diff --git a/.github/workflows/update-sigmarule.yaml b/.github/workflows/update-sigmarule.yaml
index d3890fd9c..3c883d0b1 100644
--- a/.github/workflows/update-sigmarule.yaml
+++ b/.github/workflows/update-sigmarule.yaml
@@ -40,11 +40,11 @@ jobs:
run: |
cd hayabusa-rules/tools/sigmac/
poetry install --no-root
- poetry run python logsource_mapping.py -r ../../../sigma-repo -o converted_rules
+ poetry run python logsource_mapping.py -r ../../../sigma-repo -o ../../../converted_rules
cd -
rm -rf hayabusa-rules/sigma/
mkdir hayabusa-rules/sigma/
- cp -r hayabusa-rules/tools/sigmac/converted_rules/* hayabusa-rules/sigma/
+ cp -r converted_rules/* hayabusa-rules/sigma/
- name: Create Text
id: create-text
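Review bot: The step still deletes the shipped rule tree (`rm -rf hayabusa-rules/sigma/`) before anything checks that the relocated output directory `converted_rules` actually holds a converted rule set, so a conversion that exits 0 with partial or empty output would replace the detection rules with whatever is left — the default `bash -e` shell only catches the case where the glob matches nothing, and only after the tree is already gone. I would clear the new output location before the run so stale files from a prior step cannot be picked up (`rm -rf converted_rules` before the `poetry run` line) and gate the destructive part on a non-empty result, e.g. `test -n "$(ls -A converted_rules)" || { echo "sigma conversion produced no rules" >&2; exit 1; }` placed immediately before the `rm -rf`. A minimum file-count threshold would be stronger if the usual rule count is known, but that is not visible here. The step's `name:` and the rest of the job definition are above this hunk.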
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index c145393bc..7f8e2b7f6 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -2,7 +2,6 @@
## v2.13.0-dev [2024/01/19]
-Sigmaルールのコメントを残すようにした。以前は変換後に削除されていた。(#568) (@fukusuket)
Sigma変換バックエンドのパッケージ管理は [Poetry](https://python-poetry.org/) 、静的コード分析は [Ruff](https://github.com/astral-sh/ruff) で実行するようにした。(#567) (@fukusuket)
## v2.12.0 [2023/12/19]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 644f64ce9..8f8e39b7c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,6 @@
## v2.13.0-dev [2024/01/19]
-Comments in Sigma rules are left as is. Before, they would be stripped after conversion. (#568) (@fukusuket)
Package management for the sigma conversion backend is now handled by [Poetry](https://python-poetry.org/) and static code analysis is performed by [Ruff](https://github.com/astral-sh/ruff). (#567) (@fukusuket)
## v2.12.0 [2023/12/19]
diff --git a/tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml b/tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml
deleted file mode 100644
index 0e6c0bce3..000000000
--- a/tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-title: Relevant Anti-Virus Signature Keywords In Application Log
-id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
-status: test
-description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
-references:
- - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
- - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
- - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
-author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2017/02/19
-modified: 2023/11/22
-tags:
- - attack.resource_development
- - attack.t1588
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- keywords:
- - Adfind
- - ASP/BackDoor
- - ATK/
- - Backdoor.ASP
- - Backdoor.Cobalt
- - Backdoor.JSP
- - Backdoor.PHP
- - Blackworm
- - Brutel
- - BruteR
- - Chopper
- - Cobalt
- - COBEACON
- - Cometer
- - CRYPTES
- - Cryptor
- - Destructor
- - DumpCreds
- - Exploit.Script.CVE
- - FastReverseProxy
- - Filecoder
- - GrandCrab
- - HackTool
- - 'HKTL:'
- - HKTL.
- - HKTL/
- - HTool
- - IISExchgSpawnCMD
- - Impacket
- - JSP/BackDoor
- - Keylogger
- - Koadic
- - Krypt
- - Lazagne
- - Metasploit
- - Meterpreter
- - MeteTool
- - Mimikatz
- - Mpreter
- - Nighthawk
- - Packed.Generic.347
- - PentestPowerShell
- - Phobos
- - PHP/BackDoor
- - PowerSploit
- - PowerSSH
- - PshlSpy
- - PSWTool
- - PWCrack
- - PWDump
- - Ransom
- - Rozena
- - Ryzerlo
- - Sbelt
- - Seatbelt
- - SecurityTool
- - SharpDump
- - Sliver
- - Splinter
- - Swrort
- - Tescrypt
- - TeslaCrypt
- - Valyria
- - Webshell
- # - 'FRP.'
- # - 'PWS.'
- # - 'PWSX'
- # - 'Razy'
- # - 'Ryuk'
- # - 'Locker'
- # - 'Potato'
- filter_optional_generic:
- - Keygen
- - Crack
- - anti_ransomware_service.exe
- - cyber-protect-service.exe
- filter_optional_information:
- Level: 4 # Information level
- filter_optional_restartmanager:
- Provider_Name: Microsoft-Windows-RestartManager
- condition: application and (keywords and not 1 of filter_optional_*)
-falsepositives:
- - Some software piracy tools (key generators, cracks) are classified as hack tools
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml
deleted file mode 100644
index 44fba0f5a..000000000
--- a/tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Microsoft Malware Protection Engine Crash
-id: 545a5da6-f103-4919-a519-e9aec1026ee4
-related:
- - id: 6c82cf5c-090d-4d57-9188-533577631108
- type: similar
-status: experimental
-description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
-references:
- - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- - https://technet.microsoft.com/en-us/library/security/4022344
-author: Florian Roth (Nextron Systems)
-date: 2017/05/09
-modified: 2023/04/14
-tags:
- - attack.defense_evasion
- - attack.t1211
- - attack.t1562.001
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: Application Error
- EventID: 1000
- Data|contains|all:
- - MsMpEng.exe
- - mpengine.dll
- condition: application and selection
-falsepositives:
- - MsMpEng might crash if the "C:\" partition is full
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
deleted file mode 100644
index 1a1ab0f85..000000000
--- a/tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Potential Credential Dumping Via WER - Application
-id: a18e0862-127b-43ca-be12-1a542c75c7c5
-status: test
-description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
-references:
- - https://github.com/deepinstinct/Lsass-Shtinkering
- - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/07
-tags:
- - attack.credential_access
- - attack.t1003.001
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: Application Error
- EventID: 1000
- AppName: lsass.exe
- ExceptionCode: c0000001 # STATUS_UNSUCCESSFUL
- condition: application and selection
-falsepositives:
- - Rare legitimate crashing of the lsass process
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml
deleted file mode 100644
index 54898dca6..000000000
--- a/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Ntdsutil Abuse
-id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
-status: test
-description: Detects potential abuse of ntdsutil to dump ntds.dit database
-references:
- - https://twitter.com/mgreen27/status/1558223256704122882
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-tags:
- - attack.credential_access
- - attack.t1003.003
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: ESENT
- EventID:
- - 216
- - 325
- - 326
- - 327
- Data|contains: ntds.dit
- condition: application and selection
-falsepositives:
- - Legitimate backup operation/creating shadow copies
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
deleted file mode 100644
index 2a9b1485f..000000000
--- a/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Dump Ntds.dit To Suspicious Location
-id: 94dc4390-6b7c-4784-8ffc-335334404650
-status: test
-description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
-references:
- - https://twitter.com/mgreen27/status/1558223256704122882
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-modified: 2023/10/23
-tags:
- - attack.execution
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection_root:
- Provider_Name: ESENT
- EventID: 325 # New Database Created
- Data|contains: ntds.dit
- selection_paths:
- Data|contains:
- # Add more locations that you don't use in your env or that are just suspicious
- - :\ntds.dit
- - \Appdata\
- - \Desktop\
- - \Downloads\
- - \Perflogs\
- - \Temp\
- - \Users\Public\
- condition: application and (all of selection_*)
-falsepositives:
- - Legitimate backup operation/creating shadow copies
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
deleted file mode 100644
index 5aea8a523..000000000
--- a/tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Audit CVE Event
-id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
-status: test
-description: |
- Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
- MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
- Unfortunately, that is about the only instance of CVEs being written to this log.
-references:
- - https://twitter.com/VM_vivisector/status/1217190929330655232
- - https://twitter.com/DidierStevens/status/1217533958096924676
- - https://twitter.com/FlemmingRiis/status/1217147415482060800
- - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
- - https://nullsec.us/windows-event-log-audit-cve/
-author: Florian Roth (Nextron Systems), Zach Mathis
-date: 2020/01/15
-modified: 2022/10/22
-tags:
- - attack.execution
- - attack.t1203
- - attack.privilege_escalation
- - attack.t1068
- - attack.defense_evasion
- - attack.t1211
- - attack.credential_access
- - attack.t1212
- - attack.lateral_movement
- - attack.t1210
- - attack.impact
- - attack.t1499.004
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name:
- - Microsoft-Windows-Audit-CVE
- - Audit-CVE
- EventID: 1
- condition: application and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml b/tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
deleted file mode 100644
index 25e7b85f5..000000000
--- a/tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Backup Catalog Deleted
-id: 9703792d-fd9a-456d-a672-ff92efe4806a
-status: test
-description: Detects backup catalog deletions
-references:
- - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
-date: 2017/05/12
-modified: 2022/12/25
-tags:
- - attack.defense_evasion
- - attack.t1070.004
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- EventID: 524
- Provider_Name: Microsoft-Windows-Backup
- condition: application and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
deleted file mode 100644
index e92e1b0e6..000000000
--- a/tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Restricted Software Access By SRP
-id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
-status: test
-description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
-references:
- - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
- - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
-author: frack113
-date: 2023/01/12
-tags:
- - attack.defense_evasion
- - attack.t1072
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: Microsoft-Windows-SoftwareRestrictionPolicies
- EventID:
- - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
- - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
- - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
- - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
- - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
- condition: application and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml
deleted file mode 100644
index 4bd0a5a1a..000000000
--- a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Application Uninstalled
-id: 570ae5ec-33dc-427c-b815-db86228ad43e
-status: test
-description: An application has been removed. Check if it is critical.
-author: frack113
-date: 2022/01/28
-modified: 2022/09/17
-tags:
- - attack.impact
- - attack.t1489
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MsiInstaller
- EventID:
- - 11724
- - 1034
- condition: application and selection
-falsepositives:
- - Unknown
-# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
deleted file mode 100644
index 9478ade79..000000000
--- a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: MSI Installation From Suspicious Locations
-id: c7c8aa1c-5aff-408e-828b-998e3620b341
-status: test
-description: Detects MSI package installation from suspicious locations
-references:
- - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
-modified: 2023/10/23
-tags:
- - attack.execution
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MsiInstaller
- EventID:
- - 1040
- - 1042
- Data|contains:
- # Add more suspicious paths
- - :\Windows\TEMP\
- - \\\\
- - \Desktop\
- - \PerfLogs\
- - \Users\Public\
- # - '\AppData\Local\Temp\' # too many FPs
- # - '\Downloads\' # too many FPs, typical legitimate staging directory
- filter_winget:
- Data|contains: \AppData\Local\Temp\WinGet\
- filter_updhealthtools:
- Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
- condition: application and (selection and not 1 of filter_*)
-falsepositives:
- - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml
deleted file mode 100644
index f0c178ed5..000000000
--- a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: MSI Installation From Web
-id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
-status: test
-description: Detects installation of a remote msi file from web.
-references:
- - https://twitter.com/_st0pp3r_/status/1583922009842802689
-author: Stamatis Chatzimangou
-date: 2022/10/23
-modified: 2022/10/23
-tags:
- - attack.execution
- - attack.t1218
- - attack.t1218.007
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MsiInstaller
- EventID:
- - 1040
- - 1042
- Data|contains: ://
- condition: application and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
deleted file mode 100644
index b695e6db2..000000000
--- a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Atera Agent Installation
-id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
-status: test
-description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
-references:
- - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
-author: Bhabesh Raj
-date: 2021/09/01
-modified: 2022/12/25
-tags:
- - attack.t1219
-logsource:
- service: application
- product: windows
-detection:
- application:
- Channel: Application
- selection:
- EventID: 1033
- Provider_Name: MsiInstaller
- Message|contains: AteraAgent
- condition: application and selection
-falsepositives:
- - Legitimate Atera agent installation
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
deleted file mode 100644
index 3bcadd343..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: MSSQL Add Account To Sysadmin Role
-id: 08200f85-2678-463e-9c32-88dce2f073d1
-status: test
-description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
-references:
- - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/13
-tags:
- - attack.persistence
-logsource:
- product: windows
- service: application
- definition: MSSQL audit policy must be enabled in order to receive this event in the application log
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 33205
- Data|contains|all:
- - object_name:sysadmin
- - 'statement:alter server role [sysadmin] add member '
- condition: application and selection
-falsepositives:
- - Rare legitimate administrative activity
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
deleted file mode 100644
index 298387a03..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: MSSQL Disable Audit Settings
-id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
-status: test
-description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
-references:
- - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
- - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/13
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: application
- definition: MSSQL audit policy must be enabled in order to receive this event in the application log
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 33205
- Data|contains:
- - statement:ALTER SERVER AUDIT
- - statement:DROP SERVER AUDIT
- condition: application and selection
-falsepositives:
- - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml
deleted file mode 100644
index 970cf5f14..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: MSSQL Server Failed Logon
-id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
-related:
- - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
- type: similar
-status: experimental
-description: Detects failed logon attempts from clients to MSSQL server.
-author: Nasreddine Bencherchali (Nextron Systems), j4son
-date: 2023/10/11
-references:
- - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
-tags:
- - attack.credential_access
- - attack.t1110
-logsource:
- product: windows
- service: application
- definition: 'Requirements: Must enable MSSQL authentication.'
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 18456
- condition: application and selection
-falsepositives:
- - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
deleted file mode 100644
index ef8d21ed4..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: MSSQL Server Failed Logon From External Network
-id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
-related:
- - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
- type: similar
-status: experimental
-description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
-author: j4son
-date: 2023/10/11
-references:
- - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
- - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
-tags:
- - attack.credential_access
- - attack.t1110
-logsource:
- product: windows
- service: application
- definition: 'Requirements: Must enable MSSQL authentication.'
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 18456
- filter_main_local_ips:
- Data|contains:
- - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
- - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
- - 'CLIENT: 172.17.'
- - 'CLIENT: 172.18.'
- - 'CLIENT: 172.19.'
- - 'CLIENT: 172.20.'
- - 'CLIENT: 172.21.'
- - 'CLIENT: 172.22.'
- - 'CLIENT: 172.23.'
- - 'CLIENT: 172.24.'
- - 'CLIENT: 172.25.'
- - 'CLIENT: 172.26.'
- - 'CLIENT: 172.27.'
- - 'CLIENT: 172.28.'
- - 'CLIENT: 172.29.'
- - 'CLIENT: 172.30.'
- - 'CLIENT: 172.31.'
- - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
- - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
- - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
- condition: application and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
deleted file mode 100644
index bf3ad3fc7..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: MSSQL SPProcoption Set
-id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
-status: test
-description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
-references:
- - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/13
-tags:
- - attack.persistence
-logsource:
- product: windows
- service: application
- definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled in order to receive this event in the application log
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 33205
- Data|contains|all:
- - object_name:sp_procoption
- - statement:EXEC
- condition: application and selection
-falsepositives:
- - Legitimate use of the feature by administrators (rare)
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
deleted file mode 100644
index 6ad6865d4..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: MSSQL XPCmdshell Suspicious Execution
-id: 7f103213-a04e-4d59-8261-213dddf22314
-status: test
-description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
-references:
- - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-tags:
- - attack.execution
-logsource:
- product: windows
- service: application
- definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 33205
- Data|contains|all:
- # You can modify this to include specific commands
- - object_name:xp_cmdshell
- - statement:EXEC
- condition: application and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
deleted file mode 100644
index bff8d735d..000000000
--- a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: MSSQL XPCmdshell Option Change
-id: d08dd86f-681e-4a00-a92c-1db218754417
-status: test
-description: Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed
-references:
- - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-tags:
- - attack.execution
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 15457
- Data|contains: xp_cmdshell
- condition: application and selection
-falsepositives:
- - Legitimate enable/disable of the setting
- - Note that since the event contain the change for both values. This means that this will trigger on both enable and disable
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
deleted file mode 100644
index f00075407..000000000
--- a/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Remote Access Tool - ScreenConnect Command Execution
-id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
-related:
- - id: b1f73849-6329-4069-bc8f-78a604bb8b23
- type: similar
-status: experimental
-description: Detects command execution via ScreenConnect RMM
-references:
- - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- - https://github.com/SigmaHQ/sigma/pull/4467
-author: Ali Alwashali
-date: 2023/10/10
-tags:
- - attack.execution
- - attack.t1059.003
-logsource:
- service: application
- product: windows
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: ScreenConnect
- EventID: 200
- Data|contains: Executed command of length
- condition: application and selection
-falsepositives:
- - Legitimate use of ScreenConnect
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
deleted file mode 100644
index 7de1939eb..000000000
--- a/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Remote Access Tool - ScreenConnect File Transfer
-id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
-related:
- - id: b1f73849-6329-4069-bc8f-78a604bb8b23
- type: similar
-status: experimental
-description: Detects file being transferred via ScreenConnect RMM
-references:
- - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- - https://github.com/SigmaHQ/sigma/pull/4467
-author: Ali Alwashali
-date: 2023/10/10
-tags:
- - attack.execution
- - attack.t1059.003
-logsource:
- service: application
- product: windows
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: ScreenConnect
- EventID: 201
- Data|contains: Transferred files with action
- condition: application and selection
-falsepositives:
- - Legitimate use of ScreenConnect
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml b/tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
deleted file mode 100644
index d711bf9ba..000000000
--- a/tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Microsoft Malware Protection Engine Crash - WER
-id: 6c82cf5c-090d-4d57-9188-533577631108
-status: experimental
-description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
-references:
- - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- - https://technet.microsoft.com/en-us/library/security/4022344
-author: Florian Roth (Nextron Systems)
-date: 2017/05/09
-modified: 2023/04/14
-tags:
- - attack.defense_evasion
- - attack.t1211
- - attack.t1562.001
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: Windows Error Reporting
- EventID: 1001
- Data|contains|all:
- - MsMpEng.exe
- - mpengine.dll
- condition: application and selection
-falsepositives:
- - MsMpEng might crash if the "C:\" partition is full
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
deleted file mode 100644
index a6d7b1156..000000000
--- a/tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: File Was Not Allowed To Run
-id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
-status: test
-description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
-references:
- - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
- - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
-author: Pushkarev Dmitry
-date: 2020/06/28
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.t1204.002
- - attack.t1059.001
- - attack.t1059.003
- - attack.t1059.005
- - attack.t1059.006
- - attack.t1059.007
-logsource:
- product: windows
- service: applocker
-detection:
- applocker:
- Channel:
- - Microsoft-Windows-AppLocker/MSI and Script
- - Microsoft-Windows-AppLocker/EXE and DLL
- - Microsoft-Windows-AppLocker/Packaged app-Deployment
- - Microsoft-Windows-AppLocker/Packaged app-Execution
- selection:
- EventID:
- - 8004
- - 8007
- - 8022
- - 8025
- condition: applocker and selection
-fields:
- - PolicyName
- - RuleId
- - RuleName
- - TargetUser
- - TargetProcessId
- - FilePath
- - FileHash
- - Fqbn
-falsepositives:
- - Need tuning applocker or add exceptions in SIEM
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
deleted file mode 100644
index a7570e1a5..000000000
--- a/tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Sysinternals Tools AppX Versions Execution
-id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
-status: experimental
-description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
-references:
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-modified: 2023/09/12
-tags:
- - attack.defense_evasion
- - attack.execution
-logsource:
- product: windows
- service: appmodel-runtime
-detection:
- appmodel_runtime:
- Channel: Microsoft-Windows-AppModel-Runtime/Admin
- selection:
- EventID: 201
- ImageName:
- - procdump.exe
- - psloglist.exe
- - psexec.exe
- - livekd.exe
- - ADExplorer.exe
- condition: appmodel_runtime and selection
-falsepositives:
- - Legitimate usage of the applications from the Windows Store
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
deleted file mode 100644
index bab04a7e8..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Deployment AppX Package Was Blocked By AppLocker
-id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
-status: test
-description: Detects an appx package deployment that was blocked by AppLocker policy
-references:
- - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
-author: frack113
-date: 2023/01/11
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID: 412
- condition: appxdeployment_server and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
deleted file mode 100644
index d19949cf8..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Potential Malicious AppX Package Installation Attempts
-id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
-status: test
-description: Detects potential installation or installation attempts of known malicious appx packages
-references:
- - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/01/12
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID:
- - 400
- - 401
- # Add more malicious package names
- # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- PackageFullName|contains: 3669e262-ec02-4e9d-bcb4-3d008b4afac9
- condition: appxdeployment_server and selection
-falsepositives:
- - Rare occasions where a malicious package uses the exact same name and version as a legtimate application
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
deleted file mode 100644
index 99d4f86f5..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Deployment Of The AppX Package Was Blocked By The Policy
-id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
-status: test
-description: Detects an appx package deployment that was blocked by the local computer policy
-references:
- - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
-author: frack113
-date: 2023/01/11
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID:
- - 441
- - 442
- - 453
- - 454
- condition: appxdeployment_server and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
deleted file mode 100644
index f820524a8..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious AppX Package Installation Attempt
-id: 898d5fc9-fbc3-43de-93ad-38e97237c344
-status: test
-description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
-references:
- - Internal Research
- - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID: 401
- ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
- condition: appxdeployment_server and selection
-falsepositives:
- - Legitimate AppX packages not signed by MS used part of an enterprise
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
deleted file mode 100644
index c43119920..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Suspicious Remote AppX Package Locations
-id: 8b48ad89-10d8-4382-a546-50588c410f0d
-status: experimental
-description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
-references:
- - Internal Research
- - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID: 854
- Path|contains:
- - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
- - anonfiles.com
- - cdn.discordapp.com
- - cdn.discordapp.com/attachments/
- - ddns.net
- - dl.dropboxusercontent.com
- - ghostbin.co
- - gofile.io
- - hastebin.com
- - mediafire.com
- - mega.nz
- - paste.ee
- - pastebin.com
- - pastebin.pl
- - pastetext.net
- - privatlab.com
- - privatlab.net
- - send.exploit.in
- - sendspace.com
- - storage.googleapis.com
- - storjshare.io
- - temp.sh
- - transfer.sh
- - ufile.io
- condition: appxdeployment_server and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
deleted file mode 100644
index 9e2770315..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Suspicious AppX Package Locations
-id: 5cdeaf3d-1489-477c-95ab-c318559fc051
-status: test
-description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
-references:
- - Internal Research
- - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID: 854
- Path|contains:
- # Paths can be written using forward slash if the "file://" protocol is used
- - C:\Users\Public\
- - /users/public/
- - C:\PerfLogs\
- - C:/perflogs/
- - \Desktop\
- - /desktop/
- - \Downloads\
- - /Downloads/
- - C:\Windows\Temp\
- - C:/Windows/Temp/
- - \AppdData\Local\Temp\
- - /AppdData/Local/Temp/
- condition: appxdeployment_server and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
deleted file mode 100644
index ee7ec5baa..000000000
--- a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Uncommon AppX Package Locations
-id: c977cb50-3dff-4a9f-b873-9290f56132f1
-status: test
-description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
-references:
- - Internal Research
- - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- service: appxdeployment-server
-detection:
- appxdeployment_server:
- Channel: Microsoft-Windows-AppXDeploymentServer/Operational
- selection:
- EventID: 854
- filter_generic:
- Path|contains:
- # Paths can be written using forward slash if the "file://" protocol is used
- - C:\Program Files\WindowsApps\
- - C:\Program Files (x86)\
- - C:\Windows\SystemApps\
- - C:\Windows\PrintDialog\
- - C:\Windows\ImmersiveControlPanel\
- - x-windowsupdate://
- - file:///C:/Program%20Files # Also covers 'file:///C:/Program%20Files%20(x86)/'
- filter_specific:
- Path|contains:
- - https://statics.teams.cdn.office.net/
- - microsoft.com # Example: https://go.microsoft.com/fwlink/?linkid=2160968
- condition: appxdeployment_server and (selection and not 1 of filter_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
deleted file mode 100644
index 88a35c0f0..000000000
--- a/tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious Digital Signature Of AppX Package
-id: b5aa7d60-c17e-4538-97de-09029d6cd76b
-status: test
-description: Detects execution of AppX packages with known suspicious or malicious signature
-references:
- - Internal Research
- - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-tags:
- - attack.defense_evasion
- - attack.execution
-logsource:
- product: windows
- service: appxpackaging-om
-detection:
- appxpackaging_om:
- Channel: Microsoft-Windows-AppxPackaging/Operational
- selection:
- EventID: 157
- # Add more known suspicious/malicious certificates used in different attacks
- subjectName: CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization
- condition: appxpackaging_om and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
deleted file mode 100644
index 8111d31e2..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: New BITS Job Created Via Bitsadmin
-id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
-status: test
-description: Detects the creation of a new bits job by Bitsadmin
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
-author: frack113
-date: 2022/03/01
-modified: 2023/03/27
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 3
- processPath|endswith: \bitsadmin.exe
- condition: bits_client and selection
-falsepositives:
- - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
deleted file mode 100644
index a52378e16..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: New BITS Job Created Via PowerShell
-id: fe3a2d49-f255-4d10-935c-bda7391108eb
-status: experimental
-description: Detects the creation of a new bits job by PowerShell
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
-author: frack113
-date: 2022/03/01
-modified: 2023/03/27
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 3
- processPath|endswith:
- - \powershell.exe
- - \pwsh.exe
- condition: bits_client and selection
-falsepositives:
- - Administrator PowerShell scripts
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
deleted file mode 100644
index fa21ec421..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: BITS Transfer Job Downloading File Potential Suspicious Extension
-id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
-status: experimental
-description: Detects new BITS transfer job saving local files with potential suspicious extensions
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
-author: frack113
-date: 2022/03/01
-modified: 2023/03/27
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 16403
- LocalName|endswith:
- # TODO: Extend this list with more interesting file extensions
- - .bat
- - .dll
- - .exe # TODO: Might wanna comment this if it generates tons of FPs
- - .hta
- - .ps1
- - .psd1
- - .sh
- - .vbe
- - .vbs
- filter_optional_generic:
- # Typical updates: Chrome, Dropbox etc.
- LocalName|contains: \AppData\
- RemoteName|contains: .com
- condition: bits_client and (selection and not 1 of filter_optional_*)
-falsepositives:
- - While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
deleted file mode 100644
index 1a7525653..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: BITS Transfer Job Download From File Sharing Domains
-id: d635249d-86b5-4dad-a8c7-d7272b788586
-status: experimental
-description: Detects BITS transfer job downloading files from a file sharing domain.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
- - https://twitter.com/malmoeb/status/1535142803075960832
- - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
-author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 16403
- RemoteName|contains:
- - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
- - anonfiles.com
- - cdn.discordapp.com
- - cdn.discordapp.com/attachments/
- - ddns.net
- - dl.dropboxusercontent.com
- - ghostbin.co
- - gofile.io
- - hastebin.com
- - mediafire.com
- - mega.nz
- - paste.ee
- - pastebin.com
- - pastebin.pl
- - pastetext.net
- - privatlab.com
- - privatlab.net
- - send.exploit.in
- - sendspace.com
- - storage.googleapis.com
- - storjshare.io
- - temp.sh
- - transfer.sh
- - ufile.io
- condition: bits_client and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
deleted file mode 100644
index 084075335..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-title: BITS Transfer Job Download From Direct IP
-id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
-related:
- - id: 99c840f2-2012-46fd-9141-c761987550ef
- type: similar
-status: experimental
-description: Detects a BITS transfer job downloading file(s) from a direct IP address.
-references:
- - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- - https://isc.sans.edu/diary/22264
- - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/03/27
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 16403
- RemoteName|contains:
- - http://1
- - http://2
- - http://3
- - http://4
- - http://5
- - http://6
- - http://7
- - http://8
- - http://9
- - https://1
- - https://2
- - https://3
- - https://4
- - https://5
- - https://6
- - https://7
- - https://8
- - https://9
- filter_optional_local_networks:
- RemoteName|contains:
- - ://10. # 10.0.0.0/8
- - ://192.168. # 192.168.0.0/16
- - ://172.16. # 172.16.0.0/12
- - ://172.17.
- - ://172.18.
- - ://172.19.
- - ://172.20.
- - ://172.21.
- - ://172.22.
- - ://172.23.
- - ://172.24.
- - ://172.25.
- - ://172.26.
- - ://172.27.
- - ://172.28.
- - ://172.29.
- - ://172.30.
- - ://172.31.
- - ://127. # 127.0.0.0/8
- - ://169.254. # 169.254.0.0/16
- filter_optional_seven_zip:
- RemoteName|contains:
- # For https://7-zip.org/
- - https://7-
- - http://7-
- condition: bits_client and (selection and not 1 of filter_optional_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
deleted file mode 100644
index 7796f954c..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD
-id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
-status: experimental
-description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
- - https://twitter.com/malmoeb/status/1535142803075960832
-author: Florian Roth (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/27
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 16403
- filter_main_generic:
- RemoteName|contains:
- - .azureedge.net/
- - .com/
- - .sfx.ms/
- - download.mozilla.org/ # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US
- condition: bits_client and (selection and not 1 of filter_main_*)
-falsepositives:
- - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
deleted file mode 100644
index f96ad5b9f..000000000
--- a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: BITS Transfer Job Download To Potential Suspicious Folder
-id: f8a56cb7-a363-44ed-a82f-5926bb44cd05
-status: experimental
-description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
-author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/27
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- product: windows
- service: bits-client
-detection:
- bits_client:
- Channel: Microsoft-Windows-Bits-Client/Operational
- selection:
- EventID: 16403
- LocalName|contains:
- # TODO: Add more interesting suspicious paths
- - \Desktop\
- - C:\Users\Public\
- - C:\PerfLogs\
- condition: bits_client and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
deleted file mode 100644
index d61e45198..000000000
--- a/tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Certificate Private Key Acquired
-id: e2b5163d-7deb-4566-9af3-40afea6858c3
-status: experimental
-description: Detects when an application acquires a certificate private key
-references:
- - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
-author: Zach Mathis
-date: 2023/05/13
-tags:
- - attack.credential_access
- - attack.t1649
-logsource:
- product: windows
- service: capi2
- definition: 'Requirements: The CAPI2 Operational log needs to be enabled'
-detection:
- capi2:
- Channel: Microsoft-Windows-CAPI2/Operational
- selection:
- EventID: 70 # Acquire Certificate Private Key
- condition: capi2 and selection
-falsepositives:
- - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml
deleted file mode 100644
index 3ac97d0b9..000000000
--- a/tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-title: Antivirus Exploitation Framework Detection
-id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
-status: stable
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework
-references:
- - https://www.nextron-systems.com/?s=antivirus
- - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
- - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
-author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2023/01/13
-tags:
- - attack.execution
- - attack.t1203
- - attack.command_and_control
- - attack.t1219
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- ThreatName|contains:
- - MeteTool
- - MPreter
- - Meterpreter
- - Metasploit
- - PowerSploit
- - CobaltStrike
- - BruteR
- - Brutel
- - Swrort
- - Rozena
- - Backdoor.Cobalt
- - CobaltStr
- - COBEACON
- - Cometer
- - Razy
- - IISExchgSpawnCMD
- - Exploit.Script.CVE
- - Seatbelt
- - Sbelt
- - Sliver
- condition: antivirus and selection
-fields:
- - FileName
- - User
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml
deleted file mode 100644
index 15567e5d0..000000000
--- a/tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: Antivirus Hacktool Detection
-id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
-status: stable
-description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
-references:
- - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2021/08/16
-modified: 2023/02/03
-tags:
- - attack.execution
- - attack.t1204
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- - ThreatName|startswith:
- - HTOOL
- - HKTL
- - SecurityTool
- - Adfind
- - ATK/
- - Exploit.Script.CVE
- # - 'FRP.'
- - PWS.
- - PWSX
- - ThreatName|contains:
- - Hacktool
- - ATK/ # Sophos
- - Potato
- - Rozena
- - Sbelt
- - Seatbelt
- - SecurityTool
- - SharpDump
- - Sliver
- - Splinter
- - Swrort
- - Impacket
- - Koadic
- - Lazagne
- - Metasploit
- - Meterpreter
- - MeteTool
- - Mimikatz
- - Mpreter
- - Nighthawk
- - PentestPowerShell
- - PowerSploit
- - PowerSSH
- - PshlSpy
- - PSWTool
- - PWCrack
- - Brutel
- - BruteR
- - Cobalt
- - COBEACON
- - Cometer
- - DumpCreds
- - FastReverseProxy
- - PWDump
- condition: antivirus and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml
deleted file mode 100644
index 401b08f6b..000000000
--- a/tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-title: Antivirus Password Dumper Detection
-id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
-status: stable
-description: Detects a highly relevant Antivirus alert that reports a password dumper
-references:
- - https://www.nextron-systems.com/?s=antivirus
- - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth (Nextron Systems)
-date: 2018/09/09
-modified: 2023/01/18
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.t1558
- - attack.t1003.001
- - attack.t1003.002
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- - ThreatName|startswith: PWS
- - ThreatName|contains:
- - DumpCreds
- - Mimikatz
- - PWCrack
- - HTool/WCE
- - PSWTool
- - PWDump
- - SecurityTool
- - PShlSpy
- - Rubeus
- - Kekeo
- - LsassDump
- - Outflank
- - DumpLsass
- - SharpDump
- - PWSX
- - PWS.
- condition: antivirus and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml
deleted file mode 100644
index 044ed3c27..000000000
--- a/tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-title: Antivirus Ransomware Detection
-id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
-status: test
-description: Detects a highly relevant Antivirus alert that reports ransomware
-references:
- - https://www.nextron-systems.com/?s=antivirus
- - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
- - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
- - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
- - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
- - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
-author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2022/05/12
-modified: 2023/02/03
-tags:
- - attack.t1486
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- ThreatName|contains:
- - Ransom
- - Cryptor
- - Crypter
- - CRYPTES
- - GandCrab
- - BlackWorm
- - Phobos
- - Destructor
- - Filecoder
- - GrandCrab
- - Krypt
- - Locker
- - Ryuk
- - Ryzerlo
- - Tescrypt
- - TeslaCrypt
- condition: antivirus and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml
deleted file mode 100644
index cab783e17..000000000
--- a/tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-title: Antivirus Relevant File Paths Alerts
-id: c9a88268-0047-4824-ba6e-4d81ce0b907c
-status: test
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
-references:
- - https://www.nextron-systems.com/?s=antivirus
-author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2023/10/23
-tags:
- - attack.resource_development
- - attack.t1588
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection_path:
- Path|contains:
- # could be startswith, if there is a better backend handling
- - :\Windows\
- - :\Temp\
- - :\PerfLogs\
- - :\Users\Public\
- - :\Users\Default\
- # true 'contains' matches:
- - \Client\
- - \tsclient\
- - \inetpub\
- - /www/
- - apache
- - tomcat
- - nginx
- - weblogic
- selection_ext:
- Path|endswith:
- - .asax
- - .ashx
- - .asmx
- - .asp
- - .aspx
- - .bat
- - .cfm
- - .cgi
- - .chm
- - .cmd
- - .dat
- - .ear
- - .gif
- - .hta
- - .jpeg
- - .jpg
- - .jsp
- - .jspx
- - .lnk
- - .php
- - .pl
- - .png
- - .ps1
- - .psm1
- - .py
- - .pyc
- - .rb
- - .scf
- - .sct
- - .sh
- - .svg
- - .txt
- - .vbe
- - .vbs
- - .war
- - .wsf
- - .wsh
- - .xml
- condition: antivirus and (1 of selection_*)
-fields:
- - ThreatName
- - User
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml
deleted file mode 100644
index 94ea3ca22..000000000
--- a/tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-title: Antivirus Web Shell Detection
-id: fdf135a2-9241-4f96-a114-bb404948f736
-status: test
-description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
-references:
- - https://www.nextron-systems.com/?s=antivirus
- - https://github.com/tennc/webshell
- - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
- - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
-author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2023/02/03
-tags:
- - attack.persistence
- - attack.t1505.003
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- - ThreatName|startswith:
- - PHP.
- - JSP.
- - ASP.
- - Perl.
- - VBS/Uxor # looking for 'VBS/' would also find downloaders and droppers meant for desktops
- - IIS/BackDoor
- - JAVA/Backdoor
- - Troj/ASP
- - Troj/PHP
- - Troj/JSP
- - ThreatName|contains:
- - Webshell
- - Chopper
- - SinoChoper
- - ASPXSpy
- - Aspdoor
- - filebrowser
- - PHP_
- - JSP_
- - ASP_ # looking for 'VBS_' would also find downloaders and droppers meant for desktops
- - 'PHP:'
- - 'JSP:'
- - 'ASP:'
- - 'Perl:'
- - PHP/
- - JSP/
- - ASP/
- - Perl/
- - PHPShell
- - Trojan.PHP
- - Trojan.ASP
- - Trojan.JSP
- - Trojan.VBS
- - PHP/Agent
- - ASP/Agent
- - JSP/Agent
- - VBS/Agent
- - Backdoor/PHP
- - Backdoor/JSP
- - Backdoor/ASP
- - Backdoor/VBS
- - Backdoor/Java
- - PHP.Agent
- - ASP.Agent
- - JSP.Agent
- - VBS.Agent
- - Backdoor.PHP
- - Backdoor.JSP
- - Backdoor.ASP
- - Backdoor.VBS
- - Backdoor.Java
- - PShlSpy
- - C99shell
- condition: antivirus and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
deleted file mode 100644
index 037d75920..000000000
--- a/tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Certificate Exported From Local Certificate Store
-id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
-status: experimental
-description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
-references:
- - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
-author: Zach Mathis
-date: 2023/05/13
-tags:
- - attack.credential_access
- - attack.t1649
-logsource:
- product: windows
- service: certificateservicesclient-lifecycle-system
-detection:
- certificateservicesclient_lifecycle_system:
- Channel: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
- selection:
- EventID: 1007 # A certificate has been exported
- condition: certificateservicesclient_lifecycle_system and selection
-falsepositives:
- - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
deleted file mode 100644
index 1f6c76eb0..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
-id: f8931561-97f5-4c46-907f-0a4a592e47a7
-status: experimental
-description: |
- Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
- This event is best correlated with EID 3089 to determine the error of the validation.
-references:
- - https://twitter.com/SBousseaden/status/1483810148602814466
- - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/20
-modified: 2023/11/15
-tags:
- - attack.execution
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID:
- - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.
- - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.
- filter_optional_dtrace:
- # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
- FileNameBuffer|endswith: \Program Files\DTrace\dtrace.dll
- ProcessNameBuffer|endswith: \Windows\System32\svchost.exe
- RequestedPolicy: 12
- filter_optional_av_generic:
- # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
- FileNameBuffer|contains: \Windows\System32\DriverStore\FileRepository\
- FileNameBuffer|endswith: \igd10iumd64.dll
- # ProcessNameBuffer is AV products
- RequestedPolicy: 7
- filter_optional_electron_based_app:
- # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
- FileNameBuffer|endswith: \Windows\System32\nvspcap64.dll
- ProcessNameBuffer|endswith:
- - \AppData\Local\Keybase\Gui\Keybase.exe
- - \Microsoft\Teams\stage\Teams.exe
- RequestedPolicy: 8
- filter_optional_bonjour:
- FileNameBuffer|endswith: \Program Files\Bonjour\mdnsNSP.dll
- ProcessNameBuffer|endswith:
- - \Windows\System32\svchost.exe
- - \Windows\System32\SIHClient.exe
- RequestedPolicy:
- - 8
- - 12
- filter_optional_msoffice:
- FileNameBuffer|contains: \Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE
- FileNameBuffer|endswith: \MSOXMLMF.DLL
- # ProcessNameBuffer is AV products
- RequestedPolicy: 7
- filter_optional_slack:
- # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
- # Even though it's the same DLL as the one used in the electron based app filter. We need to do a separate selection due to slack's folder naming convention with the version number :)
- FileNameBuffer|endswith: \Windows\System32\nvspcap64.dll
- ProcessNameBuffer|contains: \AppData\Local\slack\app-
- ProcessNameBuffer|endswith: \slack.exe
- RequestedPolicy: 8
- filter_optional_firefox:
- # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
- FileNameBuffer|endswith:
- - \Mozilla Firefox\mozavcodec.dll
- - \Mozilla Firefox\mozavutil.dll
- ProcessNameBuffer|endswith: \Mozilla Firefox\firefox.exe
- RequestedPolicy: 8
- filter_optional_avast:
- FileNameBuffer|endswith:
- - \Program Files\Avast Software\Avast\aswAMSI.dll
- - \Program Files (x86)\Avast Software\Avast\aswAMSI.dll
- RequestedPolicy:
- - 8
- - 12
- filter_main_gac:
- # Filtering the path containing this string because of multiple possible DLLs in that location
- FileNameBuffer|contains: \Windows\assembly\GAC\
- ProcessNameBuffer|endswith: \mscorsvw.exe
- ProcessNameBuffer|contains: \Windows\Microsoft.NET\
- RequestedPolicy: 8
- filter_optional_google_drive:
- # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
- FileNameBuffer|contains: \Program Files\Google\Drive File Stream\
- FileNameBuffer|endswith: \crashpad_handler.exe
- ProcessNameBuffer|endswith: \Windows\ImmersiveControlPanel\SystemSettings.exe
- RequestedPolicy: 8
- filter_optional_trend_micro:
- FileNameBuffer|endswith: \Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll
- RequestedPolicy: 8
- filter_optional_mdns_responder:
- FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll '
- filter_optional_mcafee:
- FileNameBuffer|endswith:
- - \Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll
- - \Program Files\McAfee\MfeAV\AMSIExt.dll
- filter_optional_eset:
- FileNameBuffer|endswith: \Program Files\ESET\ESET Security\eamsi.dll
- condition: codeintegrity_operational and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
-falsepositives:
- - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
deleted file mode 100644
index 2344d95f3..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
-id: 5daf11c3-022b-4969-adb9-365e6c078c7c
-status: experimental
-description: Detects block events for files that are disallowed by code integrity for protected processes
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID: 3104 # Windows blocked file %2 which has been disallowed for protected processes.
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
deleted file mode 100644
index 6ba9a0877..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation
-id: e4be5675-4a53-426a-8c81-a8bb2387e947
-status: experimental
-description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
-references:
- - https://twitter.com/wdormann/status/1590434950335320065
- - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/10
-modified: 2023/06/07
-tags:
- - attack.privilege_escalation
- - attack.t1543
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX).
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
deleted file mode 100644
index cf72d4d5a..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: CodeIntegrity - Blocked Driver Load With Revoked Certificate
-id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
-status: experimental
-description: Detects blocked load attempts of revoked drivers
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
- - attack.t1543
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID: 3023 # The driver %2 is blocked from loading as the driver has been revoked by Microsoft.
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
deleted file mode 100644
index afaff2738..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: CodeIntegrity - Revoked Kernel Driver Loaded
-id: 320fccbf-5e32-4101-82b8-2679c5f007c6
-status: experimental
-description: Detects the load of a revoked kernel driver
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID:
- - 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.
- - 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
deleted file mode 100644
index f150675f7..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CodeIntegrity - Blocked Image Load With Revoked Certificate
-id: 6f156c48-3894-4952-baf0-16193e9067d2
-status: experimental
-description: Detects blocked image load events with revoked certificates by code integrity.
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID: 3036 # Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available.
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
deleted file mode 100644
index 232801454..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: CodeIntegrity - Revoked Image Loaded
-id: 881b7725-47cc-4055-8000-425823344c59
-status: experimental
-description: Detects image load events with revoked certificates by code integrity.
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID:
- - 3032 # Code Integrity determined a revoked image %2 is loaded into the system. Check with the publisher to see if a new signed version of the image is available.
- - 3035 # Code Integrity determined a revoked image %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
deleted file mode 100644
index f7e1bed39..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CodeIntegrity - Unsigned Kernel Module Loaded
-id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
-status: experimental
-description: Detects the presence of a loaded unsigned kernel module on the system.
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
deleted file mode 100644
index a34397684..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: CodeIntegrity - Unsigned Image Loaded
-id: c92c24e7-f595-493f-9c98-53d5142f5c18
-status: experimental
-description: Detects loaded unsigned image on the system
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID: 3037 # Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available.
- condition: codeintegrity_operational and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml
deleted file mode 100644
index 0d61abd52..000000000
--- a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
-id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
-status: experimental
-description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
-references:
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
- - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
- - Internal Research
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-modified: 2023/06/14
-tags:
- - attack.privilege_escalation
-logsource:
- product: windows
- service: codeintegrity-operational
-detection:
- codeintegrity_operational:
- Channel: Microsoft-Windows-CodeIntegrity/Operational
- selection:
- EventID:
- - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
- - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
- filter_optional_vmware:
- FileNameBuffer:
- - system32\drivers\vsock.sys
- - System32\drivers\vmci.sys
- condition: codeintegrity_operational and (selection and not 1 of filter_optional_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml
deleted file mode 100644
index f0b3c0fa1..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Netcat The Powershell Version - PowerShell Module
-id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
-status: deprecated
-description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
-references:
- - https://nmap.org/ncat/
- - https://github.com/besimorhino/powercat
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
-author: frack113
-date: 2021/07/21
-modified: 2023/01/20
-tags:
- - attack.command_and_control
- - attack.t1095
-logsource:
- product: windows
- category: ps_module
- definition: 'Requirements: PowerShell Module Logging must be enabled'
-detection:
- ps_module:
- EventID: 4103
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ContextInfo|contains:
- - 'powercat '
- - powercat.ps1
- condition: ps_module and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml
deleted file mode 100644
index 32d087621..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Accessing Encrypted Credentials from Google Chrome Login Database
-id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
-status: deprecated
-author: frack113
-date: 2021/12/20
-modified: 2022/05/14
-description: |
- Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
- Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
- Web browsers typically store the credentials in an encrypted format within a credential store.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
-logsource:
- product: windows
- category: ps_script
- definition: Script block logging must be enabled
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection_cmd:
- ScriptBlockText|contains|all:
- - Copy-Item
- - -Destination
- selection_path:
- ScriptBlockText|contains:
- - \Google\Chrome\User Data\Default\Login Data
- - \Google\Chrome\User Data\Default\Login Data For Account
- condition: ps_script and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.credential_access
- - attack.t1555.003
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml
deleted file mode 100644
index 11c36e4fd..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AzureHound PowerShell Commands
-id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
-status: deprecated
-description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
-references:
- - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
-author: Austin Songer (@austinsonger)
-date: 2021/10/23
-modified: 2023/01/02
-tags:
- - attack.discovery
- - attack.t1482
- - attack.t1087
- - attack.t1087.001
- - attack.t1087.002
- - attack.t1069.001
- - attack.t1069.002
- - attack.t1069
-logsource:
- product: windows
- category: ps_script
- definition: Script Block Logging must be enabled
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains: Invoke-AzureHound
- condition: ps_script and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml
deleted file mode 100644
index ee47d037b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Execution via CL_Invocation.ps1 - Powershell
-id: 4cd29327-685a-460e-9dac-c3ab96e549dc
-status: deprecated
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
-references:
- - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- - https://twitter.com/bohops/status/948061991012327424
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.t1216
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains|all:
- - CL_Invocation.ps1
- - SyncInvoke
- condition: ps_script and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml
deleted file mode 100644
index fe3a486ae..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Execution via CL_Mutexverifiers.ps1
-id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
-status: deprecated
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
-references:
- - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
- - https://twitter.com/pabraeken/status/995111125447577600
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.t1216
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains|all:
- - CL_Mutexverifiers.ps1
- - runAfterCancelProcess
- condition: ps_script and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml
deleted file mode 100644
index e76013dc6..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Powershell File and Directory Discovery
-id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
-status: deprecated
-description: |
- Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
- including whether or not the adversary fully infects the target and/or attempts specific actions.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
-author: frack113
-date: 2021/12/15
-modified: 2023/12/11
-tags:
- - attack.discovery
- - attack.t1083
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains:
- - ls
- - get-childitem
- - gci
- recurse:
- ScriptBlockText|contains: -recurse
- condition: ps_script and (selection and recurse)
-falsepositives:
- - Unknown
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml
deleted file mode 100644
index 02daa14f3..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: PrintNightmare Powershell Exploitation
-id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
-status: deprecated
-description: Detects Commandlet name for PrintNightmare exploitation.
-references:
- - https://github.com/calebstewart/CVE-2021-1675
-author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2023/01/02
-tags:
- - attack.privilege_escalation
- - attack.t1548
-logsource:
- product: windows
- category: ps_script
- definition: Script Block Logging must be enabled
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains: Invoke-Nightmare
- condition: ps_script and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml
deleted file mode 100644
index 71c2bc83e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Suspicious Get-WmiObject
-id: 0332a266-b584-47b4-933d-a00b103e1b37
-status: deprecated
-description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
-references:
- - https://attack.mitre.org/datasources/DS0005/
- - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
-author: frack113
-date: 2022/01/12
-modified: 2023/12/11
-tags:
- - attack.persistence
- - attack.t1546
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains:
- - Get-WmiObject
- - gwmi
- filter_cl_utility:
- Path|endswith: \CL_Utility.ps1
- ScriptBlockText|contains|all:
- - function Get-FreeSpace
- - SELECT * FROM Win32_LogicalDisk WHERE MediaType=12
- condition: ps_script and (selection and not 1 of filter_*)
-falsepositives:
- - Legitimate PowerShell scripts
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml
deleted file mode 100644
index 6c3973099..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Suspicious PowerShell Download
-id: 65531a81-a694-4e31-ae04-f8ba5bc33759
-status: deprecated
-description: Detects suspicious PowerShell download command
-tags:
- - attack.execution
- - attack.t1059.001
-author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2022/04/11
-logsource:
- product: windows
- service: powershell
-detection:
- powershell:
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- webclient:
- - System.Net.WebClient
- download:
- - .DownloadFile(
- - .DownloadString(
- condition: powershell and (webclient and download)
-falsepositives:
- - PowerShell scripts that download content from the Internet
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml
deleted file mode 100644
index 426d3065f..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Suspicious PowerShell Invocations - Generic
-id: 3d304fda-78aa-43ed-975c-d740798a49c1
-status: deprecated
-description: Detects suspicious PowerShell invocation command parameters
-tags:
- - attack.execution
- - attack.t1059.001
-author: Florian Roth (Nextron Systems)
-date: 2017/03/12
-modified: 2022/04/11
-logsource:
- product: windows
- service: powershell
-detection:
- powershell:
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection_encoded:
- - ' -enc '
- - ' -EncodedCommand '
- selection_hidden:
- - ' -w hidden '
- - ' -window hidden '
- - ' -windowstyle hidden '
- selection_noninteractive:
- - ' -noni '
- - ' -noninteractive '
- condition: powershell and (all of selection*)
-falsepositives:
- - Very special / sneaky PowerShell scripts
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml
deleted file mode 100644
index 394405215..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-title: Suspicious PowerShell Invocations - Specific
-id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
-status: deprecated
-description: Detects suspicious PowerShell invocation command parameters
-tags:
- - attack.execution
- - attack.t1059.001
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2017/03/05
-modified: 2023/05/04
-logsource:
- product: windows
- service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
-detection:
- powershell:
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection_convert_b64:
- '|all':
- - -nop
- - ' -w '
- - hidden
- - ' -c '
- - '[Convert]::FromBase64String'
- selection_iex:
- '|all':
- - ' -w '
- - hidden
- - -noni
- - -nop
- - ' -c '
- - iex
- - New-Object
- selection_enc:
- '|all':
- - ' -w '
- - hidden
- - -ep
- - bypass
- - -Enc
- selection_reg:
- '|all':
- - powershell
- - reg
- - add
- - HKCU\software\microsoft\windows\currentversion\run
- selection_webclient:
- '|all':
- - bypass
- - -noprofile
- - -windowstyle
- - hidden
- - new-object
- - system.net.webclient
- - .download
- selection_iex_webclient:
- '|all':
- - iex
- - New-Object
- - Net.WebClient
- - .Download
- filter_chocolatey:
- - (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1
- - (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')
- - Write-ChocolateyWarning
- condition: powershell and (1 of selection_* and not 1 of filter_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml
deleted file mode 100644
index 5fd87989c..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
-id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
-related:
- - id: fde7929d-8beb-4a4c-b922-be9974671667
- type: derived
-description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-author: Ensar Şamil, @sblmsrsn, OSCD Community
-date: 2020/10/05
-modified: 2022/04/11
-tags:
- - attack.defense_evasion
- - attack.t1218
-logsource:
- product: windows
- service: powershell
-detection:
- powershell:
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- - SyncAppvPublishingServer.exe
- condition: powershell and selection
-falsepositives:
- - App-V clients
-level: medium
-status: deprecated
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml
deleted file mode 100644
index 5ddfecdfc..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: APT29
-id: 033fe7d6-66d1-4240-ac6b-28908009c71f
-status: deprecated
-description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
-references:
- - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
-author: Florian Roth (Nextron Systems)
-date: 2018/12/04
-modified: 2023/03/08
-tags:
- - attack.execution
- - attack.g0016
- - attack.t1059.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - -noni
- - -ep
- - bypass
- - $
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml
deleted file mode 100644
index 59a96c931..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: CrackMapExecWin
-id: 04d9079e-3905-4b70-ad37-6bdf11304965
-status: deprecated
-description: Detects CrackMapExecWin Activity as Described by NCSC
-references:
- - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
- - https://attack.mitre.org/software/S0488/
-author: Markus Neis
-date: 2018/04/08
-modified: 2023/03/08
-tags:
- - attack.g0035
- - attack.credential_access
- - attack.discovery
- - attack.t1110
- - attack.t1087
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith: \crackmapexec.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml
deleted file mode 100644
index f86863770..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: GALLIUM Artefacts
-id: 18739897-21b1-41da-8ee4-5b786915a676
-related:
- - id: 440a56bf-7873-4439-940a-1c8a671073c2
- type: derived
-status: deprecated
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-references:
- - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
-author: Tim Burrell
-date: 2020/02/07
-modified: 2023/03/09
-tags:
- - attack.credential_access
- - attack.t1212
- - attack.command_and_control
- - attack.t1071
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- legitimate_process_path:
- NewProcessName|contains:
- - :\Program Files(x86)\
- - :\Program Files\
- legitimate_executable:
- sha1: e570585edc69f9074cb5e8a790708336bd45ca0f
- condition: process_creation and (legitimate_executable and not legitimate_process_path)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml
deleted file mode 100644
index 83edbab98..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Hurricane Panda Activity
-id: 0eb2107b-a596-422e-b123-b389d5594ed7
-status: deprecated
-description: Detects Hurricane Panda Activity
-references:
- - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
-author: Florian Roth (Nextron Systems)
-date: 2019/03/04
-modified: 2023/03/10
-tags:
- - attack.privilege_escalation
- - attack.g0009
- - attack.t1068
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - CommandLine|contains|all:
- - localgroup
- - admin
- - /add
- - CommandLine|contains: \Win64.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml
deleted file mode 100644
index 749980cca..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Lazarus Activity Apr21
-id: 4a12fa47-c735-4032-a214-6fab5b120670
-status: deprecated
-description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
-references:
- - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
-author: Bhabesh Raj
-date: 2021/04/20
-modified: 2023/03/10
-tags:
- - attack.g0032
- - attack.execution
- - attack.t1106
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- CommandLine|contains|all:
- - mshta # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3
- - .zip
- selection_2:
- ParentProcessName: C:\Windows\System32\wbem\wmiprvse.exe
- NewProcessName: C:\Windows\System32\mshta.exe
- selection_3:
- ParentProcessName|contains: :\Users\Public\
- NewProcessName: C:\Windows\System32\rundll32.exe
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Should not be any false positives
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml
deleted file mode 100644
index 3c8c6a8a4..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Lazarus Loaders
-id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
-status: deprecated
-description: Detects different loaders as described in various threat reports on Lazarus group activity
-references:
- - https://www.hvs-consulting.de/lazarus-report/
- - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
-author: Florian Roth (Nextron Systems), wagga
-date: 2020/12/23
-modified: 2023/03/10
-tags:
- - attack.g0032
- - attack.execution
- - attack.t1059
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cmd1:
- CommandLine|contains|all:
- - 'cmd.exe /c '
- - ' -p 0x'
- selection_cmd2:
- CommandLine|contains:
- - C:\ProgramData\
- - C:\RECYCLER\
- selection_rundll1:
- CommandLine|contains|all:
- - 'rundll32.exe '
- - C:\ProgramData\
- selection_rundll2:
- CommandLine|contains:
- - .bin,
- - .tmp,
- - .dat,
- - .io,
- - .ini,
- - .db,
- condition: process_creation and (( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 ))
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml
deleted file mode 100644
index 39a87378d..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: DNS Tunnel Technique from MuddyWater
-id: 36222790-0d43-4fe8-86e4-674b27809543
-status: deprecated
-description: Detecting DNS tunnel activity for Muddywater actor
-references:
- - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
- - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
-author: '@caliskanfurkan_'
-date: 2020/06/04
-modified: 2023/03/10
-tags:
- - attack.command_and_control
- - attack.t1071.004
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: DataExchange.dll
- NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- ParentProcessName|endswith: \excel.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml
deleted file mode 100644
index 7597ea71b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: TA505 Dropper Load Pattern
-id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
-status: deprecated
-description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
-references:
- - https://twitter.com/ForensicITGuy/status/1334734244120309760
-author: Florian Roth (Nextron Systems)
-date: 2020/12/08
-modified: 2023/04/05
-tags:
- - attack.execution
- - attack.g0092
- - attack.t1106
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_parent:
- ParentProcessName|endswith: \wmiprvse.exe
- selection_mshta:
- - NewProcessName|endswith: \mshta.exe
- - OriginalFileName: mshta.exe
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml
deleted file mode 100644
index 3a2274af6..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-title: Suspicious Certutil Command Usage
-id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
-status: deprecated
-description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code
-references:
- - https://twitter.com/JohnLaTwC/status/835149808817991680
- - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
- - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- - https://twitter.com/egre55/status/1087685529016193025
- - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
-author: Florian Roth (Nextron Systems), juju4, keepwatch
-date: 2019/01/16
-modified: 2023/02/15
-tags:
- - attack.defense_evasion
- - attack.t1140
- - attack.command_and_control
- - attack.t1105
- - attack.s0160
- - attack.g0007
- - attack.g0010
- - attack.g0045
- - attack.g0049
- - attack.g0075
- - attack.g0096
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \certutil.exe
- - OriginalFileName: CertUtil.exe
- selection_cli:
- CommandLine|contains:
- - ' -decode '
- - ' -decodehex '
- - ' -urlcache '
- - ' -verifyctl '
- - ' -encode '
- - ' -exportPFX '
- - ' /decode '
- - ' /decodehex '
- - ' /urlcache '
- - ' /verifyctl '
- - ' /encode '
- - ' /exportPFX '
- condition: process_creation and (all of selection_*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
deleted file mode 100644
index 2dcd3b134..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Read and Execute a File Via Cmd.exe
-id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
-status: deprecated
-description: Detect use of "/R <" to read and execute a file via cmd.exe
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
-author: frack113
-date: 2022/08/20
-modified: 2023/03/07
-tags:
- - attack.execution
- - attack.t1059.003
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cmd:
- - OriginalFileName: Cmd.Exe
- - NewProcessName|endswith: \cmd.exe
- selection_read:
- - ParentCommandLine|contains|all:
- - cmd
- - '/r '
- - <
- - CommandLine|contains|all:
- - cmd
- - '/r '
- - <
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Legitimate use
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
deleted file mode 100644
index b92f4aded..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Cmd Stream Redirection
-id: 70e68156-6571-427b-a6e9-4476a173a9b6
-status: deprecated
-description: Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt
-author: frack113
-date: 2022/02/04
-modified: 2023/03/07
-tags:
- - attack.defense_evasion
- - attack.t1564.004
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - '> '
- - ':'
- NewProcessName|endswith: \cmd.exe
- filter:
- CommandLine|contains: ' :\'
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
deleted file mode 100644
index b4bb7dbcc..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Credential Acquisition via Registry Hive Dumping
-id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
-status: deprecated
-description: Detects Credential Acquisition via Registry Hive Dumping
-references:
- - https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html
-author: Tim Rauch
-date: 2022/10/04
-modified: 2023/02/06
-tags:
- - attack.credential_access
- - attack.t1003
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- - NewProcessName|endswith: \reg.exe
- - OriginalFileName: reg.exe
- selection_2:
- CommandLine|contains:
- - ' save '
- - ' export '
- selection_3:
- CommandLine|contains:
- - hklm\sam
- - hklm\security
- - HKEY_LOCAL_MACHINE\SAM
- - HKEY_LOCAL_MACHINE\SECURITY
- condition: process_creation and (all of selection_*)
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml
deleted file mode 100644
index c3eed9b02..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Visual Basic Script Execution
-id: 23250293-eed5-4c39-b57a-841c8933a57d
-status: deprecated
-description: Adversaries may abuse Visual Basic (VB) for execution
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md
-author: frack113
-date: 2022/01/02
-modified: 2023/03/06
-tags:
- - attack.execution
- - attack.t1059.005
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_exe:
- - OriginalFileName:
- - cscript.exe
- - wscript.exe
- - NewProcessName|endswith:
- - \cscript.exe
- - \wscript.exe
- selection_script:
- CommandLine|contains: .vbs
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
deleted file mode 100644
index cde31411b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Execution via MSSQL Xp_cmdshell Stored Procedure
-id: 344482e4-a477-436c-aa70-7536d18a48c7
-related:
- - id: d08dd86f-681e-4a00-a92c-1db218754417
- type: derived
- - id: 7f103213-a04e-4d59-8261-213dddf22314
- type: derived
-status: deprecated
-description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.
-references:
- - https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html
-author: Tim Rauch
-date: 2022/09/28
-modified: 2023/03/06
-tags:
- - attack.execution
- - attack.t1059
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \cmd.exe
- - OriginalFileName: Cmd.Exe
- selection_parent:
- ParentProcessName|endswith: \sqlservr.exe
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml
deleted file mode 100644
index afc86af29..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Indirect Command Execution
-id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
-status: deprecated
-description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md
- - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
-author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2023/01/04
-tags:
- - attack.defense_evasion
- - attack.t1202
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith:
- - \pcalua.exe
- - \forfiles.exe
- condition: process_creation and selection
-fields:
- - SubjectUserName
- - ComputerName
- - ParentCommandLine
- - CommandLine
-falsepositives:
- - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
- - Legitimate usage of scripts.
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
deleted file mode 100644
index 0610cf5b6..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: Indirect Command Exectuion via Forfiles
-id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
-related:
- - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
- type: obsoletes
-status: deprecated
-description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
-references:
- - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a
- - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
-author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2022/10/17
-modified: 2023/01/04
-tags:
- - attack.defense_evasion
- - attack.t1202
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_parent:
- ParentProcessName|endswith: \forfiles.exe
- selection_c:
- ParentCommandLine|contains:
- - ' /c '
- - ' -c '
- selection_p:
- ParentCommandLine|contains:
- - ' /p '
- - ' -p '
- selection_m:
- ParentCommandLine|contains:
- - ' /m '
- - ' -m '
- filter:
- CommandLine|contains|all:
- - xcopy
- - cmd /c del
- NewProcessName|endswith: \cmd.exe
- condition: process_creation and (all of selection_* and not filter)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
deleted file mode 100644
index 6d53806a4..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Invoke-Obfuscation RUNDLL LAUNCHER
-id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
-status: deprecated
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
-references:
- - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
-author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2023/02/21
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - rundll32.exe
- - shell32.dll
- - shellexec_rundll
- - powershell
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
deleted file mode 100644
index 557299157..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Invoke-Obfuscation Via Use Rundll32
-id: 36c5146c-d127-4f85-8e21-01bf62355d5a
-status: deprecated
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-references:
- - https://github.com/SigmaHQ/sigma/issues/1009
-author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-modified: 2022/12/30
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - '&&'
- - rundll32
- - shell32.dll
- - shellexec_rundll
- CommandLine|contains:
- - value
- - invoke
- - comspec
- - iex
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
deleted file mode 100644
index 53f8e6361..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
-id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
-status: experimental
-description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
-references:
- - https://dtm.uk/wuauclt/
-author: Sreeman
-date: 2020/10/29
-modified: 2022/05/27
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - wuauclt.exe
- - /UpdateDeploymentProvider
- - /Runhandlercomserver
- filter:
- CommandLine|contains:
- - wuaueng.dll
- - UpdateDeploymentProvider.dll /ClassId
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Wuaueng.dll which is a module belonging to Microsoft Windows Update.
-fields:
- - CommandLine
-level: medium
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1218
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
deleted file mode 100644
index cc138bcd9..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: Abusing Findstr for Defense Evasion
-id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
-status: deprecated
-description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
- - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali
-date: 2020/10/05
-modified: 2022/10/12
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.t1564.004
- - attack.t1552.001
- - attack.t1105
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_findstr:
- - CommandLine|contains: findstr
- - NewProcessName|endswith: findstr.exe
- - OriginalFileName: FINDSTR.EXE
- selection_cli_download_1:
- CommandLine|contains:
- - ' /v '
- - ' -v '
- selection_cli_download_2:
- CommandLine|contains:
- - ' /l '
- - ' -l '
- selection_cli_creds_1:
- CommandLine|contains:
- - ' /s '
- - ' -s '
- selection_cli_creds_2:
- CommandLine|contains:
- - ' /i '
- - ' -i '
- condition: process_creation and (selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*))
-falsepositives:
- - Administrative findstr usage
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml
deleted file mode 100644
index 776dc82c5..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Suspicious File Download Using Office Application
-id: 0c79148b-118e-472b-bdb7-9b57b444cc19
-status: test
-description: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files
-references:
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
- - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
-author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2023/02/04
-tags:
- - attack.command_and_control
- - attack.t1105
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: http
- NewProcessName|endswith:
- - \powerpnt.exe
- - \winword.exe
- - \excel.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
deleted file mode 100644
index 7641db507..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Process Memory Dumped Via RdrLeakDiag.EXE
-id: 6355a919-2e97-4285-a673-74645566340d
-status: deprecated
-description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory
-references:
- - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
-author: Florian Roth (Nextron Systems)
-date: 2022/01/04
-modified: 2023/04/24
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.t1003.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains: /fullmemdmp
- NewProcessName|endswith: \rdrleakdiag.exe
- selection2:
- CommandLine|contains|all:
- - /fullmemdmp
- - ' /o '
- - ' /p '
- condition: process_creation and (selection1 or selection2)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
deleted file mode 100644
index 4dad5de5e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: New Lolbin Process by Office Applications
-id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
-status: deprecated
-description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
- - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
- - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)
-date: 2021/08/23
-modified: 2023/02/04
-tags:
- - attack.t1204.002
- - attack.t1047
- - attack.t1218.010
- - attack.execution
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- #useful_information: add more LOLBins to the rules logic of your choice.
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith:
- - \regsvr32.exe
- - \rundll32.exe
- - \msiexec.exe
- - \mshta.exe
- - \verclsid.exe
- - \msdt.exe
- - \control.exe
- - \msidb.exe
- ParentProcessName|endswith:
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- - \msaccess.exe
- - \mspub.exe
- - \eqnedt32.exe
- - \visio.exe
- - \wordpad.exe
- - \wordview.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml
deleted file mode 100644
index a1027ebb6..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Ryuk Ransomware Command Line Activity
-id: 0acaad27-9f02-4136-a243-c357202edd74
-related:
- - id: c37510b8-2107-4b78-aa32-72f251e7a844
- type: similar
-status: deprecated
-description: Detects Ryuk Ransomware command lines
-references:
- - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
-author: Vasiliy Burov
-date: 2019/08/06
-modified: 2023/02/03
-tags:
- - attack.execution
- - attack.t1204
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains: stop
- NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- selection2:
- CommandLine|contains:
- - samss
- - audioendpointbuilder
- - unistoresvc_
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
deleted file mode 100644
index 74518c7cb..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Trickbot Malware Reconnaissance Activity
-id: 410ad193-a728-4107-bc79-4419789fcbf8
-related:
- - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
- type: similar
-status: deprecated
-description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
-references:
- - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
- - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
-author: David Burkett, Florian Roth
-date: 2019/12/28
-modified: 2023/04/28
-tags:
- - attack.discovery
- - attack.t1482
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: /domain_trusts /all_trusts
- ParentProcessName|endswith: \cmd.exe
- NewProcessName|endswith: \nltest.exe
- condition: process_creation and selection
-falsepositives:
- - Rare System Admin Activity
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
deleted file mode 100644
index 891295519..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: MavInject Process Injection
-id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
-status: deprecated
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-author: Florian Roth (Nextron Systems)
-references:
- - https://twitter.com/gN3mes1s/status/941315826107510784
- - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
-date: 2018/12/12
-modified: 2022/12/19
-tags:
- - attack.t1055.001
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: ' /INJECTRUNNING '
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
deleted file mode 100644
index 47767c955..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Execute MSDT.EXE Using Diagcab File
-id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
-status: deprecated
-description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
-references:
- - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
- - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
- - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
-author: GossiTheDog, frack113
-date: 2022/06/09
-modified: 2023/02/06
-tags:
- - attack.defense_evasion
- - attack.t1202
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \msdt.exe
- - OriginalFileName: msdt.exe
- selection_cmd:
- CommandLine|contains:
- - ' /cab'
- - ' -cab'
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Legitimate usage of ".diagcab" files
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml
deleted file mode 100644
index 507e52d18..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: New Service Creation
-id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
-status: deprecated
-description: Detects creation of a new service.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
-author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2023/02/20
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1543.003
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_sc:
- CommandLine|contains|all:
- - create
- - binPath
- NewProcessName|endswith: \sc.exe
- selection_posh:
- CommandLine|contains|all:
- - New-Service
- - -BinaryPathName
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Legitimate administrator or user creates a service for legitimate reasons.
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml
deleted file mode 100644
index 1fbb4098f..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Nslookup PwSh Download Cradle
-id: 72671447-4352-4413-bb91-b85569687135
-status: deprecated
-description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
-references:
- - https://twitter.com/alh4zr3d/status/1566489367232651264
-author: Zach Mathis (@yamatosecurity)
-date: 2022/09/06
-modified: 2022/12/14 # Deprecation date
-tags:
- - attack.command_and_control
- - attack.t1105
- - attack.t1071.004
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: '=txt '
- ParentProcessName|endswith: \powershell.exe
- NewProcessName|contains: nslookup
- condition: process_creation and selection
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml
deleted file mode 100644
index 05c5cab7c..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
-id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
-status: deprecated
-description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- - https://twitter.com/Hexacorn/status/1187143326673330176
- - https://redcanary.com/blog/raspberry-robin/
- - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca
-author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-modified: 2023/05/22
-tags:
- - attack.defense_evasion
- - attack.t1218.008
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1_img:
- - NewProcessName|endswith: \odbcconf.exe
- - OriginalFileName: odbcconf.exe
- selection_1_cli:
- CommandLine|contains:
- - -a
- - -f
- - /a
- - /f
- - regsvr
- selection_2_parent:
- ParentProcessName|endswith: \odbcconf.exe
- selection_2_img:
- - NewProcessName|endswith: \rundll32.exe
- - OriginalFileName: RUNDLL32.EXE
- condition: process_creation and (all of selection_1_* or all of selection_2_*)
-falsepositives:
- - Legitimate use of odbcconf.exe by legitimate user
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
deleted file mode 100644
index d2f34387b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Excel Proxy Executing Regsvr32 With Payload
-id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
-status: deprecated
-description: |
- Excel called wmic to finally proxy execute regsvr32 with the payload.
- An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
- But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
- Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-modified: 2022/12/02
-tags:
- - attack.t1204.002
- - attack.t1047
- - attack.t1218.010
- - attack.execution
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- #useful_information: add more LOLBins to the rules logic of your choice.
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \wbem\WMIC.exe
- - OriginalFileName: wmic.exe
- selection_other:
- CommandLine|contains:
- - regsvr32
- - rundll32
- - msiexec
- - mshta
- - verclsid
- CommandLine|contains|all:
- - process
- - create
- - call
- ParentProcessName|endswith:
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
deleted file mode 100644
index 087eabaa7..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Excel Proxy Executing Regsvr32 With Payload Alternate
-id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
-status: deprecated
-description: |
- Excel called wmic to finally proxy execute regsvr32 with the payload.
- An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
- But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
- Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-modified: 2022/12/02
-tags:
- - attack.t1204.002
- - attack.t1047
- - attack.t1218.010
- - attack.execution
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- #useful_information: add more LOLBins to the rules logic of your choice.
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains:
- - regsvr32
- - rundll32
- - msiexec
- - mshta
- - verclsid
- selection2:
- - NewProcessName|endswith: \wbem\WMIC.exe
- - CommandLine|contains: 'wmic '
- selection3:
- ParentProcessName|endswith:
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- selection4:
- CommandLine|contains|all:
- - process
- - create
- - call
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml
deleted file mode 100644
index cca7a403b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Office Applications Spawning Wmi Cli Alternate
-id: 04f5363a-6bca-42ff-be70-0d28bf629ead
-status: deprecated
-description: Initial execution of malicious document calls wmic to execute the file with regsvr32
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-modified: 2023/02/04
-tags:
- - attack.t1204.002
- - attack.t1047
- - attack.t1218.010
- - attack.execution
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- #useful_information: Add more office applications to the rule logic of choice
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- - NewProcessName|endswith: \wbem\WMIC.exe
- - CommandLine|contains: 'wmic '
- selection2:
- ParentProcessName|endswith:
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- - \msaccess.exe
- - \mspub.exe
- - \eqnedt32.exe
- - \visio.exe
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml
deleted file mode 100644
index e05210ee9..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Possible Applocker Bypass
-id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
-status: deprecated
-description: Detects execution of executables that can be used to bypass Applocker whitelisting
-references:
- - https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt
- - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1127.001/T1127.001.md
-author: juju4
-date: 2019/01/16
-modified: 2022/11/03
-tags:
- - attack.defense_evasion
- - attack.t1218.004
- - attack.t1218.009
- - attack.t1127.001
- - attack.t1218.005
- - attack.t1218 # no way to map 1:1, so the technique level is required
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - \msdt.exe
- - \installutil.exe
- - \regsvcs.exe
- - \regasm.exe
- #- '\regsvr32.exe' # too many FPs, very noisy
- - \msbuild.exe
- - \ieexec.exe
- #- '\mshta.exe'
- #- '\csc.exe'
- condition: process_creation and selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
- - Using installutil to add features for .NET applications (primarily would occur in developer environments)
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
deleted file mode 100644
index fdf71a4fa..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: PowerShell AMSI Bypass Pattern
-id: 4f927692-68b5-4267-871b-073c45f4f6fe
-status: deprecated
-description: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.
-author: '@Kostastsale'
-references:
- - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
-date: 2022/11/04
-modified: 2023/02/03
-tags:
- - attack.defense_evasion
- - attack.t1562.001
- - attack.execution
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains|all:
- - '[Ref].Assembly.GetType'
- - SetValue($null,$true)
- - NonPublic,Static
- NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - \powershell_ise.exe
- condition: process_creation and selection1
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
deleted file mode 100644
index 2f8e5e3c7..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Malicious Base64 Encoded Powershell Invoke Cmdlets
-id: fd6e2919-3936-40c9-99db-0aa922c356f7
-related:
- - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
- type: similar
-status: deprecated
-description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
-references:
- - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: pH-T (Nextron Systems)
-date: 2022/05/31
-modified: 2023/01/30
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.defense_evasion
- - attack.t1027
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- # Invoke-BloodHound
- - SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA
- - kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA
- - JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA
- # Invoke-Mimikatz
- - SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA
- - kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A
- - JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg
- # Invoke-WMIExec
- - SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA
- - kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw
- - JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA
- condition: process_creation and selection
-fields:
- - CommandLine
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml
deleted file mode 100644
index 1f5d86614..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Base64 Encoded Listing of Shadowcopy
-id: 47688f1b-9f51-4656-b013-3cc49a166a36
-status: deprecated
-description: Detects base64 encoded listing Win32_Shadowcopy
-references:
- - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
-author: Christian Burkard (Nextron Systems)
-date: 2022/03/01
-modified: 2023/01/30
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.defense_evasion
- - attack.t1027
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- # Win32_Shadowcopy | ForEach-Object
- CommandLine|contains:
- - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA
- - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A
- - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA
- condition: process_creation and selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml
deleted file mode 100644
index b62565a5e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Potential PowerShell Base64 Encoded Shellcode
-id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8
-status: deprecated
-description: Detects potential powershell Base64 encoded Shellcode
-references:
- - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth (Nextron Systems)
-date: 2018/11/17
-modified: 2023/04/06
-tags:
- - attack.defense_evasion
- - attack.t1027
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - OiCAAAAYInlM
- - OiJAAAAYInlM
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml
deleted file mode 100644
index 5e4c46a95..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Suspicious Bitsadmin Job via PowerShell
-id: f67dbfce-93bc-440d-86ad-a95ae8858c90
-status: deprecated
-description: Detect download by BITS jobs via PowerShell
-references:
- - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
-author: Endgame, JHasenbusch (ported to sigma for oscd.community)
-date: 2018/10/30
-modified: 2022/11/21
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1197
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: Start-BitsTransfer
- NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- condition: process_creation and selection
-fields:
- - SubjectUserName
- - ComputerName
- - CommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml
deleted file mode 100644
index 358f7499e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Stop Or Remove Antivirus Service
-id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
-status: deprecated
-description: |
- Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.
- Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
-author: frack113
-date: 2021/07/07
-modified: 2023/03/04
-tags:
- - attack.defense_evasion
- - attack.t1562.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_action:
- CommandLine|contains:
- - 'Stop-Service '
- - 'Remove-Service '
- selection_product:
- CommandLine|contains:
- # Feel free to add more service name
- - ' McAfeeDLPAgentService'
- - ' Trend Micro Deep Security Manager'
- - ' TMBMServer'
- - Sophos
- - Symantec
- condition: process_creation and (all of selection*)
-fields:
- - SubjectUserName
- - ComputerName
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml
deleted file mode 100644
index 36826b2d0..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Potential Xor Encoded PowerShell Command
-id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
-related:
- - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
- type: similar
-status: deprecated
-description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection
-references:
- - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
-author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-date: 2022/07/06
-modified: 2023/01/30
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.exe
- - pwsh.dll
- selection_cli:
- CommandLine|contains|all:
- - ForEach
- - Xor
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml
deleted file mode 100644
index a8388671b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Registry Dump of SAM Creds and Secrets
-id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
-related:
- - id: fd877b94-9bb5-4191-bb25-d79cbd93c167
- type: similar
-status: deprecated
-description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
-author: frack113
-date: 2022/01/05
-modified: 2023/02/04
-tags:
- - attack.credential_access
- - attack.t1003.002
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_reg:
- CommandLine|contains: ' save '
- selection_key:
- CommandLine|contains:
- - HKLM\sam
- - HKLM\system
- - HKLM\security
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml
deleted file mode 100644
index 759fd565e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml
+++ /dev/null
@@ -1,90 +0,0 @@
-title: Regsvr32 Anomaly
-id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
-status: deprecated
-description: Detects various anomalies in relation to regsvr32.exe
-references:
- - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
- - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
-date: 2019/01/16
-modified: 2023/05/26
-tags:
- - attack.defense_evasion
- - attack.t1218.010
- - car.2019-04-002
- - car.2019-04-003
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains: \Temp\
- NewProcessName|endswith: \regsvr32.exe
- selection2:
- NewProcessName|endswith: \regsvr32.exe
- ParentProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - \powershell_ise.exe
- selection3:
- NewProcessName|endswith: \regsvr32.exe
- ParentProcessName|endswith: \cmd.exe
- selection4a:
- CommandLine|contains|all:
- - '/i:'
- - http
- CommandLine|endswith: scrobj.dll
- NewProcessName|endswith: \regsvr32.exe
- selection4b:
- CommandLine|contains|all:
- - '/i:'
- - ftp
- CommandLine|endswith: scrobj.dll
- NewProcessName|endswith: \regsvr32.exe
- selection5:
- NewProcessName|endswith:
- - \cscript.exe
- - \wscript.exe
- ParentProcessName|endswith: \regsvr32.exe
- selection6:
- CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
- NewProcessName|endswith: \EXCEL.EXE
- selection7:
- ParentProcessName|endswith: \mshta.exe
- NewProcessName|endswith: \regsvr32.exe
- selection8:
- CommandLine|contains:
- - \AppData\Local
- - C:\Users\Public
- NewProcessName|endswith: \regsvr32.exe
- selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
- CommandLine|endswith:
- - .jpg
- - .jpeg
- - .png
- - .gif
- - .bin
- - .tmp
- - .temp
- - .txt
- NewProcessName|endswith: \regsvr32.exe
- filter1:
- CommandLine|contains:
- - \AppData\Local\Microsoft\Teams
- - \AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll
- filter2:
- CommandLine|contains: \Program Files\Box\Box\Temp\
- ParentProcessName: C:\Program Files\Box\Box\FS\streem.exe
- filter_legitimate:
- CommandLine|endswith: /s C:\Windows\System32\RpcProxy\RpcProxy.dll
- condition: process_creation and (1 of selection* and not 1 of filter*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml
deleted file mode 100644
index 7923e73d0..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Renamed PaExec Execution
-id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
-status: deprecated
-description: Detects execution of renamed paexec via imphash and executable product string
-references:
- - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
- - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
-author: Jason Lynch
-date: 2019/04/17
-modified: 2023/02/14
-tags:
- - attack.defense_evasion
- - attack.t1036.003
- - attack.g0046
- - car.2013-05-009
- - attack.execution
- - attack.t1569.002
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - Product|contains: PAExec
- - Imphash:
- - 11D40A7B7876288F919AB819CC2D9802
- - 6444f8a34e99b8f7d9647de66aabe516
- - dfd6aa3f7b2b1035b76b718f1ddc689f
- - 1a6cca4d5460b1710a12dea39e4a592c
- - Hashes|contains:
- - IMPHASH=11D40A7B7876288F919AB819CC2D9802
- - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
- - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
- - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
- filter:
- NewProcessName|contains: paexec
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml
deleted file mode 100644
index 3de7a8d9e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Root Certificate Installed
-id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
-related:
- - id: 42821614-9264-4761-acfc-5772c3286f76
- type: derived
-status: deprecated
-description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
-author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2020/10/10
-modified: 2023/03/05
-tags:
- - attack.defense_evasion
- - attack.t1553.004
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains|all:
- - -addstore
- - root
- NewProcessName|endswith: \certutil.exe
- selection2:
- CommandLine|contains|all:
- - /add
- - root
- NewProcessName|endswith: \CertMgr.exe
- condition: process_creation and (selection1 or selection2)
-falsepositives:
- - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml
deleted file mode 100644
index 90a1cad90..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Run from a Zip File
-id: 1a70042a-6622-4a2b-8958-267625349abf
-status: deprecated
-description: Payloads may be compressed, archived, or encrypted in order to avoid detection
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
-author: frack113
-date: 2021/12/26
-modified: 2023/03/05
-tags:
- - attack.impact
- - attack.t1485
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|contains: .zip\
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml
deleted file mode 100644
index d41ee86f3..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-title: Suspicious Execution of Sc to Delete AV Services
-id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
-status: deprecated
-description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection
-references:
- - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/03/04
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1562.001
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \sc.exe
- - OriginalFileName: sc.exe
- selection_cli:
- CommandLine|contains: ' delete '
- selection_av_process:
- CommandLine|contains:
- # Delete Service 'AVG'
- - AvgAdminServer
- - AVG Antivirus
- - MBEndpointAgent
- # Delete Service 'Malwarebytes'
- - MBAMService
- - MBCloudEA
- - avgAdminClient
- # Delete Service 'Sophos'
- - SAVService
- - SAVAdminService
- - Sophos AutoUpdate Service
- - Sophos Clean Service
- - Sophos Device Control Service
- - Sophos File Scanner Service
- - Sophos Health Service
- - Sophos MCS Agent
- - Sophos MCS Client
- - SntpService
- - swc_service
- - swi_service
- - Sophos UI
- - swi_update
- - Sophos Web Control Service
- - Sophos System Protection Service
- - Sophos Safestore Service
- - hmpalertsvc
- - RpcEptMapper
- - Sophos Endpoint Defense Service
- - SophosFIM
- - swi_filter
- # Delete Service 'FireBird'
- - FirebirdGuardianDefaultInstance
- - FirebirdServerDefaultInstance
- # Delete Service 'Webroot'
- - WRSVC
- # Delete Service 'ESET'
- - ekrn
- - ekrnEpsw
- # Delete Service 'Kaspersky'
- - klim6
- - AVP18.0.0
- - KLIF
- - klpd
- - klflt
- - klbackupdisk
- - klbackupflt
- - klkbdflt
- - klmouflt
- - klhk
- - KSDE1.0.0
- - kltap
- # Delete Service 'Quick Heal'
- - ScSecSvc
- - Core Mail Protection
- - Core Scanning Server
- - Core Scanning ServerEx
- - Online Protection System
- - RepairService
- - Core Browsing Protection
- - Quick Update Service
- # Delete Service 'McAfee'
- - McAfeeFramework
- - macmnsvc
- - masvc
- - mfemms
- - mfevtp
- # Delete Service 'Trend Micro'
- - TmFilter
- - TMLWCSService
- - tmusa
- - TmPreFilter
- - TMSmartRelayService
- - TMiCRCScanService
- - VSApiNt
- - TmCCSF
- - tmlisten
- - TmProxy
- - ntrtscan
- - ofcservice
- - TmPfw
- - PccNTUpd
- # Delete Service 'Panda'
- - PandaAetherAgent
- - PSUAService
- - NanoServiceMain
- - EPIntegrationService
- - EPProtectedService
- - EPRedline
- - EPSecurityService
- - EPUpdateService
- condition: process_creation and (all of selection*)
-falsepositives:
- - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml
deleted file mode 100644
index 74de89438..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Suspicious Add Scheduled Task From User AppData Temp
-id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8
-status: deprecated
-description: schtasks.exe create task from user AppData\Local\Temp
-references:
- - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
-author: frack113
-date: 2021/11/03
-modified: 2023/03/14
-tags:
- - attack.execution
- - attack.t1053.005
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- schtasks:
- NewProcessName|endswith: \schtasks.exe
- option:
- CommandLine|contains|all:
- - '/Create '
- - \AppData\Local\Temp
- filter_klite_codec:
- CommandLine|contains|all:
- - '/Create /TN "klcp_update" /XML '
- - \klcp_update_task.xml
- condition: process_creation and (schtasks and option and not 1 of filter_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml
deleted file mode 100644
index 8c760ed60..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-title: Stop Windows Service
-id: eb87818d-db5d-49cc-a987-d5da331fbd90
-status: deprecated
-description: Detects a Windows service to be stopped
-author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
-date: 2019/10/23
-modified: 2023/03/05
-tags:
- - attack.impact
- - attack.t1489
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_sc_net_img:
- - OriginalFileName:
- - sc.exe
- - net.exe
- - net1.exe
- - NewProcessName|endswith:
- - \sc.exe
- - \net.exe
- - \net1.exe
- selection_sc_net_cli:
- CommandLine|contains: ' stop '
- selection_pwsh:
- CommandLine|contains: 'Stop-Service '
- NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- filter:
- CommandLine:
- - sc stop KSCWebConsoleMessageQueue # kaspersky Security Center Web Console double space between sc and stop
- - sc stop LGHUBUpdaterService # Logitech LGHUB Updater Service
- SubjectUserName|contains: # covers many language settings
- - AUTHORI
- - AUTORI
- condition: process_creation and ((all of selection_sc_net* and not filter) or selection_pwsh)
-fields:
- - SubjectUserName
- - ComputerName
- - CommandLine
-falsepositives:
- - Administrator shutting down the service due to upgrade or removal purposes
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml
deleted file mode 100644
index 6ea020f40..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Suspicious Bitstransfer via PowerShell
-id: cd5c8085-4070-4e22-908d-a5b3342deb74
-status: deprecated
-description: Detects transferring files from system on a server bitstransfer Powershell cmdlets
-references:
- - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
-author: Austin Songer @austinsonger
-date: 2021/08/19
-modified: 2023/01/10
-tags:
- - attack.exfiltration
- - attack.persistence
- - attack.t1197
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - Get-BitsTransfer
- - Add-BitsFile
- NewProcessName|endswith:
- - \powershell.exe
- - \powershell_ise.exe
- - \pwsh.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
deleted file mode 100644
index 7f71f3bf5..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious Cmd Execution via WMI
-id: e31f89f7-36fb-4697-8ab6-48823708353b
-status: deprecated
-description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
-references:
- - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
-author: Tim Rauch
-date: 2022/09/27
-modified: 2023/01/19
-tags:
- - attack.execution
- - attack.t1047
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: \\\\127.0.0.1\\
- NewProcessName|endswith: \cmd.exe
- ParentProcessName|endswith: \WmiPrvSE.exe
- selection_opt:
- CommandLine|contains:
- - 2>&1
- - 1>
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml
deleted file mode 100644
index ca6ecabd8..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Suspicious Characters in CommandLine
-id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
-status: deprecated
-description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
-references:
- - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
-author: Florian Roth (Nextron Systems)
-date: 2022/04/27
-modified: 2023/03/03
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_spacing_modifiers:
- CommandLine|contains: # spacing modifier letters that get auto-replaced
- - ˣ # 0x02E3
- - ˪ # 0x02EA
- - ˢ # 0x02E2
- selection_unicode_slashes: # forward slash alternatives
- CommandLine|contains:
- - ∕ # 0x22FF
- - ⁄ # 0x206F
- selection_unicode_hyphens: # hyphen alternatives
- CommandLine|contains:
- - ― # 0x2015
- - — # 0x2014
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
deleted file mode 100644
index cb7b132a3..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Wscript Execution from Non C Drive
-id: 5b80cf53-3a46-4adc-960b-05ec19348d74
-status: deprecated
-description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.
-references:
- - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt
- - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/
-author: Aaron Herman
-date: 2022/10/01
-modified: 2023/08/29
-tags:
- - attack.execution
- - attack.t1059
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_lolbin:
- NewProcessName|endswith:
- - \wscript.exe
- - \cscript.exe
- selection_exetensions:
- CommandLine|contains:
- - .js
- - .vbs
- - .vbe
- selection_drive_path:
- CommandLine|contains: :\
- filter_drive_path:
- CommandLine|contains:
- - ' C:\\'
- - " 'C:\\"
- - ' "C:\\'
- filter_env_vars:
- CommandLine|contains: '%'
- filter_unc_paths:
- CommandLine|contains: ' \\\\'
- condition: process_creation and (all of selection_* and not 1 of filter_*)
-falsepositives:
- - Legitimate scripts located on other partitions such as "D:"
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml
deleted file mode 100644
index 4509714ea..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Process Start From Suspicious Folder
-id: dca91cfd-d7ab-4c66-8da7-ee57d487b35b
-status: deprecated
-description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files
-references:
- - Malware sandbox results
-author: frack113
-date: 2022/02/11
-modified: 2022/11/03
-tags:
- - attack.execution
- - attack.t1204
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|contains:
- - \Desktop\
- - \Temp\
- - \Temporary Internet
- filter_parent:
- - ParentProcessName:
- - C:\Windows\System32\cleanmgr.exe
- - C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe
- - C:\Windows\System32\dxgiadaptercache.exe
- - ParentProcessName|startswith: C:\Program Files (x86)\NVIDIA Corporation\
- filter_other:
- NewProcessName|endswith: setup.exe
- filter_edge:
- NewProcessName|startswith: C:\Program Files (x86)\Microsoft\Temp\
- NewProcessName|endswith: .tmp\MicrosoftEdgeUpdate.exe
- condition: process_creation and (selection and not 1 of filter*)
-falsepositives:
- - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" directories
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
deleted file mode 100644
index be453a803..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: Squirrel Lolbin
-id: fa4b21c9-0057-4493-b289-2556416ae4d7
-status: deprecated
-description: Detects Possible Squirrel Packages Manager as Lolbin
-references:
- - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
-author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2019/11/12
-modified: 2023/02/14
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- NewProcessName|endswith: \update.exe
- selection2:
- CommandLine|contains:
- - --processStart
- - --processStartAndWait
- - --createShortcut
- filter_discord:
- CommandLine|contains|all:
- - C:\Users\
- - \AppData\Local\Discord\Update.exe
- - ' --processStart'
- - Discord.exe
- filter_github_desktop:
- CommandLine|contains|all:
- - C:\Users\
- - \AppData\Local\GitHubDesktop\Update.exe
- - GitHubDesktop.exe
- CommandLine|contains:
- - --createShortcut
- - --processStartAndWait
- filter_teams:
- CommandLine|contains|all:
- - C:\Users\
- - \AppData\Local\Microsoft\Teams\Update.exe
- - Teams.exe
- CommandLine|contains:
- - --processStart
- - --createShortcut
- condition: process_creation and (all of selection* and not 1 of filter_*)
-falsepositives:
- - 1Clipboard
- - Beaker Browser
- - Caret
- - Collectie
- - Discord
- - Figma
- - Flow
- - Ghost
- - GitHub Desktop
- - GitKraken
- - Hyper
- - Insomnia
- - JIBO
- - Kap
- - Kitematic
- - Now Desktop
- - Postman
- - PostmanCanary
- - Rambox
- - Simplenote
- - Skype
- - Slack
- - SourceTree
- - Stride
- - Svgsus
- - WebTorrent
- - WhatsApp
- - WordPress.com
- - Atom
- - Gitkraken
- - Slack
- - Teams
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
deleted file mode 100644
index ef3efe58e..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: PsExec Tool Execution
-id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
-related:
- - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
- type: derived
-status: deprecated
-description: Detects PsExec service execution via default service image name
-references:
- - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- - https://jpcertcc.github.io/ToolAnalysisResultSheet
-author: Thomas Patzke
-date: 2017/06/12
-modified: 2023/02/28
-tags:
- - attack.execution
- - attack.t1569.002
- - attack.s0029
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith: \PSEXESVC.exe
- SubjectUserName|contains: # covers many language settings
- - AUTHORI
- - AUTORI
- condition: process_creation and selection
-fields:
- - EventID
- - CommandLine
- - ParentCommandLine
- - ServiceName
- - ServiceFileName
- - TargetFilename
- - PipeName
-falsepositives:
- - Unknown
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
deleted file mode 100644
index 2e5894547..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: PsExec Service Start
-id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
-status: deprecated
-description: Detects a PsExec service start
-author: Florian Roth (Nextron Systems)
-date: 2018/03/13
-modified: 2023/02/28
-tags:
- - attack.execution
- - attack.s0029
- - attack.t1569.002
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine: C:\Windows\PSEXESVC.exe
- condition: process_creation and selection
-falsepositives:
- - Administrative activity
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml
deleted file mode 100644
index a45f1cabd..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Run Whoami as SYSTEM
-id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
-status: deprecated
-description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
-references:
- - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov, Florian Roth
-date: 2019/10/23
-modified: 2023/02/28
-tags:
- - attack.privilege_escalation
- - attack.discovery
- - attack.t1033
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_user:
- SubjectUserName|contains: # covers many language settings
- - AUTHORI
- - AUTORI
- selection_img:
- - OriginalFileName: whoami.exe
- - NewProcessName|endswith: \whoami.exe
- condition: process_creation and (all of selection*)
-falsepositives:
- - Possible name overlap with NT AUHTORITY substring to cover all languages
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml
deleted file mode 100644
index 1ea5ae2e7..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Winword.exe Loads Suspicious DLL
-id: 2621b3a6-3840-4810-ac14-a02426086171
-status: deprecated
-description: Detects Winword.exe loading a custom DLL using the /l flag
-author: Victor Sergeev, oscd.community
-references:
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
-date: 2020/10/09
-modified: 2022/07/25
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: /l
- NewProcessName|endswith: \winword.exe
- condition: process_creation and selection
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1202
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
deleted file mode 100644
index 9ce7b16a3..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: WMI Execution Via Office Process
-id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
-related:
- - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
- type: derived
- - id: 438025f9-5856-4663-83f7-52f878a70a50
- type: similar
-status: deprecated
-description: Initial execution of malicious document calls wmic to execute the file with regsvr32
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
-date: 2021/08/23
-modified: 2023/02/04
-tags:
- - attack.t1204.002
- - attack.t1047
- - attack.t1218.010
- - attack.execution
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \wbem\WMIC.exe
- - OriginalFileName: wmic.exe
- selection_parent:
- ParentProcessName|endswith:
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml
deleted file mode 100644
index 9ef16d68a..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: WMI Remote Command Execution
-id: e42af9df-d90b-4306-b7fb-05c863847ebd
-status: deprecated
-description: An adversary might use WMI to execute commands on a remote system
-references:
- - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
- - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
-author: frack113
-date: 2022/03/13
-modified: 2023/02/14
-tags:
- - attack.execution
- - attack.t1047
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
- selection_cli:
- CommandLine|contains|all:
- - '/node:'
- - process
- - call
- - create
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml
deleted file mode 100644
index a4b6c7189..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: WMI Reconnaissance List Remote Services
-id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
-status: deprecated
-description: |
- An adversary might use WMI to check if a certain Remote Service is running on a remote device.
- When the test completes, a service information will be displayed on the screen if it exists.
- A common feedback message is that "No instance(s) Available" if the service queried is not running.
- A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
-author: frack113
-date: 2022/01/01
-modified: 2023/02/14
-tags:
- - attack.execution
- - attack.t1047
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
- selection_cli:
- CommandLine|contains|all:
- - '/node:'
- - service
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml
deleted file mode 100644
index 7a4d54c9a..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Windows Update Client LOLBIN
-id: d7825193-b70a-48a4-b992-8b5b3015cc11
-status: deprecated
-description: Detects code execution via the Windows Update client (wuauclt)
-references:
- - https://dtm.uk/wuauclt/
-author: FPT.EagleEye Team
-date: 2020/10/17
-modified: 2023/11/11
-tags:
- - attack.command_and_control
- - attack.execution
- - attack.t1105
- - attack.t1218
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \wuauclt.exe
- - OriginalFileName: wuauclt.exe
- selection_cli:
- CommandLine|contains|all:
- - /UpdateDeploymentProvider
- - /RunHandlerComServer
- - .dll
- filter:
- CommandLine|contains:
- - ' /ClassId '
- - ' wuaueng.dll '
- condition: process_creation and (all of selection* and not filter)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml b/tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml
deleted file mode 100644
index f8cdc01f9..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
-id: fde7929d-8beb-4a4c-b922-be9974671667
-description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-author: Ensar Şamil, @sblmsrsn, OSCD Community
-date: 2020/10/05
-modified: 2022/04/11
-tags:
- - attack.defense_evasion
- - attack.t1218
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith: \SyncAppvPublishingServer.exe
- condition: process_creation and selection
-falsepositives:
- - App-V clients
-level: medium
-status: deprecated
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
deleted file mode 100644
index 85fd9ba57..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Sysinternals SDelete Registry Keys
-id: 9841b233-8df8-4ad7-9133-b0b4402a9014
-status: deprecated
-description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
-references:
- - https://github.com/OTRF/detection-hackathon-apt29/issues/9
- - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/02/07
-tags:
- - attack.defense_evasion
- - attack.t1070.004
-logsource:
- product: windows
- category: registry_add
-detection:
- registry_add:
- EventID: 4657
- Channel: Security
- selection:
- OperationType: '%%1904'
- ObjectName|contains: \Software\Sysinternals\SDelete
- condition: registry_add and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
deleted file mode 100644
index 4469a5721..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
+++ /dev/null
@@ -1,208 +0,0 @@
-title: Autorun Keys Modification
-id: 17f878b8-9968-4578-b814-c4217fc5768c
-description: Detects modification of autostart extensibility point (ASEP) in registry.
-status: deprecated
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
-date: 2019/10/25
-modified: 2022/05/14
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
-logsource:
- category: registry_event
- product: windows
-level: medium
-detection:
- registry_event:
- EventID: 4657
- Channel: Security
- main_selection:
- ObjectName|contains:
- - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
- - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
- - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
- - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
- - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
- - \SYSTEM\Setup\CmdLine
- - \Software\Microsoft\Ctf\LangBarAddin
- - \Software\Microsoft\Command Processor\Autorun
- - \SOFTWARE\Microsoft\Active Setup\Installed Components
- - \SOFTWARE\Classes\Protocols\Handler
- - \SOFTWARE\Classes\Protocols\Filter
- - \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
- - \Environment\UserInitMprLogonScript
- - \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
- - \Software\Microsoft\Internet Explorer\UrlSearchHooks
- - \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
- - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
- - \Control Panel\Desktop\Scrnsave.exe
- session_manager_base:
- ObjectName|contains: \System\CurrentControlSet\Control\Session Manager
- session_manager:
- ObjectName|contains:
- - \SetupExecute
- - \S0InitialCommand
- - \KnownDlls
- - \Execute
- - \BootExecute
- - \AppCertDlls
- current_version_base:
- ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
- current_version:
- ObjectName|contains:
- - \ShellServiceObjectDelayLoad
- - \Run
- - \Policies\System\Shell
- - \Policies\Explorer\Run
- - \Group Policy\Scripts\Startup
- - \Group Policy\Scripts\Shutdown
- - \Group Policy\Scripts\Logon
- - \Group Policy\Scripts\Logoff
- - \Explorer\ShellServiceObjects
- - \Explorer\ShellIconOverlayIdentifiers
- - \Explorer\ShellExecuteHooks
- - \Explorer\SharedTaskScheduler
- - \Explorer\Browser Helper Objects
- - \Authentication\PLAP Providers
- - \Authentication\Credential Providers
- - \Authentication\Credential Provider Filters
- nt_current_version_base:
- ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
- nt_current_version:
- ObjectName|contains:
- - \Winlogon\VmApplet
- - \Winlogon\Userinit
- - \Winlogon\Taskman
- - \Winlogon\Shell
- - \Winlogon\GpExtensions
- - \Winlogon\AppSetup
- - \Winlogon\AlternateShells\AvailableShells
- - \Windows\IconServiceLib
- - \Windows\Appinit_Dlls
- - \Image File Execution Options
- - \Font Drivers
- - \Drivers32
- - \Windows\Run
- - \Windows\Load
- wow_current_version_base:
- ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
- wow_current_version:
- ObjectName|contains:
- - \ShellServiceObjectDelayLoad
- - \Run
- - \Explorer\ShellServiceObjects
- - \Explorer\ShellIconOverlayIdentifiers
- - \Explorer\ShellExecuteHooks
- - \Explorer\SharedTaskScheduler
- - \Explorer\Browser Helper Objects
- wow_nt_current_version_base:
- ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
- wow_nt_current_version:
- ObjectName|contains:
- - \Windows\Appinit_Dlls
- - \Image File Execution Options
- - \Drivers32
- wow_office:
- ObjectName|contains: \Software\Wow6432Node\Microsoft\Office
- office:
- ObjectName|contains: \Software\Microsoft\Office
- wow_office_details:
- ObjectName|contains:
- - \Word\Addins
- - \PowerPoint\Addins
- - \Outlook\Addins
- - \Onenote\Addins
- - \Excel\Addins
- - \Access\Addins
- - test\Special\Perf
- wow_ie:
- ObjectName|contains: \Software\Wow6432Node\Microsoft\Internet Explorer
- ie:
- ObjectName|contains: \Software\Microsoft\Internet Explorer
- wow_ie_details:
- ObjectName|contains:
- - \Toolbar
- - \Extensions
- - \Explorer Bars
- wow_classes_base:
- ObjectName|contains: \Software\Wow6432Node\Classes
- wow_classes:
- ObjectName|contains:
- - \Folder\ShellEx\ExtShellFolderViews
- - \Folder\ShellEx\DragDropHandlers
- - \Folder\ShellEx\ColumnHandlers
- - \Directory\Shellex\DragDropHandlers
- - \Directory\Shellex\CopyHookHandlers
- - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
- - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
- - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
- - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
- - \AllFileSystemObjects\ShellEx\DragDropHandlers
- - \ShellEx\PropertySheetHandlers
- - \ShellEx\ContextMenuHandlers
- classes_base:
- ObjectName|contains: \Software\Classes
- classes:
- ObjectName|contains:
- - \Folder\ShellEx\ExtShellFolderViews
- - \Folder\ShellEx\DragDropHandlers
- - \Folder\Shellex\ColumnHandlers
- - \Filter
- - \Exefile\Shell\Open\Command\(Default)
- - \Directory\Shellex\DragDropHandlers
- - \Directory\Shellex\CopyHookHandlers
- - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
- - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
- - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
- - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
- - \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
- - \.exe
- - \.cmd
- - \ShellEx\PropertySheetHandlers
- - \ShellEx\ContextMenuHandlers
- scripts_base:
- ObjectName|contains: \Software\Policies\Microsoft\Windows\System\Scripts
- scripts:
- ObjectName|contains:
- - \Startup
- - \Shutdown
- - \Logon
- - \Logoff
- winsock_parameters_base:
- ObjectName|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
- winsock_parameters:
- ObjectName|contains:
- - \Protocol_Catalog9\Catalog_Entries
- - \NameSpace_Catalog5\Catalog_Entries
- system_control_base:
- ObjectName|contains: \SYSTEM\CurrentControlSet\Control
- system_control:
- ObjectName|contains:
- - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
- - \Terminal Server\Wds\rdpwd\StartupPrograms
- - \SecurityProviders\SecurityProviders
- - \SafeBoot\AlternateShell
- - \Print\Providers
- - \Print\Monitors
- - \NetworkProvider\Order
- - \Lsa\Notification Packages
- - \Lsa\Authentication Packages
- - \BootVerificationProgram\ImagePath
- filter:
- - NewValue: (Empty)
- - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount
- - ProcessName: C:\WINDOWS\System32\svchost.exe
- condition: registry_event and (( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or wow_current_version_base and wow_current_version or wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base and wow_classes or classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or system_control_base and system_control ) and not filter)
-fields:
- - SecurityID
- - ObjectName
- - OldValueType
- - NewValueType
-falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- - Legitimate administrator sets up autorun keys for legitimate reason
-tags:
- - attack.persistence
- - attack.t1547.001
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
deleted file mode 100644
index 67a5cd103..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Abusing Windows Telemetry For Persistence - Registry
-id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
-status: deprecated
-description: |
- Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
- This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
- The problem is, it will run any arbitrary command without restriction of location or type.
-references:
- - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
-author: Sreeman
-date: 2020/09/29
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1112
- - attack.t1053
-logsource:
- product: windows
- category: registry_set
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
- NewValue|endswith:
- - .sh
- - .exe
- - .dll
- - .bin
- - .bat
- - .cmd
- - .js
- - .ps
- - .vb
- - .jar
- - .hta
- - .msi
- - .vbs
- condition: registry_set and selection
-fields:
- - ObjectName
- - NewValue
- - EventID
- - CommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml
deleted file mode 100644
index 1d17dbb89..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: User Account Hidden By Registry
-id: 8a58209c-7ae6-4027-afb0-307a78e4589a
-status: deprecated
-description: Detect modification for a specific user to prevent that user from being listed on the logon screen
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
-author: frack113
-date: 2022/08/20
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.t1564.002
-logsource:
- product: windows
- category: registry_set
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
- ObjectName|endswith: $
- NewValue: DWORD (0x00000000)
- condition: registry_set and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
deleted file mode 100644
index 5092d1a09..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Disable Microsoft Office Security Features
-id: 7c637634-c95d-4bbf-b26c-a82510874b34
-status: deprecated
-description: Disable Microsoft Office Security Features by registry
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
-author: frack113
-date: 2021/06/08
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.t1562.001
-logsource:
- product: windows
- category: registry_set
- definition: key must be add to the sysmon configuration to works
- # Sysmon
- # \VBAWarnings
- # \DisableInternetFilesInPV
- # \DisableUnsafeLocationsInPV
- # \DisableAttachementsInPV
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains: \SOFTWARE\Microsoft\Office\
- ObjectName|endswith:
- - VBAWarnings
- - DisableInternetFilesInPV
- - DisableUnsafeLocationsInPV
- - DisableAttachementsInPV
- NewValue: DWORD (0x00000001)
- condition: registry_set and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml
deleted file mode 100644
index 10c849c8c..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Office Security Settings Changed
-id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
-status: deprecated
-description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
-references:
- - https://twitter.com/inversecos/status/1494174785621819397
- - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
-author: Trent Liffick (@tliffick)
-date: 2020/05/22
-modified: 2023/08/17
-tags:
- - attack.defense_evasion
- - attack.t1112
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|endswith:
- - \Security\Trusted Documents\TrustRecords
- - \Security\AccessVBOM
- - \Security\VBAWarnings
- condition: registry_set and selection
-falsepositives:
- - Valid Macros and/or internal documents
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml
deleted file mode 100644
index 3bd64f404..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: SilentProcessExit Monitor Registration
-id: c81fe886-cac0-4913-a511-2822d72ff505
-status: deprecated
-description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
-references:
- - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
- - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
-author: Florian Roth (Nextron Systems)
-date: 2021/02/26
-modified: 2023/08/17
-tags:
- - attack.persistence
- - attack.t1546.012
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit
- NewValue|contains: MonitorProcess
- condition: registry_set and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml
deleted file mode 100644
index 154a30bb2..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: RClone Execution
-id: a0d63692-a531-4912-ad39-4393325b2a9c
-status: deprecated
-description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
-tags:
- - attack.exfiltration
- - attack.t1567.002
-author: Bhabesh Raj, Sittikorn S
-date: 2021/05/10
-modified: 2022/04/11
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
- - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
- - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
-falsepositives:
- - Legitimate RClone use
-level: high
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- Description: Rsync for cloud storage
- selection2:
- CommandLine|contains|all:
- - '--config '
- - '--no-check-certificate '
- - ' copy '
- selection3:
- CommandLine|contains:
- - mega
- - pcloud
- - ftp
- - --progress
- - --ignore-existing
- - --auto-confirm
- - --transfers
- - --multi-thread-streams
- NewProcessName|endswith:
- - \rclone.exe
- condition: process_creation and (1 of selection*)
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml
deleted file mode 100644
index 475ab593b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Windows Defender Threat Detection Disabled
-id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
-status: deprecated
-description: Detects disabling Windows Defender threat protection
-references:
- - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
-author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
-tags:
- - attack.defense_evasion
- - attack.t1562.001
-logsource:
- product: windows
- service: windefend
-detection:
- windefend:
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- EventID:
- - 5001 # Real-time protection is disabled.
- - 5010 # Scanning for malware and other potentially unwanted software is disabled.
- - 5012 # Scanning for viruses is disabled.
- - 5101 # The antimalware platform is expired.
- condition: windefend and selection
-falsepositives:
- - Administrator actions (should be investigated)
- - Seen being triggered occasionally during Windows 8 Defender Updates
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml
deleted file mode 100644
index 7d51fcd47..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Domain Trust Discovery
-id: 77815820-246c-47b8-9741-e0def3f57308
-status: deprecated
-description: Detects a discovery of domain trusts.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
-author: Jakob Weinzettl, oscd.community
-date: 2019/10/23
-modified: 2023/02/04
-tags:
- - attack.discovery
- - attack.t1482
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - CommandLine|contains|all:
- - -filter
- - trustedDomain
- NewProcessName|endswith: \dsquery.exe
- - CommandLine|contains: domain_trusts
- NewProcessName|endswith: \nltest.exe
- condition: process_creation and selection
-falsepositives:
- - Administration of systems.
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml
deleted file mode 100644
index 3ac136c3b..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Lateral Movement Indicator ConDrv
-id: 29d31aee-30f4-4006-85a9-a4a02d65306c
-status: deprecated #Too many FP
-description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
-author: Janantha Marasinghe
-date: 2021/04/27
-modified: 2022/05/14
-references:
- - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
- - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
-tags:
- - attack.lateral_movement
- - attack.execution
- - attack.t1021
- - attack.t1059
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4674
- ObjectServer: Security
- ObjectType: File
- ObjectName: \Device\ConDrv
- condition: security and selection
-falsepositives:
- - Legal admin action
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml
deleted file mode 100644
index dbe8628c2..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Security Event Log Cleared
-id: a122ac13-daf8-4175-83a2-72c387be339d
-status: deprecated
-description: Checks for event id 1102 which indicates the security event log was cleared.
-references:
- - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
-author: Saw Winn Naung
-date: 2021/08/15
-modified: 2023/12/06
-tags:
- - attack.t1070.001
-logsource:
- service: security
- product: windows
-detection:
- security:
- Channel: Security
- selection:
- EventID: 1102
- Provider_Name: Microsoft-Windows-Eventlog
- condition: security and selection
-falsepositives:
- - Legitimate administrative activity
-fields:
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SubjectDomainName
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml
deleted file mode 100644
index 8e3be50b5..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-title: Group Modification Logging
-id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
-status: deprecated
-description: |
- Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
- Sigma detects
- Event ID 4728 indicates a "Member is added to a Security Group".
- Event ID 4729 indicates a "Member is removed from a Security enabled-group".
- Event ID 4730 indicates a "Security Group is deleted".
- The case is not applicable for Unix OS.
- Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
-references:
- - https://www.cisecurity.org/controls/cis-controls-list/
- - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
-author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
-modified: 2023/04/26
-# tags:
- # - CSC4
- # - CSC4.8
- # - NIST CSF 1.1 PR.AC-4
- # - NIST CSF 1.1 PR.AT-2
- # - NIST CSF 1.1 PR.MA-2
- # - NIST CSF 1.1 PR.PT-3
- # - ISO 27002-2013 A.9.1.1
- # - ISO 27002-2013 A.9.2.2
- # - ISO 27002-2013 A.9.2.3
- # - ISO 27002-2013 A.9.2.4
- # - ISO 27002-2013 A.9.2.5
- # - ISO 27002-2013 A.9.2.6
- # - ISO 27002-2013 A.9.3.1
- # - ISO 27002-2013 A.9.4.1
- # - ISO 27002-2013 A.9.4.2
- # - ISO 27002-2013 A.9.4.3
- # - ISO 27002-2013 A.9.4.4
- # - PCI DSS 3.2 2.1
- # - PCI DSS 3.2 7.1
- # - PCI DSS 3.2 7.2
- # - PCI DSS 3.2 7.3
- # - PCI DSS 3.2 8.1
- # - PCI DSS 3.2 8.2
- # - PCI DSS 3.2 8.3
- # - PCI DSS 3.2 8.7
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID:
- - 4728 # A member was added to a security-enabled global group
- - 4729 # A member was removed from a security-enabled global group
- - 4730 # A security-enabled global group was deleted
- - 633 # Security Enabled Global Group Member Removed
- - 632 # Security Enabled Global Group Member Added
- - 634 # Security Enabled Global Group Deleted
- condition: security and selection
-falsepositives:
- - Unknown
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml
deleted file mode 100644
index bfd8d86ac..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Correct Execution of Nltest.exe
-id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
-status: deprecated
-description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
-references:
- - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
- - https://attack.mitre.org/software/S0359/
-author: Arun Chauhan
-date: 2021/10/04
-modified: 2023/02/02
-tags:
- - attack.discovery
- - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
- - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc
- - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4689
- ProcessName|endswith: nltest.exe
- Status: '0x0'
- condition: security and selection
-fields:
- - SubjectUserName
- - SubjectDomainName
-falsepositives:
- - Red team activity
- - Rare legitimate use by an administrator
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml
deleted file mode 100644
index 7008e5553..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Suspicious Esentutl Use
-id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
-status: deprecated
-description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
-author: Florian Roth (Nextron Systems)
-date: 2020/05/23
-modified: 2022/04/11
-references:
- - https://lolbas-project.github.io/
- - https://twitter.com/chadtilbury/status/1264226341408452610
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.s0404
- - attack.t1218
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - ' /vss '
- - ' /y '
- condition: process_creation and selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Administrative activity
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml
deleted file mode 100644
index 554165915..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Activity Related to NTDS.dit Domain Hash Retrieval
-id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
-status: deprecated
-description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth (Nextron Systems), Michael Haag
-date: 2019/01/16
-modified: 2022/04/11
-references:
- - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
- - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
-tags:
- - attack.credential_access
- - attack.t1003
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine:
- - vssadmin.exe Delete Shadows
- - 'vssadmin create shadow /for=C:'
- - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
- - copy \\?\GLOBALROOT\Device\\*\config\SAM
- - 'vssadmin delete shadows /for=C:'
- - 'reg SAVE HKLM\SYSTEM '
- - esentutl.exe /y /vss *\ntds.dit*
- - esentutl.exe /y /vss *\SAM
- - esentutl.exe /y /vss *\SYSTEM
- condition: process_creation and selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Administrative activity
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml
deleted file mode 100644
index 343dee973..000000000
--- a/tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: New Service Uses Double Ampersand in Path
-id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
-status: deprecated
-description: Detects a service installation that uses a suspicious double ampersand used in the image path value
-references:
- - Internal Research
-author: Florian Roth (Nextron Systems)
-date: 2022/07/05
-modified: 2023/11/15
-tags:
- - attack.defense_evasion
- - attack.t1027
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ImagePath|contains: '&&'
- condition: system and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
deleted file mode 100644
index d12cf61cc..000000000
--- a/tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Loading Diagcab Package From Remote Path
-id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
-status: test
-description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
-references:
- - https://twitter.com/nas_bench/status/1539679555908141061
- - https://twitter.com/j00sean/status/1537750439701225472
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-tags:
- - attack.execution
-logsource:
- product: windows
- service: diagnosis-scripted
-detection:
- diagnosis_scripted:
- Channel: Microsoft-Windows-Diagnosis-Scripted/Operational
- selection:
- EventID: 101
- PackagePath|contains: \\\\ # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
- condition: diagnosis_scripted and selection
-falsepositives:
- - Legitimate package hosted on a known and authorized remote location
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
deleted file mode 100644
index 90aac3c83..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
-id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
-related:
- - id: f356a9c4-effd-4608-bbf8-408afd5cd006
- type: similar
-status: test
-description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
-references:
- - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-tags:
- - attack.command_and_control
- - attack.t1071.004
-logsource:
- product: windows
- service: dns-client
- definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
-detection:
- dns_client:
- Channel: Microsoft-Windows-DNS Client Events/Operational
- selection_eid:
- EventID: 3008
- selection_query_1:
- QueryName|startswith:
- - aaa.stage.
- - post.1
- selection_query_2:
- QueryName|contains: .stage.123456.
- condition: dns_client and (selection_eid and 1 of selection_query_*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml
deleted file mode 100644
index abddacb4d..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: DNS Query for Anonfiles.com Domain - DNS Client
-id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
-related:
- - id: 065cceea-77ec-4030-9052-fc0affea7110
- type: similar
-status: test
-description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
-references:
- - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-tags:
- - attack.exfiltration
- - attack.t1567.002
-logsource:
- product: windows
- service: dns-client
- definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
-detection:
- dns_client:
- Channel: Microsoft-Windows-DNS Client Events/Operational
- selection:
- EventID: 3008
- QueryName|contains: .anonfiles.com
- condition: dns_client and selection
-falsepositives:
- - Rare legitimate access to anonfiles.com
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml
deleted file mode 100644
index dc63fcf36..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: DNS Query To MEGA Hosting Website - DNS Client
-id: 66474410-b883-415f-9f8d-75345a0a66a6
-related:
- - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
- type: similar
-status: test
-description: Detects DNS queries for subdomains related to MEGA sharing website
-references:
- - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-tags:
- - attack.exfiltration
- - attack.t1567.002
-logsource:
- product: windows
- service: dns-client
- definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
-detection:
- dns_client:
- Channel: Microsoft-Windows-DNS Client Events/Operational
- selection:
- EventID: 3008
- QueryName|contains: userstorage.mega.co.nz
- condition: dns_client and selection
-falsepositives:
- - Legitimate DNS queries and usage of Mega
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml
deleted file mode 100644
index 651ec29be..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Query Tor Onion Address - DNS Client
-id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
-related:
- - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
- type: similar
-status: test
-description: Detects DNS resolution of an .onion address related to Tor routing networks
-references:
- - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/20
-tags:
- - attack.command_and_control
- - attack.t1090.003
-logsource:
- product: windows
- service: dns-client
- definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
-detection:
- dns_client:
- Channel: Microsoft-Windows-DNS Client Events/Operational
- selection:
- EventID: 3008
- QueryName|contains: .onion
- condition: dns_client and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml
deleted file mode 100644
index 26f404283..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: DNS Query To Ufile.io - DNS Client
-id: 090ffaad-c01a-4879-850c-6d57da98452d
-related:
- - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
- type: similar
-status: experimental
-description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
-references:
- - https://thedfirreport.com/2021/12/13/diavol-ransomware/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-modified: 2023/09/18
-tags:
- - attack.exfiltration
- - attack.t1567.002
-logsource:
- product: windows
- service: dns-client
- definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
-detection:
- dns_client:
- Channel: Microsoft-Windows-DNS Client Events/Operational
- selection:
- EventID: 3008
- QueryName|contains: ufile.io
- condition: dns_client and selection
-falsepositives:
- - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
deleted file mode 100644
index ffca67d76..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Failed DNS Zone Transfer
-id: 6d444368-6da1-43fe-b2fc-44202430480e
-status: experimental
-description: Detects when a DNS zone transfer failed.
-references:
- - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
-author: Zach Mathis
-date: 2023/05/24
-tags:
- - attack.reconnaissance
- - attack.t1590.002
-logsource:
- product: windows
- service: dns-server
-detection:
- dns_server:
- Channel: DNS Server
- selection:
- EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
- condition: dns_server and selection
-falsepositives:
- - Unlikely
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
deleted file mode 100644
index 98dab8c3f..000000000
--- a/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: DNS Server Error Failed Loading the ServerLevelPluginDLL
-id: cbe51394-cd93-4473-b555-edf0144952d9
-related:
- - id: e61e8a88-59a9-451c-874e-70fcc9740d67
- type: derived
- - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
- type: derived
-status: test
-description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
-references:
- - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
- - https://twitter.com/gentilkiwi/status/861641945944391680
-author: Florian Roth (Nextron Systems)
-date: 2017/05/08
-modified: 2023/02/05
-tags:
- - attack.defense_evasion
- - attack.t1574.002
-logsource:
- product: windows
- service: dns-server
-detection:
- dns_server:
- Channel: DNS Server
- selection:
- EventID:
- - 150
- - 770
- - 771
- condition: dns_server and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml b/tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml
deleted file mode 100644
index 2bdcf202b..000000000
--- a/tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: USB Device Plugged
-id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
-status: test
-description: Detects plugged/unplugged USB devices
-references:
- - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
- - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
-author: Florian Roth (Nextron Systems)
-date: 2017/11/09
-modified: 2021/11/30
-tags:
- - attack.initial_access
- - attack.t1200
-logsource:
- product: windows
- service: driver-framework
- definition: Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog
-detection:
- driver_framework:
- Channel: Microsoft-Windows-DriverFrameworks-UserMode/Operational
- selection:
- EventID:
- - 2003 # Loading drivers
- - 2100 # Pnp or power management
- - 2102 # Pnp or power management
- condition: driver_framework and selection
-falsepositives:
- - Legitimate administrative activity
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
deleted file mode 100644
index 7f11bd5e4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: ZxShell Malware
-id: f0b70adb-0075-43b0-9745-e82a1c608fcc
-status: test
-description: Detects a ZxShell start by the called and well-known function name
-references:
- - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
- - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
-author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2017/07/20
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.t1059.003
- - attack.defense_evasion
- - attack.t1218.011
- - attack.s0412
- - attack.g0001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - zxFunction
- - RemoteDiskXXXXX
- NewProcessName|endswith: \rundll32.exe
- condition: process_creation and selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
deleted file mode 100644
index a5372e7bc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Turla Group Lateral Movement
-id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
-status: test
-description: Detects automated lateral movement by Turla group
-references:
- - https://securelist.com/the-epic-turla-operation/65545/
-author: Markus Neis
-date: 2017/11/07
-modified: 2022/10/09
-tags:
- - attack.g0010
- - attack.execution
- - attack.t1059
- - attack.lateral_movement
- - attack.t1021.002
- - attack.discovery
- - attack.t1083
- - attack.t1135
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine:
- - net use \\\\%DomainController%\C$ "P@ssw0rd" *
- - dir c:\\*.doc* /s
- - dir %TEMP%\\*.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
deleted file mode 100644
index 2bf684be1..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Turla Group Commands May 2020
-id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
-status: test
-description: Detects commands used by Turla group as reported by ESET in May 2020
-references:
- - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
-author: Florian Roth (Nextron Systems)
-date: 2020/05/26
-modified: 2021/11/27
-tags:
- - attack.g0010
- - attack.execution
- - attack.t1059.001
- - attack.t1053.005
- - attack.t1027
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cli_1:
- CommandLine|contains:
- - tracert -h 10 yahoo.com
- - .WSqmCons))|iex;
- - Fr`omBa`se6`4Str`ing
- selection_cli_2:
- CommandLine|contains|all:
- - net use https://docs.live.net
- - '@aol.co.uk'
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
deleted file mode 100644
index fe8565135..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Exploit for CVE-2015-1641
-id: 7993792c-5ce2-4475-a3db-a3a5539827ef
-status: stable
-description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
-references:
- - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
- - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
-author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
-tags:
- - attack.defense_evasion
- - attack.t1036.005
- - cve.2015.1641
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \WINWORD.EXE
- NewProcessName|endswith: \MicroScMgmt.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
deleted file mode 100644
index e13c6ca95..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Exploit for CVE-2017-0261
-id: 864403a1-36c9-40a2-a982-4c9a45f7d833
-status: test
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
-references:
- - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
-author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.t1203
- - attack.t1204.002
- - attack.initial_access
- - attack.t1566.001
- - cve.2017.0261
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \WINWORD.EXE
- NewProcessName|contains: \FLTLDR.exe
- condition: process_creation and selection
-falsepositives:
- - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
deleted file mode 100644
index 1ed94956f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Droppers Exploiting CVE-2017-11882
-id: 678eb5f4-8597-4be6-8be7-905e4234b53a
-status: stable
-description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-references:
- - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
- - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
-author: Florian Roth (Nextron Systems)
-date: 2017/11/23
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.t1203
- - attack.t1204.002
- - attack.initial_access
- - attack.t1566.001
- - cve.2017.11882
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \EQNEDT32.EXE
- condition: process_creation and selection
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
deleted file mode 100644
index 6f92a3317..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Exploit for CVE-2017-8759
-id: fdd84c68-a1f6-47c9-9477-920584f94905
-status: test
-description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
-references:
- - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-author: Florian Roth (Nextron Systems)
-date: 2017/09/15
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.t1203
- - attack.t1204.002
- - attack.initial_access
- - attack.t1566.001
- - cve.2017.8759
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \WINWORD.EXE
- NewProcessName|endswith: \csc.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
deleted file mode 100644
index a6014b1e8..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Adwind RAT / JRAT
-id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
-status: test
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-references:
- - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-modified: 2022/10/09
-tags:
- - attack.execution
- - attack.t1059.005
- - attack.t1059.007
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - CommandLine|contains|all:
- - \AppData\Roaming\Oracle
- - \java
- - '.exe '
- - CommandLine|contains|all:
- - cscript.exe
- - Retrive
- - '.vbs '
- condition: process_creation and selection
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
deleted file mode 100644
index b358483bc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Fireball Archer Install
-id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
-status: test
-description: Detects Archer malware invocation via rundll32
-references:
- - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
- - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
-author: Florian Roth (Nextron Systems)
-date: 2017/06/03
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - rundll32.exe
- - InstallArcherSvc
- condition: process_creation and selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
deleted file mode 100644
index 2298b7966..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: NotPetya Ransomware Activity
-id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
-status: test
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
-references:
- - https://securelist.com/schroedingers-petya/78870/
- - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
-author: Florian Roth (Nextron Systems), Tom Ueltschi
-date: 2019/01/16
-modified: 2022/12/15
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - attack.t1070.001
- - attack.credential_access
- - attack.t1003.001
- - car.2016-04-002
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_specific_pattern:
- CommandLine|contains:
- - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
- - dllhost.dat %WINDIR%\ransoms
- selection_rundll32:
- CommandLine|endswith:
- - .dat,#1
- - '.dat #1' # Sysmon removes comma
- - .zip.dll",#1
- NewProcessName|endswith: \rundll32.exe
- selection_perfc_keyword:
- - \perfc.dat
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
deleted file mode 100644
index 72958fbd3..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-title: Potential PlugX Activity
-id: aeab5ec5-be14-471a-80e8-e344418305c2
-status: test
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
-references:
- - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
-author: Florian Roth (Nextron Systems)
-date: 2017/06/12
-modified: 2023/02/03
-tags:
- - attack.s0013
- - attack.defense_evasion
- - attack.t1574.002
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cammute:
- NewProcessName|endswith: \CamMute.exe
- filter_cammute:
- NewProcessName|contains:
- - \Lenovo\Communication Utility\
- - \Lenovo\Communications Utility\
- selection_chrome_frame:
- NewProcessName|endswith: \chrome_frame_helper.exe
- filter_chrome_frame:
- NewProcessName|contains: \Google\Chrome\application\
- selection_devemu:
- NewProcessName|endswith: \dvcemumanager.exe
- filter_devemu:
- NewProcessName|contains: \Microsoft Device Emulator\
- selection_gadget:
- NewProcessName|endswith: \Gadget.exe
- filter_gadget:
- NewProcessName|contains: \Windows Media Player\
- selection_hcc:
- NewProcessName|endswith: \hcc.exe
- filter_hcc:
- NewProcessName|contains: \HTML Help Workshop\
- selection_hkcmd:
- NewProcessName|endswith: \hkcmd.exe
- filter_hkcmd:
- NewProcessName|contains:
- - \System32\
- - \SysNative\
- - \SysWow64\
- selection_mc:
- NewProcessName|endswith: \Mc.exe
- filter_mc:
- NewProcessName|contains:
- - \Microsoft Visual Studio
- - \Microsoft SDK
- - \Windows Kit
- selection_msmpeng:
- NewProcessName|endswith: \MsMpEng.exe
- filter_msmpeng:
- NewProcessName|contains:
- - \Microsoft Security Client\
- - \Windows Defender\
- - \AntiMalware\
- selection_msseces:
- NewProcessName|endswith: \msseces.exe
- filter_msseces:
- NewProcessName|contains:
- - \Microsoft Security Center\
- - \Microsoft Security Client\
- - \Microsoft Security Essentials\
- selection_oinfo:
- NewProcessName|endswith: \OInfoP11.exe
- filter_oinfo:
- NewProcessName|contains: \Common Files\Microsoft Shared\
- selection_oleview:
- NewProcessName|endswith: \OleView.exe
- filter_oleview:
- NewProcessName|contains:
- - \Microsoft Visual Studio
- - \Microsoft SDK
- - \Windows Kit
- - \Windows Resource Kit\
- selection_rc:
- NewProcessName|endswith: \rc.exe
- filter_rc:
- NewProcessName|contains:
- - \Microsoft Visual Studio
- - \Microsoft SDK
- - \Windows Kit
- - \Windows Resource Kit\
- - \Microsoft.NET\
- condition: process_creation and (( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ))
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
deleted file mode 100644
index 500915c03..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: StoneDrill Service Install
-id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
-status: test
-description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
-references:
- - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
-author: Florian Roth (Nextron Systems)
-date: 2017/03/07
-modified: 2021/11/30
-tags:
- - attack.persistence
- - attack.g0064
- - attack.t1543.003
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName: NtsSrv
- ImagePath|endswith: ' LocalService'
- condition: system and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
deleted file mode 100644
index 00656f3da..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-title: WannaCry Ransomware Activity
-id: 41d40bff-377a-43e2-8e1b-2e543069e079
-status: test
-description: Detects WannaCry ransomware activity
-references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
-date: 2019/01/16
-modified: 2023/02/03
-tags:
- - attack.lateral_movement
- - attack.t1210
- - attack.discovery
- - attack.t1083
- - attack.defense_evasion
- - attack.t1222.001
- - attack.impact
- - attack.t1486
- - attack.t1490
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- - NewProcessName|endswith:
- - \tasksche.exe
- - \mssecsvc.exe
- - \taskdl.exe
- - \taskhsvc.exe
- - \taskse.exe
- - \111.exe
- - \lhdfrgui.exe
- # - '\diskpart.exe' # cannot be used in a rule of level critical
- - \linuxnew.exe
- - \wannacry.exe
- - NewProcessName|contains: WanaDecryptor
- selection2:
- - CommandLine|contains|all:
- - icacls
- - /grant
- - Everyone:F
- - /T
- - /C
- - /Q
- - CommandLine|contains|all:
- - bcdedit
- - /set
- - '{default}'
- - recoveryenabled
- - no
- - CommandLine|contains|all:
- - wbadmin
- - delete
- - catalog
- - -quiet
- - CommandLine|contains: '@Please_Read_Me@.txt'
- condition: process_creation and (1 of selection*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
deleted file mode 100644
index c0ca40cf5..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Potential APT10 Cloud Hopper Activity
-id: 966e4016-627f-44f7-8341-f394905c361f
-status: test
-description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
-references:
- - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
-author: Florian Roth (Nextron Systems)
-date: 2017/04/07
-modified: 2023/03/08
-tags:
- - attack.execution
- - attack.g0045
- - attack.t1059.005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cscript:
- CommandLine|contains: '.vbs /shell '
- NewProcessName|endswith: \cscript.exe
- selection_csvde:
- CommandLine|contains|all:
- - csvde -f C:\windows\web\
- - .log
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
deleted file mode 100644
index 7464fa4f8..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Ps.exe Renamed SysInternals Tool
-id: 18da1007-3f26-470f-875d-f77faf1cab31
-status: test
-description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
-references:
- - https://www.us-cert.gov/ncas/alerts/TA17-293A
-author: Florian Roth (Nextron Systems)
-date: 2017/10/22
-modified: 2023/05/02
-tags:
- - attack.defense_evasion
- - attack.g0035
- - attack.t1036.003
- - car.2013-05-009
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - ps.exe -accepteula
- - -s cmd /c netstat
- condition: process_creation and selection
-falsepositives:
- - Renamed SysInternals tool
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
deleted file mode 100644
index d20bd4338..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Lazarus System Binary Masquerading
-id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
-status: test
-description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
-references:
- - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
-author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
-date: 2020/06/03
-modified: 2023/03/10
-tags:
- - attack.defense_evasion
- - attack.t1036.005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith:
- - \msdtc.exe
- - \gpsvc.exe
- filter:
- NewProcessName|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
deleted file mode 100644
index aa7b7a3a4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Turla Service Install
-id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
-status: test
-description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
-references:
- - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
-author: Florian Roth (Nextron Systems)
-date: 2017/03/31
-modified: 2021/11/30
-tags:
- - attack.persistence
- - attack.g0010
- - attack.t1543.003
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName:
- - srservice
- - ipvpn
- - hkmsvc
- condition: system and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
deleted file mode 100644
index 47e6633a7..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Turla PNG Dropper Service
-id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
-status: test
-description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
-references:
- - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
-author: Florian Roth (Nextron Systems)
-date: 2018/11/23
-modified: 2021/11/30
-tags:
- - attack.persistence
- - attack.g0010
- - attack.t1543.003
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName: WerFaultSvc
- condition: system and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
deleted file mode 100644
index 57766516e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Elise Backdoor Activity
-id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
-status: test
-description: Detects Elise backdoor activity used by APT32
-references:
- - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
- - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2018/01/31
-modified: 2023/03/09
-tags:
- - attack.g0030
- - attack.g0050
- - attack.s0081
- - attack.execution
- - attack.t1059.003
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_other_svchost:
- NewProcessName|endswith: \Microsoft\Network\svchost.exe
- selection_other_del:
- CommandLine|contains|all:
- - \Windows\Caches\NavShExt.dll
- - /c del
- selection_dll_path:
- CommandLine|endswith:
- - \AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll
- - \AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll
- selection_dll_function:
- CommandLine|contains: ',Setting'
- condition: process_creation and (1 of selection_other_* or all of selection_dll_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
deleted file mode 100644
index 8faf6d754..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: APT27 - Emissary Panda Activity
-id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
-status: test
-description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
-references:
- - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
- - https://twitter.com/cyb3rops/status/1168863899531132929
- - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
-author: Florian Roth (Nextron Systems)
-date: 2018/09/03
-modified: 2023/03/09
-tags:
- - attack.defense_evasion
- - attack.t1574.002
- - attack.g0027
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_sllauncher:
- ParentProcessName|endswith: \sllauncher.exe
- NewProcessName|endswith: \svchost.exe
- selection_svchost:
- CommandLine|contains: -k
- ParentProcessName|contains: \AppData\Roaming\
- NewProcessName|endswith: \svchost.exe
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
deleted file mode 100644
index 53137427f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Sofacy Trojan Loader Activity
-id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
-status: test
-description: Detects Trojan loader activity as used by APT28
-references:
- - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
- - https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
- - https://twitter.com/ClearskySec/status/960924755355369472
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2018/03/01
-modified: 2023/05/31
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.g0007
- - attack.t1059.003
- - attack.t1218.011
- - car.2013-10-002
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_path:
- CommandLine|contains:
- - '%LOCALAPPDATA%'
- - \AppData\Local\
- NewProcessName|endswith: \rundll32.exe
- selection_extensions:
- - CommandLine|contains: .dat",
- - CommandLine|endswith:
- - '.dll #1'
- - '.dll" #1'
- - .dll",#1
- filter_main_exclude_temp:
- CommandLine|contains: \AppData\Local\Temp\
- condition: process_creation and (all of selection_* and not 1 of filter_main_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
deleted file mode 100644
index eaf3596f7..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: APT29 2018 Phishing Campaign CommandLine Indicators
-id: 7453575c-a747-40b9-839b-125a0aae324b
-related:
- - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
- type: obsoletes
-status: stable
-description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
-references:
- - https://twitter.com/DrunkBinary/status/1063075530180886529
- - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
-author: Florian Roth (Nextron Systems), @41thexplorer
-date: 2018/11/20
-modified: 2023/03/08
-tags:
- - attack.execution
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - CommandLine|contains: -noni -ep bypass $
- - CommandLine|contains|all:
- - cyzfc.dat,
- - PointFunctionCall
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
deleted file mode 100644
index fe8c82050..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Potential MuddyWater APT Activity
-id: 36222790-0d43-4fe8-86e4-674b27809543
-status: test
-description: Detects potential Muddywater APT activity
-references:
- - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/10
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.g0069
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_mshta:
- CommandLine|contains|all:
- - vbscript:Close(Execute("CreateObject(
- - powershell
- - -w 1 -exec Bypass
- - \ProgramData\
- selection_survey:
- CommandLine|contains|all:
- - Win32_OperatingSystem
- - Win32_NetworkAdapterConfiguration
- - root\SecurityCenter2
- - '[System.Net.DNS]'
- selection_pwsh_backdoor:
- CommandLine|contains|all:
- - '[Convert]::ToBase64String'
- - '[System.Text.Encoding]::UTF8.GetString]'
- - GetResponse().GetResponseStream()
- - '[System.Net.HttpWebRequest]::Create('
- - '-bxor '
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
deleted file mode 100644
index 643823ade..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: OilRig APT Activity
-id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
-related:
- - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
- type: similar
- - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
- type: similar
-status: test
-description: Detects OilRig activity as reported by Nyotron in their March 2018 report
-references:
- - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
-tags:
- - attack.persistence
- - attack.g0049
- - attack.t1053.005
- - attack.s0111
- - attack.t1543.003
- - attack.defense_evasion
- - attack.t1112
- - attack.command_and_control
- - attack.t1071.004
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_schtasks:
- CommandLine|contains|all:
- - SC Scheduled Scan
- - \microsoft\Taskbar\autoit3.exe
- selection_temp:
- NewProcessName|contains: \Windows\Temp\DB\
- NewProcessName|endswith: .exe
- selection_service:
- CommandLine|contains:
- - i
- - u
- NewProcessName: C:\Windows\system32\Service.exe
- selection_autoit:
- CommandLine|contains|all:
- - nslookup.exe
- - -q=TXT
- ParentProcessName|endswith: \local\microsoft\Taskbar\autoit3.exe
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
deleted file mode 100644
index ebee13389..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: OilRig APT Schedule Task Persistence - Security
-id: c0580559-a6bd-4ef6-b9b7-83703d98b561
-related:
- - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
- type: similar
- - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
- type: similar
-status: test
-description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
-references:
- - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
-tags:
- - attack.persistence
- - attack.g0049
- - attack.t1053.005
- - attack.s0111
- - attack.t1543.003
- - attack.defense_evasion
- - attack.t1112
- - attack.command_and_control
- - attack.t1071.004
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection_service:
- EventID: 4698
- TaskName:
- - SC Scheduled Scan
- - UpdatMachine
- condition: security and selection_service
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
deleted file mode 100644
index 608674039..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: OilRig APT Schedule Task Persistence - System
-id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
-related:
- - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
- type: similar
- - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
- type: similar
-status: experimental
-description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
-references:
- - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
-tags:
- - attack.persistence
- - attack.g0049
- - attack.t1053.005
- - attack.s0111
- - attack.t1543.003
- - attack.defense_evasion
- - attack.t1112
- - attack.command_and_control
- - attack.t1071.004
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName:
- - SC Scheduled Scan
- - UpdatMachine
- condition: system and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
deleted file mode 100644
index ca39ec945..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Defrag Deactivation
-id: 958d81aa-8566-4cea-a565-59ccd4df27b0
-status: test
-description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-references:
- - https://securelist.com/apt-slingshot/84312/
-author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2022/10/09
-tags:
- - attack.persistence
- - attack.t1053.005
- - attack.s0111
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - /delete
- - /change
- CommandLine|contains|all:
- - /TN
- - \Microsoft\Windows\Defrag\ScheduledDefrag
- NewProcessName|endswith: \schtasks.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
deleted file mode 100644
index f50398291..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Defrag Deactivation - Security
-id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
-related:
- - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
- type: derived
-status: test
-description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
-references:
- - https://securelist.com/apt-slingshot/84312/
-author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2022/11/27
-tags:
- - attack.persistence
- - attack.t1053
- - attack.s0111
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4701
- TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
- condition: security and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
deleted file mode 100644
index a44892193..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: TropicTrooper Campaign November 2018
-id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
-status: stable
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
-references:
- - https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
-author: '@41thexplorer, Microsoft Defender ATP'
-date: 2019/11/12
-modified: 2020/08/27
-tags:
- - attack.execution
- - attack.t1059.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
- condition: process_creation and selection
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
deleted file mode 100644
index 7fe19772e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Potential BearLPE Exploitation
-id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
-status: test
-description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
-references:
- - https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
-author: Olaf Hartong
-date: 2019/05/22
-modified: 2023/01/26
-tags:
- - attack.privilege_escalation
- - attack.t1053.005
- - car.2013-08-001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \schtasks.exe
- - OriginalFileName: schtasks.exe
- selection_cli:
- CommandLine|contains|all:
- - /change
- - /TN
- - /RU
- - /RP
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
deleted file mode 100644
index f51deb85f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Exploiting CVE-2019-1388
-id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
-status: stable
-description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
-references:
- - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
-author: Florian Roth (Nextron Systems)
-date: 2019/11/20
-modified: 2022/05/27
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - cve.2019.1388
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: ' http'
- ParentProcessName|endswith: \consent.exe
- NewProcessName|endswith: \iexplore.exe
- rights1:
- MandatoryLabel: S-1-16-16384
- rights2:
- SubjectUserName|contains: # covers many language settings
- - AUTHORI
- - AUTORI
- condition: process_creation and (selection and ( rights1 or rights2 ))
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
deleted file mode 100644
index 6f56ab7b3..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Potential Baby Shark Malware Activity
-id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
-status: test
-description: Detects activity that could be related to Baby Shark malware
-references:
- - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-author: Florian Roth (Nextron Systems)
-date: 2019/02/24
-modified: 2023/03/08
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.discovery
- - attack.t1012
- - attack.t1059.003
- - attack.t1059.001
- - attack.t1218.005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - CommandLine|contains|all:
- - powershell.exe mshta.exe http
- - .hta
- - CommandLine|contains:
- - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
- - cmd.exe /c taskkill /im cmd.exe
- - (New-Object System.Net.WebClient).UploadFile('http
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
deleted file mode 100644
index 17f16035e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-title: Potential Dridex Activity
-id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
-status: stable
-description: Detects potential Dridex acitvity via specific process patterns
-references:
- - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
- - https://redcanary.com/threat-detection-report/threats/dridex/
-author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/10
-modified: 2023/02/03
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055
- - attack.discovery
- - attack.t1135
- - attack.t1033
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_svchost:
- CommandLine|contains|all:
- - C:\Users\
- - \Desktop\
- NewProcessName|endswith: \svchost.exe
- filter_svchost:
- ParentProcessName|startswith: C:\Windows\System32\
- selection_regsvr:
- CommandLine|contains:
- - ' -s '
- - \AppData\Local\Temp\
- ParentProcessName|endswith: \excel.exe
- NewProcessName|endswith: \regsvr32.exe
- filter_regsvr:
- CommandLine|contains: .dll
- selection_anomaly_parent:
- ParentProcessName|endswith: \svchost.exe
- selection_anomaly_child_1:
- CommandLine|contains: ' /all'
- NewProcessName|endswith: \whoami.exe
- selection_anomaly_child_2:
- CommandLine|contains: ' view'
- NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- condition: process_creation and ((selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*))
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
deleted file mode 100644
index 2229c4279..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Potential Dtrack RAT Activity
-id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
-status: stable
-description: Detects potential Dtrack RAT activity via specific process patterns
-references:
- - https://securelist.com/my-name-is-dtrack/93338/
- - https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
- - https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
- - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
- - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/30
-modified: 2023/02/03
-tags:
- - attack.impact
- - attack.t1490
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_ping:
- CommandLine|contains|all:
- - 'ping -n '
- - ' echo EEEE > '
- selection_ipconfig:
- CommandLine|contains|all:
- - ipconfig /all
- - \temp\res.ip
- selection_netsh:
- CommandLine|contains|all:
- - interface ip show config
- - \temp\netsh.res
- condition: process_creation and (1 of selection_*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
deleted file mode 100644
index 6681a803f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Potential Emotet Activity
-id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
-status: stable
-description: Detects all Emotet like process executions that are not covered by the more generic rules
-references:
- - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
- - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
- - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
- - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
-author: Florian Roth (Nextron Systems)
-date: 2019/09/30
-modified: 2023/02/04
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.defense_evasion
- - attack.t1027
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - ' -e* PAA'
- - JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ # $env:userprofile
- - QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA # $env:userprofile
- - kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA # $env:userprofile
- - IgAoACcAKgAnACkAOwAkA # "('*');$
- - IAKAAnACoAJwApADsAJA # "('*');$
- - iACgAJwAqACcAKQA7ACQA # "('*');$
- - JABGAGwAeAByAGgAYwBmAGQ
- - PQAkAGUAbgB2ADoAdABlAG0AcAArACgA # =$env:temp+(
- - 0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA # =$env:temp+(
- - 9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA # =$env:temp+(
- filter:
- CommandLine|contains:
- - fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ
- - wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA
- - 8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA
- condition: process_creation and (selection and not filter)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
deleted file mode 100644
index 26e3547c7..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-title: Formbook Process Creation
-id: 032f5fb3-d959-41a5-9263-4173c802dc2b
-status: test
-description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-references:
- - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
-author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/09/30
-modified: 2022/10/06
-tags:
- - attack.resource_development
- - attack.t1587.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- # Parent command line should not contain a space value
- # This avoids false positives not caused by process injection
- # e.g. wscript.exe /B sysmon-install.vbs
- ParentCommandLine|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- ParentCommandLine|endswith: .exe
- selection2:
- - CommandLine|contains|all:
- - /c
- - del
- - C:\Users\
- - \AppData\Local\Temp\
- - CommandLine|contains|all:
- - /c
- - del
- - C:\Users\
- - \Desktop\
- - CommandLine|contains|all:
- - /C
- - type nul >
- - C:\Users\
- - \Desktop\
- selection3:
- CommandLine|endswith: .exe
- condition: process_creation and (all of selection*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
deleted file mode 100644
index c44323e1a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: LockerGoga Ransomware Activity
-id: 74db3488-fd28-480a-95aa-b7af626de068
-status: stable
-description: Detects LockerGoga ransomware activity via specific command line.
-references:
- - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
- - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
- - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
-author: Vasiliy Burov, oscd.community
-date: 2020/10/18
-modified: 2023/02/03
-tags:
- - attack.impact
- - attack.t1486
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: -i SM-tgytutrc -s
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
deleted file mode 100644
index 12c863c7c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Potential QBot Activity
-id: 4fcac6eb-0287-4090-8eea-2602e4c20040
-status: stable
-description: Detects potential QBot activity by looking for process executions used previously by QBot
-references:
- - https://twitter.com/killamjr/status/1179034907932315648
- - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
-author: Florian Roth (Nextron Systems)
-date: 2019/10/01
-modified: 2023/02/03
-tags:
- - attack.execution
- - attack.t1059.005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- ParentProcessName|endswith: \WinRAR.exe
- NewProcessName|endswith: \wscript.exe
- selection2:
- CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
- selection3:
- CommandLine|contains|all:
- - regsvr32.exe
- - C:\ProgramData
- - .tmp
- condition: process_creation and (1 of selection*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
deleted file mode 100644
index 8b10b62ae..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: Potential Ryuk Ransomware Activity
-id: c37510b8-2107-4b78-aa32-72f251e7a844
-related:
- - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
- type: similar
- - id: 0acaad27-9f02-4136-a243-c357202edd74
- type: obsoletes
-status: stable
-description: Detects Ryuk ransomware activity
-references:
- - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
- - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
-author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/12/16
-modified: 2023/02/03
-tags:
- - attack.persistence
- - attack.t1547.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_reg:
- CommandLine|contains|all:
- - Microsoft\Windows\CurrentVersion\Run
- - C:\users\Public\
- selection_del:
- CommandLine|contains|all:
- - del /s /f /q c:\
- - \*.bac
- - \*.bak
- - \*.bkf
- selection_net:
- CommandLine|contains|all:
- - ' stop '
- - ' /y'
- CommandLine|contains:
- - samss
- - audioendpointbuilder
- - unistoresvc_
- - AcrSch2Svc
- NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- condition: process_creation and (1 of selection_*)
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
deleted file mode 100644
index fb36aa973..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Potential Snatch Ransomware Activity
-id: 5325945e-f1f0-406e-97b8-65104d393fff
-status: stable
-description: Detects specific process characteristics of Snatch ransomware word document droppers
-references:
- - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
-author: Florian Roth (Nextron Systems)
-date: 2020/08/26
-modified: 2023/02/13
-tags:
- - attack.execution
- - attack.t1204
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - shutdown /r /f /t 00 # Shutdown in safe mode immediately
- - net stop SuperBackupMan
- condition: process_creation and selection
-fields:
- - SubjectUserName
- - NewProcessName
- - ComputerName
-falsepositives:
- - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
deleted file mode 100644
index 48f03fba3..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
-id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
-status: test
-description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
-references:
- - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
-author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/02
-modified: 2023/03/29
-tags:
- - attack.defense_evasion
- - attack.t1218.010
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - regsvr32
- - \AppData\Local\
- - .dll
- - ',DllEntry'
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
deleted file mode 100644
index bd9f91174..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: APT31 Judgement Panda Activity
-id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
-status: test
-description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
-references:
- - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
-author: Florian Roth (Nextron Systems)
-date: 2019/02/21
-modified: 2023/03/10
-tags:
- - attack.lateral_movement
- - attack.credential_access
- - attack.g0128
- - attack.t1003.001
- - attack.t1560.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_ldifde:
- CommandLine|contains|all:
- - ldifde
- - -f -n
- - eprod.ldf
- selection_lateral_movement:
- CommandLine|contains|all:
- - copy \\\\
- - c$
- CommandLine|contains:
- - \aaaa\procdump64.exe
- - \aaaa\netsess.exe
- - \aaaa\7za.exe
- - \c$\aaaa\
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
deleted file mode 100644
index cdbd7ffa9..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Potential Russian APT Credential Theft Activity
-id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
-status: stable
-description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
-references:
- - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
-author: Florian Roth (Nextron Systems)
-date: 2019/02/21
-modified: 2023/03/08
-tags:
- - attack.credential_access
- - attack.t1552.001
- - attack.t1003.003
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_xcopy:
- CommandLine|contains|all:
- - xcopy /S /E /C /Q /H \\\\
- - \sysvol\
- selection_adexplorer:
- CommandLine|contains|all:
- - adexplorer -snapshot "" c:\users\
- - \downloads\
- - .snp
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
deleted file mode 100644
index 31eff7409..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Potential EmpireMonkey Activity
-id: 10152a7b-b566-438f-a33c-390b607d1c8d
-status: experimental
-description: Detects potential EmpireMonkey APT activity
-references:
- - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
- - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
-author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/04/02
-modified: 2023/03/09
-tags:
- - attack.defense_evasion
- - attack.t1218.010
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - /e:jscript # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
- - \Local\Temp\Errors.bat
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
deleted file mode 100644
index 2fc96f369..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Equation Group DLL_U Export Function Load
-id: d465d1d8-27a2-4cca-9621-a800f37cf72e
-status: stable
-description: Detects a specific export function name used by one of EquationGroup tools
-references:
- - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
- - https://twitter.com/cyb3rops/status/972186477512839170
-author: Florian Roth (Nextron Systems)
-date: 2019/03/04
-modified: 2023/03/09
-tags:
- - attack.g0020
- - attack.defense_evasion
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - CommandLine|contains: -export dll_u
- - CommandLine|endswith:
- - ',dll_u'
- - ' dll_u'
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
deleted file mode 100644
index 8dcd7da61..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Mustang Panda Dropper
-id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
-status: test
-description: Detects specific process parameters as used by Mustang Panda droppers
-references:
- - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
- - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
- - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
-author: Florian Roth (Nextron Systems), oscd.community
-date: 2019/10/30
-modified: 2021/11/27
-tags:
- - attack.t1587.001
- - attack.resource_development
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cli:
- - CommandLine|contains:
- - Temp\wtask.exe /create
- - '%windir:~-3,1%%PUBLIC:~-9,1%'
- - '/tn "Security Script '
- - '%windir:~-1,1%'
- - CommandLine|contains|all:
- - /E:vbscript
- - C:\Users\
- - .txt
- - /F
- selection_img:
- NewProcessName|endswith: Temp\winwsh.exe
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
deleted file mode 100644
index f5e5a7331..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Operation Wocao Activity
-id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
-related:
- - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
- type: derived
-status: test
-description: Detects activity mentioned in Operation Wocao report
-references:
- - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- - https://twitter.com/SBousseaden/status/1207671369963646976
-author: Florian Roth (Nextron Systems), frack113
-date: 2019/12/20
-modified: 2022/10/09
-tags:
- - attack.discovery
- - attack.t1012
- - attack.defense_evasion
- - attack.t1036.004
- - attack.t1027
- - attack.execution
- - attack.t1053.005
- - attack.t1059.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
- definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - checkadmin.exe 127.0.0.1 -all
- - netsh advfirewall firewall add rule name=powershell dir=in
- - cmd /c powershell.exe -ep bypass -file c:\s.ps1
- - /tn win32times /f
- - create win32times binPath=
- - \c$\windows\system32\devmgr.dll
- - ' -exec bypass -enc JgAg'
- - type *keepass\KeePass.config.xml
- - iie.exe iie.txt
- - reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\
- condition: process_creation and selection
-falsepositives:
- - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
deleted file mode 100644
index 9c204d2d9..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Operation Wocao Activity - Security
-id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
-status: test
-description: Detects activity mentioned in Operation Wocao report
-references:
- - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
- - https://twitter.com/SBousseaden/status/1207671369963646976
-author: Florian Roth (Nextron Systems), frack113
-date: 2019/12/20
-modified: 2022/11/27
-tags:
- - attack.discovery
- - attack.t1012
- - attack.defense_evasion
- - attack.t1036.004
- - attack.t1027
- - attack.execution
- - attack.t1053.005
- - attack.t1059.001
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4799
- TargetUserName|startswith: Administr
- CallerProcessName|endswith: \checkadmin.exe
- condition: security and selection
-falsepositives:
- - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
deleted file mode 100644
index 243fcc6f3..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: CVE-2020-0688 Exploitation via Eventlog
-id: d6266bf5-935e-4661-b477-78772735a7cb
-status: test
-description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
-references:
- - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
- - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
-author: Florian Roth (Nextron Systems), wagga
-date: 2020/02/29
-modified: 2022/12/25
-tags:
- - attack.initial_access
- - attack.t1190
- - cve.2020.0688
- - detection.emerging_threats
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection1:
- EventID: 4
- Provider_Name: MSExchange Control Panel
- Level: Error
- selection2:
- - '&__VIEWSTATE='
- condition: application and (all of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
deleted file mode 100644
index c3010eb88..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Exploited CVE-2020-10189 Zoho ManageEngine
-id: 846b866e-2a57-46ee-8e16-85fa92759be7
-status: test
-description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
-references:
- - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
-author: Florian Roth (Nextron Systems)
-date: 2020/03/25
-modified: 2023/01/21
-tags:
- - attack.initial_access
- - attack.t1190
- - attack.execution
- - attack.t1059.001
- - attack.t1059.003
- - attack.s0190
- - cve.2020.10189
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: DesktopCentral_Server\jre\bin\java.exe
- NewProcessName|endswith:
- - \cmd.exe
- - \powershell.exe
- - \pwsh.exe
- - \bitsadmin.exe
- - \systeminfo.exe
- - \net.exe
- - \net1.exe
- - \reg.exe
- - \query.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
deleted file mode 100644
index 90104f0f8..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Suspicious PrinterPorts Creation (CVE-2020-1048)
-id: cc08d590-8b90-413a-aff6-31d1a99678d7
-status: test
-description: Detects new commands that add new printer port which point to suspicious file
-references:
- - https://windows-internals.com/printdemon-cve-2020-1048/
-author: EagleEye Team, Florian Roth
-date: 2020/05/13
-modified: 2021/11/27
-tags:
- - attack.persistence
- - attack.execution
- - attack.t1059.001
- - cve.2020.1048
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains: Add-PrinterPort -Name
- selection2:
- CommandLine|contains:
- - .exe
- - .dll
- - .bat
- selection3:
- CommandLine|contains: Generic / Text Only
- condition: process_creation and ((selection1 and selection2) or selection3)
-falsepositives:
- - New printer port install on host
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
deleted file mode 100644
index cb7a47f54..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: DNS RCE CVE-2020-1350
-id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
-status: test
-description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
-references:
- - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
- - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
-author: Florian Roth (Nextron Systems)
-date: 2020/07/15
-modified: 2022/07/12
-tags:
- - attack.initial_access
- - attack.t1190
- - attack.execution
- - attack.t1569.002
- - cve.2020.1350
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \System32\dns.exe
- filter:
- NewProcessName|endswith:
- - \System32\werfault.exe
- - \System32\conhost.exe
- - \System32\dnscmd.exe
- - \System32\dns.exe
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown but benign sub processes of the Windows DNS service dns.exe
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
deleted file mode 100644
index 5b83188eb..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Blue Mockingbird
-id: c3198a27-23a0-4c2c-af19-e5328d49680e
-related:
- - id: ce239692-aa94-41b3-b32f-9cab259c96ea
- type: merged
-status: test
-description: Attempts to detect system changes made by Blue Mockingbird
-references:
- - https://redcanary.com/blog/blue-mockingbird-cryptominer/
-author: Trent Liffick (@tliffick)
-date: 2020/05/14
-modified: 2022/10/09
-tags:
- - attack.execution
- - attack.t1112
- - attack.t1047
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- sc_cmd:
- CommandLine|contains|all:
- - sc config
- - wercplsupporte.dll
- NewProcessName|endswith: \cmd.exe
- wmic_cmd:
- CommandLine|endswith: COR_PROFILER
- NewProcessName|endswith: \wmic.exe
- condition: process_creation and (sc_cmd or wmic_cmd)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
deleted file mode 100644
index 45ea2cd02..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Potential Emotet Rundll32 Execution
-id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
-status: test
-description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
-references:
- - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
- - https://cyber.wtf/2021/11/15/guess-whos-back/
-author: FPT.EagleEye
-date: 2020/12/25
-modified: 2023/02/21
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \rundll32.exe
- - OriginalFileName: RUNDLL32.EXE
- selection_cli:
- CommandLine|endswith:
- - ',RunDLL'
- - ',Control_RunDLL'
- # - ',#1' too generic - function load by ordinal is not Emotet specific
- filter_legitimate_dll:
- CommandLine|endswith:
- - .dll,Control_RunDLL
- - .dll",Control_RunDLL
- - .dll',Control_RunDLL
- filter_ide:
- ParentProcessName|endswith: \tracker.exe
- condition: process_creation and (all of selection_* and not 1 of filter_*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
deleted file mode 100644
index 4879d7db9..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Potential Ke3chang/TidePool Malware Activity
-id: 7b544661-69fc-419f-9a59-82ccc328f205
-status: test
-description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
-references:
- - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
- - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
-author: Markus Neis, Swisscom
-date: 2020/06/18
-modified: 2023/03/10
-tags:
- - attack.g0004
- - attack.defense_evasion
- - attack.t1562.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
- # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
- # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
- # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
- # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
- CommandLine|contains:
- - -Property DWORD -name DisableFirstRunCustomize -value 2 -Force
- - -Property String -name Check_Associations -value
- - -Property DWORD -name IEHarden -value 0 -Force
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
deleted file mode 100644
index 1175563a7..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Potential Maze Ransomware Activity
-id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
-status: test
-description: Detects specific process characteristics of Maze ransomware word document droppers
-references:
- - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
- - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
-author: Florian Roth (Nextron Systems)
-date: 2020/05/08
-modified: 2023/02/13
-tags:
- - attack.execution
- - attack.t1204.002
- - attack.t1047
- - attack.impact
- - attack.t1490
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- # Dropper
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- ParentProcessName|endswith: \WINWORD.exe
- NewProcessName|endswith: .tmp
- selection2:
- CommandLine|endswith: shadowcopy delete
- # Specific Pattern
- NewProcessName|endswith: \wmic.exe
- ParentProcessName|contains: \Temp\
- selection3:
- CommandLine|endswith: shadowcopy delete
- CommandLine|contains: \..\..\system32
- condition: process_creation and (1 of selection*)
-fields:
- - SubjectUserName
- - NewProcessName
- - ComputerName
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
deleted file mode 100644
index bd10990aa..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: EvilNum APT Golden Chickens Deployment Via OCX Files
-id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
-status: test
-description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
-references:
- - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
- - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
-author: Florian Roth (Nextron Systems)
-date: 2020/07/10
-modified: 2023/03/09
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - regsvr32
- - /s
- - /i
- - \AppData\Roaming\
- - .ocx
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
deleted file mode 100644
index 0d71c46b8..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-title: GALLIUM IOCs
-id: 440a56bf-7873-4439-940a-1c8a671073c2
-status: test
-description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
-references:
- - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
-author: Tim Burrell
-date: 2020/02/07
-modified: 2023/03/09
-tags:
- - attack.credential_access
- - attack.command_and_control
- - attack.t1212
- - attack.t1071
- - attack.g0093
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_sysmon:
- Hashes|contains:
- - SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd
- - SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b
- - SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5
- - SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29
- - SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77
- - SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3
- - SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022
- - SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883
- - SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e
- - SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7
- - SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1
- - SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c
- - SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945
- - SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9
- - SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79
- - SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf
- - SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08
- - SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef
- - SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070
- - SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635
- - SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19
- - SHA1=aeb573accfd95758550cf30bf04f389a92922844
- - SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a
- - SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196
- - SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
- - SHA1=e841a63e47361a572db9a7334af459ddca11347a
- - SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d
- - SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b
- - SHA1=dd44133716b8a241957b912fa6a02efde3ce3025
- - SHA1=8793bf166cb89eb55f0593404e4e933ab605e803
- - SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138
- - SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea
- - SHA1=d209430d6af54792371174e70e27dd11d3def7a7
- - SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0
- - SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
- - SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f
- - SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de
- - SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2
- selection_hashes:
- - sha256:
- - 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd
- - 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b
- - 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5
- - 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29
- - 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77
- - a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3
- - 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022
- - 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883
- - 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e
- - 1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7
- - fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1
- - 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c
- - 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945
- - 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9
- - 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79
- - 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf
- - 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08
- - 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef
- - 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070
- - sha1:
- - 53a44c2396d15c3a03723fa5e5db54cafd527635
- - 9c5e496921e3bc882dc40694f1dcc3746a75db19
- - aeb573accfd95758550cf30bf04f389a92922844
- - 79ef78a797403a4ed1a616c68e07fff868a8650a
- - 4f6f38b4cec35e895d91c052b1f5a83d665c2196
- - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
- - e841a63e47361a572db9a7334af459ddca11347a
- - c28f606df28a9bc8df75a4d5e5837fc5522dd34d
- - 2e94b305d6812a9f96e6781c888e48c7fb157b6b
- - dd44133716b8a241957b912fa6a02efde3ce3025
- - 8793bf166cb89eb55f0593404e4e933ab605e803
- - a39b57032dbb2335499a51e13470a7cd5d86b138
- - 41cc2b15c662bc001c0eb92f6cc222934f0beeea
- - d209430d6af54792371174e70e27dd11d3def7a7
- - 1c6452026c56efd2c94cea7e0f671eb55515edb0
- - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
- - 4923d460e22fbbf165bbbaba168e5a46b8157d9f
- - f201504bd96e81d0d350c3a8332593ee1c9e09de
- - ddd2db1127632a2a52943a2fe516a2e7d05d70d2
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
deleted file mode 100644
index 3d9a4471d..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: GALLIUM Artefacts - Builtin
-id: 3db10f25-2527-4b79-8d4b-471eb900ee29
-related:
- - id: 440a56bf-7873-4439-940a-1c8a671073c2
- type: derived
-status: test
-description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
-references:
- - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
-author: Tim Burrell
-date: 2020/02/07
-modified: 2023/01/02
-tags:
- - attack.credential_access
- - attack.command_and_control
- - attack.t1071
- - detection.emerging_threats
-logsource:
- product: windows
- service: dns-server-analytic
- definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
-detection:
- dns_server_analytic:
- Channel: Microsoft-Windows-DNS-Server/Analytical
- selection:
- EventID: 257
- QNAME:
- - asyspy256.ddns.net
- - hotkillmail9sddcc.ddns.net
- - rosaf112.ddns.net
- - cvdfhjh1231.myftp.biz
- - sz2016rose.ddns.net
- - dffwescwer4325.myftp.biz
- - cvdfhjh1231.ddns.net
- condition: dns_server_analytic and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
deleted file mode 100644
index 0c0730e8d..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-title: Greenbug Espionage Group Indicators
-id: 3711eee4-a808-4849-8a14-faf733da3612
-status: test
-description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
-references:
- - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
-author: Florian Roth (Nextron Systems)
-date: 2020/05/20
-modified: 2023/03/09
-tags:
- - attack.g0049
- - attack.execution
- - attack.t1059.001
- - attack.command_and_control
- - attack.t1105
- - attack.defense_evasion
- - attack.t1036.005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- NewProcessName|endswith:
- - :\ProgramData\adobe\Adobe.exe
- - :\ProgramData\oracle\local.exe
- - \revshell.exe
- - \infopagesbackup\ncat.exe
- - :\ProgramData\comms\comms.exe
- selection_msf:
- CommandLine|contains|all:
- - -ExecutionPolicy Bypass -File
- - \msf.ps1
- selection_ncat:
- CommandLine|contains|all:
- - infopagesbackup
- - \ncat
- - -e cmd.exe
- selection_powershell:
- CommandLine|contains:
- - system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill
- - -nop -w hidden -c $k=new-object
- - '[Net.CredentialCache]::DefaultCredentials;IEX '
- - ' -nop -w hidden -c $m=new-object net.webclient;$m'
- - -noninteractive -executionpolicy bypass whoami
- - -noninteractive -executionpolicy bypass netstat -a
- selection_other:
- CommandLine|contains: L3NlcnZlcj1 # base64 encoded '/server='
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
deleted file mode 100644
index 8682aeb67..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-title: Lazarus Group Activity
-id: 24c4d154-05a4-4b99-b57d-9b977472443a
-related:
- - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
- type: obsoletes
-status: test
-description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
-references:
- - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
- - https://www.hvs-consulting.de/lazarus-report/
-author: Florian Roth (Nextron Systems), wagga
-date: 2020/12/23
-modified: 2023/03/10
-tags:
- - attack.g0032
- - attack.execution
- - attack.t1059
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_generic:
- CommandLine|contains:
- - reg.exe save hklm\sam %temp%\~reg_sam.save
- - 1q2w3e4r@#$@#$@#$
- - ' -hp1q2w3e4 '
- - '.dat data03 10000 -p '
- selection_netstat:
- CommandLine|contains|all:
- - 'netstat -aon | find '
- - ESTA
- - ' > %temp%\~'
- # Network share discovery
- selection_network_discovery:
- CommandLine|contains|all:
- - .255 10 C:\ProgramData\IBM\
- - .DAT
- selection_persistence:
- CommandLine|contains|all:
- - ' /c '
- - ' -p 0x'
- CommandLine|contains:
- - C:\ProgramData\
- - C:\RECYCLER\
- selection_rundll32:
- CommandLine|contains|all:
- - 'rundll32 '
- - C:\ProgramData\
- CommandLine|contains:
- - .bin,
- - .tmp,
- - .dat,
- - .io,
- - .ini,
- - .db,
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
deleted file mode 100644
index 460e604ce..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-title: UNC2452 Process Creation Patterns
-id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
-status: test
-description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
-references:
- - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
-author: Florian Roth (Nextron Systems)
-date: 2021/01/22
-modified: 2023/09/12
-tags:
- - attack.execution
- - attack.t1059.001
- - detection.emerging_threats
- # - sunburst
- # - unc2452
-logsource:
- category: process_creation
- product: windows
-detection:
- # To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
- process_creation:
- EventID: 4688
- Channel: Security
- selection_generic_1:
- CommandLine|contains:
- - 7z.exe a -v500m -mx9 -r0 -p
- - 7z.exe a -mx9 -r0 -p
- CommandLine|contains|all:
- - .zip
- - .txt
- selection_generic_2:
- CommandLine|contains:
- - 7z.exe a -v500m -mx9 -r0 -p
- - 7z.exe a -mx9 -r0 -p
- CommandLine|contains|all:
- - .zip
- - .log
- selection_generic_3:
- ParentCommandLine|contains|all:
- - wscript.exe
- - .vbs
- CommandLine|contains|all:
- - rundll32.exe
- - C:\Windows
- - .dll,Tk_
- selection_generic_4:
- ParentCommandLine|contains:
- - C:\Windows
- - .dll
- CommandLine|contains: 'cmd.exe /C '
- ParentProcessName|endswith: \rundll32.exe
- selection_generic_5:
- CommandLine: ''
- ParentProcessName|endswith: \rundll32.exe
- NewProcessName|endswith: \dllhost.exe
- condition: process_creation and (1 of selection_generic_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
deleted file mode 100644
index 08ee32a67..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: UNC2452 PowerShell Pattern
-id: b7155193-8a81-4d8f-805d-88de864ca50c
-status: test
-description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
-references:
- - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
-author: Florian Roth (Nextron Systems)
-date: 2021/01/20
-modified: 2022/10/09
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.t1047
- - detection.emerging_threats
- # - sunburst
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cli_1:
- CommandLine|contains|all:
- - Invoke-WMIMethod win32_process -name create -argumentlist
- - rundll32 c:\windows
- selection_cli_2:
- CommandLine|contains|all:
- - 'wmic /node:'
- - process call create "rundll32 c:\windows
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
deleted file mode 100644
index 4c88c59f0..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Suspicious VBScript UN2452 Pattern
-id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
-status: test
-description: Detects suspicious inline VBScript keywords as used by UNC2452
-references:
- - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
-author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2022/10/09
-tags:
- - attack.persistence
- - attack.t1547.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - Execute
- - CreateObject
- - RegRead
- - window.close
- - \Microsoft\Windows\CurrentVersion
- filter:
- CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Run
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
deleted file mode 100644
index 16b628b3d..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: TAIDOOR RAT DLL Load
-id: d1aa3382-abab-446f-96ea-4de52908210b
-status: test
-description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
-references:
- - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
-author: Florian Roth (Nextron Systems)
-date: 2020/07/30
-modified: 2021/11/27
-tags:
- - attack.execution
- - attack.t1055.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains:
- - dll,MyStart
- - dll MyStart
- selection2a:
- CommandLine|endswith: ' MyStart'
- selection2b:
- CommandLine|contains: rundll32.exe
- condition: process_creation and (selection1 or ( selection2a and selection2b ))
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
deleted file mode 100644
index 6b0ce0a17..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Winnti Malware HK University Campaign
-id: 3121461b-5aa0-4a41-b910-66d25524edbb
-status: test
-description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
-references:
- - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
-author: Florian Roth (Nextron Systems), Markus Neis
-date: 2020/02/01
-modified: 2021/11/27
-tags:
- - attack.defense_evasion
- - attack.t1574.002
- - attack.g0044
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- ParentProcessName|contains:
- - C:\Windows\Temp
- - \hpqhvind.exe
- NewProcessName|startswith: C:\ProgramData\DRM
- selection2:
- ParentProcessName|startswith: C:\ProgramData\DRM
- NewProcessName|endswith: \wmplayer.exe
- selection3:
- ParentProcessName|endswith: \Test.exe
- NewProcessName|endswith: \wmplayer.exe
- selection4:
- NewProcessName: C:\ProgramData\DRM\CLR\CLR.exe
- selection5:
- ParentProcessName|startswith: C:\ProgramData\DRM\Windows
- NewProcessName|endswith: \SearchFilterHost.exe
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
deleted file mode 100644
index 79e0e4db9..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Winnti Pipemon Characteristics
-id: 73d70463-75c9-4258-92c6-17500fe972f2
-status: stable
-description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
-references:
- - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
-author: Florian Roth (Nextron Systems), oscd.community
-date: 2020/07/30
-modified: 2021/11/27
-tags:
- - attack.defense_evasion
- - attack.t1574.002
- - attack.g0044
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- CommandLine|contains: setup0.exe -p
- selection_2:
- CommandLine|contains: setup.exe
- CommandLine|endswith:
- - -x:0
- - -x:1
- - -x:2
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Legitimate setups that use similar flags
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
deleted file mode 100644
index 4b2d5c861..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
-id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
-status: stable
-description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
-references:
- - https://twitter.com/mvelazco/status/1410291741241102338
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
-author: Sittikorn S, Nuttakorn T, Tim Shelton
-date: 2021/07/01
-modified: 2023/10/23
-tags:
- - attack.privilege_escalation
- - attack.t1055
-logsource:
- category: antivirus
- product: windows
- service: windefend
-detection:
- antivirus:
- EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- - 1006
- - 1007
- - 1008
- - 1009
- - 1010
- - 1011
- - 1012
- - 1115
- - 1116
- - 1017
- - 1018
- - 1019
- - 1115
- - 1116
- Channel: Microsoft-Windows-Windows Defender/Operational
- selection:
- Path|contains: :\Windows\System32\spool\drivers\x64\
- keywords:
- - File submitted to Symantec # symantec fp, pending analysis, more generic
- condition: antivirus and (selection and not keywords)
-falsepositives:
- - Unlikely, or pending PSP analysis
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
deleted file mode 100644
index c2eef25e8..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: Possible CVE-2021-1675 Print Spooler Exploitation
-id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
-status: test
-description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
-references:
- - https://github.com/hhlxf/PrintNightmare
- - https://github.com/afwu/PrintNightmare
- - https://twitter.com/fuzzyf10w/status/1410202370835898371
-author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
-date: 2021/06/30
-modified: 2022/11/15
-tags:
- - attack.execution
- - attack.t1569
- - cve.2021.1675
- - detection.emerging_threats
-logsource:
- product: windows
- service: printservice-admin
-detection:
- printservice_admin:
- Channel: Microsoft-Windows-PrintService/Admin
- selection:
- EventID: 808
- ErrorCode:
- - '0x45A'
- - '0x7e'
- keywords:
- - The print spooler failed to load a plug-in module
- # default file names used in PoC codes
- - MyExploit.dll
- - evil.dll
- - \addCube.dll
- - \rev.dll
- - \rev2.dll
- - \main64.dll
- - \mimilib.dll
- - \mimispool.dll
- falsepositive:
- - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
- condition: printservice_admin and ((selection or keywords) and not falsepositive)
-fields:
- - PluginDllName
-falsepositives:
- - Problems with printer drivers
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
deleted file mode 100644
index caf656ee0..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: CVE-2021-1675 Print Spooler Exploitation
-id: f34d942d-c8c4-4f1f-b196-22471aecf10a
-status: test
-description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
-references:
- - https://twitter.com/MalwareJake/status/1410421967463731200
-author: Florian Roth (Nextron Systems)
-date: 2021/07/01
-modified: 2022/10/09
-tags:
- - attack.execution
- - attack.t1569
- - cve.2021.1675
- - detection.emerging_threats
-logsource:
- product: windows
- service: printservice-operational
-detection:
- printservice_operational:
- Channel: Microsoft-Windows-PrintService/Operational
- selection:
- EventID: 316
- keywords:
- - 'UNIDRV.DLL, kernelbase.dll, '
- - ' 123 '
- - ' 1234 '
- - mimispool
- condition: printservice_operational and (selection and keywords)
-fields:
- - DriverAdded
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
deleted file mode 100644
index 4b2792344..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: CVE-2021-1675 Print Spooler Exploitation IPC Access
-id: 8fe1c584-ee61-444b-be21-e9054b229694
-status: test
-description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
-references:
- - https://twitter.com/INIT_3/status/1410662463641731075
-author: INIT_6
-date: 2021/07/02
-modified: 2022/10/05
-tags:
- - attack.execution
- - attack.t1569
- - cve.2021.1675
- - cve.2021.34527
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 5145
- ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$
- RelativeTargetName: spoolss
- AccessMask: '0x3'
- ObjectType: File
- condition: security and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
deleted file mode 100644
index cfa8f9d99..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
-id: 245f92e3-c4da-45f1-9070-bc552e06db11
-status: test
-description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
-references:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- - https://github.com/h3v0x/CVE-2021-26084_Confluence
-author: Bhabesh Raj
-date: 2021/09/08
-modified: 2023/02/13
-tags:
- - attack.initial_access
- - attack.execution
- - attack.t1190
- - attack.t1059
- - cve.2021.26084
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- # Monitor suspicious child processes spawned by Confluence
- CommandLine|contains:
- - certutil
- - cmd /c
- - cmd /k
- - cscript
- - curl
- - ipconfig
- - powershell
- - pwsh
- - regsvr32
- - rundll32
- - whoami
- - wscript
- ParentProcessName|endswith: \Atlassian\Confluence\jre\bin\java.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
deleted file mode 100644
index e94eb7e3c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Potential CVE-2021-26857 Exploitation Attempt
-id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
-status: stable
-description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
-references:
- - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-author: Bhabesh Raj
-date: 2021/03/03
-modified: 2023/02/07
-tags:
- - attack.t1203
- - attack.execution
- - cve.2021.26857
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \UMWorkerProcess.exe
- filter:
- NewProcessName|endswith:
- - wermgr.exe
- - WerFault.exe
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
deleted file mode 100644
index f00a0f98b..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
-id: 75578840-9526-4b2a-9462-af469a45e767
-status: test
-description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
-references:
- - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
-author: Florian Roth (Nextron Systems)
-date: 2021/07/14
-modified: 2022/12/18
-tags:
- - attack.persistence
- - attack.t1136.001
- - cve.2021.35211
- - detection.emerging_threats
- # - threat_group.DEV-0322
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_whoami:
- CommandLine|contains: whoami
- selection_cmd_1:
- CommandLine|contains:
- - ./Client/Common/
- - .\Client\Common\
- selection_cmd_2:
- CommandLine|contains: C:\Windows\Temp\Serv-U.bat
- condition: process_creation and (selection_whoami and 1 of selection_cmd*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
deleted file mode 100644
index 9e22c47ec..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Potential CVE-2021-40444 Exploitation Attempt
-id: 894397c6-da03-425c-a589-3d09e7d1f750
-status: test
-description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
-references:
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- - https://twitter.com/neonprimetime/status/1435584010202255375
- - https://www.joesandbox.com/analysis/476188/1/iochtml
-author: Florian Roth (Nextron Systems), @neonprimetime
-date: 2021/09/08
-modified: 2023/02/04
-tags:
- - attack.execution
- - attack.t1059
- - cve.2021.40444
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith: \control.exe
- ParentProcessName|endswith:
- - \winword.exe
- - \powerpnt.exe
- - \excel.exe
- filter:
- CommandLine|endswith:
- - \control.exe input.dll
- - \control.exe" input.dll
- condition: process_creation and (selection and not filter)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
deleted file mode 100644
index 76b60849e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Potential Exploitation Attempt From Office Application
-id: 868955d9-697e-45d4-a3da-360cefd7c216
-status: test
-description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
-references:
- - https://twitter.com/sbousseaden/status/1531653369546301440
- - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
-author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
-date: 2022/06/02
-modified: 2023/02/04
-tags:
- - attack.execution
- - attack.defense_evasion
- - cve.2021.40444
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - ../../../..
- - ..\..\..\..
- - ..//..//..//..
- ParentProcessName|endswith:
- - \winword.exe
- - \excel.exe
- - \powerpnt.exe
- - \msaccess.exe
- - \mspub.exe
- - \eqnedt32.exe
- - \visio.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
deleted file mode 100644
index 27d810c6e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Potential CVE-2021-41379 Exploitation Attempt
-id: af8bbce4-f751-46b4-8d91-82a33a736f61
-status: test
-description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
-references:
- - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
- - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
- - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
- - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
-author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2023/02/13
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - cve.2021.41379
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith:
- - \cmd.exe
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - Cmd.Exe
- - PowerShell.EXE
- - pwsh.dll
- selection_parent:
- ParentProcessName|endswith: \elevation_service.exe
- MandatoryLabel: S-1-16-16384
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
deleted file mode 100644
index a1c4090e3..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: LPE InstallerFileTakeOver PoC CVE-2021-41379
-id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
-status: test
-description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
-references:
- - https://github.com/klinix5/InstallerFileTakeOver
-author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2022/07/12
-tags:
- - attack.initial_access
- - attack.t1190
- - detection.emerging_threats
-logsource:
- product: windows
- service: application
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- application:
- Channel: Application
- selection:
- EventID: 1033
- Provider_Name: MsiInstaller
- Data|contains: test pkg
- condition: application and selection
-falsepositives:
- - Other MSI packages for which your admins have used that name
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
deleted file mode 100644
index dad2d257f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: Potential CVE-2021-42278 Exploitation Attempt
-id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
-related:
- - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
- type: similar
-status: test
-description: |
- The attacker creates a computer object using those permissions with a password known to her.
- After that she clears the attribute ServicePrincipalName on the computer object.
- Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
-references:
- - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
-author: frack113
-date: 2021/12/15
-modified: 2023/04/14
-tags:
- - attack.credential_access
- - attack.t1558.003
- - cve.2021.42278
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
- EventID:
- - 35 # PAC without attributes
- - 36 # Ticket without a PAC
- - 37 # Ticket without Requestor
- - 38 # Requestor Mismatch
- condition: system and selection
-falsepositives:
- - Unknown
-fields:
- - samAccountName
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
deleted file mode 100644
index f8b3669b4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Suspicious Computer Account Name Change CVE-2021-42287
-id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466
-status: test
-description: Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
-references:
- - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
-author: Florian Roth (Nextron Systems)
-date: 2021/12/22
-modified: 2022/12/25
-tags:
- - cve.2021.42287
- - detection.emerging_threats
- - attack.defense_evasion
- - attack.persistence
- - attack.t1036
- - attack.t1098
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4781 # rename user
- OldTargetUserName|contains: $
- filter:
- NewTargetUserName|contains: $
- condition: security and (selection and not filter)
-falsepositives:
- - Unknown
-fields:
- - EventID
- - SubjectUserName
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
deleted file mode 100644
index da9ea7a6f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Suspicious RazerInstaller Explorer Subprocess
-id: a4eaf250-7dc1-4842-862a-5e71cd59a167
-status: test
-description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
-references:
- - https://twitter.com/j0nh4t/status/1429049506021138437
- - https://streamable.com/q2dsji
-author: Florian Roth (Nextron Systems), Maxime Thiebaut
-date: 2021/08/23
-modified: 2022/10/09
-tags:
- - attack.privilege_escalation
- - attack.t1553
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \RazerInstaller.exe
- MandatoryLabel: S-1-16-16384
- filter:
- NewProcessName|startswith: C:\Windows\Installer\Razer\Installer\
- condition: process_creation and (selection and not filter)
-falsepositives:
- - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
deleted file mode 100644
index e0c9bd606..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Potential SystemNightmare Exploitation Attempt
-id: c01f7bd6-0c1d-47aa-9c61-187b91273a16
-status: test
-description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
-references:
- - https://github.com/GossiTheDog/SystemNightmare
-author: Florian Roth (Nextron Systems)
-date: 2021/08/11
-modified: 2023/02/04
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - printnightmare.gentilkiwi.com
- - ' /user:gentilguest '
- - Kiwi Legit Printer
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
deleted file mode 100644
index 2fbf20afa..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: CVE-2021-31979 CVE-2021-33771 Exploits
-id: 32b5db62-cb5f-4266-9639-0fa48376ac00
-status: experimental
-description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-references:
- - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
-author: Sittikorn S, frack113
-date: 2021/07/16
-modified: 2023/08/17
-tags:
- - attack.credential_access
- - attack.t1566
- - attack.t1203
- - cve.2021.33771
- - cve.2021.31979
- - detection.emerging_threats
- # - threat_group.Sourgum
-logsource:
- product: windows
- category: registry_set
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|endswith:
- - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
- - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
- filter:
- NewValue|endswith:
- - system32\wbem\wmiutils.dll
- - system32\wbem\wbemsvc.dll
- condition: registry_set and (selection and not filter)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
deleted file mode 100644
index b852c739f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Possible Exploitation of Exchange RCE CVE-2021-42321
-id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
-status: test
-description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
-references:
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
-author: Florian Roth (Nextron Systems), @testanull
-date: 2021/11/18
-modified: 2022/07/12
-tags:
- - attack.lateral_movement
- - attack.t1210
- - detection.emerging_threats
-logsource:
- product: windows
- service: msexchange-management
- # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
-detection:
- msexchange_management:
- Channel: MSExchange Management
- selection:
- EventID:
- - 6
- - 8
- Data|contains:
- - 'Cmdlet failed. Cmdlet Get-App, '
- - 'Task Get-App throwing unhandled exception: System.InvalidCastException:'
- condition: msexchange_management and selection
-falsepositives:
- - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
deleted file mode 100644
index 8e07648bc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Potential BlackByte Ransomware Activity
-id: 999e8307-a775-4d5f-addc-4855632335be
-status: test
-description: Detects command line patterns used by BlackByte ransomware in different operations
-references:
- - https://redcanary.com/blog/blackbyte-ransomware/
-author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2023/02/08
-tags:
- - detection.emerging_threats
- - attack.execution
- - attack.defense_evasion
- - attack.impact
- - attack.t1485
- - attack.t1498
- - attack.t1059.001
- - attack.t1140
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- CommandLine|contains: ' -single '
- NewProcessName|startswith: C:\Users\Public\
- selection_2:
- CommandLine|contains:
- - del C:\Windows\System32\Taskmgr.exe
- - ;Set-Service -StartupType Disabled $
- - powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(
- - ' do start wordpad.exe /p '
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
deleted file mode 100644
index a1cee1e23..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Conti Volume Shadow Listing
-id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
-status: test
-description: Detects a command used by conti to find volume shadow backups
-references:
- - https://twitter.com/vxunderground/status/1423336151860002816?s=20
- - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
-author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-tags:
- - attack.t1587.001
- - attack.resource_development
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - vssadmin list shadows
- - log.txt
- condition: process_creation and selection
-fields:
- - SubjectUserName
- - ParentProcessName
- - CommandLine
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
deleted file mode 100644
index 96ab7caba..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Conti NTDS Exfiltration Command
-id: aa92fd02-09f2-48b0-8a93-864813fb8f41
-status: test
-description: Detects a command used by conti to exfiltrate NTDS
-references:
- - https://twitter.com/vxunderground/status/1423336151860002816?s=20
- - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
-author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2022/10/09
-tags:
- - attack.collection
- - attack.t1560
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - 7za.exe
- - \\C$\\temp\\log.zip
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
deleted file mode 100644
index dbb15619a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Potential Conti Ransomware Activity
-id: 689308fc-cfba-4f72-9897-796c1dc61487
-status: test
-description: Detects a specific command used by the Conti ransomware group
-references:
- - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
- - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
-author: frack113
-date: 2021/10/12
-modified: 2023/02/13
-tags:
- - attack.impact
- - attack.s0575
- - attack.t1486
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - '-m '
- - '-net '
- - '-size ' # Size 10 in references
- - '-nomutex '
- - -p \\\\
- - $
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
deleted file mode 100644
index 3f3b4fccc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
-id: 2f47f1fd-0901-466e-a770-3b7092834a1b
-status: test
-description: Detects a command used by conti to dump database
-references:
- - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
- - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
-author: frack113
-date: 2021/08/16
-modified: 2023/05/04
-tags:
- - attack.collection
- - attack.t1005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_tools:
- - NewProcessName|endswith: \sqlcmd.exe
- - CommandLine|contains:
- - 'sqlcmd '
- - sqlcmd.exe
- selection_svr:
- CommandLine|contains: ' -S localhost '
- selection_query:
- CommandLine|contains:
- - sys.sysprocesses
- - master.dbo.sysdatabases
- - BACKUP DATABASE
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
deleted file mode 100644
index ca667dbe3..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: DarkSide Ransomware Pattern
-id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
-status: test
-description: Detects DarkSide Ransomware and helpers
-references:
- - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
- - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
- - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
-author: Florian Roth (Nextron Systems)
-date: 2021/05/14
-tags:
- - attack.execution
- - attack.t1204
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains:
- - =[char][byte]('0x'+
- - ' -work worker0 -path '
- selection2:
- ParentCommandLine|contains: DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
- NewProcessName|contains: \AppData\Local\Temp\
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Unknown
- - UAC bypass method used by other malware
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
deleted file mode 100644
index 0b71d9f68..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Potential Devil Bait Malware Reconnaissance
-id: e8954be4-b2b8-4961-be18-da1a5bda709c
-related:
- - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
- type: derived
-status: experimental
-description: Detects specific process behavior observed with Devil Bait samples
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
-author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
-date: 2023/05/15
-tags:
- - attack.execution
- - attack.t1218
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_redirect:
- CommandLine|contains: '>>%APPDATA%\Microsoft\'
- CommandLine|endswith:
- - .xml
- - .txt
- ParentProcessName|endswith: \wscript.exe
- NewProcessName|endswith: \cmd.exe
- selection_recon_cmd:
- CommandLine|contains:
- # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
- # If you find samples using other commands please add them
- - dir
- - ipconfig /all
- - systeminfo
- - tasklist
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
deleted file mode 100644
index b6dea421d..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Potential Goofy Guineapig Backdoor Activity
-id: 477a5ed3-a374-4282-9f3b-ed94e159a108
-status: experimental
-description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
-author: X__Junior (Nextron Systems)
-date: 2023/05/14
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: choice /t %d /d y /n >nul
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
deleted file mode 100644
index df83e5aee..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
-id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
-status: experimental
-description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
-author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-tags:
- - attack.defense_evasion
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \GoogleUpdate.exe
- NewProcessName|endswith: \GoogleUpdate.exe
- filter_main_legit_paths:
- - NewProcessName|startswith:
- - C:\Program Files\Google\
- - C:\Program Files (x86)\Google\
- - NewProcessName|contains: \AppData\Local\Google\Update\
- condition: process_creation and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
deleted file mode 100644
index f5b1c2c52..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Goofy Guineapig Backdoor Service Creation
-id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
-status: experimental
-description: Detects service creation persistence used by the Goofy Guineapig backdoor
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-tags:
- - attack.persistence
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName: GoogleUpdate
- ImagePath|contains|all:
- - rundll32
- - FileProtocolHandler
- - \ProgramData\GoogleUpdate\GoogleUpdate.exe
- condition: system and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
deleted file mode 100644
index 7d204765c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: Pingback Backdoor Activity
-id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
-related:
- - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
- type: similar
- - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
- type: similar
-status: test
-description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-references:
- - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
-author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
-tags:
- - attack.persistence
- - attack.t1574.001
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - config
- - msdtc
- - start
- - auto
- ParentProcessName|endswith: \updata.exe
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
deleted file mode 100644
index bbd432ddf..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Small Sieve Malware CommandLine Indicator
-id: 21117127-21c8-437a-ae03-4b51e5a8a088
-status: test
-description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
-tags:
- - attack.persistence
- - attack.t1574.001
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|endswith: .exe Platypus
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
deleted file mode 100644
index 8435c429c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Small Sieve Malware Registry Persistence
-id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
-status: experimental
-description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
-modified: 2023/08/17
-tags:
- - attack.persistence
- - detection.emerging_threats
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection_path:
- ObjectName|contains: \Microsoft\Windows\CurrentVersion\Run\
- selection_value:
- - ObjectName|contains: Microsift
- - NewValue|contains: .exe Platypus
- condition: registry_set and (all of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
deleted file mode 100644
index f01a1996e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-title: HAFNIUM Exchange Exploitation Activity
-id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
-status: test
-description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
-references:
- - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
- - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
- - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
- - https://twitter.com/BleepinComputer/status/1372218235949617161
-author: Florian Roth (Nextron Systems)
-date: 2021/03/09
-modified: 2023/03/09
-tags:
- - attack.persistence
- - attack.t1546
- - attack.t1053
- - attack.g0125
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_attrib:
- CommandLine|contains|all:
- - attrib
- - ' +h '
- - ' +s '
- - ' +r '
- - .aspx
- selection_vsperfmon:
- - NewProcessName|contains: \ProgramData\VSPerfMon\
- - CommandLine|contains|all:
- - schtasks
- - VSPerfMon
- selection_opera_1:
- NewProcessName|endswith: Opera_browser.exe
- ParentProcessName|endswith:
- - \services.exe
- - \svchost.exe
- selection_opera_2:
- NewProcessName|endswith: Users\Public\opera\Opera_browser.exe
- selection_vssadmin:
- CommandLine|contains|all:
- - vssadmin list shadows
- - Temp\__output
- selection_makecab_1:
- CommandLine|contains|all:
- - inetpub\wwwroot\
- - .dmp.zip
- NewProcessName|endswith: \makecab.exe
- selection_makecab_2:
- CommandLine|contains:
- - Microsoft\Exchange Server\
- - compressionmemory
- - .gif
- NewProcessName|endswith: \makecab.exe
- selection_7zip:
- CommandLine|contains|all:
- - ' -t7z '
- - C:\Programdata\pst
- - \it.zip
- selection_rundll32:
- CommandLine|contains|all:
- - \comsvcs.dll
- - Minidump
- - 'full '
- - \inetpub\wwwroot
- selection_other:
- CommandLine|contains:
- - Windows\Temp\xx.bat
- - Windows\WwanSvcdcs
- - Windows\Temp\cw.exe
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
deleted file mode 100644
index 7ff674180..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: REvil Kaseya Incident Malware Patterns
-id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
-status: test
-description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
-references:
- - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
- - https://www.joesandbox.com/analysis/443736/0/html
- - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
-author: Florian Roth (Nextron Systems)
-date: 2021/07/03
-modified: 2022/05/20
-tags:
- - attack.execution
- - attack.t1059
- - attack.g0115
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- CommandLine|contains:
- - C:\Windows\cert.exe
- - del /q /f c:\kworking\agent.crt
- - Kaseya VSA Agent Hot-fix
- - \AppData\Local\Temp\MsMpEng.exe
- - rmdir /s /q %SystemDrive%\inetpub\logs
- - del /s /q /f %SystemDrive%\\*.log
- - c:\kworking1\agent.exe
- - c:\kworking1\agent.crt
- selection2:
- NewProcessName:
- - C:\Windows\MsMpEng.exe
- - C:\Windows\cert.exe
- - C:\kworking\agent.exe
- - C:\kworking1\agent.exe
- selection3:
- CommandLine|contains|all:
- - del /s /q /f
- - WebPages\Errors\webErrorLog.txt
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
deleted file mode 100644
index 13615cfa6..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: SOURGUM Actor Behaviours
-id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
-status: test
-description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
-references:
- - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
- - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
- - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
-author: MSTIC, FPT.EagleEye
-date: 2021/06/15
-modified: 2022/10/09
-tags:
- - attack.t1546
- - attack.t1546.015
- - attack.persistence
- - attack.privilege_escalation
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|contains:
- - windows\system32\Physmem.sys
- - Windows\system32\ime\SHARED\WimBootConfigurations.ini
- - Windows\system32\ime\IMEJP\WimBootConfigurations.ini
- - Windows\system32\ime\IMETC\WimBootConfigurations.ini
- registry_image:
- CommandLine|contains: reg add
- NewProcessName|contains:
- - windows\system32\filepath2
- - windows\system32\ime
- registry_key:
- CommandLine|contains:
- - HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32
- - HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32
- condition: process_creation and (selection or all of registry_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
deleted file mode 100644
index 5521500b4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Potential CVE-2023-21554 QueueJumper Exploitation
-id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
-status: experimental
-description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
-references:
- - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/12
-tags:
- - attack.privilege_escalation
- - attack.execution
- - cve.2023.21554
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \Windows\System32\mqsvc.exe
- NewProcessName|endswith:
- - \cmd.exe
- - \cscript.exe
- - \mshta.exe
- - \powershell.exe
- - \pwsh.exe
- - \regsvr32.exe
- - \rundll32.exe
- - \schtasks.exe
- - \wmic.exe
- - \wscript.exe
- - \wsl.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
deleted file mode 100644
index 0b9627f8c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Potential CVE-2022-29072 Exploitation Attempt
-id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
-status: test
-description: |
- Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
- 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
- The command runs in a child process under the 7zFM.exe process.
-references:
- - https://github.com/kagancapar/CVE-2022-29072
- - https://twitter.com/kagancapar/status/1515219358234161153
-author: frack113
-date: 2022/04/17
-modified: 2023/02/07
-tags:
- - attack.execution
- - cve.2022.29072
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- - NewProcessName|endswith: \cmd.exe
- - OriginalFileName: Cmd.Exe
- selection_parent:
- ParentProcessName|endswith: \7zFM.exe
- filter_bat:
- CommandLine|contains:
- - ' /c '
- - ' /k '
- - ' /r '
- filter_null:
- CommandLine:
- condition: process_creation and (all of selection_* and not 1 of filter_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
deleted file mode 100644
index fc80fe972..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-title: Suspicious Sysmon as Execution Parent
-id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
-status: experimental
-description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
-references:
- - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
- - https://twitter.com/filip_dragovic/status/1590052248260055041
- - https://twitter.com/filip_dragovic/status/1590104354727436290
-author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
-date: 2022/11/10
-modified: 2023/10/23
-tags:
- - attack.privilege_escalation
- - attack.t1068
- - cve.2022.41120
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith:
- - \Sysmon.exe
- - \Sysmon64.exe
- filter_main_generic:
- NewProcessName|contains:
- - :\Windows\Sysmon.exe
- - :\Windows\Sysmon64.exe
- - :\Windows\System32\conhost.exe
- - :\Windows\System32\WerFault.exe # When Sysmon crashes
- - :\Windows\System32\WerFaultSecure.exe # When Sysmon crashes
- - :\Windows\System32\wevtutil.exe
- - :\Windows\SysWOW64\wevtutil.exe
- - \AppData\Local\Temp\Sysmon.exe # When launching Sysmon 32bit version.
- filter_main_null:
- NewProcessName:
- condition: process_creation and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
deleted file mode 100644
index d463111cc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: BlueSky Ransomware Artefacts
-id: eee8311f-a752-44f0-bf2f-6b007db16300
-status: experimental
-description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
-references:
- - https://unit42.paloaltonetworks.com/bluesky-ransomware/
-author: j4son
-date: 2023/05/23
-tags:
- - attack.impact
- - attack.t1486
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
-detection:
- security:
- Channel: Security
- selection_access_eid:
- EventID:
- - 4663
- - 4656
- selection_access_data:
- - ObjectName|endswith: .bluesky
- - ObjectName|contains: DECRYPT FILES BLUESKY
- selection_share_eid:
- EventID: 5145
- selection_share_data:
- - RelativeTargetName|endswith: .bluesky
- - RelativeTargetName|contains: DECRYPT FILES BLUESKY
- condition: security and (all of selection_access_* or all of selection_share_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
deleted file mode 100644
index 4bff8d5dd..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Hermetic Wiper TG Process Patterns
-id: 2f974656-6d83-4059-bbdf-68ac5403422f
-status: test
-description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
-references:
- - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
-author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2022/09/09
-tags:
- - attack.execution
- - attack.lateral_movement
- - attack.t1021.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection1:
- NewProcessName|endswith: \policydefinitions\postgresql.exe
- selection2:
- - CommandLine|contains:
- - CSIDL_SYSTEM_DRIVE\temp\sys.tmp
- - ' 1> \\\\127.0.0.1\ADMIN$\__16'
- - CommandLine|contains|all:
- - 'powershell -c '
- - '\comsvcs.dll MiniDump '
- - \winupd.log full
- condition: process_creation and (1 of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
deleted file mode 100644
index 232ecd0ce..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Potential Raspberry Robin Dot Ending File
-id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
-status: test
-description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
-author: Nasreddine Bencherchali (Nextron Systems)
-references:
- - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
-date: 2022/10/28
-modified: 2023/02/05
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
- # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
- # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
- CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
deleted file mode 100644
index acaf0e817..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: MSSQL Extended Stored Procedure Backdoor Maggie
-id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
-status: test
-description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
-references:
- - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
-author: Denis Szadkowski, DIRT / DCSO CyTec
-date: 2022/10/09
-modified: 2022/10/09
-tags:
- - attack.persistence
- - attack.t1546
- - detection.emerging_threats
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSSQLSERVER
- EventID: 8128
- Message|contains: maggie
- condition: application and selection
-falsepositives:
- - Legitimate extended stored procedures named maggie
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
deleted file mode 100644
index 6057c3acd..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Potential ACTINIUM Persistence Activity
-id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
-status: test
-description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
-references:
- - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
-author: Andreas Hunkeler (@Karneades)
-date: 2022/02/07
-modified: 2023/03/18
-tags:
- - attack.persistence
- - attack.t1053
- - attack.t1053.005
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - schtasks
- - create
- - wscript
- - ' /e:vbscript'
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
deleted file mode 100644
index 5c0b098dc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: MERCURY APT Activity
-id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
-status: experimental
-description: Detects suspicious command line patterns seen being used by MERCURY APT
-references:
- - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
-author: Florian Roth (Nextron Systems)
-date: 2022/08/26
-modified: 2023/03/10
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.g0069
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_base:
- CommandLine|contains|all:
- - -exec bypass -w 1 -enc
- - UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA # Start-Job -ScriptBlock
- condition: process_creation and (all of selection*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
deleted file mode 100644
index 32d19b72f..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
-id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
-related:
- - id: f8987c03-4290-4c96-870f-55e75ee377f4
- type: similar
-status: experimental
-description: |
- Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
-references:
- - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
- - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
- - https://github.com/ForceFledgling/CVE-2023-22518
-author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
-tags:
- - detection.emerging_threats
- - attack.execution
- - attack.t1059
- - attack.initial_access
- - attack.t1190
- - cve.2023.22518
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_parent:
- ParentCommandLine|contains: confluence
- ParentProcessName|endswith:
- - \tomcat8.exe
- - \tomcat9.exe
- - \tomcat10.exe
- selection_child:
- # Note: Only children associated with known campaigns
- - NewProcessName|endswith:
- - \cmd.exe
- - \powershell.exe
- - OriginalFileName:
- - Cmd.Exe
- - PowerShell.EXE
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
deleted file mode 100644
index ce540193e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Outlook Task/Note Reminder Received
-id: fc06e655-d98c-412f-ac76-05c2698b1cb2
-status: experimental
-description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/05
-modified: 2023/08/17
-tags:
- - attack.persistence
- - attack.t1137
- - cve.2023.23397
- - detection.emerging_threats
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains|all:
- - \SOFTWARE\Microsoft\Office\
- - \Outlook\
- ObjectName|contains:
- - \Tasks\
- - \Notes\
- condition: registry_set and selection
-falsepositives:
- - Legitimate reminders received for a task or a note will also trigger this rule.
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
deleted file mode 100644
index f8939caee..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: CVE-2023-23397 Exploitation Attempt
-id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
-status: experimental
-description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
-author: Robert Lee @quantum_cookie
-date: 2023/03/16
-modified: 2023/03/22
-references:
- - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
-tags:
- - attack.credential_access
- - attack.initial_access
- - cve.2023.23397
- - detection.emerging_threats
-logsource:
- service: security
- product: windows
- definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
-detection:
- security:
- Channel: Security
- selection:
- EventID:
- - 4656
- - 4663
- ProcessName|endswith: \OUTLOOK.EXE
- # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
- ObjectName|contains|all:
- - \REGISTRY\MACHINE\SYSTEM
- - Services\
- ObjectName|endswith:
- - WebClient\NetworkProvider
- - LanmanWorkstation\NetworkProvider
- AccessList|contains: '%%4416' # "Query key value"
- condition: security and selection
-falsepositives:
- - Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
deleted file mode 100644
index a6a65c13c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-title: Potential CVE-2023-23397 Exploitation Attempt - SMB
-id: de96b824-02b0-4241-9356-7e9b47f04bac
-status: experimental
-description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/05
-tags:
- - attack.exfiltration
- - cve.2023.23397
- - detection.emerging_threats
-logsource:
- product: windows
- service: smbclient-connectivity
-detection:
- smbclient_connectivity:
- Channel: Microsoft-Windows-SmbClient/Connectivity
- selection:
- # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
- EventID:
- # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
- - 30803 # Failed to establish a network connection.
- - 30804 # A network connection was disconnected.
- - 30806 # The client re-established its session to the server.
- # - 31001 # Error (Doesn't contain the "ServerAddress" field)
- filter_main_local_ips:
- ServerAddress|startswith:
- - '10.' # 10.0.0.0/8
- - 192.168. # 192.168.0.0/16
- - 172.16. # 172.16.0.0/12
- - 172.17.
- - 172.18.
- - 172.19.
- - 172.20.
- - 172.21.
- - 172.22.
- - 172.23.
- - 172.24.
- - 172.25.
- - 172.26.
- - 172.27.
- - 172.28.
- - 172.29.
- - 172.30.
- - 172.31.
- - '127.' # 127.0.0.0/8
- - 169.254. # 169.254.0.0/16
- condition: smbclient_connectivity and (selection and not 1 of filter_main_*)
-falsepositives:
- - Some false positives may occur from external trusted servers. Apply additional filters accordingly
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
deleted file mode 100644
index 5fcb96159..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Potential CVE-2023-36884 Exploitation - Share Access
-id: 3df95076-9e78-4e63-accb-16699c3b74f8
-status: experimental
-description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
-references:
- - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/13
-tags:
- - attack.command_and_control
- - cve.2023.36884
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
- definition: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure
-detection:
- security:
- Channel: Security
- selection_eid:
- EventID: 5140
- selection_share_name:
- ShareName|contains: \MSHTML_C7\
- ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
- selection_share_path:
- ShareLocalPath|contains: \MSHTML_C7\
- ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
- condition: security and (selection_eid and 1 of selection_share_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
deleted file mode 100644
index fed5935a0..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
-id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
-related:
- - id: e4556676-fc5c-4e95-8c39-5ef27791541f
- type: similar
-status: experimental
-description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
-references:
- - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
-author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
-date: 2023/08/30
-tags:
- - detection.emerging_threats
- - attack.execution
- - attack.t1203
- - cve.2023.38331
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_parent:
- ParentProcessName|endswith: \WinRAR.exe
- selection_folder:
- CommandLine|contains: \AppData\Local\Temp\Rar$
- selection_double_ext:
- CommandLine|re: \.[a-zA-Z0-9]{1,4} \.
- selection_binaries:
- # Note: add additional binaries that the attacker might use
- - NewProcessName|endswith:
- - \cmd.exe
- - \wscript.exe
- - OriginalFileName:
- - Cmd.Exe
- - cscript.exe
- - PowerShell.EXE
- - pwsh.dll
- - wscript.exe
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
deleted file mode 100644
index d0076ebdc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
-id: e5a29b54-6fe7-4258-8a23-82960e31231a
-status: experimental
-description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
-references:
- - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
- - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
- - https://www.rarlab.com/vuln_rev3_names.html
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
-tags:
- - attack.execution
- - cve.2023.40477
- - detection.emerging_threats
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: Application Error
- EventID: 1000
- AppName: WinRAR.exe
- filter_main_fixed_version:
- # TODO: fix this when the "lt" modifier is implemented for software versions
- AppVersion|startswith:
- - 6.23.
- - 6.24.
- - 6.25.
- - 6.26.
- - '7.'
- condition: application and (selection and not 1 of filter_main_*)
-falsepositives:
- - Legitimate crash for reasons other than exploitation of the vulnerability
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
deleted file mode 100644
index 16ef41993..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: MSMQ Corrupted Packet Encountered
-id: ae94b10d-fee9-4767-82bb-439b309d5a27
-status: experimental
-description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
-references:
- - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/21
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- product: windows
- service: application
-detection:
- application:
- Channel: Application
- selection:
- Provider_Name: MSMQ
- EventID: 2027
- Level: 2
- condition: application and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
deleted file mode 100644
index e9e6fcf11..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: COLDSTEEL RAT Anonymous User Process Execution
-id: e01b6eb5-1eb4-4465-a165-85d40d874add
-status: experimental
-description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
-tags:
- - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|contains:
- - \Windows\System32\
- - \AppData\
- SubjectUserName|contains: ANONYMOUS
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
deleted file mode 100644
index b5c42591e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: COLDSTEEL RAT Service Persistence Execution
-id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
-status: experimental
-description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
-author: X__Junior (Nextron Systems)
-date: 2023/04/30
-tags:
- - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|endswith:
- - ' -k msupdate'
- - ' -k msupdate2'
- - ' -k alg'
- NewProcessName|endswith: \svchost.exe
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
deleted file mode 100644
index 621561baf..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Potential COLDSTEEL RAT Windows User Creation
-id: 95214813-4c7a-4a50-921b-ee5c538e1d16
-status: experimental
-description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
-modified: 2023/08/17
-tags:
- - attack.persistence
- - detection.emerging_threats
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains|all:
- - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-
- - \ProfileImagePath
- NewValue|contains:
- - ANONYMOUS
- - _DomainUser_
- condition: registry_set and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
deleted file mode 100644
index a1e270191..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: COLDSTEEL Persistence Service Creation
-id: 3ced239c-7285-4b54-99c4-8525b69293f7
-status: test
-description: Detects the creation of new services potentially related to COLDSTEEL RAT
-references:
- - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
-tags:
- - attack.defense_evasion
- - attack.persistence
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName:
- - Name
- - msupdate
- - msupdate2
- ImagePath|contains: \Windows\System32\svchost.exe
- condition: system and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
deleted file mode 100644
index befa6a640..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: DarkGate - Autoit3.EXE Execution Parameters
-id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
-status: experimental
-description: |
- Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
- the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
- command-and-control server.
-references:
- - https://github.security.telekom.com/2023/08/darkgate-loader.html
- - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
- - https://github.com/pr0xylife/DarkGate/tree/main
-author: Micah Babinski
-date: 2023/10/15
-tags:
- - attack.execution
- - attack.t1059
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_proc:
- - NewProcessName|endswith: \Autoit3.exe
- - OriginalFileName: AutoIt3.exe
- selection_parent:
- ParentProcessName|endswith:
- - \cmd.exe
- - \KeyScramblerLogon.exe
- - \msiexec.exe
- filter_main_legit_autoit_location:
- NewProcessName|endswith:
- - :\Program Files (x86)\AutoIt3\AutoIt3.exe
- - :\Program Files\AutoIt3\AutoIt3.exe
- condition: process_creation and (all of selection_* and not 1 of filter_main_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
deleted file mode 100644
index 5cc0bceca..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: DarkGate - User Created Via Net.EXE
-id: bf906d7b-7070-4642-8383-e404cf26eba5
-status: experimental
-description: Detects creation of local users via the net.exe command with the name of "DarkGate"
-references:
- - Internal Research
-author: X__Junior (Nextron Systems)
-date: 2023/08/27
-modified: 2023/10/15
-tags:
- - attack.persistence
- - attack.t1136.001
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- # /c net user /add SafeMode DarkGate0!
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - user
- - add
- - DarkGate
- - SafeMode
- NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
deleted file mode 100644
index 309d7c208..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Griffon Malware Attack Pattern
-id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
-status: experimental
-description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
-references:
- - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - \local\temp\
- - //b /e:jscript
- - .txt
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
deleted file mode 100644
index b787c5815..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
-id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
-status: experimental
-description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
-references:
- - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
- - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|endswith:
- - \1.dll, DllRegisterServer # In case of full path exec
- - ' 1.dll, DllRegisterServer' # In case of direct exec
- NewProcessName|endswith: \rundll32.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
deleted file mode 100644
index eb0b05b05..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
-id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
-status: experimental
-description: |
- Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
- Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
- In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
-references:
- - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
- - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
-author: Alejandro Houspanossian ('@lekz86')
-date: 2024/01/02
-tags:
- - attack.execution
- - attack.t1059.003
- - attack.t1105
- - attack.t1218
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cmd:
- CommandLine|contains|all:
- - cmd
- - /c
- selection_pipes:
- CommandLine|contains:
- - ' & '
- - ' || '
- selection_commands_1:
- CommandLine|contains:
- - ' curl'
- - ' wget'
- - ' timeout '
- - ' ping '
- selection_commands_2:
- CommandLine|contains:
- - ' rundll32'
- - ' mkdir '
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
deleted file mode 100644
index ef3cd6a8a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
-id: 698d4431-514f-4c82-af4d-cf573872a9f5
-status: experimental
-description: |
- Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups.
- The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
-references:
- - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
-author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-tags:
- - attack.discovery
- - attack.t1016
- - attack.t1049
- - attack.t1087
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
- definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- GrandParentImage|endswith: \rundll32.exe
- CommandLine:
- # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
- - ipconfig.exe /all
- - netstat.exe -aon
- - whoami.exe /all
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
deleted file mode 100644
index 61cb4db93..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
-id: d8937fe7-42d5-4b4d-8178-e089c908f63f
-status: experimental
-description: |
- Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
- The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
-references:
- - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
-author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-tags:
- - attack.defense_evasion
- - attack.t1055.012
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \rundll32.exe
- NewProcessName|endswith:
- # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
- - \searchprotocolhost.exe
- - \sndvol.exe
- - \wermgr.exe
- - \wwahost.exe
- filter_main_legit_sndvol:
- ParentCommandLine|contains: mmsys.cpl
- NewProcessName|endswith: \sndvol.exe
- condition: process_creation and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
deleted file mode 100644
index b4e75b47d..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Qakbot Regsvr32 Calc Pattern
-id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
-status: experimental
-description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
-references:
- - https://github.com/pr0xylife/Qakbot/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
-tags:
- - attack.defense_evasion
- - attack.execution
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- - ' /s'
- - ' -s'
- CommandLine|endswith: ' calc'
- NewProcessName|endswith: \regsvr32.exe
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
deleted file mode 100644
index 13805359e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Potential Qakbot Rundll32 Execution
-id: cf879ffb-793a-4753-9a14-bc8f37cc90df
-status: experimental
-description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
-references:
- - https://github.com/pr0xylife/Qakbot/
-author: X__Junior (Nextron Systems)
-date: 2023/05/24
-tags:
- - attack.defense_evasion
- - attack.execution
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_paths:
- CommandLine|contains:
- # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- - :\ProgramData\
- - :\Users\Public\
- - \AppData\Local\Temp\
- - \AppData\Roaming\
- ParentProcessName|endswith:
- # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- - \cmd.exe
- - \cscript.exe
- - \curl.exe
- - \mshta.exe
- - \powershell.exe
- - \pwsh.exe
- - \wscript.exe
- NewProcessName|endswith: \rundll32.exe
- selection_extension:
- CommandLine|contains: .dll
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
deleted file mode 100644
index d72dabfc0..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-title: Qakbot Rundll32 Exports Execution
-id: 339ed3d6-5490-46d0-96a7-8abe33078f58
-status: experimental
-description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
-references:
- - https://github.com/pr0xylife/Qakbot/
-author: X__Junior (Nextron Systems)
-date: 2023/05/24
-modified: 2023/05/30
-tags:
- - attack.defense_evasion
- - attack.execution
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_paths:
- CommandLine|contains:
- # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- - :\ProgramData\
- - :\Users\Public\
- - \AppData\Local\Temp\
- - \AppData\Roaming\
- ParentProcessName|endswith:
- # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- - \cmd.exe
- - \cscript.exe
- - \curl.exe
- - \mshta.exe
- - \powershell.exe
- - \pwsh.exe
- - \wscript.exe
- NewProcessName|endswith: \rundll32.exe
- selection_exports:
- CommandLine|endswith:
- # Note: Only add additional exports seen used by Qakbot
- - aslr # https://tria.ge/230524-scgq9add9v/behavioral1#report
- - bind
- - DrawThemeIcon
- - GG10
- - GL70
- - jhbvygftr
- - kjhbhkjvydrt
- - LS88
- - Motd
- - N115
- - next # https://tria.ge/230530-n3rxpahf9w/behavioral2
- - Nikn
- - print
- - qqqb
- - qqqq
- - RS32
- - Test
- - Time
- - Updt
- - vips
- - Wind
- - WW50
- - X555
- - XL55
- - xlAutoOpen
- - XS88
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
deleted file mode 100644
index 854e6d612..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Qakbot Rundll32 Fake DLL Extension Execution
-id: bfd34392-c591-4009-b938-9fd985a28b85
-status: experimental
-description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
-references:
- - https://github.com/pr0xylife/Qakbot/
-author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/24
-tags:
- - attack.defense_evasion
- - attack.execution
- - detection.emerging_threats
-logsource:
- product: windows
- category: process_creation
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains:
- # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- - :\ProgramData\
- - :\Users\Public\
- - \AppData\Local\Temp\
- - \AppData\Roaming\
- ParentProcessName|endswith:
- # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- - \cmd.exe
- - \cscript.exe
- - \curl.exe
- - \mshta.exe
- - \powershell.exe
- - \pwsh.exe
- - \wscript.exe
- NewProcessName|endswith: \rundll32.exe
- filter_main_extension:
- CommandLine|contains: .dll
- condition: process_creation and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
deleted file mode 100644
index af3fa3ddc..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Qakbot Uninstaller Execution
-id: bc309b7a-3c29-4937-a4a3-e232473f9168
-status: experimental
-description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
-references:
- - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
- - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
- - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
-author: Florian Roth (Nextron Systems)
-date: 2023/08/31
-modified: 2023/09/01
-tags:
- - detection.emerging_threats
- - attack.execution
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- - NewProcessName|endswith: \QbotUninstall.exe
- - Hashes|contains:
- - IMPHASH=E772C815072311D6FB8C3390743E6BE5
- - SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180
- - SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6
- - SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071
- - SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
deleted file mode 100644
index 9bed93d19..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
-id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
-status: test
-description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
-references:
- - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
- - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
- - https://www.joesandbox.com/analysis/790122/0/html
- - https://twitter.com/anfam17/status/1607477672057208835
-author: TropChaud
-date: 2023/01/26
-modified: 2023/02/05
-tags:
- - attack.defense_evasion
- - attack.t1218.011
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_rundll32:
- - OriginalFileName: RUNDLL32.EXE
- - NewProcessName|endswith: \rundll32.exe
- selection_dll:
- CommandLine|contains: nsis_uns
- selection_export_function:
- CommandLine|contains: PrintUIEntry
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Unknown
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
deleted file mode 100644
index 370c7e1e5..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Rorschach Ransomware Execution Activity
-id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
-status: experimental
-description: Detects Rorschach ransomware execution activity
-references:
- - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
-author: X__Junior (Nextron Systems)
-date: 2023/04/04
-modified: 2023/04/22
-tags:
- - attack.execution
- - attack.t1059.003
- - attack.t1059.001
- - attack.defense_evasion
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: '11111111'
- NewProcessName|endswith:
- - \bcdedit.exe
- - \net.exe
- - \net1.exe
- - \netsh.exe
- - \wevtutil.exe
- - \vssadmin.exe
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
deleted file mode 100644
index 7d35a7cf4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Potential SNAKE Malware Installation CLI Arguments Indicator
-id: 02cbc035-b390-49fe-a9ff-3bb402c826db
-status: experimental
-description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
-references:
- - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- # This CLI regex is based on the following description from the report:
- # The jpsetup.exe installer requires two arguments to be passed via the command line for execution
- # The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256
- # The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)
- CommandLine|re: \s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
deleted file mode 100644
index 667f4e15a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-title: Potential SNAKE Malware Installation Binary Indicator
-id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733
-status: experimental
-description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
-references:
- - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- NewProcessName|endswith:
- - \jpsetup.exe
- - \jpinst.exe
- filter_main_cli_name:
- CommandLine:
- - jpinst.exe
- - jpinst
- - jpsetup.exe
- - jpsetup
- filter_main_cli_empty:
- CommandLine: ''
- filter_main_cli_null:
- CommandLine:
- condition: process_creation and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
deleted file mode 100644
index a63d4bdaa..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Potential SNAKE Malware Persistence Service Execution
-id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
-status: experimental
-description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
-references:
- - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \services.exe
- NewProcessName|startswith: C:\Windows\WinSxS\
- NewProcessName|endswith: \WerFault.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
deleted file mode 100644
index efcdeee56..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: SNAKE Malware Covert Store Registry Key
-id: d0fa35db-0e92-400e-aa16-d32ae2521618
-status: experimental
-description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
-references:
- - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/11
-tags:
- - attack.persistence
- - detection.emerging_threats
-logsource:
- category: registry_event
- product: windows
-detection:
- registry_event:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|endswith: SECURITY\Policy\Secrets\n
- condition: registry_event and selection
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
deleted file mode 100644
index e8c30e58a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Potential Encrypted Registry Blob Related To SNAKE Malware
-id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
-status: experimental
-description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
-references:
- - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
-modified: 2023/08/17
-tags:
- - attack.persistence
- - detection.emerging_threats
-logsource:
- category: registry_set
- product: windows
-detection:
- registry_set:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\
- filter_main_wav:
- - ObjectName|endswith: .AssocFile.WAV
- - ObjectName|contains: .wav.
- condition: registry_set and (selection and not 1 of filter_main_*)
-falsepositives:
- - Some additional tuning might be required to tune out legitimate processes that write to this key by default
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
deleted file mode 100644
index c1217463b..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: SNAKE Malware Service Persistence
-id: b2e60816-96b2-45bd-ba91-b63578c03ef6
-status: experimental
-description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
-references:
- - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
-tags:
- - attack.persistence
- - detection.emerging_threats
-logsource:
- product: windows
- service: system
-detection:
- system:
- Channel: System
- selection:
- Provider_Name: Service Control Manager
- EventID: 7045
- ServiceName|contains: WerFaultSvc # Note: The report contains a "," in the name ("WerFaultSvc,"). Since we can't confirm if its a typo or not we don't use it
- ImagePath|startswith: C:\Windows\WinSxS\
- ImagePath|endswith: \WerFault.exe
- condition: system and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
deleted file mode 100644
index fe135e832..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-title: Potential Compromised 3CXDesktopApp Execution
-id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
-related:
- - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
- type: similar
- - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
- type: similar
- - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
- type: similar
- - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
- type: similar
- - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
- type: similar
- - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
- type: similar
- - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
- type: similar
-status: experimental
-description: Detects execution of known compromised version of 3CXDesktopApp
-references:
- - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_hashes_1:
- Hashes|contains:
- # 3CX Desktop 18.12.407
- - SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC
- - SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02
- - SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE
- - SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859
- - SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187
- - SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA
- - MD5=BB915073385DD16A846DFA318AFA3C19
- - MD5=08D79E1FFFA244CC0DC61F7D2036ACA9
- - MD5=4965EDF659753E3C05D800C6C8A23A7A
- # 3CX Desktop 18.12.416
- - SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405
- - SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734
- - SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203
- - SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1
- - SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB
- - SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5
- - MD5=9833A4779B69B38E3E51F04E395674C6
- - MD5=704DB9184700481A56E5100FB56496CE
- - MD5=8EE6802F085F7A9DF7E0303E65722DC0
- # 3CXDesktopApp MSI
- - SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868
- - SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983
- - SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA
- - SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E
- - MD5=F3D4144860CA10BA60F7EF4D176CC736
- - MD5=0EEB1C0133EB4D571178B2D9D14CE3E9
- selection_hashes_2:
- - sha256:
- - DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC
- - 54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02
- - D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE
- - FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405
- - 5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734
- - A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203
- - AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868
- - 59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983
- - sha1:
- - 480DC408EF50BE69EBCF84B95750F7E93A8A1859
- - 3B43A5D8B83C637D00D769660D01333E88F5A187
- - 6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA
- - E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1
- - 8433A94AEDB6380AC8D4610AF643FB0E5220C5CB
- - 413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5
- - BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA
- - BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E
- - md5:
- - BB915073385DD16A846DFA318AFA3C19
- - 08D79E1FFFA244CC0DC61F7D2036ACA9
- - 4965EDF659753E3C05D800C6C8A23A7A
- - 9833A4779B69B38E3E51F04E395674C6
- - 704DB9184700481A56E5100FB56496CE
- - 8EE6802F085F7A9DF7E0303E65722DC0
- - F3D4144860CA10BA60F7EF4D176CC736
- - 0EEB1C0133EB4D571178B2D9D14CE3E9
- selection_pe_1:
- - OriginalFileName: 3CXDesktopApp.exe
- - NewProcessName|endswith: \3CXDesktopApp.exe
- - Product: 3CX Desktop App
- selection_pe_2:
- FileVersion|contains: 18.12.
- condition: process_creation and (all of selection_pe_* or 1 of selection_hashes_*)
-falsepositives:
- - Legitimate usage of 3CXDesktopApp
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
deleted file mode 100644
index 6d08d787c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-title: Potential Suspicious Child Process Of 3CXDesktopApp
-id: 63f3605b-979f-48c2-b7cc-7f90523fed88
-related:
- - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
- type: similar
- - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
- type: similar
- - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
- type: similar
- - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
- type: similar
- - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
- type: similar
- - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
- type: similar
- - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
- type: similar
-status: experimental
-description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
-references:
- - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-tags:
- - attack.command_and_control
- - attack.execution
- - attack.t1218
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \3CXDesktopApp.exe
- NewProcessName|endswith:
- - \cmd.exe
- - \cscript.exe
- - \mshta.exe
- - \powershell.exe
- - \pwsh.exe
- - \regsvr32.exe
- - \rundll32.exe
- - \wscript.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
deleted file mode 100644
index 2c79aa6a2..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-title: Potential Compromised 3CXDesktopApp Update Activity
-id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
-related:
- - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
- type: similar
- - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
- type: similar
- - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
- type: similar
- - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
- type: similar
- - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
- type: similar
- - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
- type: similar
- - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
- type: similar
-status: experimental
-description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
-references:
- - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
- - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - --update
- - http
- - /electron/update/win32/18.12
- NewProcessName|endswith: \3CXDesktopApp\app\update.exe
- condition: process_creation and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
deleted file mode 100644
index 3ca90b2c4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
-id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
-related:
- - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
- type: similar
-status: experimental
-description: Hunts for known SVR-specific scheduled task names
-author: CISA
-references:
- - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-date: 2023/12/18
-tags:
- - attack.persistence
-logsource:
- service: security
- product: windows
-detection:
- security:
- Channel: Security
- selection:
- EventID:
- - 4698
- - 4699
- - 4702
- TaskName:
- - \defender
- - \Microsoft\DefenderService
- - \Microsoft\Windows\Application Experience\StartupAppTaskCheck
- - \Microsoft\Windows\Application Experience\StartupAppTaskCkeck
- - \Microsoft\Windows\ATPUpd
- - \Microsoft\Windows\Data Integrity Scan\Data Integrity Update
- - \Microsoft\Windows\DefenderUPDService
- - \Microsoft\Windows\IISUpdateService
- - \Microsoft\Windows\Speech\SpeechModelInstallTask
- - \Microsoft\Windows\WiMSDFS
- - \Microsoft\Windows\Windows Defender\Defender Update Service
- - \Microsoft\Windows\Windows Defender\Service Update
- - \Microsoft\Windows\Windows Error Reporting\CheckReporting
- - \Microsoft\Windows\Windows Error Reporting\SubmitReporting
- - \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart
- - \Microsoft\Windows\WindowsDefenderService
- - \Microsoft\Windows\WindowsDefenderService2
- - \Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck
- - \Microsoft\Windows\WindowsUpdate\Scheduled Check
- - \WindowUpdate
- condition: security and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
deleted file mode 100644
index 1ed268e58..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
-id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
-related:
- - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
- type: similar
-status: experimental
-description: Hunts for known SVR-specific scheduled task names
-author: CISA
-references:
- - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-date: 2023/12/18
-tags:
- - attack.persistence
-logsource:
- product: windows
- service: taskscheduler
- definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
-detection:
- taskscheduler:
- Channel: Microsoft-Windows-TaskScheduler/Operational
- selection:
- EventID:
- - 129 # Task Created
- - 140 # Task Updated
- - 141 # Task Deleted
- TaskName:
- - \defender
- - \Microsoft\DefenderService
- - \Microsoft\Windows\Application Experience\StartupAppTaskCheck
- - \Microsoft\Windows\Application Experience\StartupAppTaskCkeck
- - \Microsoft\Windows\ATPUpd
- - \Microsoft\Windows\Data Integrity Scan\Data Integrity Update
- - \Microsoft\Windows\DefenderUPDService
- - \Microsoft\Windows\IISUpdateService
- - \Microsoft\Windows\Speech\SpeechModelInstallTask
- - \Microsoft\Windows\WiMSDFS
- - \Microsoft\Windows\Windows Defender\Defender Update Service
- - \Microsoft\Windows\Windows Defender\Service Update
- - \Microsoft\Windows\Windows Error Reporting\CheckReporting
- - \Microsoft\Windows\Windows Error Reporting\SubmitReporting
- - \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart
- - \Microsoft\Windows\WindowsDefenderService
- - \Microsoft\Windows\WindowsDefenderService2
- - \Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck
- - \Microsoft\Windows\WindowsUpdate\Scheduled Check
- - \WindowUpdate
- condition: taskscheduler and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
deleted file mode 100644
index c758c8c1a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Diamond Sleet APT Process Activity Indicators
-id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
-status: experimental
-description: Detects process creation activity indicators related to Diamond Sleet APT
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: ' uTYNkfKxHiZrx3KJ'
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
deleted file mode 100644
index e3f0b4f68..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Diamond Sleet APT Scheduled Task Creation - Registry
-id: 9f9f92ba-5300-43a4-b435-87d1ee571688
-status: experimental
-description: |
- Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
-tags:
- - attack.defense_evasion
- - attack.t1562
- - detection.emerging_threats
-logsource:
- product: windows
- category: registry_event
-detection:
- registry_event:
- EventID: 4657
- Channel: Security
- selection:
- ObjectName|contains|all:
- - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
- - Windows TeamCity Settings User Interface
- condition: registry_event and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
deleted file mode 100644
index bd2d0fd73..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Diamond Sleet APT Scheduled Task Creation
-id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
-status: experimental
-description: |
- Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
-tags:
- - attack.execution
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1053.005
- - detection.emerging_threats
-logsource:
- product: windows
- service: security
- definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.
-detection:
- security:
- Channel: Security
- selection:
- EventID: 4698
- TaskName: \Windows TeamCity Settings User Interface
- TaskContent|contains: uTYNkfKxHiZrx3KJ
- condition: security and selection
-falsepositives:
- - Unknown
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
deleted file mode 100644
index 42d31a657..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Potential APT FIN7 POWERHOLD Execution
-id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
-status: test
-description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
-references:
- - https://labs.withsecure.com/publications/fin7-target-veeam-servers
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.g0046
- - detection.emerging_threats
-logsource:
- product: windows
- category: ps_script
- definition: bade5735-5ab0-4aa7-a642-a11be0e40872
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains|all:
- - $env:APPDATA
- - function MainPayload
- - ::WriteAllBytes
- - wscript.exe
- condition: ps_script and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
deleted file mode 100644
index 57cefdae8..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Potential POWERTRASH Script Execution
-id: 4e19528a-f081-40dd-be09-90c39352bd64
-status: test
-description: Detects potential execution of the PowerShell script POWERTRASH
-references:
- - https://labs.withsecure.com/publications/fin7-target-veeam-servers
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.g0046
- - detection.emerging_threats
-logsource:
- product: windows
- category: ps_script
- definition: bade5735-5ab0-4aa7-a642-a11be0e40872
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains|all:
- - IO.Compression.DeflateStream
- - IO.MemoryStream
- - ::FromBase64String
- - GetDelegateForFunctionPointer
- - .Invoke()
- - GlobalAssemblyCache
- condition: ps_script and selection
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
deleted file mode 100644
index 180ec761d..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
-id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
-status: experimental
-description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
-references:
- - https://labs.withsecure.com/publications/fin7-target-veeam-servers
- - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
- - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
-tags:
- - attack.execution
- - attack.g0046
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- CommandLine|contains|all:
- - -noni -nop -exe bypass -f \\\\
- - ADMIN$
- selection_2:
- CommandLine|contains|all:
- - -ex bypass -noprof -nolog -nonint -f
- - C:\Windows\Temp\
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
deleted file mode 100644
index 59af99f0a..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Lace Tempest PowerShell Evidence Eraser
-id: b377ddab-502d-4519-9e8c-5590033d2d70
-status: experimental
-description: |
- Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
-references:
- - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
-tags:
- - attack.execution
- - attack.t1059.001
- - detection.emerging_threats
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains|all:
- - cleanLL
- - usersfiles.war
- - Remove-Item -Path "$tomcat_dir
- - SysAidServer
- - 'sleep '
- - while(1)
- condition: ps_script and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
deleted file mode 100644
index b7c27b5b4..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Lace Tempest PowerShell Launcher
-id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
-status: experimental
-description: |
- Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
-references:
- - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
-tags:
- - attack.execution
- - attack.t1059.001
- - detection.emerging_threats
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- ps_script:
- EventID: 4104
- Channel:
- - Microsoft-Windows-PowerShell/Operational
- - PowerShellCore/Operational
- selection:
- ScriptBlockText|contains|all:
- - \SysAidServer\tomcat\webapps
- - Starting user.exe
- - \usersfiles\user.exe
- - Remove-Item -Force "$wapps
- - (Sophos).
- condition: ps_script and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
deleted file mode 100644
index c692c3e8c..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Lace Tempest Cobalt Strike Download
-id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
-status: experimental
-description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
-references:
- - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains|all:
- - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
- - /a')
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
deleted file mode 100644
index 2ab168f21..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Lace Tempest Malware Loader Execution
-id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
-status: experimental
-description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
-references:
- - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_img:
- NewProcessName|endswith: :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe
- selection_hash:
- Hashes|contains: SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
deleted file mode 100644
index 090789553..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+++ /dev/null
@@ -1,120 +0,0 @@
-title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
-id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
-status: test
-description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
-author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/04/25
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_parent:
- ParentProcessName|contains|all:
- - aspera
- - \ruby
- selection_special_child_powershell_img:
- NewProcessName|endswith:
- - \powershell.exe
- - \powershell_ise.exe
- selection_special_child_powershell_cli:
- - CommandLine|contains:
- - ' echo '
- - -dumpmode
- - -ssh
- - .dmp
- - add-MpPreference
- - adscredentials
- - bitsadmin
- - certutil
- - csvhost.exe
- - DownloadFile
- - DownloadString
- - dsquery
- - ekern.exe
- - FromBase64String
- - 'iex '
- - iex(
- - Invoke-Expression
- - Invoke-WebRequest
- - localgroup administrators
- - net group
- - net user
- - o365accountconfiguration
- - query session
- - samaccountname=
- - set-MpPreference
- - svhost.exe
- - System.IO.Compression
- - System.IO.MemoryStream
- - usoprivate
- - usoshared
- - whoami
- - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- selection_special_child_lsass_1:
- CommandLine|contains: lsass
- selection_special_child_lsass_2:
- CommandLine|contains:
- - procdump
- - tasklist
- - findstr
- selection_child_wget:
- CommandLine|contains: http
- NewProcessName|endswith: \wget.exe
- selection_child_curl:
- CommandLine|contains: http
- NewProcessName|endswith: \curl.exe
- selection_child_script:
- CommandLine|contains:
- - E:jscript
- - e:vbscript
- selection_child_localgroup:
- CommandLine|contains|all:
- - localgroup Administrators
- - /add
- selection_child_net:
- CommandLine|contains: net # Covers net1
- CommandLine|contains|all:
- - user
- - /add
- selection_child_reg:
- - CommandLine|contains|all:
- - reg add
- - DisableAntiSpyware
- - \Microsoft\Windows Defender
- - CommandLine|contains|all:
- - reg add
- - DisableRestrictedAdmin
- - CurrentControlSet\Control\Lsa
- selection_child_wmic_1:
- CommandLine|contains|all:
- - wmic
- - process call create
- selection_child_wmic_2:
- CommandLine|contains|all:
- - wmic
- - delete
- - shadowcopy
- selection_child_vssadmin:
- CommandLine|contains|all:
- - vssadmin
- - delete
- - shadows
- selection_child_wbadmin:
- CommandLine|contains|all:
- - wbadmin
- - delete
- - catalog
- condition: process_creation and (selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*))
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
deleted file mode 100644
index 35ef2972b..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Mint Sandstorm - Log4J Wstomcat Process Execution
-id: 7c97c625-0350-4f0a-8943-f6cadc88125e
-status: test
-description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
-author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/11/29
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \ws_tomcatservice.exe
- filter_main_repadmin:
- NewProcessName|endswith: \repadmin.exe
- condition: process_creation and (selection and not 1 of filter_main_*)
-falsepositives:
- - Unknown
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
deleted file mode 100644
index eca187be5..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-title: Mint Sandstorm - ManageEngine Suspicious Process Execution
-id: 58d8341a-5849-44cd-8ac8-8b020413a31b
-status: test
-description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
-references:
- - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
-author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/04/25
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_parent_path:
- ParentProcessName|contains:
- - manageengine
- - ServiceDesk
- selection_parent_image:
- ParentProcessName|contains: \java
- selection_special_child_powershell_img:
- NewProcessName|endswith:
- - \powershell.exe
- - \powershell_ise.exe
- selection_special_child_powershell_cli:
- - CommandLine|contains:
- - ' echo '
- - -dumpmode
- - -ssh
- - .dmp
- - add-MpPreference
- - adscredentials
- - bitsadmin
- - certutil
- - csvhost.exe
- - DownloadFile
- - DownloadString
- - dsquery
- - ekern.exe
- - FromBase64String
- - 'iex '
- - iex(
- - Invoke-Expression
- - Invoke-WebRequest
- - localgroup administrators
- - net group
- - net user
- - o365accountconfiguration
- - query session
- - samaccountname=
- - set-MpPreference
- - svhost.exe
- - System.IO.Compression
- - System.IO.MemoryStream
- - usoprivate
- - usoshared
- - whoami
- - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- selection_special_child_lsass_1:
- CommandLine|contains: lsass
- selection_special_child_lsass_2:
- CommandLine|contains:
- - procdump
- - tasklist
- - findstr
- selection_child_wget:
- CommandLine|contains: http
- NewProcessName|endswith: \wget.exe
- selection_child_curl:
- CommandLine|contains: http
- NewProcessName|endswith: \curl.exe
- selection_child_script:
- CommandLine|contains:
- - E:jscript
- - e:vbscript
- selection_child_localgroup:
- CommandLine|contains|all:
- - localgroup Administrators
- - /add
- selection_child_net:
- CommandLine|contains: net # Covers net1
- CommandLine|contains|all:
- - user
- - /add
- selection_child_reg:
- - CommandLine|contains|all:
- - reg add
- - DisableAntiSpyware
- - \Microsoft\Windows Defender
- - CommandLine|contains|all:
- - reg add
- - DisableRestrictedAdmin
- - CurrentControlSet\Control\Lsa
- selection_child_wmic_1:
- CommandLine|contains|all:
- - wmic
- - process call create
- selection_child_wmic_2:
- CommandLine|contains|all:
- - wmic
- - delete
- - shadowcopy
- selection_child_vssadmin:
- CommandLine|contains|all:
- - vssadmin
- - delete
- - shadows
- selection_child_wbadmin:
- CommandLine|contains|all:
- - wbadmin
- - delete
- - catalog
- filter_main:
- CommandLine|contains|all:
- - download.microsoft.com
- - manageengine.com
- - msiexec
- condition: process_creation and (all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main)
-falsepositives:
- - Unlikely
-level: critical
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
deleted file mode 100644
index 646cdeb78..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Potential APT Mustang Panda Activity Against Australian Gov
-id: 7806bb49-f653-48d3-a915-5115c1a85234
-status: experimental
-description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
-references:
- - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-tags:
- - attack.execution
- - attack.g0129
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- CommandLine|contains|all:
- - copy SolidPDFCreator.dll
- - C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll
- selection_2:
- CommandLine|contains|all:
- - 'reg '
- - \Windows\CurrentVersion\Run
- - SolidPDF
- - C:\Users\Public\Libraries\PhotoTvRHD\
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
deleted file mode 100644
index d7ae05264..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: PaperCut MF/NG Exploitation Related Indicators
-id: de1bd0b6-6d59-417c-86d9-a44114aede3b
-status: test
-description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
-references:
- - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
- - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/25
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_1:
- CommandLine|contains|all:
- - ' /c '
- - powershell
- - -nop -w hidden
- - Invoke-WebRequest
- - setup.msi
- - -OutFile
- selection_2:
- CommandLine|contains|all:
- - 'msiexec '
- - '/i '
- - 'setup.msi '
- - '/qn '
- - IntegratorLogin=fimaribahundq
- condition: process_creation and (1 of selection_*)
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
deleted file mode 100644
index b5ce9df0e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-title: PaperCut MF/NG Potential Exploitation
-id: 0934ac71-a331-4e98-a034-d49c491fbbcb
-status: test
-description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
-references:
- - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
- - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
-author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
-date: 2023/04/20
-modified: 2023/04/25
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- ParentProcessName|endswith: \pc-app.exe
- NewProcessName|endswith:
- - \bash.exe
- - \calc.exe
- - \certutil.exe
- - \cmd.exe
- - \csc.exe
- - \cscript.exe
- - \dllhost.exe
- - \mshta.exe
- - \msiexec.exe
- - \powershell.exe
- - \pwsh.exe
- - \regsvr32.exe
- - \rundll32.exe
- - \scriptrunner.exe
- - \wmic.exe
- - \wscript.exe
- - \wsl.exe
- condition: process_creation and selection
-falsepositives:
- - Legitimate administration activity
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
deleted file mode 100644
index 48793077e..000000000
--- a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Peach Sandstorm APT Process Activity Indicators
-id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
-status: experimental
-description: Detects process creation activity related to Peach Sandstorm APT
-references:
- - https://twitter.com/MsftSecIntel/status/1737895710169628824
- - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
-author: X__Junior (Nextron Systems)
-date: 2024/01/15
-tags:
- - attack.execution
- - detection.emerging_threats
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection:
- CommandLine|contains: QP's\*(58vaP!tF4
- condition: process_creation and selection
-falsepositives:
- - Unlikely
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml
deleted file mode 100644
index b48fc1c81..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: New Firewall Rule Added In Windows Firewall Exception List
-id: cde0a575-7d3d-4a49-9817-b8004a7bf105
-status: experimental
-description: Detects when a rule has been added to the Windows Firewall exception list
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113
-date: 2022/02/19
-modified: 2023/09/09
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2004 # A rule has been added to the Windows Defender Firewall exception list
- - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- filter_main_block:
- Action: 2
- filter_main_installations:
- - ApplicationPath|startswith:
- - C:\Program Files\
- - C:\Program Files (x86)\
- - ModifyingApplication|startswith: C:\Windows\WinSxS\ # TiWorker.exe
- - ModifyingApplication:
- - C:\Windows\System32\oobe\Setup.exe
- - C:\Windows\SysWOW64\msiexec.exe
- - C:\Windows\System32\svchost.exe
- - C:\Windows\System32\dllhost.exe
- - C:\Program Files\Windows Defender\MsMpEng.exe
- filter_optional_msmpeng:
- ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
- ModifyingApplication|endswith: \MsMpEng.exe
- condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
deleted file mode 100644
index 892edad73..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-title: New Firewall Exception Rule Added For A Suspicious Folder
-id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
-related:
- - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
- type: derived
-status: experimental
-description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
-author: frack113
-date: 2023/02/26
-modified: 2023/05/30
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
- - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- ApplicationPath|contains:
- - \AppData\
- - \Temp\
- filter_main_block:
- Action: 2
- filter_optional_teams:
- ApplicationPath|endswith: \AppData\local\microsoft\teams\current\teams.exe
- filter_optional_keybase:
- ApplicationPath|endswith: \AppData\Local\Keybase\keybase.exe
- filter_optional_messenger:
- ApplicationPath|endswith: \AppData\Local\Programs\Messenger\Messenger.exe
- filter_optional_opera:
- ApplicationPath|startswith: C:\Users\
- ApplicationPath|contains: \AppData\Local\Programs\Opera\
- ApplicationPath|endswith: \opera.exe
- condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
-falsepositives:
- - Any legitimate application that runs from the AppData user directory
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml
deleted file mode 100644
index 94121f62b..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Firewall Rule Modified In The Windows Firewall Exception List
-id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
-status: experimental
-description: Detects when a rule has been modified in the Windows firewall exception list
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113
-date: 2022/02/19
-modified: 2023/04/21
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)
- - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11)
- filter_main_generic:
- ModifyingApplication|startswith:
- - C:\Program Files (x86)\
- - C:\Program Files\
- condition: firewall_as and (selection and not 1 of filter_main_*)
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
deleted file mode 100644
index f9ad02f30..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: All Rules Have Been Deleted From The Windows Firewall Configuration
-id: 79609c82-a488-426e-abcf-9f341a39365d
-status: experimental
-description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/17
-modified: 2023/04/21
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
- - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
- filter_main_generic:
- ModifyingApplication|startswith:
- - C:\Program Files\
- - C:\Program Files (x86)\
- filter_main_svchost:
- ModifyingApplication: C:\Windows\System32\svchost.exe
- filter_optional_msmpeng:
- ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
- ModifyingApplication|endswith: \MsMpEng.exe
- condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
-level: high
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml
deleted file mode 100644
index 40f5dc95b..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-title: A Rule Has Been Deleted From The Windows Firewall Exception List
-id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
-status: experimental
-description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113
-date: 2022/02/19
-modified: 2023/06/12
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
- - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
- filter_main_generic:
- ModifyingApplication|startswith:
- - C:\Program Files\
- - C:\Program Files (x86)\
- filter_main_svchost:
- ModifyingApplication: C:\Windows\System32\svchost.exe
- filter_optional_msmpeng:
- ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
- ModifyingApplication|endswith: \MsMpEng.exe
- filter_main_null:
- ModifyingApplication:
- filter_main_empty:
- ModifyingApplication: ''
- condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
deleted file mode 100644
index 101598083..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: The Windows Defender Firewall Service Failed To Load Group Policy
-id: 7ec15688-fd24-4177-ba43-1a950537ee39
-status: test
-description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113
-date: 2022/02/19
-modified: 2023/01/17
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
- condition: firewall_as and selection
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml
deleted file mode 100644
index 802f9f5bb..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Windows Defender Firewall Has Been Reset To Its Default Configuration
-id: 04b60639-39c0-412a-9fbe-e82499c881a3
-status: experimental
-description: Detects activity when Windows Defender Firewall has been reset to its default configuration
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113
-date: 2022/02/19
-modified: 2023/04/21
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2032 # Windows Defender Firewall has been reset to its default configuration
- - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
- condition: firewall_as and selection
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml
deleted file mode 100644
index 2802ecf9a..000000000
--- a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Windows Firewall Settings Have Been Changed
-id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
-status: experimental
-description: Detects activity when the settings of the Windows firewall have been changed
-references:
- - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/19
-modified: 2023/04/21
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-logsource:
- product: windows
- service: firewall-as
-detection:
- firewall_as:
- Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- selection:
- EventID:
- - 2002 # A Windows Defender Firewall setting has changed.
- - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
- - 2003 # A Windows Firewall setting in the profile has changed
- - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
- - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied
- # - 2010 # Network profile changed on an interface.
- condition: firewall_as and selection
-level: low
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
deleted file mode 100644
index 3b94568d0..000000000
--- a/tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: Standard User In High Privileged Group
-id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
-status: experimental
-description: Detect standard users login that are part of high privileged groups such as the Administrator group
-references:
- - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
- - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
-author: frack113
-date: 2023/01/13
-modified: 2023/05/05
-tags:
- - attack.credential_access
- - attack.privilege_escalation
-logsource:
- product: windows
- service: lsa-server
- definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
-detection:
- lsa_server:
- Channel: Microsoft-Windows-LSA/Operational
- selection:
- EventID: 300
- TargetUserSid|startswith: S-1-5-21- # Standard user
- SidList|contains:
- - S-1-5-32-544 # Local admin
- - -500} # Domain admin
- - -518} # Schema admin
- - -519} # Enterprise admin
- filter_main_admin:
- TargetUserSid|endswith:
- - '-500' # Domain admin
- - '-518' # Schema admin
- - '-519' # Enterprise admin
- condition: lsa_server and (selection and not 1 of filter_main_*)
-falsepositives:
- - Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field
-level: medium
-ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
deleted file mode 100644
index e568c3cfc..000000000
--- a/tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: ProxyLogon MSExchange OabVirtualDirectory
-id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
-status: test
-description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
-references:
- - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
-author: Florian Roth (Nextron Systems)
-date: 2021/08/09
-modified: 2023/01/23
-tags:
- - attack.t1587.001
- - attack.resource_development
-logsource:
- product: windows
- service: msexchange-management
-detection:
- msexchange_management:
- Channel: MSExchange Management
- keywords_cmdlet:
- '|all':
- - OabVirtualDirectory
- - ' -ExternalUrl '
- keywords_params:
- - eval(request
- - http://f/