Sigma Rule Update (2024-01-20 01:48:33)
YamatoSecurity authored Jan 20, 2024
1 parent f6bc46e commit 3e19428
Showing 8,114 changed files with 203,724 additions and 30,214 deletions.
12 changes: 9 additions & 3 deletions sigma/builtin/application/Other/win_av_relevant_match.yml
@@ -1,8 +1,7 @@
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: Detects potentially highly relevant antivirus events in the application
log based on known virus signature names and malware keywords.
description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
- https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
- https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
@@ -84,13 +83,20 @@ detection:
- TeslaCrypt
- Valyria
- Webshell
# - 'FRP.'
# - 'PWS.'
# - 'PWSX'
# - 'Razy'
# - 'Ryuk'
# - 'Locker'
# - 'Potato'
filter_optional_generic:
- Keygen
- Crack
- anti_ransomware_service.exe
- cyber-protect-service.exe
filter_optional_information:
Level: 4
Level: 4 # Information level
filter_optional_restartmanager:
Provider_Name: Microsoft-Windows-RestartManager
condition: application and (keywords and not 1 of filter_optional_*)
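Review bot: the two new `filter_optional_generic` entries `anti_ransomware_service.exe` and `cyber-protect-service.exe` are added without a comment naming the product whose events they suppress, and the seven keywords commented out just above (`# - 'FRP.'` through `# - 'Potato'`) carry no reason either. Annotate both the way `Level: 4 # Information level` is annotated, for example `# - 'Razy' # too many FPs`, so the next maintainer knows whether each change is a false-positive fix or a deliberate scope reduction. Note also that with `condition: application and (keywords and not 1 of filter_optional_*)` any event that mentions either executable name is dropped outright, even when it also names one of the malware keywords.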
@@ -1,11 +1,10 @@
title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
- id: 6c82cf5c-090d-4d57-9188-533577631108
type: similar
- id: 6c82cf5c-090d-4d57-9188-533577631108
type: similar
status: experimental
description: This rule detects a suspicious crash of the Microsoft Malware Protection
Engine
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
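Review bot: the description still reads `This rule detects a suspicious crash ...`; Sigma's convention is that descriptions start with `Detects`, and since this hunk already rewrites the field onto one line it is the natural place to drop the `This rule` prefix. The re-indentation of the `related` list entry is a pure YAML style change and parses identically.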
@@ -19,6 +18,7 @@ tags:
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
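Review bot: the `# warning:` line about the `data` field is a YAML comment, so every parser strips it and it never reaches the analyst who actually has to adapt the rule for their backend. The `logsource` block has a `definition:` field for exactly this kind of backend note (several rules later in this commit already use it), and the identical comment is pasted verbatim into every application-log rule here; consider expressing it once in `definition:` or in the converter's documentation rather than as a repeated comment.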
@@ -1,9 +1,7 @@
title: Potential Credential Dumping Via WER - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: test
description: Detects Windows error reporting event where the process that crashed
is lsass. This could be the cause of an intentional crash by techniques such as
Lsass-Shtinkering to dump credential
description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
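Review bot: the folded description keeps two grammar slips from the original text: `Detects Windows error reporting event` needs an article (`Detects a Windows Error Reporting event`) and `to dump credential` should be `to dump credentials`. Since the line is being rewritten anyway, fix them in the same change.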
@@ -23,7 +21,7 @@ detection:
Provider_Name: Application Error
EventID: 1000
AppName: lsass.exe
ExceptionCode: c0000001
ExceptionCode: c0000001 # STATUS_UNSUCCESSFUL
condition: application and selection
falsepositives:
- Rare legitimate crashing of the lsass process
@@ -13,6 +13,7 @@ tags:
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -1,8 +1,7 @@
title: Dump Ntds.dit To Suspicious Location
id: 94dc4390-6b7c-4784-8ffc-335334404650
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious
location
description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
@@ -14,15 +13,17 @@ tags:
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
selection_root:
Provider_Name: ESENT
EventID: 325
EventID: 325 # New Database Created
Data|contains: ntds.dit
selection_paths:
Data|contains:
# Add more locations that you don't use in your env or that are just suspicious
- :\ntds.dit
- \Appdata\
- \Desktop\
@@ -1,20 +1,15 @@
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: 'Detects events generated by user-mode applications when they call the
CveEventWrite API when a known vulnerability is trying to be exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI
vulnerability.
description: |
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
Unfortunately, that is about the only instance of CVEs being written to this log.
'
references:
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
- https://www.youtube.com/watch?v=ebmW42YYveI
- https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
- https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020/01/15
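Review bot: the switch to a literal block scalar (`|`) carries over the unbalanced parenthesis in `(a Windows CryptoAPI vulnerability.`; close it as `(a Windows CryptoAPI vulnerability).` while the field is being rewritten. Plain `|` also keeps a trailing newline inside the description value; `|-` would strip it, which is what most consumers of the field expect.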
@@ -1,8 +1,7 @@
title: Restricted Software Access By SRP
id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
status: test
description: Detects restricted access to applications by the Software Restriction
Policies (SRP) policy
description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
references:
- https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
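Review bot: `by the Software Restriction Policies (SRP) policy` repeats `policy`; `by Software Restriction Policies (SRP)` reads cleanly. Separately, the second reference is the ETW provider CSV for `Microsoft-Windows-AppXDeployment-Server`, while the provider this rule keys on is `Microsoft-Windows-SoftwareRestrictionPolicies`; confirm that is the intended reference.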
@@ -20,11 +19,11 @@ detection:
selection:
Provider_Name: Microsoft-Windows-SoftwareRestrictionPolicies
EventID:
- 865
- 866
- 867
- 868
- 882
- 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
- 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
- 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
- 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
- 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
condition: application and selection
falsepositives:
- Unknown
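Review bot: the new per-ID comments on 868 and 882 are identical (`... has been restricted by your Administrator by policy rule %2.`), so they do not tell the reader why both IDs are listed; state what distinguishes the two events or cite the message table the text was copied from. The 865 comment is also the only one without a terminating period.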
@@ -22,5 +22,6 @@ detection:
condition: application and selection
falsepositives:
- Unknown
# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
level: low
ruletype: Sigma
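Review bot: `you can use the top or less 10 "Product Name" to have a quick overview` is garbled; say what is meant, for example `aggregate on "Product Name" and review the top 10 values for a quick overview`. Since this hint is the only justification for `level: low`, it belongs in `falsepositives:` where rule consumers see it, not in a comment.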
@@ -12,6 +12,7 @@ tags:
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -21,19 +22,20 @@ detection:
- 1040
- 1042
Data|contains:
# Add more suspicious paths
- :\Windows\TEMP\
- \\\\
- \Desktop\
- \PerfLogs\
- \Users\Public\
# - '\AppData\Local\Temp\' # too many FPs
# - '\Downloads\' # too many FPs, typical legitimate staging directory
filter_winget:
Data|contains: \AppData\Local\Temp\WinGet\
filter_updhealthtools:
Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
condition: application and (selection and not 1 of filter_*)
falsepositives:
- False positives may occur if you allow installation from folders such as the
desktop, the public folder or remote shares. A baseline is required before
production use.
- False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
level: medium
ruletype: Sigma
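Review bot: `filter_updhealthtools` hard-codes `C:\Windows\TEMP\UpdHealthTools.msi` while `selection` deliberately matches drive-agnostically with `:\Windows\TEMP\`; drop the drive letter (`:\Windows\TEMP\UpdHealthTools.msi`) so the exclusion still applies on hosts whose system drive is not `C:`, otherwise the rule keeps firing on exactly the installer it is meant to ignore. The reason comments added to the disabled `\AppData\Local\Temp\` and `\Downloads\` entries are the kind of annotation the av_relevant_match changes earlier in this commit are missing.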
@@ -14,6 +14,7 @@ tags:
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -1,8 +1,7 @@
title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: test
description: Detects successful installation of Atera Remote Monitoring & Management
(RMM) agent as recently found to be used by Conti operators
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
author: Bhabesh Raj
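Review bot: `as recently found to be used by Conti operators` goes stale; the advintel reference fixes the point in time, so `as used by Conti operators` (with the date carried by the reference) is the more durable wording for the folded description.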
@@ -1,8 +1,7 @@
title: MSSQL Add Account To Sysadmin Role
id: 08200f85-2678-463e-9c32-88dce2f073d1
status: test
description: Detects when an attacker tries to backdoor the MSSQL server by adding
a backdoor account to the sysadmin fixed server role
description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -12,8 +11,8 @@ tags:
logsource:
product: windows
service: application
definition: MSSQL audit policy must be enabled in order to receive this event
in the application log
definition: MSSQL audit policy must be enabled in order to receive this event in the application log
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -1,8 +1,7 @@
title: MSSQL Disable Audit Settings
id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
status: test
description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER
AUDIT" transaction in order to delete or disable audit logs on the server
description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
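Review bot: `ALTER SERVER AUDIT` and `DROP SERVER AUDIT` are T-SQL statements, not transactions, so the folded description should read `... calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement ...`; the audit field the detection keys on is itself named `statement` (see `- statement:DROP SERVER AUDIT` further down in this file).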
@@ -14,8 +13,8 @@ tags:
logsource:
product: windows
service: application
definition: MSSQL audit policy must be enabled in order to receive this event
in the application log
definition: MSSQL audit policy must be enabled in order to receive this event in the application log
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -27,7 +26,6 @@ detection:
- statement:DROP SERVER AUDIT
condition: application and selection
falsepositives:
- This event should only fire when an administrator is modifying the audit policy.
Which should be a rare occurrence once it's set up
- This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
level: high
ruletype: Sigma
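Review bot: the folded `falsepositives` entry keeps `Which should be a rare occurrence once it's set up` as a standalone fragment; join it to the preceding sentence: `This event should only fire when an administrator is modifying the audit policy, which should be a rare occurrence once it is set up.`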
@@ -1,8 +1,8 @@
title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
status: experimental
description: Detects failed logon attempts from clients to MSSQL server.
author: Nasreddine Bencherchali (Nextron Systems), j4son
@@ -25,8 +25,6 @@ detection:
EventID: 18456
condition: application and selection
falsepositives:
- This event could stem from users changing an account's password that's used
to authenticate via a job or an automated process. Investigate the source
of such events and mitigate them
- This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low
ruletype: Sigma
@@ -1,11 +1,10 @@
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
type: similar
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
type: similar
status: experimental
description: Detects failed logon attempts from clients with external network IP to
an MSSQL server. This can be a sign of a bruteforce attack.
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
author: j4son
date: 2023/10/11
references:
@@ -26,8 +25,8 @@ detection:
EventID: 18456
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.'
- 'CLIENT: 172.16.'
- 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
- 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
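Review bot: the `# filter_range_IP: 172.16.0.0/12` comment sits on the `'CLIENT: 172.16.'` line alone, but that prefix only covers 172.16.0.0/16; the /12 is covered by the sixteen `172.16.` through `172.31.` entries together, so put the comment once above the group (or on its last entry) rather than implying a single entry suffices.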
@@ -43,9 +42,9 @@ detection:
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.'
- 'CLIENT: 127.'
- 'CLIENT: 169.254.'
- 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
- 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
- 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
condition: application and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
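Review bot: typo in the new comment `# fileter_link-local_addressing` (should be `filter_link-local_addressing`), and the three labels `filter_range_IP`, `filter_loop_back` and `filter_link-local_addressing` should follow one naming scheme, since they read like they were meant to mirror the `filter_main_*` selection names.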
@@ -1,9 +1,7 @@
title: MSSQL SPProcoption Set
id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
status: test
description: Detects when the a stored procedure is set or cleared for automatic execution
in MSSQL. A stored procedure that is set to automatic execution runs every time
an instance of SQL Server is started
description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
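Review bot: `Detects when the a stored procedure` carries the doubled article over from the original; since the line is being rewritten, make it `Detects when a stored procedure is set or cleared ...`.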
@@ -14,8 +12,8 @@ tags:
logsource:
product: windows
service: application
definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled
in order to receive this event in the application log
definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled in order to receive this event in the application log
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -1,8 +1,7 @@
title: MSSQL XPCmdshell Suspicious Execution
id: 7f103213-a04e-4d59-8261-213dddf22314
status: test
description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute
commands
description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
@@ -13,15 +12,16 @@ detection:
logsource:
product: windows
service: application
definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in
order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
selection:
Provider_Name: MSSQLSERVER
EventID: 33205
Data|contains|all:
# You can modify this to include specific commands
- object_name:xp_cmdshell
- statement:EXEC
condition: application and selection
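Review bot: the new `# You can modify this to include specific commands` comment would be more useful if it also said that `statement:EXEC` is a `contains` match and therefore already covers `EXECUTE` as well as `EXEC`, so anyone narrowing the list to specific commands needs to keep the prefix and append the command text rather than replace the entry.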
@@ -12,6 +12,7 @@ tags:
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
@@ -22,7 +23,6 @@ detection:
condition: application and selection
falsepositives:
- Legitimate enable/disable of the setting
- Note that since the event contain the change for both values. This means that
this will trigger on both enable and disable
- Note that since the event contain the change for both values. This means that this will trigger on both enable and disable
level: high
ruletype: Sigma
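Review bot: the folded `falsepositives` entry keeps two grammar problems: `the event contain` should be `contains`, and the break before `This means` leaves the first clause as a fragment; suggest `Note that since the event contains the change for both values, this will trigger on both enable and disable.`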

0 comments on commit 3e19428