mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
a3e02ea70f
* Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename
145 lines
4.2 KiB
YAML
145 lines
4.2 KiB
YAML
title: Executable used by PlugX in Uncommon Location
|
|
status: experimental
|
|
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
|
|
references:
|
|
- 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
|
|
- 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
|
|
author: Florian Roth
|
|
date: 2017/06/12
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
|
|
# CamMute
|
|
selection_cammute:
|
|
EventID: 4688
|
|
CommandLine: '*\CamMute.exe'
|
|
filter_cammute:
|
|
EventID: 4688
|
|
CommandLine: '*\Lenovo\Communication Utility\*'
|
|
|
|
# Chrome Frame Helper
|
|
selection_chrome_frame:
|
|
EventID: 4688
|
|
CommandLine: '*\chrome_frame_helper.exe'
|
|
filter_chrome_frame:
|
|
EventID: 4688
|
|
CommandLine: '*\Google\Chrome\application\*'
|
|
|
|
# Microsoft Device Emulator
|
|
selection_devemu:
|
|
EventID: 4688
|
|
CommandLine: '*\dvcemumanager.exe'
|
|
filter_devemu:
|
|
EventID: 4688
|
|
CommandLine: '*\Microsoft Device Emulator\*'
|
|
|
|
# Windows Media Player Gadget
|
|
selection_gadget:
|
|
EventID: 4688
|
|
CommandLine: '*\Gadget.exe'
|
|
filter_gadget:
|
|
EventID: 4688
|
|
CommandLine: '*\Windows Media Player\*'
|
|
|
|
# HTML Help Workshop
|
|
selection_hcc:
|
|
EventID: 4688
|
|
CommandLine: '*\hcc.exe'
|
|
filter_hcc:
|
|
EventID: 4688
|
|
CommandLine: '*\HTML Help Workshop\*'
|
|
|
|
# Hotkey Command Module for Intel Graphics Contollers
|
|
selection_hkcmd:
|
|
EventID: 4688
|
|
CommandLine: '*\hkcmd.exe'
|
|
filter_hkcmd:
|
|
EventID: 4688
|
|
CommandLine:
|
|
- '*\System32\*'
|
|
- '*\SysNative\*'
|
|
- '*\SysWowo64\*'
|
|
|
|
# McAfee component
|
|
selection_mc:
|
|
EventID: 4688
|
|
CommandLine: '*\Mc.exe'
|
|
filter_mc:
|
|
EventID: 4688
|
|
CommandLine:
|
|
- '*\Microsoft Visual Studio*'
|
|
- '*\Microsoft SDK*'
|
|
- '*\Windows Kit*'
|
|
|
|
# MsMpEng - Microsoft Malware Protection Engine
|
|
selection_msmpeng:
|
|
EventID: 4688
|
|
CommandLine: '*\MsMpEng.exe'
|
|
filter_msmpeng:
|
|
EventID: 4688
|
|
CommandLine:
|
|
- '*\Microsoft Security Client\*'
|
|
- '*\Windows Defender\*'
|
|
- '*\AntiMalware\*'
|
|
|
|
# Microsoft Security Center
|
|
selection_msseces:
|
|
EventID: 4688
|
|
CommandLine: '*\msseces.exe'
|
|
filter_msseces:
|
|
EventID: 4688
|
|
CommandLine: '*\Microsoft Security Center\*'
|
|
|
|
# Microsoft Office 2003 OInfo
|
|
selection_oinfo:
|
|
EventID: 4688
|
|
CommandLine: '*\OInfoP11.exe'
|
|
filter_oinfo:
|
|
EventID: 4688
|
|
CommandLine: '*\Common Files\Microsoft Shared\*'
|
|
|
|
# OLE View
|
|
selection_oleview:
|
|
EventID: 4688
|
|
CommandLine: '*\OleView.exe'
|
|
filter_oleview:
|
|
EventID: 4688
|
|
CommandLine:
|
|
- '*\Microsoft Visual Studio*'
|
|
- '*\Microsoft SDK*'
|
|
- '*\Windows Kit*'
|
|
- '*\Windows Resource Kit\*'
|
|
|
|
# RC
|
|
selection_rc:
|
|
EventID: 4688
|
|
CommandLine: '*\OleView.exe'
|
|
filter_rc:
|
|
EventID: 4688
|
|
CommandLine:
|
|
- '*\Microsoft Visual Studio*'
|
|
- '*\Microsoft SDK*'
|
|
- '*\Windows Kit*'
|
|
- '*\Windows Resource Kit\*'
|
|
- '*\Microsoft.NET\*'
|
|
|
|
condition: ( selection_cammute and not filter_cammute ) or
|
|
( selection_chrome_frame and not filter_chrome_frame ) or
|
|
( selection_devemu and not filter_devemu ) or
|
|
( selection_gadget and not filter_gadget ) or
|
|
( selection_hcc and not filter_hcc ) or
|
|
( selection_hkcmd and not filter_hkcmd ) or
|
|
( selection_mc and not filter_mc ) or
|
|
( selection_msmpeng and not filter_msmpeng ) or
|
|
( selection_msseces and not filter_msseces ) or
|
|
( selection_oinfo and not filter_oinfo ) or
|
|
( selection_oleview and not filter_oleview ) or
|
|
( selection_rc and not filter_rc )
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|
|
|
|
|