' # persistence
|
|
Details|contains:
|
|
- 'AppData'
|
|
- '\Users\Public\'
|
|
- '\Temp\'
|
|
- 'powershell'
|
|
- 'wscript'
|
|
- 'cscript'
|
|
condition: 1 of them
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: system
|
|
detection:
|
|
# Malicious service installs
|
|
selection:
|
|
EventID: 7045
|
|
ServiceName|contains:
|
|
- 'WCESERVICE'
|
|
- 'WCE SERVICE'
|
|
- 'winexesvc'
|
|
- 'DumpSvc'
|
|
- 'pwdump'
|
|
- 'gsecdump'
|
|
- 'cachedump'
|
|
condition:
|
|
1 of them |